d\managed_disk: Add support for encryption_settings (#15774)

internal/services/compute/managed_disk_data_source.go

@@ -60,6 +60,54 @@ func dataSourceManagedDisk() *pluginsdk.Resource {
 				Computed: true,
 			},
 
+			"encryption_settings": {
+				Type:     pluginsdk.TypeList,
+				Computed: true,
+				Elem: &pluginsdk.Resource{
+					Schema: map[string]*pluginsdk.Schema{
+						"enabled": {
+							Type:     pluginsdk.TypeBool,
+							Computed: true,
+						},
+
+						"disk_encryption_key": {
+							Type:     pluginsdk.TypeList,
+							Computed: true,
+							Elem: &pluginsdk.Resource{
+								Schema: map[string]*pluginsdk.Schema{
+									"secret_url": {
+										Type:     pluginsdk.TypeString,
+										Computed: true,
+									},
+
+									"source_vault_id": {
+										Type:     pluginsdk.TypeString,
+										Computed: true,
+									},
+								},
+							},
+						},
+						"key_encryption_key": {
+							Type:     pluginsdk.TypeList,
+							Computed: true,
+							Elem: &pluginsdk.Resource{
+								Schema: map[string]*pluginsdk.Schema{
+									"key_url": {
+										Type:     pluginsdk.TypeString,
+										Computed: true,
+									},
+
+									"source_vault_id": {
+										Type:     pluginsdk.TypeString,
+										Computed: true,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+
 			"image_reference_id": {
 				Type:     pluginsdk.TypeString,
 				Computed: true,
@@ -162,6 +210,10 @@ func dataSourceManagedDiskRead(d *pluginsdk.ResourceData, meta interface{}) erro
 			diskEncryptionSetId = *props.Encryption.DiskEncryptionSetID
 		}
 		d.Set("disk_encryption_set_id", diskEncryptionSetId)
+
+		if err := d.Set("encryption_settings", flattenManagedDiskEncryptionSettings(props.EncryptionSettingsCollection)); err != nil {
+			return fmt.Errorf("setting `encryption_settings`: %+v", err)
+		}
 	}
 
 	return tags.FlattenAndSet(d, resp.Tags)

internal/services/compute/managed_disk_data_source_test.go

@@ -67,6 +67,27 @@ func TestAccDataSourceManagedDisk_diskAccess(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceManagedDisk_encryptionSettings(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_managed_disk", "test")
+	r := ManagedDiskDataSource{}
+
+	data.DataSourceTest(t, []acceptance.TestStep{
+		{
+			Config: r.encryptionSettings(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("encryption_settings.#").HasValue("1"),
+				check.That(data.ResourceName).Key("encryption_settings.0.enabled").HasValue("true"),
+				check.That(data.ResourceName).Key("encryption_settings.0.disk_encryption_key.#").HasValue("1"),
+				check.That(data.ResourceName).Key("encryption_settings.0.disk_encryption_key.0.secret_url").Exists(),
+				check.That(data.ResourceName).Key("encryption_settings.0.disk_encryption_key.0.source_vault_id").Exists(),
+				check.That(data.ResourceName).Key("encryption_settings.0.key_encryption_key.#").HasValue("1"),
+				check.That(data.ResourceName).Key("encryption_settings.0.key_encryption_key.0.key_url").Exists(),
+				check.That(data.ResourceName).Key("encryption_settings.0.key_encryption_key.0.source_vault_id").Exists(),
+			),
+		},
+	})
+}
+
 func (ManagedDiskDataSource) basic(data acceptance.TestData, name string, resourceGroupName string) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
@@ -168,3 +189,103 @@ data "azurerm_managed_disk" "test" {
 }
 `, data.Locations.Primary, data.RandomInteger)
 }
+
+func (ManagedDiskDataSource) encryptionSettings(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {
+    key_vault {
+      recover_soft_deleted_key_vaults       = false
+      purge_soft_delete_on_destroy          = false
+      purge_soft_deleted_keys_on_destroy    = false
+      purge_soft_deleted_secrets_on_destroy = false
+    }
+  }
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_key_vault" "test" {
+  name                = "acctestkv-%s"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  tenant_id           = "${data.azurerm_client_config.current.tenant_id}"
+  sku_name            = "standard"
+
+  access_policy {
+    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+    object_id = "${data.azurerm_client_config.current.object_id}"
+
+    key_permissions = [
+      "Create",
+      "Delete",
+      "Get",
+      "Purge",
+    ]
+
+    secret_permissions = [
+      "Delete",
+      "Get",
+      "Set",
+    ]
+  }
+
+  enabled_for_disk_encryption = true
+
+  tags = {
+    environment = "Production"
+  }
+}
+
+resource "azurerm_key_vault_secret" "test" {
+  name         = "secret-%s"
+  value        = "szechuan"
+  key_vault_id = azurerm_key_vault.test.id
+}
+
+resource "azurerm_key_vault_key" "test" {
+  name         = "key-%s"
+  key_vault_id = azurerm_key_vault.test.id
+  key_type     = "EC"
+  key_size     = 2048
+
+  key_opts = [
+    "sign",
+    "verify",
+  ]
+}
+
+resource "azurerm_managed_disk" "test" {
+  name                 = "acctestd-%d"
+  location             = "${azurerm_resource_group.test.location}"
+  resource_group_name  = "${azurerm_resource_group.test.name}"
+  storage_account_type = "Standard_LRS"
+  create_option        = "Empty"
+  disk_size_gb         = "1"
+
+  encryption_settings {
+    enabled = true
+
+    disk_encryption_key {
+      secret_url      = "${azurerm_key_vault_secret.test.id}"
+      source_vault_id = "${azurerm_key_vault.test.id}"
+    }
+
+    key_encryption_key {
+      key_url         = "${azurerm_key_vault_key.test.id}"
+      source_vault_id = "${azurerm_key_vault.test.id}"
+    }
+  }
+}
+
+data "azurerm_managed_disk" "test" {
+  name                = azurerm_managed_disk.test.name
+  resource_group_name = azurerm_resource_group.test.name
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomString, data.RandomString, data.RandomString, data.RandomInteger)
+}

website/docs/d/managed_disk.html.markdown

@@ -59,6 +59,32 @@ output "id" {
 
 * `disk_access_id` - The ID of the disk access resource for using private endpoints on disks.
 
+* `encryption_settings` - A `encryption_settings` block as defined below.
+
+---
+
+The `encryption_settings` block supports:
+
+* `disk_encryption_key` - A `disk_encryption_key` block as defined above.
+
+* `key_encryption_key` - A `key_encryption_key` block as defined below.
+
+---
+
+The `disk_encryption_key` block supports:
+
+* `secret_url` - The URL to the Key Vault Secret used as the Disk Encryption Key.
+
+* `source_vault_id` - The ID of the source Key Vault.
+
+---
+
+The `key_encryption_key` block supports:
+
+* `key_url` - The URL to the Key Vault Key used as the Key Encryption Key.
+
+* `source_vault_id` - The ID of the source Key Vault.
+
 ## Timeouts
 
 The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: