Support EncryptionAtRestWithPlatformAndCustomerKeys in disk encryption

internal/services/compute/disk_encryption_set_resource.go

@@ -65,6 +65,17 @@ func resourceDiskEncryptionSet() *pluginsdk.Resource {
 				Optional: true,
 			},
 
+			"encryption_type": {
+				Type:     pluginsdk.TypeString,
+				Optional: true,
+				ForceNew: true,
+				Default:  compute.DiskEncryptionSetTypeEncryptionAtRestWithCustomerKey,
+				ValidateFunc: validation.StringInSlice([]string{
+					string(compute.DiskEncryptionSetTypeEncryptionAtRestWithCustomerKey),
+					string(compute.DiskEncryptionSetTypeEncryptionAtRestWithPlatformAndCustomerKeys),
+				}, true),
+			},
+
 			"identity": {
 				Type: pluginsdk.TypeList,
 				// whilst the API Documentation shows optional - attempting to send nothing returns:
@@ -132,6 +143,7 @@ func resourceDiskEncryptionSetCreate(d *pluginsdk.ResourceData, meta interface{}
 
 	location := azure.NormalizeLocation(d.Get("location").(string))
 	rotationToLatestKeyVersionEnabled := d.Get("auto_key_rotation_enabled").(bool)
+	encryptionType := d.Get("encryption_type").(string)
 	identityRaw := d.Get("identity").([]interface{})
 	t := d.Get("tags").(map[string]interface{})
 
@@ -145,6 +157,7 @@ func resourceDiskEncryptionSetCreate(d *pluginsdk.ResourceData, meta interface{}
 				},
 			},
 			RotationToLatestKeyVersionEnabled: utils.Bool(rotationToLatestKeyVersionEnabled),
+			EncryptionType:                    compute.DiskEncryptionSetType(encryptionType),
 		},
 		Identity: expandDiskEncryptionSetIdentity(identityRaw),
 		Tags:     tags.Expand(t),
@@ -203,6 +216,7 @@ func resourceDiskEncryptionSetRead(d *pluginsdk.ResourceData, meta interface{})
 		}
 		d.Set("key_vault_key_id", keyVaultKeyId)
 		d.Set("auto_key_rotation_enabled", props.RotationToLatestKeyVersionEnabled)
+		d.Set("encryption_type", props.EncryptionType)
 	}
 
 	if err := d.Set("identity", flattenDiskEncryptionSetIdentity(resp.Identity)); err != nil {

internal/services/compute/disk_encryption_set_resource_test.go

@@ -104,6 +104,30 @@ func TestAccDiskEncryptionSet_keyRotate(t *testing.T) {
 	})
 }
 
+func TestAccDiskEncryptionSet_withEncryptionType(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_disk_encryption_set", "test")
+	r := DiskEncryptionSetResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.withEncryptionTypeDefault(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("encryption_type").HasValue("EncryptionAtRestWithCustomerKey"),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.withEncryptionTypeUpdated(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("encryption_type").HasValue("EncryptionAtRestWithPlatformAndCustomerKeys"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (DiskEncryptionSetResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	id, err := parse.DiskEncryptionSetID(state.ID)
 	if err != nil {
@@ -292,3 +316,38 @@ resource "azurerm_disk_encryption_set" "test" {
 }
 `, r.dependencies(data), data.RandomInteger)
 }
+
+func (r DiskEncryptionSetResource) withEncryptionTypeDefault(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_disk_encryption_set" "test" {
+  name                = "acctestDES-%d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+  key_vault_key_id    = azurerm_key_vault_key.test.id
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+`, r.dependencies(data), data.RandomInteger)
+}
+
+func (r DiskEncryptionSetResource) withEncryptionTypeUpdated(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_disk_encryption_set" "test" {
+  name                = "acctestDES-%d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+  key_vault_key_id    = azurerm_key_vault_key.test.id
+  encryption_type     = "EncryptionAtRestWithPlatformAndCustomerKeys"
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+`, r.dependencies(data), data.RandomInteger)
+}

