Skip to content

fix: adding cmk to data disks #5903

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

fix: adding cmk to data disks #5903

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
bd2a3a7
fix: adding cmk to data disks
Dylan-Prins Aug 27, 2025
1d6c837
chore: running Set-AVMModule
Dylan-Prins Aug 27, 2025
e61577a
docs: adding documentation
Dylan-Prins Aug 27, 2025
975f4b4
fix: pester rules
Dylan-Prins Aug 27, 2025
7e863c6
fix: changelog
Dylan-Prins Aug 27, 2025
200655a
fix: docs
Dylan-Prins Sep 19, 2025
742a204
Merge branch 'main' into virtual-machine-cmk
Dylan-Prins Sep 19, 2025
a00c094
fix build
Dylan-Prins Sep 19, 2025
8c2256a
fix changelog
Dylan-Prins Sep 19, 2025
b396162
Merge branch 'main' into virtual-machine-cmk
Dylan-Prins Sep 19, 2025
6f8c789
Merge branch 'main' into virtual-machine-cmk
AlexanderSehr Nov 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions avm/res/compute/virtual-machine/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,16 @@

The latest version of the changelog can be found [here](https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/compute/virtual-machine/CHANGELOG.md).

## 0.20.1

### Changes

- added encryption to Data disks

### Breaking Changes

- Renamed `zone` parameter to `availabilityZone` in public IP config

## 0.20.0

### Changes
Expand Down
33 changes: 22 additions & 11 deletions avm/res/compute/virtual-machine/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,12 +82,12 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:<version>' = {
{
name: 'ipconfig01'
pipConfiguration: {
publicIpNameSuffix: '-pip-01'
zones: [
availabilityZones: [
1
2
3
]
publicIpNameSuffix: '-pip-01'
}
subnetResourceId: '<subnetResourceId>'
}
Expand Down Expand Up @@ -154,12 +154,12 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:<version>' = {
{
"name": "ipconfig01",
"pipConfiguration": {
"publicIpNameSuffix": "-pip-01",
"zones": [
"availabilityZones": [
1,
2,
3
]
],
"publicIpNameSuffix": "-pip-01"
},
"subnetResourceId": "<subnetResourceId>"
}
Expand Down Expand Up @@ -230,12 +230,12 @@ param nicConfigurations = [
{
name: 'ipconfig01'
pipConfiguration: {
publicIpNameSuffix: '-pip-01'
zones: [
availabilityZones: [
1
2
3
]
publicIpNameSuffix: '-pip-01'
}
subnetResourceId: '<subnetResourceId>'
}
Expand Down Expand Up @@ -2734,8 +2734,8 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:<version>' = {
{
name: 'ipconfig01'
pipConfiguration: {
availabilityZones: []
publicIpNameSuffix: '-pip-01'
zones: []
}
subnetResourceId: '<subnetResourceId>'
}
Expand Down Expand Up @@ -2825,8 +2825,8 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:<version>' = {
{
"name": "ipconfig01",
"pipConfiguration": {
"publicIpNameSuffix": "-pip-01",
"zones": []
"availabilityZones": [],
"publicIpNameSuffix": "-pip-01"
},
"subnetResourceId": "<subnetResourceId>"
}
Expand Down Expand Up @@ -2922,8 +2922,8 @@ param nicConfigurations = [
{
name: 'ipconfig01'
pipConfiguration: {
availabilityZones: []
publicIpNameSuffix: '-pip-01'
zones: []
}
subnetResourceId: '<subnetResourceId>'
}
Expand Down Expand Up @@ -4549,6 +4549,7 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:<version>' = {
diskSizeGB: 128
managedDisk: {
diskEncryptionSetResourceId: '<diskEncryptionSetResourceId>'
diskEncryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys'
storageAccountType: 'Premium_LRS'
}
}
Expand Down Expand Up @@ -4626,6 +4627,7 @@ module virtualMachine 'br/public:avm/res/compute/virtual-machine:<version>' = {
"diskSizeGB": 128,
"managedDisk": {
"diskEncryptionSetResourceId": "<diskEncryptionSetResourceId>",
"diskEncryptionType": "EncryptionAtRestWithPlatformAndCustomerKeys",
"storageAccountType": "Premium_LRS"
}
}
Expand Down Expand Up @@ -4685,6 +4687,7 @@ param dataDisks = [
diskSizeGB: 128
managedDisk: {
diskEncryptionSetResourceId: '<diskEncryptionSetResourceId>'
diskEncryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys'
storageAccountType: 'Premium_LRS'
}
}
Expand Down Expand Up @@ -7344,6 +7347,7 @@ The managed disk parameters.
| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`diskEncryptionSetResourceId`](#parameter-datadisksmanageddiskdiskencryptionsetresourceid) | string | Specifies the customer managed disk encryption set resource id for the managed disk. |
| [`diskEncryptionType`](#parameter-datadisksmanageddiskdiskencryptiontype) | string | The type of key used to encrypt the data of the disk. |
| [`id`](#parameter-datadisksmanageddiskid) | string | Specifies the resource id of a pre-existing managed disk. If the disk should be created, this property should be empty. |
| [`storageAccountType`](#parameter-datadisksmanageddiskstorageaccounttype) | string | Specifies the storage account type for the managed disk. Ignored when attaching a pre-existing disk. |

