Microsoft.Compute diskEncryptionSets 2023-04-02
Bicep resource definition
The diskEncryptionSets resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Compute/diskEncryptionSets resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Compute/diskEncryptionSets@2023-04-02' = {
name: 'string'
location: 'string'
tags: {
tagName1: 'tagValue1'
tagName2: 'tagValue2'
}
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
properties: {
activeKey: {
keyUrl: 'string'
sourceVault: {
id: 'string'
}
}
encryptionType: 'string'
federatedClientId: 'string'
rotationToLatestKeyVersionEnabled: bool
}
}
Property values
diskEncryptionSets
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, and hyphens. |
| location | Resource location | string (required) |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity |
| properties | EncryptionSetProperties |
EncryptionSetIdentity
| Name | Description | Value |
|---|---|---|
| type | The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with Identity type None during migration of subscription to a new Azure Active Directory tenant; it will cause the encrypted resources to lose access to the keys. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
| userAssignedIdentities | The list of user identities associated with the disk encryption set. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | UserAssignedIdentities |
UserAssignedIdentities
| Name | Description | Value |
|---|---|---|
| {customized property} | UserAssignedIdentitiesValue |
UserAssignedIdentitiesValue
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
EncryptionSetProperties
| Name | Description | Value |
|---|---|---|
| activeKey | The key vault key which is currently used by this disk encryption set. | KeyForDiskEncryptionSet |
| encryptionType | The type of key used to encrypt the data of the disk. | 'ConfidentialVmEncryptedWithCustomerKey' 'EncryptionAtRestWithCustomerKey' 'EncryptionAtRestWithPlatformAndCustomerKeys' |
| federatedClientId | Multi-tenant application client id to access key vault in a different tenant. Setting the value to 'None' will clear the property. | string |
| rotationToLatestKeyVersionEnabled | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | bool |
KeyForDiskEncryptionSet
| Name | Description | Value |
|---|---|---|
| keyUrl | Fully versioned Key Url pointing to a key in KeyVault. Version segment of the Url is required regardless of rotationToLatestKeyVersionEnabled value. | string (required) |
| sourceVault | Resource id of the KeyVault containing the key or secret. This property is optional and cannot be used if the KeyVault subscription is not the same as the Disk Encryption Set subscription. | SourceVault |
SourceVault
| Name | Description | Value |
|---|---|---|
| id | Resource Id | string |
ARM template resource definition
The diskEncryptionSets resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Compute/diskEncryptionSets resource, add the following JSON to your template.
{
"type": "Microsoft.Compute/diskEncryptionSets",
"apiVersion": "2023-04-02",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {}
}
},
"properties": {
"activeKey": {
"keyUrl": "string",
"sourceVault": {
"id": "string"
}
},
"encryptionType": "string",
"federatedClientId": "string",
"rotationToLatestKeyVersionEnabled": "bool"
}
}
Property values
diskEncryptionSets
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.Compute/diskEncryptionSets' |
| apiVersion | The resource api version | '2023-04-02' |
| name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, and hyphens. |
| location | Resource location | string (required) |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity |
| properties | EncryptionSetProperties |
EncryptionSetIdentity
| Name | Description | Value |
|---|---|---|
| type | The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with Identity type None during migration of subscription to a new Azure Active Directory tenant; it will cause the encrypted resources to lose access to the keys. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
| userAssignedIdentities | The list of user identities associated with the disk encryption set. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | UserAssignedIdentities |
UserAssignedIdentities
| Name | Description | Value |
|---|---|---|
| {customized property} | UserAssignedIdentitiesValue |
UserAssignedIdentitiesValue
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
EncryptionSetProperties
| Name | Description | Value |
|---|---|---|
| activeKey | The key vault key which is currently used by this disk encryption set. | KeyForDiskEncryptionSet |
| encryptionType | The type of key used to encrypt the data of the disk. | 'ConfidentialVmEncryptedWithCustomerKey' 'EncryptionAtRestWithCustomerKey' 'EncryptionAtRestWithPlatformAndCustomerKeys' |
| federatedClientId | Multi-tenant application client id to access key vault in a different tenant. Setting the value to 'None' will clear the property. | string |
| rotationToLatestKeyVersionEnabled | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | bool |
KeyForDiskEncryptionSet
| Name | Description | Value |
|---|---|---|
| keyUrl | Fully versioned Key Url pointing to a key in KeyVault. Version segment of the Url is required regardless of rotationToLatestKeyVersionEnabled value. | string (required) |
| sourceVault | Resource id of the KeyVault containing the key or secret. This property is optional and cannot be used if the KeyVault subscription is not the same as the Disk Encryption Set subscription. | SourceVault |
SourceVault
| Name | Description | Value |
|---|---|---|
| id | Resource Id | string |
Terraform (AzAPI provider) resource definition
The diskEncryptionSets resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Compute/diskEncryptionSets resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Compute/diskEncryptionSets@2023-04-02"
name = "string"
location = "string"
parent_id = "string"
tags = {
tagName1 = "tagValue1"
tagName2 = "tagValue2"
}
identity {
type = "string"
identity_ids = []
}
body = jsonencode({
properties = {
activeKey = {
keyUrl = "string"
sourceVault = {
id = "string"
}
}
encryptionType = "string"
federatedClientId = "string"
rotationToLatestKeyVersionEnabled = bool
}
})
}
Property values
diskEncryptionSets
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.Compute/diskEncryptionSets@2023-04-02" |
| name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, and hyphens. |
| location | Resource location | string (required) |
| parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
| tags | Resource tags | Dictionary of tag names and values. |
| identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity |
| properties | EncryptionSetProperties |
EncryptionSetIdentity
| Name | Description | Value |
|---|---|---|
| type | The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with Identity type None during migration of subscription to a new Azure Active Directory tenant; it will cause the encrypted resources to lose access to the keys. | "SystemAssigned" "SystemAssigned, UserAssigned" "UserAssigned" |
| identity_ids | The list of user identities associated with the disk encryption set. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | Array of user identity IDs. |
UserAssignedIdentities
| Name | Description | Value |
|---|---|---|
| {customized property} | UserAssignedIdentitiesValue |
UserAssignedIdentitiesValue
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
EncryptionSetProperties
| Name | Description | Value |
|---|---|---|
| activeKey | The key vault key which is currently used by this disk encryption set. | KeyForDiskEncryptionSet |
| encryptionType | The type of key used to encrypt the data of the disk. | "ConfidentialVmEncryptedWithCustomerKey" "EncryptionAtRestWithCustomerKey" "EncryptionAtRestWithPlatformAndCustomerKeys" |
| federatedClientId | Multi-tenant application client id to access key vault in a different tenant. Setting the value to 'None' will clear the property. | string |
| rotationToLatestKeyVersionEnabled | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | bool |
KeyForDiskEncryptionSet
| Name | Description | Value |
|---|---|---|
| keyUrl | Fully versioned Key Url pointing to a key in KeyVault. Version segment of the Url is required regardless of rotationToLatestKeyVersionEnabled value. | string (required) |
| sourceVault | Resource id of the KeyVault containing the key or secret. This property is optional and cannot be used if the KeyVault subscription is not the same as the Disk Encryption Set subscription. | SourceVault |
SourceVault
| Name | Description | Value |
|---|---|---|
| id | Resource Id | string |