internal/services/compute/managed_disk_resource.go

@@ -344,8 +344,19 @@ func resourceManagedDiskCreate(d *pluginsdk.ResourceData, meta interface{}) erro
 	}
 
 	if diskEncryptionSetId := d.Get("disk_encryption_set_id").(string); diskEncryptionSetId != "" {
+		diskEncryptionSet, err := parse.DiskEncryptionSetID(diskEncryptionSetId)
+		if err != nil {
+			return fmt.Errorf("`disk_encryption_set_id` is not a valid disk encryption set id")
+		}
+
+		diskEncryptionSetClient := meta.(*clients.Client).Compute.DiskEncryptionSetsClient
+		resp, err := diskEncryptionSetClient.Get(ctx, diskEncryptionSet.ResourceGroup, diskEncryptionSet.Name)
+		if err != nil {
+			return fmt.Errorf("reading Disk Encryption Set %q (Resource Group %q): %+v", diskEncryptionSet.Name, diskEncryptionSet.ResourceGroup, err)
+		}
+
 		props.Encryption = &compute.Encryption{
-			Type:                compute.EncryptionTypeEncryptionAtRestWithCustomerKey,
+			Type:                compute.EncryptionType(resp.EncryptionType),
 			DiskEncryptionSetID: utils.String(diskEncryptionSetId),
 		}
 	}
@@ -537,8 +548,19 @@ func resourceManagedDiskUpdate(d *pluginsdk.ResourceData, meta interface{}) erro
 	if d.HasChange("disk_encryption_set_id") {
 		shouldShutDown = true
 		if diskEncryptionSetId := d.Get("disk_encryption_set_id").(string); diskEncryptionSetId != "" {
+			diskEncryptionSet, err := parse.DiskEncryptionSetID(diskEncryptionSetId)
+			if err != nil {
+				return fmt.Errorf("`disk_encryption_set_id` is not a valid disk encryption set id")
+			}
+
+			diskEncryptionSetClient := meta.(*clients.Client).Compute.DiskEncryptionSetsClient
+			resp, err := diskEncryptionSetClient.Get(ctx, diskEncryptionSet.ResourceGroup, diskEncryptionSet.Name)
+			if err != nil {
+				return fmt.Errorf("reading Disk Encryption Set %q (Resource Group %q): %+v", diskEncryptionSet.Name, diskEncryptionSet.ResourceGroup, err)
+			}
+
 			diskUpdate.Encryption = &compute.Encryption{
-				Type:                compute.EncryptionTypeEncryptionAtRestWithCustomerKey,
+				Type:                compute.EncryptionType(resp.EncryptionType),
 				DiskEncryptionSetID: utils.String(diskEncryptionSetId),
 			}
 		} else {

website/docs/r/disk_encryption_set.html.markdown

@@ -107,6 +107,8 @@ The following arguments are supported:
 
 * `auto_key_rotation_enabled` - (Optional) Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version. Defaults to `false`.
 
+* `encryption_type` - (Optional) The type of key used to encrypt the data of the disk. Allowed values are `EncryptionAtRestWithCustomerKey` and `EncryptionAtRestWithPlatformAndCustomerKeys`. Defaults to `EncryptionAtRestWithCustomerKey`.
+
 * `identity` - (Required) An `identity` block as defined below.
 
 * `tags` - (Optional) A mapping of tags to assign to the Disk Encryption Set.

website/docs/r/managed_disk.html.markdown

@@ -97,6 +97,8 @@ The following arguments are supported:
 
 ~> **NOTE:** Disk Encryption Sets are in Public Preview in a limited set of regions
 
+-> **NOTE:** Encryption type of the key will be decided by the disk encryption set. [More info on encryption type](https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption)
+
 * `disk_iops_read_write` - (Optional) The number of IOPS allowed for this disk; only settable for UltraSSD disks. One operation can transfer between 4k and 256k bytes.
 
 * `disk_mbps_read_write` - (Optional) The bandwidth allowed for this disk; only settable for UltraSSD disks. MBps means millions of bytes per second.