Expand All @@ -7354,6 +7358,13 @@ Specifies the customer managed disk encryption set resource id for the managed d
- Required: No
- Type: string

### Parameter: `dataDisks.managedDisk.diskEncryptionType`

The type of key used to encrypt the data of the disk.

- Required: No
- Type: string

### Parameter: `dataDisks.managedDisk.id`

Specifies the resource id of a pre-existing managed disk. If the disk should be created, this property should be empty.
Expand Down
7 changes: 7 additions & 0 deletions avm/res/compute/virtual-machine/main.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -536,6 +536,10 @@ resource managedDataDisks 'Microsoft.Compute/disks@2024-03-02' = [
diskMBpsReadWrite: dataDisk.?diskMBpsReadWrite
publicNetworkAccess: publicNetworkAccess
networkAccessPolicy: networkAccessPolicy
encryption: {
Copy link
Collaborator

@AlexanderSehr AlexanderSehr Sep 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if the entire property should be conditional / if the deployment works if no encryption is specified, yet the parameters are passed in as

encryption: {
  diskEncryptionSetId: null
  type: null
}

No need to change it now, it should just be tested. However in case it may fail we'd need to change it to e.g.

encryption: !empty(dataDisk.managedDisk.?diskEncryptionSetResourceId) ? {
  diskEncryptionSetId: dataDisk.managedDisk.?diskEncryptionSetResourceId
  type: dataDisk.managedDisk.?type
} : null

or

...(!empty(dataDisk.managedDisk.?diskEncryptionSetResourceId)  ? { encryption: {
  diskEncryptionSetId: dataDisk.managedDisk.?diskEncryptionSetResourceId
  type: dataDisk.managedDisk.?type
} : {})

UNLESS, the resource type anyways defaults to

encryption: {
  diskEncryptionSetId: null
  type: 'EncryptionAtRestWithPlatformKey'
}

i.e., MS-managed encryption. In that case, the default for type should just be EncryptionAtRestWithPlatformKey and you're good to go

diskEncryptionSetId: dataDisk.managedDisk.?diskEncryptionSetResourceId
type: 'EncryptionAtRestWithCustomerKey'
Copy link
Collaborator

@AlexanderSehr AlexanderSehr Sep 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this should rather be something akin to dataDisk.managedDisk.?type ?? 'EncryptionAtRestWithPlatformKey'?

If defaulting to EncryptionAtRestWithCustomerKey I guess you'd always need to provide a key.

}
}
zones: availabilityZone != -1 && !contains(dataDisk.managedDisk.?storageAccountType, 'ZRS')
? array(string(availabilityZone))
Expand Down Expand Up @@ -1223,6 +1227,9 @@ type dataDiskType = {
@description('Optional. Specifies the customer managed disk encryption set resource id for the managed disk.')
diskEncryptionSetResourceId: string?

