Azure · AlexanderSehr · Jun 27, 2022 · Jun 25, 2022 · Jun 25, 2022 · Jun 25, 2022
@@ -5,11 +5,11 @@
         "name": {
             "value": "<<namePrefix>>-az-des-x-001"
         },
-        "keyVaultId": {
+        "keyVaultResourceId": {
             "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
         },
-        "keyUrl": {
-            "value": "https://adp-<<namePrefix>>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5" // ID must be updated for new keys
+        "keyName": {
+            "value": "keyEncryptionKey"
         },
         "roleAssignments": {
             "value": [

@@ -5,10 +5,13 @@ param name string
 param location string = resourceGroup().location
 
 @description('Required. Resource ID of the KeyVault containing the key or secret.')
-param keyVaultId string
+param keyVaultResourceId string
 
 @description('Required. Key URL (with version) pointing to a key or secret in KeyVault.')
-param keyUrl string
+param keyName string
+
+@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
+param keyVersion string = ''
 
 @description('Optional. The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys.')
 @allowed([
@@ -41,6 +44,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
+resource keyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = {
+  name: '${last(split(keyVaultResourceId, '/'))}/${keyName}'
+  scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
+}
+
 resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
   name: name
   location: location
@@ -51,9 +59,9 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
   properties: {
     activeKey: {
       sourceVault: {
-        id: keyVaultId
+        id: keyVaultResourceId
       }
-      keyUrl: keyUrl
+      keyUrl: !empty(keyVersion) ? '${keyVaultKey.properties.keyUri}/${keyVersion}' : keyVaultKey.properties.keyUriWithVersion
     }
     encryptionType: encryptionType
     rotationToLatestKeyVersionEnabled: rotationToLatestKeyVersionEnabled
@@ -63,7 +71,7 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 module keyVaultAccessPolicies '../../Microsoft.KeyVault/vaults/accessPolicies/deploy.bicep' = {
   name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies'
   params: {
-    keyVaultName: last(split(keyVaultId, '/'))
+    keyVaultName: last(split(keyVaultResourceId, '/'))
     accessPolicies: [
       {
         tenantId: subscription().tenantId
@@ -81,7 +89,7 @@ module keyVaultAccessPolicies '../../Microsoft.KeyVault/vaults/accessPolicies/de
     ]
   }
   // This is to support access policies to KV in different subscription and resource group than the disk encryption set.
-  scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4])
+  scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
 }
 
 module diskEncryptionSet_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
@@ -108,7 +116,7 @@ output resourceGroupName string = resourceGroup().name
 output systemAssignedPrincipalId string = diskEncryptionSet.identity.principalId
 
 @description('The name of the key vault with the disk encryption key.')
-output keyVaultName string = last(split(keyVaultId, '/'))
+output keyVaultName string = last(split(keyVaultResourceId, '/'))
 
 @description('The location the resource was deployed into.')
 output location string = diskEncryptionSet.location
@@ -22,15 +22,16 @@ This template deploys a disk encryption set.
 **Required parameters**
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `keyUrl` | string | Key URL (with version) pointing to a key or secret in KeyVault. |
-| `keyVaultId` | string | Resource ID of the KeyVault containing the key or secret. |
+| `keyName` | string | Key URL (with version) pointing to a key or secret in KeyVault. |
+| `keyVaultResourceId` | string | Resource ID of the KeyVault containing the key or secret. |
 | `name` | string | The name of the disk encryption set that is being created. |
 
 **Optional parameters**
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` |  | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `encryptionType` | string | `'EncryptionAtRestWithPlatformAndCustomerKeys'` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]` | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. |
+| `keyVersion` | string | `''` |  | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `location` | string | `[resourceGroup().location]` |  | Resource location. |
 | `roleAssignments` | array | `[]` |  | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `rotationToLatestKeyVersionEnabled` | bool | `False` |  | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. |
@@ -164,11 +165,11 @@ tags: {
         "name": {
             "value": "<<namePrefix>>-az-des-x-001"
         },
-        "keyVaultId": {
+        "keyVaultResourceId": {
             "value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
         },
-        "keyUrl": {
-            "value": "https://adp-<<namePrefix>>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5" // ID must be updated for new keys
+        "keyName": {
+            "value": "keyEncryptionKey"
         },
         "roleAssignments": {
             "value": [
@@ -196,8 +197,8 @@ module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep'
   name: '${uniqueString(deployment().name)}-diskEncryptionSets'
   params: {
     name: '<<namePrefix>>-az-des-x-001'
-    keyVaultId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001'
-    keyUrl: 'https://adp-<<namePrefix>>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5'
+    keyVaultResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001'
+    keyName: 'keyEncryptionKey'
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Reader'