
azure_virtual_machine_extension does not enable disk encryption on Azure VM #1193

Closed
danielhelfand opened this issue May 3, 2018 · 2 comments

Comments


danielhelfand commented May 3, 2018

I am trying to use an azure_virtual_machine_extension to encrypt the disks of a VM also created by Terraform. My VM has an OS disk and a data disk. The data disk is a managed disk created by Terraform.

I am not sure if there is something wrong with my config or if this is a known issue. At the very least, it would be nice to have an example of how to do this.

Terraform Version

Terraform v0.11.5
+ provider.azurerm v1.4.0
+ provider.null v1.0.0
+ provider.random v1.2.0

Affected Resource(s)

  • azure_virtual_machine
  • azure_virtual_machine_extension

Terraform Configuration Files

```hcl
# Resource where module args are passed to:
resource "azurerm_virtual_machine_extension" "vm_extension" {
  name                       = "${var.vm_ext_name}"
  location                   = "${var.arm_location}"
  resource_group_name        = "${var.vm_ext_resource_group_name}"
  virtual_machine_name       = "${var.vm_ext_virtual_machine_name}"
  publisher                  = "${var.vm_ext_publisher}"
  type                       = "${var.vm_ext_type}"
  type_handler_version       = "${var.vm_ext_type_handler_version}"
  auto_upgrade_minor_version = "${var.vm_ext_auto_upgrade_minor_version}"
  settings                   = "${var.vm_ext_settings}"
  tags                       = "${var.global_tags}"
}

# Module with args:
module "create-vm-extension" {
  source                      = "../../terraform_module/vm_extension"
  vm_ext_name                 = "AzureDiskEncryptionForLinux"
  arm_location                = "centralus"
  vm_ext_resource_group_name  = "${module.create-resource-group.resource_group_name}"
  vm_ext_virtual_machine_name = "${module.create-linux-vm.linux_vm_name}"
  vm_ext_publisher            = "Microsoft.Azure.Security"
  vm_ext_type                 = "AzureDiskEncryptionForLinux"
  vm_ext_type_handler_version = "0.1"
  vm_ext_settings             = <<SETTINGS
    {
      "AADClientCertThumbprint": null,
      "AADClientID": "<my_client_id>",
      "EncryptionOperation": "EnableEncryption",
      "KeyEncryptionAlgorithm": "RSA-OAEP",
      "KeyEncryptionKeyURL": null,
      "KeyVaultURL": "https://linuxvmexample.vault.azure.net",
      "VolumeType": "ALL"
    }
SETTINGS
  vm_ext_auto_upgrade_minor_version = true
}
```

Expected Behavior

The azure_virtual_machine_extension should enable disk encryption on the VM it is attached to.

Actual Behavior

The azure_virtual_machine_extension is created successfully, but disk encryption isn't enabled on the VM's disks.

Important Factoids

The azure_virtual_machine_extension is created successfully. Running the following Azure CLI command enables the extension on the VM it is associated with:

```sh
az vm encryption enable --aad-client-id "<my_client_id>" --disk-encryption-keyvault linuxvmexample --name example-linux-vm --resource-group linux-vm-resource-group-example-resource-group --aad-client-secret "<my_client_secret>" --volume-type ALL
```

This command is not creating a new extension as running a terraform destroy still correctly removes the extension created by terraform and no new extensions appear with the VM in the Azure Portal.

The only difference I can find after running az vm extension list before and after running the az vm encryption command is the addition of a SequenceVersion key-value pair.
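As an added example (not code from the issue, the provider or the extension), a small check that validates an AzureDiskEncryptionForLinux settings document like the one above before it is applied. The key names come from the settings block in the issue; the allowed values and the rule that a client secret (in protected settings) or certificate thumbprint must accompany AADClientID are assumptions drawn from the CLI command, which passes an AAD client secret the settings block never carries.

```python
# Added example, not from the issue: sanity-check an AzureDiskEncryptionForLinux
# settings document before handing it to the extension. Key names follow the
# settings block in the issue; the credential rule is an assumption drawn from the
# CLI command, which passes an AAD client secret that the settings block never carries.
import json

REQUIRED = ("AADClientID", "EncryptionOperation", "KeyVaultURL", "VolumeType")
VOLUME_TYPES = {"os", "data", "all"}
OPERATIONS = {"EnableEncryption", "DisableEncryption"}
KEK_ALGORITHMS = {"RSA-OAEP", "RSA-OAEP-256", "RSA1_5"}


def check_ade_settings(settings_json, protected_settings=None):
    """Return the problems found; an empty list means the document looks usable."""
    settings = json.loads(settings_json)
    protected = protected_settings or {}
    problems = [f"missing or null {k}" for k in REQUIRED if not settings.get(k)]

    if settings.get("EncryptionOperation") not in OPERATIONS:
        problems.append("EncryptionOperation must be EnableEncryption or DisableEncryption")
    if str(settings.get("VolumeType", "")).lower() not in VOLUME_TYPES:
        problems.append("VolumeType must be OS, Data or All")
    if not (settings.get("KeyVaultURL") or "").startswith("https://"):
        problems.append("KeyVaultURL must be an https:// Key Vault URL")
    # A key encryption key is optional, but when one is named its algorithm must be valid.
    if settings.get("KeyEncryptionKeyURL") and settings.get("KeyEncryptionAlgorithm") not in KEK_ALGORITHMS:
        problems.append("KeyEncryptionAlgorithm must be set when KeyEncryptionKeyURL is given")
    # The handler signs in to Key Vault as the AAD app, so it needs a client secret
    # (carried in protected settings, never in plain settings) or a cert thumbprint.
    if not protected.get("AADClientSecret") and not settings.get("AADClientCertThumbprint"):
        problems.append("no AAD credential: put AADClientSecret in protected settings "
                        "or set AADClientCertThumbprint")
    return problems


# Constructed sample mirroring the settings block from the issue (client id is a placeholder).
ISSUE_SETTINGS = json.dumps({
    "AADClientCertThumbprint": None,
    "AADClientID": "<my_client_id>",
    "EncryptionOperation": "EnableEncryption",
    "KeyEncryptionAlgorithm": "RSA-OAEP",
    "KeyEncryptionKeyURL": None,
    "KeyVaultURL": "https://linuxvmexample.vault.azure.net",
    "VolumeType": "ALL",
})

if __name__ == "__main__":
    for problem in check_ade_settings(ISSUE_SETTINGS):
        print("-", problem)
```

Run against the issue's own settings block, the check reports only the missing AAD credential; with an AADClientSecret supplied in protected settings it reports nothing.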

@tombuildsstuff (Contributor)

hi @danielhelfand

Thanks for opening this issue :)

At this time the Azure Provider doesn't support Disk Encryption on Virtual Machines using the azurerm_virtual_machine resource - however it's something we're looking to support in the near future. There's a feature request open for this in #486, which I'm going to close this in favour of.

Thanks!


ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020