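# Example: Linux VM whose OS disk is encrypted with a customer-managed key
# held in Azure Key Vault, via a Disk Encryption Set (DES).
#
# Provider pinned: several arguments below (soft_delete_enabled,
# address_prefix, identity.0.* indexing) belong to the 2.x provider line.
provider "azurerm" {
  version = "=2.25.0"
  features {}
}

# Identity of the principal running Terraform; granted the vault access
# policy below so it can create the key.
data "azurerm_client_config" "current" {}

# Generated SSH key pair.
# NOTE(review): nothing in this configuration consumes this key (the VM is
# given file("~/.ssh/id_rsa.pub") instead), and the private key material is
# persisted in Terraform state like any resource attribute.
resource "tls_private_key" "example_ssh" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Fix: the value was a quoted string literal, so the output printed the text
# "tls_private_key.example_ssh.private_key_pem" rather than the key. It is now
# a real reference, and marked sensitive so the PEM is redacted from
# plan/apply output (it is still present in state).
output "tls_private_key" {
  value     = tls_private_key.example_ssh.private_key_pem
  sensitive = true
}

resource "azurerm_resource_group" "example" {
  name     = "Encrypt-resources"
  location = "North Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "Encrypt-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "internal" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefix       = "10.0.2.0/24"
}

# Private NIC only: no public IP is attached, so the VM is not directly
# reachable from the Internet.
resource "azurerm_network_interface" "example" {
  name                = "Encrypt-nic"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "testconfiguration1"
    subnet_id                     = azurerm_subnet.internal.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_key_vault" "example" {
  name                = "TF-keyvault-omersh"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # Soft delete and purge protection are required for a vault whose keys
  # back a disk encryption set; purge protection cannot be disabled once on,
  # so destroying this vault leaves it recoverable-only until it expires.
  soft_delete_enabled         = true
  enabled_for_disk_encryption = true
  purge_protection_enabled    = true
  enabled_for_deployment      = true

  # "premium" is only needed for HSM-protected key types; the key created
  # below is a software-protected RSA key.
  sku_name = "premium"

  # Access Policy for Terraform User.
  # Broad key/secret/certificate rights for the principal running Terraform;
  # only key Create/Get are exercised by this configuration.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
    ]

    secret_permissions = [
      "Get",
      "List",
      "Set",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
    ]

    certificate_permissions = [
      "Get",
      "List",
      "Update",
      "Create",
      "Import",
      "Delete",
      "Recover",
      "Backup",
      "Restore",
      "ManageContacts",
      "ManageIssuers",
      "GetIssuers",
      "ListIssuers",
      "SetIssuers",
      "DeleteIssuers",
    ]
  }
}

# Customer-managed key that wraps the disk encryption keys. The DES only
# needs wrapKey/unwrapKey; the other operations are enabled but unused here.
resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-omersh"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

# The DES gets a system-assigned identity; that identity (not the Terraform
# user) is what must be allowed to reach the key at disk-creation time.
resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}

# Vault access for the DES identity. NOTE(review): the secret and storage
# permissions are not required for disk encryption (keys only); consider
# dropping them to keep the DES identity least-privilege.
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity.0.principal_id

  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]

  secret_permissions = [
    "get",
    "list",
  ]

  storage_permissions = [
    "get",
  ]
}

# Control-plane read on the vault resource for the DES identity (data-plane
# access is governed by the access policy above).
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
}

resource "azurerm_linux_virtual_machine" "example" {
  name                = "example-vm"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  size                = "Standard_F2"
  admin_username      = "adminuser"

  # Key-only login; no password is set on the admin account.
  disable_password_authentication = true

  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]

  # Fix: Terraform only infers a dependency on the DES itself (via its id in
  # os_disk). The access policy and role assignment that let the DES identity
  # use the key are separate resources, so without this the VM/OS disk can be
  # created before the DES is able to reach the key and the create fails.
  depends_on = [
    azurerm_key_vault_access_policy.disk-encryption,
    azurerm_role_assignment.disk-encryption-read-keyvault,
  ]

  admin_ssh_key {
    username   = "adminuser"
    public_key = file("~/.ssh/id_rsa.pub")
  }

  os_disk {
    caching                = "ReadWrite"
    disk_encryption_set_id = azurerm_disk_encryption_set.example.id
    storage_account_type   = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }
}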