Support EncryptionAtRestWithPlatformAndCustomerKeys in disk encryption

[myc2h6o]

Fix #10588

• r\disk_encrytpion_set: Add new property encryption_type
  • By default the value is EncryptionAtRestWithCustomerKey, and user can specify EncryptionAtRestWithPlatformAndCustomerKeys to enable double encryption, which uses both customer key and platform key.
  • This property cannot be updated although it is an settable in update api, thus setting ForceNew
• r\managed_disk, r\linux_virtual_machine, r\windows_virtual_machine: Auto-detect encryptionType from disk_encryption_set_id
  • Earlier encryptionType is always EncryptionAtRestWithCustomerKey, which throws an error when the encryption type of the corresponding encryption set is EncryptionAtRestWithPlatformAndCustomerKeys. In this change, when disk_encryption_set_id is specified, the encryptionType will be retrieved from the encryption set so that it can support both encryption types.
• r\managed_disk: Update ValidateFunc from azure.ValidateResourceID to validate.DiskEncryptionSetID
• Test result
  Tested with TestAccDiskEncryptionSet_|TestAccManagedDisk_|TestAccLinuxVirtualMachine_|TestAccWindowsVirtualMachine_. 196/200 tests pass, failed tests fail at main as well
  

[stephybun]

Hi @myc2h6o, thanks for this PR! Overall this look goods, I have a few suggestions though.

[stephybun]

The error returned from parse.DiskEncryptionSetID contains some really useful information on why the id couldn't be parsed so I think it would be more helpful to return that in addition/instead of an error message

Suggested change

	return fmt.Errorf("`disk_encryption_set_id` is not a valid disk encryption set id")
	return err

[myc2h6o]

Updated and moved to new method retrieveDiskEncryptionSetEncryptionType in disk_encryption_set.go

[stephybun]

We could shorten the error message here since that info is contained within the parsed resource ID

Suggested change

	return fmt.Errorf("reading Disk Encryption Set %q (Resource Group %q): %+v", diskEncryptionSet.Name, diskEncryptionSet.ResourceGroup, err)
	return fmt.Errorf("reading %s: %+v", *diskEncryptionSet, err)

[myc2h6o]

Updated in the new method

[stephybun]

Same comment here as above

[stephybun]

Same here as above

[stephybun]

Suggested change

	* `encryption_type` - (Optional) The type of key used to encrypt the data of the disk. Allowed values are `EncryptionAtRestWithCustomerKey` and `EncryptionAtRestWithPlatformAndCustomerKeys`. Defaults to `EncryptionAtRestWithCustomerKey`.
	* `encryption_type` - (Optional) The type of key used to encrypt the data of the disk. Accepted values are `EncryptionAtRestWithCustomerKey` and `EncryptionAtRestWithPlatformAndCustomerKeys`. Defaults to `EncryptionAtRestWithCustomerKey`.

[tombuildsstuff]

We've been using Possible in most cases fwiw:

Suggested change

	* `encryption_type` - (Optional) The type of key used to encrypt the data of the disk. Allowed values are `EncryptionAtRestWithCustomerKey` and `EncryptionAtRestWithPlatformAndCustomerKeys`. Defaults to `EncryptionAtRestWithCustomerKey`.
	* `encryption_type` - (Optional) The type of key used to encrypt the data of the disk. Possible values are `EncryptionAtRestWithCustomerKey` and `EncryptionAtRestWithPlatformAndCustomerKeys`. Defaults to `EncryptionAtRestWithCustomerKey`.

[myc2h6o]

Updated

[stephybun]

I think it makes sense to specify an error occurred while attempting to retrieve a disk encryption set

Suggested change

	return nil, err
	return nil, fmt.Errorf("retrieving %s: %+v", *diskEncryptionSet, err)

[myc2h6o]

yes make sense, adding retrieving %s to the error message

[stephybun]

And then here to just return the error

Suggested change

	return fmt.Errorf("retrieving encryption type from disk encryption set %q: %+v", diskEncryptionSetId, err)
	return err

[stephybun]

Same here

[stephybun]

Same here

[stephybun]

Same here

[tombuildsstuff]

hi @myc2h6o

Thanks for this PR.

