add disk encryption prop to data disk

internal/services/compute/image_resource.go

@@ -198,6 +198,13 @@ func resourceImage() *pluginsdk.Resource {
 							ValidateFunc: validation.NoZeroValues,
 						},
 
+						"disk_encryption_set_id": {
+							Type:         pluginsdk.TypeString,
+							Optional:     true,
+							ForceNew:     true,
+							ValidateFunc: validate.DiskEncryptionSetID,
+						},
+
 						"storage_type": {
 							Type:         pluginsdk.TypeString,
 							Description:  "The type of storage disk",
@@ -430,6 +437,12 @@ func expandImageDataDisks(disks []interface{}) *[]images.ImageDataDisk {
 			item.ManagedDisk = managedDisk
 		}
 
+		if id := config["disk_encryption_set_id"].(string); id != "" {
+			item.DiskEncryptionSet = &images.SubResource{
+				Id: utils.String(id),
+			}
+		}
+
 		if features.FourPointOhBeta() {
 			item.StorageAccountType = pointer.To(images.StorageAccountTypes(config["storage_type"].(string)))
 		}
@@ -513,13 +526,18 @@ func flattenImageDataDisks(input *images.ImageStorageProfile) []interface{} {
 				if disk.ManagedDisk != nil && disk.ManagedDisk.Id != nil {
 					managedDiskId = *disk.ManagedDisk.Id
 				}
+				diskEncryptionSetId := ""
+				if set := disk.DiskEncryptionSet; set != nil && set.Id != nil {
+					diskEncryptionSetId = *set.Id
+				}
 
 				properties := map[string]interface{}{
-					"blob_uri":        blobUri,
-					"caching":         caching,
-					"lun":             int(disk.Lun),
-					"managed_disk_id": managedDiskId,
-					"size_gb":         diskSizeGb,
+					"blob_uri":               blobUri,
+					"caching":                caching,
+					"lun":                    int(disk.Lun),
+					"managed_disk_id":        managedDiskId,
+					"size_gb":                diskSizeGb,
+					"disk_encryption_set_id": diskEncryptionSetId,
 				}
 
 				if features.FourPointOhBeta() {

internal/services/compute/image_resource_test.go

@@ -859,6 +859,24 @@ func (r ImageResource) standaloneImageEncrypt(data acceptance.TestData) string {
   }`
 	}
 
+	dataDisk := `
+  data_disk {
+    blob_uri               = "${azurerm_storage_account.test.primary_blob_endpoint}${azurerm_storage_container.test.name}/myosdisk1.vhd"
+    size_gb                = 30
+    caching                = "None"
+    disk_encryption_set_id = azurerm_disk_encryption_set.test.id
+    storage_type           = "StandardSSD_LRS"
+    }`
+	if !features.FourPointOhBeta() {
+		dataDisk = `
+    data_disk {
+      blob_uri               = "${azurerm_storage_account.test.primary_blob_endpoint}${azurerm_storage_container.test.name}/myosdisk1.vhd"
+      size_gb                = 30
+      caching                = "None"
+      disk_encryption_set_id = azurerm_disk_encryption_set.test.id
+  }`
+	}
+
 	return fmt.Sprintf(`
 %[1]s
 
@@ -872,7 +890,6 @@ resource "azurerm_key_vault" "test" {
   sku_name                    = "standard"
   purge_protection_enabled    = true
   enabled_for_disk_encryption = true
-
 }
 
 resource "azurerm_key_vault_access_policy" "service-principal" {
@@ -952,12 +969,14 @@ resource "azurerm_image" "test" {
 
   %[4]s
 
+  %[5]s
+
   tags = {
     environment = "Dev"
     cost-center = "Ops"
   }
 }
-`, template, data.RandomInteger, data.RandomString, osDisk)
+`, template, data.RandomInteger, data.RandomString, osDisk, dataDisk)
 }
 
 func (ImageResource) template(data acceptance.TestData) string {

website/docs/r/image.html.markdown

@@ -54,7 +54,7 @@ The `os_disk` block supports the following:
 * `blob_uri` - (Optional) Specifies the URI in Azure storage of the blob that you want to use to create the image. Changing this forces a new resource to be created.
 * `caching` - (Optional) Specifies the caching mode as `ReadWrite`, `ReadOnly`, or `None`. The default is `None`.
 * `size_gb` - (Optional) Specifies the size of the image to be created. Changing this forces a new resource to be created.
-* `disk_encryption_set_id` - (Optional) The ID of the Disk Encryption Set which should be used to encrypt this image. Changing this forces a new resource to be created.
+* `disk_encryption_set_id` - (Optional) The ID of the Disk Encryption Set which should be used to encrypt this disk. Changing this forces a new resource to be created.
 
 ---
 
@@ -65,6 +65,7 @@ The `data_disk` block supports the following:
 * `blob_uri` - (Optional) Specifies the URI in Azure storage of the blob that you want to use to create the image.
 * `caching` - (Optional) Specifies the caching mode as `ReadWrite`, `ReadOnly`, or `None`. Defaults to `None`.
 * `size_gb` - (Optional) Specifies the size of the image to be created. The target size can't be smaller than the source size.
+* `disk_encryption_set_id` - (Optional) The ID of the Disk Encryption Set which should be used to encrypt this disk. Changing this forces a new resource to be created.
 
 ## Attributes Reference