hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

disk_encryption_set doesn't support referencing a key in a managed HSM key vault in the key_vault_key_id #21470

Closed sgettys closed 2 months ago

sgettys commented 1 year ago

Terraform Version

1.4.5

AzureRM Provider Version

3.52.0

Affected Resource(s)/Data Source(s)

azurerm_disk_encryption_set

Terraform Configuration Files

resource "azurerm_disk_encryption_set" "des" {
  name                = "des-test"
  resource_group_name = var.resource_group_name
  location            = var.location
  key_vault_key_id    = var.key_id
  encryption_type     = var.encryption_type

  identity {
    type         = "SystemAssigned"
  }
}

Debug Output/Panic Output

Error: validating Key Vault Key "https://******.managedhsm.azure.net/keys/***/***" for Disk Encryption Set: retrieving the Resource ID the Key Vault at URL "https://******.managedhsm.azure.net/": expected a URI in the format `the-keyvault-name.vault.**` but got "******.managedhsm.azure.net"

Expected Behaviour

The provider should allow keys in managed HSMs to be used for disk encryption sets. Tested with the az CLI: creating a new DES with managed HSM key URIs is supported.

Actual Behaviour

Resource failed provider validation due to the logic in the base URL parsing: https://github.com/hashicorp/terraform-provider-azurerm/blob/9a8299335488b18860282d391842e09c78d68ac5/internal/services/keyvault/client/helpers.go#L182

Steps to Reproduce

  1. Create a key in a managed HSM
  2. Use that key in the azurerm_disk_encryption_set resource

Important Factoids

No response

References

No response
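The failing check quoted above only recognises hostnames shaped like `the-keyvault-name.vault.**`, so a `*.managedhsm.azure.net` URL is rejected before the provider ever talks to Azure. As an added illustration (not the provider's own helper from helpers.go, and written for this thread rather than taken from the project), the Go function below parses a key URL, accepts both Key Vault and Managed HSM endpoints, extracts the vault name, key name and optional version, and still rejects look-alike hosts such as `hsm1.managedhsm.azure.net.example.com`, non-HTTPS URLs and non-key paths. The DNS suffixes are assumed public-cloud values; sovereign clouds use different ones and would need to be added to the table.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// VaultKind distinguishes the two hosted key stores a key URL can point at.
type VaultKind string

const (
	KindKeyVault   VaultKind = "KeyVault"   // https://<name>.vault.azure.net
	KindManagedHSM VaultKind = "ManagedHSM" // https://<name>.managedhsm.azure.net
)

// KeyRef is the parsed form of https://<vault-host>/keys/<key>[/<version>].
type KeyRef struct {
	Kind      VaultKind
	VaultName string
	BaseURL   string // scheme + host, e.g. https://kv1.vault.azure.net
	KeyName   string
	Version   string // "" means "use the current version"
}

// suffixTable lists the hostname suffix of each service (assumed public-cloud
// values; sovereign clouds use other suffixes). A slice keeps matching
// deterministic.
var suffixTable = []struct {
	suffix string
	kind   VaultKind
}{
	{".vault.azure.net", KindKeyVault},
	{".managedhsm.azure.net", KindManagedHSM},
}

// ParseKeyURL accepts a key URL from either service and rejects anything else.
// Matching is on the full host suffix and the remaining label must be a single
// DNS label, so "evil.vault.azure.net.attacker.example" and
// "a.b.vault.azure.net" are both refused.
func ParseKeyURL(raw string) (*KeyRef, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parsing %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("key URL %q must use https", raw)
	}
	host := strings.ToLower(u.Hostname()) // Hostname() drops any port
	var kind VaultKind
	var name string
	for _, entry := range suffixTable {
		if strings.HasSuffix(host, entry.suffix) {
			kind = entry.kind
			name = strings.TrimSuffix(host, entry.suffix)
			break
		}
	}
	if kind == "" || name == "" || strings.Contains(name, ".") {
		return nil, fmt.Errorf("host %q is neither a Key Vault nor a Managed HSM endpoint", host)
	}
	// The path must be /keys/<name> or /keys/<name>/<version>.
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "keys" || parts[1] == "" {
		return nil, fmt.Errorf("path %q is not of the form /keys/<name>[/<version>]", u.Path)
	}
	ref := &KeyRef{
		Kind:      kind,
		VaultName: name,
		BaseURL:   "https://" + host,
		KeyName:   parts[1],
	}
	if len(parts) == 3 {
		ref.Version = parts[2]
	}
	return ref, nil
}

func main() {
	// Constructed sample inputs: one of each kind, then a look-alike host.
	for _, raw := range []string{
		"https://kv1.vault.azure.net/keys/diskkey/abc123",
		"https://hsm1.managedhsm.azure.net/keys/diskkey",
		"https://hsm1.managedhsm.azure.net.example.com/keys/diskkey",
	} {
		ref, err := ParseKeyURL(raw)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s vault=%s key=%s version=%q base=%s\n",
			ref.Kind, ref.VaultName, ref.KeyName, ref.Version, ref.BaseURL)
	}
}
```

A resource that resolves the vault's Azure resource ID from the URL (as the disk encryption set validation does) can branch on `Kind` to look up either a Key Vault or a Managed HSM, which is the split the thread says the provider's helper did not yet make.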

wuxu92 commented 1 year ago

Hi @sgettys, is this issue a dup of #13654? We can support this feature when Terraform can manage MHSM keys, and this work is still in progress in #20855.

sgettys commented 1 year ago

Hi @sgettys, is this issue a dup of #13654? We can support this feature when Terraform can manage MHSM keys, and this work is still in progress in #20855.

@wuxu92 it is similar but not a dupe. That bug is related to validating the ID of the Azure resource, this one is the base URL of the vault itself. Same logic but different codepath. There might be a bigger effort on top of #20855 to determine what resources are compatible with both key vault and mhsm vaults and ensure that the validation and parsing logic supports both.

musteepha commented 1 year ago

Exact same issue as you; we had to disable disk encryption in code to get a deployment.

sgettys commented 1 year ago

Exact same issue as you; we had to disable disk encryption in code to get a deployment.

@musteepha Just an FYI, I have a workaround in place using the azapi resource to create the disk encryption set:

resource "azapi_resource" "des" {
  type      = "Microsoft.Compute/diskEncryptionSets@2022-07-02"
  name      = local.des_name
  location  = var.location
  parent_id = data.azurerm_resource_group.default.id
  identity {
    type         = "UserAssigned"
    identity_ids = [var.user_managed_identity_id]
  }
  body = jsonencode({
    properties = {
      activeKey = {
        keyUrl = var.key_id
        # sourceVault = {
        #   id = "string"
        # }
      }
      encryptionType = var.encryption_type
      #federatedClientId                 = "string"
      #rotationToLatestKeyVersionEnabled = bool
    }
  })
}

Flasheh commented 3 months ago

With the merge of https://github.com/hashicorp/terraform-provider-azurerm/pull/25601, can support for HSM keys be built into the resource?

katbyte commented 3 months ago

@Flasheh yes, the provider now supports creating HSM keys and, with the merge of the parser/validation functions, a PR can now be opened for disk encryption set to support them, following the pattern in the storage account resource with an added mhsm key property.

github-actions[bot] commented 1 month ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.