@description('Optional. The type of key used to encrypt the data of the disk.')
diskEncryptionType: resourceInput<'Microsoft.Compute/disks@2024-03-02'>.properties.encryption.type?

@description('Optional. Specifies the resource id of a pre-existing managed disk. If the disk should be created, this property should be empty.')
id: string?
}
Expand Down
18 changes: 16 additions & 2 deletions avm/res/compute/virtual-machine/main.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
"_generator": {
"name": "bicep",
"version": "0.37.4.10188",
"templateHash": "5626158199534722675"
"templateHash": "13239692483716196396"
},
"name": "Virtual Machines",
"description": "This module deploys a Virtual Machine with one or multiple NICs and optionally one or multiple public IPs."
Expand Down Expand Up @@ -220,6 +220,16 @@
"description": "Optional. Specifies the customer managed disk encryption set resource id for the managed disk."
}
},
"diskEncryptionType": {
"type": "string",
"metadata": {
"__bicep_resource_derived_type!": {
"source": "Microsoft.Compute/disks@2024-03-02#properties/properties/properties/encryption/properties/type"
},
"description": "Optional. The type of key used to encrypt the data of the disk."
},
"nullable": true
},
"id": {
"type": "string",
"nullable": true,
Expand Down Expand Up @@ -2617,7 +2627,11 @@
"diskIOPSReadWrite": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskIOPSReadWrite')]",
"diskMBpsReadWrite": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'diskMBpsReadWrite')]",
"publicNetworkAccess": "[parameters('publicNetworkAccess')]",
"networkAccessPolicy": "[parameters('networkAccessPolicy')]"
"networkAccessPolicy": "[parameters('networkAccessPolicy')]",
"encryption": {
"diskEncryptionSetId": "[tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'diskEncryptionSetResourceId')]",
"type": "EncryptionAtRestWithCustomerKey"
}
},
"zones": "[if(and(not(equals(parameters('availabilityZone'), -1)), not(contains(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()].managedDisk, 'storageAccountType'), 'ZRS'))), array(string(parameters('availabilityZone'))), null())]",
"tags": "[coalesce(tryGet(coalesce(parameters('dataDisks'), createArray())[copyIndex()], 'tags'), parameters('tags'))]"
Expand Down
10 changes: 5 additions & 5 deletions avm/res/compute/virtual-machine/tests/e2e/atmg/dependencies.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ param location string = resourceGroup().location

var addressPrefix = '10.0.0.0/16'

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-07-01' = {
name: virtualNetworkName
location: location
properties: {
Expand All @@ -35,7 +35,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
}
}

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = {
name: managedIdentityName
location: location
}
Expand All @@ -53,7 +53,7 @@ resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-
}
}

resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
name: sshDeploymentScriptName
location: location
kind: 'AzurePowerShell'
Expand All @@ -64,7 +64,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
}
}
properties: {
azPowerShellVersion: '9.0'
azPowerShellVersion: '11.0'
retentionInterval: 'P1D'
arguments: ' -SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
scriptContent: loadTextContent('../../../../../../../utilities/e2e-template-assets/scripts/New-SSHKey.ps1')
Expand All @@ -74,7 +74,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
]
}

resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
resource sshKey 'Microsoft.Compute/sshPublicKeys@2024-11-01' = {
name: sshKeyName
location: location
properties: {
Expand Down
4 changes: 2 additions & 2 deletions avm/res/compute/virtual-machine/tests/e2e/atmg/main.test.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ param namePrefix string = '#_namePrefix_#'

// General resources
// =================
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
resource resourceGroup 'Microsoft.Resources/resourceGroups@2025-04-01' = {
name: resourceGroupName
location: enforcedLocation
}
Expand Down Expand Up @@ -77,7 +77,7 @@ module testDeployment '../../../main.bicep' = [
name: 'ipconfig01'
pipConfiguration: {
publicIpNameSuffix: '-pip-01'
zones: [
availabilityZones: [
1
2
3
Expand Down
10 changes: 5 additions & 5 deletions avm/res/compute/virtual-machine/tests/e2e/linux.defaults/dependencies.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ param location string = resourceGroup().location

var addressPrefix = '10.0.0.0/16'

