Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azurerm_windows_virtual_machine - Allow update of OS disk encryption settings #6846

Merged
merged 1 commit into from
May 11, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -887,7 +887,7 @@ func resourceLinuxVirtualMachineUpdate(d *schema.ResourceData, meta interface{})
}

if err := future.WaitForCompletionRef(ctx, client.Client); err != nil {
return fmt.Errorf("Error waiting to update encryption settings of of OS Disk %q for Linux Virtual Machine %q (Resource Group %q): %+v", diskName, id.Name, id.ResourceGroup, err)
return fmt.Errorf("Error waiting to update encryption settings of OS Disk %q for Linux Virtual Machine %q (Resource Group %q): %+v", diskName, id.Name, id.ResourceGroup, err)
}

log.Printf("[DEBUG] Updating encryption settings of OS Disk %q for Linux Virtual Machine %q (Resource Group %q) to %q.", diskName, id.Name, id.ResourceGroup, diskEncryptionSetId)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -149,24 +149,38 @@ func TestAccWindowsVirtualMachine_diskOSDiskEncryptionSet(t *testing.T) {
CheckDestroy: checkWindowsVirtualMachineIsDestroyed,
Steps: []resource.TestStep{
{
// TODO: After applying soft-delete and purge-protection in keyVault, this extra step can be removed.
Config: testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetDependencies(data),
Config: testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetEncrypted(data),
Check: resource.ComposeTestCheckFunc(
enableSoftDeleteAndPurgeProtectionForKeyVault("azurerm_key_vault.test"),
checkWindowsVirtualMachineExists(data.ResourceName),
),
},
data.ImportStep("admin_password"),
},
})
}

func TestAccWindowsVirtualMachine_diskOSDiskEncryptionSetUpdate(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_windows_virtual_machine", "test")

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.PreCheck(t) },
Providers: acceptance.SupportedProviders,
CheckDestroy: checkWindowsVirtualMachineIsDestroyed,
Steps: []resource.TestStep{
{
Config: testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetResource(data),
Config: testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetUnencrypted(data),
Check: resource.ComposeTestCheckFunc(
checkWindowsVirtualMachineExists(data.ResourceName),
),
},
data.ImportStep("admin_password"),
{
Config: testWindowsVirtualMachine_diskOSDiskDiskEncryptionSet(data),
Config: testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetEncrypted(data),
Check: resource.ComposeTestCheckFunc(
checkWindowsVirtualMachineExists(data.ResourceName),
),
},
data.ImportStep(
"admin_password",
),
data.ImportStep("admin_password"),
},
})
}
Expand Down Expand Up @@ -479,6 +493,10 @@ func testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetDependencies(data acce
location := "westus2"

return fmt.Sprintf(`
provider "azurerm" {
features {}
}

# note: whilst these aren't used in all tests, it saves us redefining these everywhere
locals {
vm_name = "acctestvm%s"
Expand All @@ -497,6 +515,8 @@ resource "azurerm_key_vault" "test" {
resource_group_name = azurerm_resource_group.test.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
soft_delete_enabled = true
purge_protection_enabled = true
enabled_for_disk_encryption = true
}

Expand Down Expand Up @@ -602,7 +622,43 @@ resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
`, template, data.RandomInteger)
}

func testWindowsVirtualMachine_diskOSDiskDiskEncryptionSet(data acceptance.TestData) string {
func testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetUnencrypted(data acceptance.TestData) string {
template := testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetResource(data)
return fmt.Sprintf(`
%s

resource "azurerm_windows_virtual_machine" "test" {
name = local.vm_name
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
size = "Standard_F2"
admin_username = "adminuser"
admin_password = "P@$$w0rd1234!"
network_interface_ids = [
azurerm_network_interface.test.id,
]

os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}

source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}

depends_on = [
"azurerm_role_assignment.disk-encryption-read-keyvault",
"azurerm_key_vault_access_policy.disk-encryption",
]
}
`, template)
}

func testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetEncrypted(data acceptance.TestData) string {
template := testWindowsVirtualMachine_diskOSDiskDiskEncryptionSetResource(data)
return fmt.Sprintf(`
%s
Expand All @@ -620,8 +676,8 @@ resource "azurerm_windows_virtual_machine" "test" {

os_disk {
caching = "ReadWrite"
disk_encryption_set_id = azurerm_disk_encryption_set.test.id
storage_account_type = "Standard_LRS"
disk_encryption_set_id = azurerm_disk_encryption_set.test.id
}

source_image_reference {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -891,6 +891,37 @@ func resourceWindowsVirtualMachineUpdate(d *schema.ResourceData, meta interface{
log.Printf("[DEBUG] Resized OS Disk %q for Windows Virtual Machine %q (Resource Group %q) to %dGB.", diskName, id.Name, id.ResourceGroup, newSize)
}

if d.HasChange("os_disk.0.disk_encryption_set_id") {
if diskEncryptionSetId := d.Get("os_disk.0.disk_encryption_set_id").(string); diskEncryptionSetId != "" {
diskName := d.Get("os_disk.0.name").(string)
log.Printf("[DEBUG] Updating encryption settings of OS Disk %q for Windows Virtual Machine %q (Resource Group %q) to %q..", diskName, id.Name, id.ResourceGroup, diskEncryptionSetId)

disksClient := meta.(*clients.Client).Compute.DisksClient

update := compute.DiskUpdate{
DiskUpdateProperties: &compute.DiskUpdateProperties{
Encryption: &compute.Encryption{
Type: compute.EncryptionAtRestWithCustomerKey,
DiskEncryptionSetID: utils.String(diskEncryptionSetId),
},
},
}

future, err := disksClient.Update(ctx, id.ResourceGroup, diskName, update)
if err != nil {
return fmt.Errorf("Error updating encryption settings of OS Disk %q for Windows Virtual Machine %q (Resource Group %q): %+v", diskName, id.Name, id.ResourceGroup, err)
}

if err := future.WaitForCompletionRef(ctx, client.Client); err != nil {
return fmt.Errorf("Error waiting to update encryption settings of OS Disk %q for Windows Virtual Machine %q (Resource Group %q): %+v", diskName, id.Name, id.ResourceGroup, err)
}

log.Printf("[DEBUG] Updating encryption settings of OS Disk %q for Windows Virtual Machine %q (Resource Group %q) to %q.", diskName, id.Name, id.ResourceGroup, diskEncryptionSetId)
} else {
return fmt.Errorf("Once a customer-managed key is used, you can’t change the selection back to a platform-managed key")
}
}

if shouldUpdate {
log.Printf("[DEBUG] Updating Windows Virtual Machine %q (Resource Group %q)..", id.Name, id.ResourceGroup)
future, err := client.Update(ctx, id.ResourceGroup, id.Name, update)
Expand Down