I am trying to encrypt the "storage_os_disk" on an Azure VM via Terraform. I have set the managed disk type on the VM OS Disk, so it will be managed, since I know the disk must be managed to allow encryption.
I cannot seem to figure out how to encrypt the OS disk, in terraform
Here is my code i am trying:
resource "azurerm_network_interface" "nic" {
name = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
location = "${data.azurerm_resource_group.core-rg.location}"
resource_group_name = "${data.azurerm_resource_group.core-rg.name}"
depends_on = ["azurerm_virtual_machine.dns-vm"]
ip_configuration {
name = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
subnet_id ="${data.terraform_remote_state.network.sn1_id}"
private_ip_address_allocation = "static"
private_ip_address = "${cidrhost(data.terraform_remote_state.network.sn1_address_prefix, 6 )}"
}
}
resource "azurerm_virtual_machine" "admin-vm-encrpytest" {
name = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-encrpytest"
location = "${data.azurerm_resource_group.core-rg.location}"
resource_group_name = "${data.azurerm_resource_group.core-rg.name}"
network_interface_ids = ["${azurerm_network_interface.nic.id}"]
vm_size = "Standard_B2s"
depends_on = ["azurerm_virtual_machine.dns-vm"]
# Requires LRS Storage Account
boot_diagnostics {
enabled = "True"
storage_uri = "${data.terraform_remote_state.sa.sa_2_prim_blob_ep}"
#storage_uri = "${data.azurerm_storage_account.storage-account-2.primary_blob_endpoint}"
}
storage_os_disk {
name = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
encryption_settings {
enabled = "True"
key_encryption_key {
key_url = "${data.terraform_remote_state.kv.vault_key_1_id}"
source_vault_id = "${data.terraform_remote_state.kv.vault_id}"
}
disk_encryption_key {
secret_url = "${data.terraform_remote_state.kv.vault_key_2_id}"
source_vault_id = "${data.terraform_remote_state.kv.vault_id}"
}
}
}
os_profile {
computer_name = "encrpytest"
admin_username = "cactusadmin"
admin_password = "${var.admin_vm_password}"
}
os_profile_windows_config {
provision_vm_agent = true
enable_automatic_upgrades = true
}
# Uncomment this line to delete the OS disk automatically when deleting the VM
delete_os_disk_on_termination = true
# Uncomment this line to delete the data disks automatically when deleting the VM
delete_data_disks_on_termination = true
storage_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}
}
Thank you
Firstly, the encryption_settings does not exist in the storage_os_disk block but azurerm_managed_disk. So you could create an individual azurerm_managed_disk resource then create VM from a managed disk with the platform image referring here.
Alternatively, you could try to use azurerm_virtual_machine_extension for disk-encryption, refer to this.
resource "azurerm_virtual_machine_extension" "disk-encryption" {
name = "DiskEncryption"
location = "${local.location}"
resource_group_name = "${azurerm_resource_group.environment-rg.name}"
virtual_machine_name = "${azurerm_virtual_machine.server.name}"
publisher = "Microsoft.Azure.Security"
type = "AzureDiskEncryption"
type_handler_version = "2.2"
settings = <<SETTINGS
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "https://${local.vaultname}.vault.azure.net",
"KeyVaultResourceId": "/subscriptions/${local.subscriptionid}/resourceGroups/${local.vaultresourcegroup}/providers/Microsoft.KeyVault/vaults/${local.vaultname}",
"KeyEncryptionKeyURL": "https://${local.vaultname}.vault.azure.net/keys/${local.keyname}/${local.keyversion}",
"KekVaultResourceId": "/subscriptions/${local.subscriptionid}/resourceGroups/${local.vaultresourcegroup}/providers/Microsoft.KeyVault/vaults/${local.vaultname}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
SETTINGS
}