hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_site_recovery_replicated_vm target_disk_encryption block values unknown before onboarding #18347

Open darren-johnson opened 2 years ago

darren-johnson commented 2 years ago

Terraform Version

1.2.8

AzureRM Provider Version

3.22.0

Affected Resource(s)/Data Source(s)

azurerm_site_recovery_replicated_vm

Terraform Configuration Files

resource "azurerm_site_recovery_replicated_vm" "vm-replication" {
  name                                      = "vm-replication"
  resource_group_name                       = azurerm_resource_group.secondary.name
  recovery_vault_name                       = azurerm_recovery_services_vault.vault.name
  source_recovery_fabric_name               = azurerm_site_recovery_fabric.primary.name
  source_vm_id                              = azurerm_virtual_machine.vm.id
  recovery_replication_policy_id            = azurerm_site_recovery_replication_policy.policy.id
  source_recovery_protection_container_name = azurerm_site_recovery_protection_container.primary.name

  target_resource_group_id                = azurerm_resource_group.secondary.id
  target_recovery_fabric_id               = azurerm_site_recovery_fabric.secondary.id
  target_recovery_protection_container_id = azurerm_site_recovery_protection_container.secondary.id

  managed_disk {
    disk_id                    = azurerm_virtual_machine.vm.storage_os_disk[0].managed_disk_id
    staging_storage_account_id = azurerm_storage_account.primary.id
    target_resource_group_id   = azurerm_resource_group.secondary.id
    target_disk_type           = "Premium_LRS"
    target_replica_disk_type   = "Premium_LRS"
    # target_disk_encryption and its nested keys are nested blocks in the
    # provider schema, so they are written with block syntax, not `= [ { } ]`
    target_disk_encryption {
      disk_encryption_key {
        secret_url = data.azurerm_key_vault_secret.disk_encryption.id
        vault_id   = data.azurerm_key_vault.target.id
      }
      key_encryption_key {
        key_url  = data.azurerm_key_vault_key.disk_encryption.id
        vault_id = data.azurerm_key_vault.target.id
      }
    }
  }

  network_interface {
    source_network_interface_id   = azurerm_network_interface.vm.id
    target_subnet_name            = azurerm_subnet.secondary.name
    recovery_public_ip_address_id = azurerm_public_ip.secondary.id
  }

  depends_on = [
    azurerm_site_recovery_protection_container_mapping.container-mapping,
    azurerm_site_recovery_network_mapping.network-mapping,
  ]
}

Debug Output/Panic Output

N/A

Expected Behaviour

When onboarding a VM that uses disk encryption to Azure Site Recovery via the portal, you are prompted for a target key vault.

At this point the target key vault key and secret do not exist, therefore it is impossible to supply these in the code before the VM is onboarded.

This could be amended so that instead the Target Key Vault ID is requested.

Therefore the block below could simply be replaced by the argument target_key_vault_id.

target_disk_encryption {
  disk_encryption_key {
    secret_url = data.azurerm_key_vault_secret.disk_encryption.id
    vault_id   = data.azurerm_key_vault.target.id
  }
  key_encryption_key {
    key_url  = data.azurerm_key_vault_key.disk_encryption.id
    vault_id = data.azurerm_key_vault.target.id
  }
}

This was previously requested in issue #7239 but wasn't implemented.

Hopefully this is enough to get this resource fixed.

Actual Behaviour

No response

Steps to Reproduce

No response

Important Factoids

No response

References

No response

ziyeqf commented 1 year ago

Hi @darren-johnson, thanks for opening the issue.

Did you mean that there will be a new Key Vault for the replica disk, that the Key Vault does not exist before the VM is onboarded, and that there should be a property target_key_vault_id so that the provider copies the encryption key from the original Key Vault to it?

In my opinion, for a replica disk, the encryption settings should be the same ones in the same Key Vault instead of copying the encryption key to a new Key Vault. Therefore, the disk_encryption_key property could use the same one as the original disk, which is known at this point.

For example the config could be as below:

data "azurerm_managed_disk" "example" {
  name                = azurerm_windows_virtual_machine.example.os_disk[0].name
  resource_group_name = azurerm_windows_virtual_machine.example.resource_group_name
}

resource "azurerm_site_recovery_replicated_vm" "example" {
...
  managed_disk {
...
    target_disk_encryption {
      disk_encryption_key {
        secret_url = data.azurerm_managed_disk.example.encryption_settings[0].disk_encryption_key[0].secret_url
        vault_id   = data.azurerm_managed_disk.example.encryption_settings[0].disk_encryption_key[0].source_vault_id
      }
    }
  }

}

If this helps, or if I have misunderstood the issue, or if you have any further questions, please leave comments.
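The suggestion above is that the replica disk should reference exactly the same secret, key and vault as the source disk. One way to verify that after an apply is to compare the two sides in `terraform show -json` output. The following is an added example written for this thread, not code from the provider or from either commenter. It assumes the documented `terraform show -json` layout (`values.root_module.resources[].values`) and the attribute names used in the configs above (`encryption_settings[].disk_encryption_key[].secret_url` / `source_vault_id` on the `azurerm_managed_disk` data source, and `managed_disk[].target_disk_encryption[].disk_encryption_key[].secret_url` / `vault_id` on the replicated VM). The state document, vault IDs and URLs are constructed sample values, not real resources.

```python
"""Check that a replicated VM's target_disk_encryption matches the source disk's
encryption_settings in `terraform show -json` output (added example)."""
import json
from typing import Dict, Iterator, List

# Constructed placeholder identifiers (all-zero subscription, made-up names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PRIMARY_VAULT = SUB + "/resourceGroups/rg-primary/providers/Microsoft.KeyVault/vaults/kv-primary"
SECONDARY_VAULT = SUB + "/resourceGroups/rg-secondary/providers/Microsoft.KeyVault/vaults/kv-secondary"
OS_DISK = SUB + "/resourceGroups/rg-primary/providers/Microsoft.Compute/disks/vm-osdisk"
BEK_URL = "https://kv-primary.vault.azure.net/secrets/osdisk-bek/0000000000000000"
KEK_URL = "https://kv-primary.vault.azure.net/keys/osdisk-kek/0000000000000000"


def sample_state(target_kek_vault_id: str) -> str:
    """Constructed `terraform show -json`-shaped document (not a real state file).
    The replica's key_encryption_key vault is a parameter so a mismatch can be shown."""
    source_disk = {
        "address": "data.azurerm_managed_disk.example", "mode": "data",
        "type": "azurerm_managed_disk", "name": "example",
        "values": {"id": OS_DISK, "encryption_settings": [{
            "disk_encryption_key": [{"secret_url": BEK_URL, "source_vault_id": PRIMARY_VAULT}],
            "key_encryption_key": [{"key_url": KEK_URL, "source_vault_id": PRIMARY_VAULT}],
        }]},
    }
    replicated_vm = {
        "address": "azurerm_site_recovery_replicated_vm.example", "mode": "managed",
        "type": "azurerm_site_recovery_replicated_vm", "name": "example",
        "values": {"managed_disk": [{"disk_id": OS_DISK, "target_disk_encryption": [{
            "disk_encryption_key": [{"secret_url": BEK_URL, "vault_id": PRIMARY_VAULT}],
            "key_encryption_key": [{"key_url": KEK_URL, "vault_id": target_kek_vault_id}],
        }]}]},
    }
    return json.dumps({"format_version": "1.0", "values": {
        "root_module": {"resources": [source_disk, replicated_vm]}}})


def _walk_resources(module: dict) -> Iterator[dict]:
    """Yield resources from a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def _compare(where: str, kind: str, src: List[dict], tgt: List[dict], url_key: str) -> List[str]:
    """Compare one nested key block; the source side names the vault
    `source_vault_id`, the replica side `vault_id`. IDs and URLs are compared
    case-insensitively because Azure resource IDs are not case-sensitive."""
    s = src[0] if src else {}
    t = tgt[0] if tgt else {}
    out = []
    if (s.get(url_key) or "").lower() != (t.get(url_key) or "").lower():
        out.append(f"{where}: {kind}.{url_key} differs from source ({s.get(url_key)} vs {t.get(url_key)})")
    if (s.get("source_vault_id") or "").lower() != (t.get("vault_id") or "").lower():
        out.append(f"{where}: {kind}.vault_id differs from source vault "
                   f"({s.get('source_vault_id')} vs {t.get('vault_id')})")
    return out


def check_replica_encryption(state_json: str) -> List[str]:
    """Return one finding per replicated disk whose target_disk_encryption does
    not reference the same secret, key and vault as its source managed disk."""
    state = json.loads(state_json)
    resources = list(_walk_resources(state["values"]["root_module"]))
    # Index every azurerm_managed_disk (data source or resource) by ID.
    sources: Dict[str, List[dict]] = {
        r["values"]["id"].lower(): r["values"].get("encryption_settings") or []
        for r in resources if r["type"] == "azurerm_managed_disk"
    }
    findings: List[str] = []
    for r in resources:
        if r["type"] != "azurerm_site_recovery_replicated_vm":
            continue
        for md in r["values"].get("managed_disk") or []:
            where = f"{r['address']} managed_disk {md['disk_id']}"
            src = sources.get(md["disk_id"].lower())
            if src is None:
                findings.append(f"{where}: source disk not present in state, cannot compare")
                continue
            tgt = md.get("target_disk_encryption") or []
            if not src and not tgt:
                continue  # unencrypted source and no target settings: consistent
            if bool(src) != bool(tgt):
                findings.append(f"{where}: encryption configured on only one side")
                continue
            s0, t0 = src[0], tgt[0]
            findings += _compare(where, "disk_encryption_key",
                                 s0.get("disk_encryption_key") or [],
                                 t0.get("disk_encryption_key") or [], "secret_url")
            findings += _compare(where, "key_encryption_key",
                                 s0.get("key_encryption_key") or [],
                                 t0.get("key_encryption_key") or [], "key_url")
    return findings


if __name__ == "__main__":
    for finding in check_replica_encryption(sample_state(SECONDARY_VAULT)):
        print(finding)
```

Run against real output with `terraform show -json | python check.py` after replacing `sample_state(...)` with `sys.stdin.read()`; an empty result means every replica disk points at the same secret, key and vault as its source, which is the consistency the comment above argues for.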