Unable to create encrypted OS disk from Marketplace

[AlexBevan]

Hi there,

Terraform Version

0.10.7
azurerm 0.3

Affected Resource(s)

• azurerm_virtual_machine
• azurerm_managed_disk

Terraform Configuration Files

https://gist.github.com/AlexBevan/3fec50ee253a75f7f01686b9a6b280bb

Expected Behavior

I should be able to attach an encrypted disk, both to the storage_os_disk and storage_data_disk when creating a VM.

Actual Behavior

No method for attaching to os_disk that I can see, storage_disk provides error:

• azurerm_virtual_machine.vm: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=200 -- Original Error: Long running operation terminated with status 'Failed': Code="NotSupported" Message="Disk '/subscriptions/16c72dc1-52b7-4c8e-a182-8c719d9b2e8a/resourceGroups/atb2-d-scd/providers/Microsoft.Compute/disks/atb2-d-scd1-f' contains encryption settings and cannot be used as a data disk. In order to use it as a data disk, remove the encryption settings and ensure that the virtual machine’s OS disk has the applicable encryption settings defined."

[unfii]

also same error, when it will be fixed?

[nbering]

It might help diagnose the issue if you included a sample configuration. The error kind of suggests you're attaching the disk as a data disk and not an OS disk, though it wouldn't be the first time Azure has returned a nonsensical error.

Edit: My bad. I see your link now.

[nbering]

It seems to me the error you're seeing does apply to the Data Disk, not the OS Disk. My past experiments with managed disks and the OS disk can impart this observation that may help:

The OS Profile (machine name, admin password, etc) are applied by the same mechanism that copies the marketplace image to your managed disk. So you either need to have user settings pre-provisioned onto a custom image, or leave the OS disk out of your terraform config, allowing the VM provisioning process to create it.

It's possible that Terraform still does not support those type of disk encryption on a managed disk, but I think the error you've provided doesn't quite match up to the issue's title. The error is related to data disks, but your title is about the OS disk.

[unfii]

Possible to encrypt os disk and data disk?

[nbering]

The error suggests this isn't possible (at least on the managed disk level). I suspect this has more do with where the encryption feature you're requesting and where it hooks in. For example, there's a transparent encryption feature with blob storage where you never manage the keys but it is encrypted at rest. I think this feature you're using probably needs to pass keys to the bootloader so it can boot off the disk. To encrypt the data disk you might use a feature like BitLocker on Windows or LUKS/dm-crypt on Linux.

Lots of options on various levels for Encryption. It just depends who you're trying to protect your data from.

[tombuildsstuff]

hey @AlexBevan

Thanks for opening this issue - apologies for the delayed response here!

This issue is also being tracked in #486 - rather than having multiple issues open tracking the same thing I'm going to close this issue in favour of that one.

Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!