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-07-01' = {
name: virtualNetworkName
location: location
properties: {
Expand All @@ -35,7 +35,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
}
}

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = {
name: managedIdentityName
location: location
}
Expand All @@ -53,7 +53,7 @@ resource msiRGContrRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-
}
}

resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
name: sshDeploymentScriptName
location: location
kind: 'AzurePowerShell'
Expand All @@ -64,7 +64,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
}
}
properties: {
azPowerShellVersion: '9.0'
azPowerShellVersion: '11.0'
retentionInterval: 'P1D'
arguments: '-SSHKeyName "${sshKeyName}" -ResourceGroupName "${resourceGroup().name}"'
scriptContent: loadTextContent('../../../../../../../utilities/e2e-template-assets/scripts/New-SSHKey.ps1')
Expand All @@ -74,7 +74,7 @@ resource sshDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01'
]
}

resource sshKey 'Microsoft.Compute/sshPublicKeys@2022-03-01' = {
resource sshKey 'Microsoft.Compute/sshPublicKeys@2024-11-01' = {
name: sshKeyName
location: location
properties: {
Expand Down
2 changes: 1 addition & 1 deletion avm/res/compute/virtual-machine/tests/e2e/linux.defaults/main.test.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ param namePrefix string = '#_namePrefix_#'

// General resources
// =================
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
resource resourceGroup 'Microsoft.Resources/resourceGroups@2025-04-01' = {
name: resourceGroupName
location: enforcedLocation
}
Expand Down
2 changes: 1 addition & 1 deletion avm/res/compute/virtual-machine/tests/e2e/windows.defaults/dependencies.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ param location string = resourceGroup().location

var addressPrefix = '10.0.0.0/16'

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-07-01' = {
name: virtualNetworkName
location: location
properties: {
Expand Down
2 changes: 1 addition & 1 deletion avm/res/compute/virtual-machine/tests/e2e/windows.defaults/main.test.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ param namePrefix string = '#_namePrefix_#'

// General resources
// =================
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
resource resourceGroup 'Microsoft.Resources/resourceGroups@2025-04-01' = {
name: resourceGroupName
location: enforcedLocation
}
Expand Down
2 changes: 1 addition & 1 deletion avm/res/compute/virtual-machine/tests/e2e/windows.disks/dependencies.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ param sharedDiskName string

var addressPrefix = '10.0.0.0/16'

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-07-01' = {
name: virtualNetworkName
location: location
properties: {
Expand Down
2 changes: 1 addition & 1 deletion avm/res/compute/virtual-machine/tests/e2e/windows.disks/main.test.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ param namePrefix string = '#_namePrefix_#'

// General resources
// =================
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
resource resourceGroup 'Microsoft.Resources/resourceGroups@2025-04-01' = {
name: resourceGroupName
location: enforcedLocation
}
Expand Down
2 changes: 1 addition & 1 deletion avm/res/compute/virtual-machine/tests/e2e/windows.guestconfiguration/dependencies.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ param location string = resourceGroup().location

var addressPrefix = '10.0.0.0/16'

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-07-01' = {
name: virtualNetworkName
location: location
properties: {
Expand Down
4 changes: 2 additions & 2 deletions avm/res/compute/virtual-machine/tests/e2e/windows.guestconfiguration/main.test.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ param namePrefix string = '#_namePrefix_#'

// General resources
// =================
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
resource resourceGroup 'Microsoft.Resources/resourceGroups@2025-04-01' = {
name: resourceGroupName
location: enforcedLocation
}
Expand Down Expand Up @@ -75,7 +75,7 @@ module testDeployment '../../../main.bicep' = [
subnetResourceId: nestedDependencies.outputs.subnetResourceId
pipConfiguration: {
publicIpNameSuffix: '-pip-01'
zones: []
availabilityZones: []
}
}
]
Expand Down
Loading