Overview/Summary
ENHANCEMENT #568
This PR adds the capability to enable Azure Disk Encryption instead of Encryption At Host. Azure Disk Encryption gets deployed to all of the Session Hosts as well as the Management VM and the key is stored in the same key vault in the zeroTrust module. Azure Disk Encryption is needed in situations where Intune validates encryption status for "Compliant Devices". Encryption At Host is unable to report the encryption status to Intune, but Azure Disk Encryption will report the status to Intune because it uses Bitlocker.
Also fixed a couple typos.
This PR fixes/adds/changes/removes
Adds the Key Vault Key Uri output to the Key Vault CARML module
Adds 'encryptionAtHost' and 'azureDiskEncryption' variables to the bicep templates to deploy different types of encryption to the session hosts and management VM.
Removed all "User Assigned Managed Identity" sections that were commented out because these are not used
Separated the Encryption deployment from the diskZeroTrust variable. The diskZeroTrust variable will now only deploy the Azure Policies for the disk. The encryption is controlled using one of the two new variables (depending on which type of encryption you want to use.)
Updated documentation
Updated Portal UI so that the new variables are displayed and you can only select one or the other, not both.
Breaking Changes
If you use the diskZeroTrust variable to encrypt the disks, it will no longer do that. Instead, you will have to set 'encryptionAtHost' to true for that encryption to be enabled like it was before this PR. Alternatively, you can use the new 'azureDiskEncryption'.
Testing Evidence
As part of this Pull Request I have
[X] Read the Contribution Guide and ensured this PR is compliant with the guide
[X] Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible
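As an added example, not the repository's own template, this sketches how the two new booleans described above could drive the two encryption paths on one session host: 'encryptionAtHost' as a VM property and 'azureDiskEncryption' as the ADE guest extension, with the template refusing to deploy both. The VM size, image SKU, NIC and the key vault and Key Uri parameters are assumptions (the PR says the vault and key come from the zeroTrust module).

```bicep
// Added example, not the project's own template. All names are hypothetical placeholders.
param vmName string
param location string = resourceGroup().location
param adminUsername string
@secure()
param adminPassword string
param nicId string
param keyVaultName string      // assumed: vault deployed by the zeroTrust module
param keyVaultKeyUri string    // assumed: the Key Vault Key Uri output this PR adds
param encryptionAtHost bool = false    // platform encryption; not visible to Intune
param azureDiskEncryption bool = false // BitLocker via ADE; reported to Intune

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D4s_v5' } // size must support Encryption At Host
    osProfile: { computerName: vmName, adminUsername: adminUsername, adminPassword: adminPassword }
    storageProfile: {
      imageReference: { publisher: 'MicrosoftWindowsDesktop', offer: 'windows-11', sku: 'win11-23h2-avd', version: 'latest' }
      osDisk: { createOption: 'FromImage', managedDisk: { storageAccountType: 'Premium_LRS' } }
    }
    networkProfile: { networkInterfaces: [ { id: nicId } ] }
    // Encryption At Host is a VM property; only set it when that option is chosen.
    securityProfile: encryptionAtHost ? { encryptionAtHost: true } : null
  }
}

// Azure Disk Encryption is a guest extension; deployed only when chosen and never alongside EAH.
resource ade 'Microsoft.Compute/virtualMachines/extensions@2023-09-01' = if (azureDiskEncryption && !encryptionAtHost) {
  parent: vm
  name: 'AzureDiskEncryption'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Security'
    type: 'AzureDiskEncryption'
    typeHandlerVersion: '2.2'
    autoUpgradeMinorVersion: true
    settings: {
      EncryptionOperation: 'EnableEncryption'
      KeyVaultURL: keyVault.properties.vaultUri   // vault holding the BitLocker secrets
      KeyVaultResourceID: keyVault.id
      KeyEncryptionKeyURL: keyVaultKeyUri         // key-wrapping key (KEK) in the same vault
      KekVaultResourceID: keyVault.id
      KeyEncryptionAlgorithm: 'RSA-OAEP'
      VolumeType: 'All'
    }
  }
}
```

The ADE path requires the vault to have enabledForDiskEncryption set, and only that path produces the BitLocker status that Intune's compliance check reads.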