I've taken a look through and left some comments line in addition to @stephybun's review - if we can fix up both sets of comments then we should be able to take another look.

Thanks!

[tombuildsstuff]

this should be case-sensitive:

Suggested change

	}, true),
	}, false),

[myc2h6o]

Updated

[tombuildsstuff]

this won't be returned from the API for older resources - so we'll need to default that in code:

Suggested change

	d.Set("encryption_type", props.EncryptionType)
	encryptionType := string(compute.DiskEncryptionSetTypeEncryptionAtRestWithCustomerKey)
	if props.EncryptionType != "" {
	encryptionType = string(props.EncryptionType)
	}
	d.Set("encryption_type", encryptionType)

[myc2h6o]

Updated to set default value

[tombuildsstuff]

this should be a string:

Suggested change

	Default: compute.DiskEncryptionSetTypeEncryptionAtRestWithCustomerKey,
	Default: string(compute.DiskEncryptionSetTypeEncryptionAtRestWithCustomerKey),

[myc2h6o]

thanks for pointing out, updated

[tombuildsstuff]

this field is ForceNew, so this won't update - it'll destroy and recreate the resource. Since the first step is the same as Basic we can remove this, and move the assertion up into the Basic test

Suggested change

	{
	Config: r.withEncryptionTypeDefault(data),
	Check: acceptance.ComposeTestCheckFunc(
	check.That(data.ResourceName).ExistsInAzure(r),
	check.That(data.ResourceName).Key("encryption_type").HasValue("EncryptionAtRestWithCustomerKey"),
	),
	},
	data.ImportStep(),
	{
	Config: r.withEncryptionTypeUpdated(data),
	{
	Config: r.customerAndPlatformKey(data),

[myc2h6o]

yes make sense, removed the update part in the test and add the default value check to the basic test

[tombuildsstuff]

Suggested change

	func (r DiskEncryptionSetResource) withEncryptionTypeUpdated(data acceptance.TestData) string {
	func (r DiskEncryptionSetResource) customerAndPlatformKey(data acceptance.TestData) string {

[tombuildsstuff]

same here:

Suggested change

	Type: compute.EncryptionType(*encryptionType),
	Type: *encryptionType,

[tombuildsstuff]

We've been using Possible in most cases fwiw:

Suggested change

	* `encryption_type` - (Optional) The type of key used to encrypt the data of the disk. Allowed values are `EncryptionAtRestWithCustomerKey` and `EncryptionAtRestWithPlatformAndCustomerKeys`. Defaults to `EncryptionAtRestWithCustomerKey`.
	* `encryption_type` - (Optional) The type of key used to encrypt the data of the disk. Possible values are `EncryptionAtRestWithCustomerKey` and `EncryptionAtRestWithPlatformAndCustomerKeys`. Defaults to `EncryptionAtRestWithCustomerKey`.

[tombuildsstuff]

this fields configured on the Disk Encryption Set rather than the VM, so this comment isn't really necessary:

Suggested change

-> **NOTE:** Encryption type of the key will be decided by the disk encryption set. [More info on encryption type](https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption)

[myc2h6o]

Removed.

[tombuildsstuff]

this fields configured on the Disk Encryption Set rather than the VM, so this comment isn't really necessary:

Suggested change

-> **NOTE:** Encryption type of the key will be decided by the disk encryption set. [More info on encryption type](https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption)

[tombuildsstuff]

this fields configured on the Disk Encryption Set rather than the VM, so this comment isn't really necessary:

Suggested change

-> **NOTE:** Encryption type of the key will be decided by the disk encryption set. [More info on encryption type](https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption)

[stephybun]

Thanks for adopting those changes @myc2h6o. The tests are passing too so this LGTM 🚀

[github-actions]

This functionality has been released in v2.86.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.