feat: (IAC-1386) Updated code to add changes for customer managed keys

main.tf

@@ -144,7 +144,8 @@ module "aks" {
   aks_cluster_max_pods                     = var.default_nodepool_max_pods
   aks_cluster_os_disk_size                 = var.default_nodepool_os_disk_size
   aks_cluster_node_vm_size                 = var.default_nodepool_vm_type
-  aks_cluster_enable_host_encryption       = var.enable_default_nodepool_host_encryption
+  aks_cluster_enable_host_encryption       = var.aks_cluster_enable_host_encryption
+  aks_node_disk_encryption_set_id          = var.aks_node_disk_encryption_set_id
   aks_cluster_node_admin                   = var.node_vm_admin
   aks_cluster_ssh_public_key               = try(file(var.ssh_public_key), "")
   aks_cluster_private_dns_zone_id          = var.aks_cluster_private_dns_zone_id
@@ -208,7 +209,7 @@ module "node_pools" {
   zones                        = (var.node_pools_availability_zone == "" || var.node_pools_proximity_placement == true) ? [] : (var.node_pools_availability_zones != null) ? var.node_pools_availability_zones : [var.node_pools_availability_zone]
   proximity_placement_group_id = element(coalescelist(azurerm_proximity_placement_group.proximity[*].id, [""]), 0)
   orchestrator_version         = var.kubernetes_version
-  enable_host_encryption       = var.enable_nodepools_host_encryption
+  enable_host_encryption       = var.aks_cluster_enable_host_encryption
   tags                         = var.tags
 }
 

modules/azure_aks/main.tf

@@ -13,6 +13,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   support_plan                      = var.cluster_support_tier
   role_based_access_control_enabled = true
   http_application_routing_enabled  = false
+  disk_encryption_set_id            = var.aks_node_disk_encryption_set_id
 
   # https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions
   # az aks get-versions --location eastus -o table

modules/azure_aks/variables.tf

@@ -119,6 +119,12 @@ variable "aks_cluster_enable_host_encryption" {
   default     = false
 }
 
+variable "aks_node_disk_encryption_set_id" {
+  description = "The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created."
+  type        = string
+  default     = null
+}
+
 variable "kubernetes_version" {
   description = "The AKS cluster K8s version"
   type        = string

modules/azurerm_vm/main.tf

@@ -36,15 +36,16 @@ resource "azurerm_network_interface_security_group_association" "vm_nic_sg" {
 
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk
 resource "azurerm_managed_disk" "vm_data_disk" {
-  count                = var.data_disk_count
-  name                 = format("%s-disk%02d", var.name, count.index + 1)
-  location             = var.azure_rg_location
-  resource_group_name  = var.azure_rg_name
-  storage_account_type = var.data_disk_storage_account_type
-  create_option        = "Empty"
-  disk_size_gb         = var.data_disk_size
-  zone                 = var.data_disk_zone
-  tags                 = var.tags
+  count                  = var.data_disk_count
+  name                   = format("%s-disk%02d", var.name, count.index + 1)
+  location               = var.azure_rg_location
+  resource_group_name    = var.azure_rg_name
+  storage_account_type   = var.data_disk_storage_account_type
+  create_option          = "Empty"
+  disk_size_gb           = var.data_disk_size
+  zone                   = var.data_disk_zone
+  disk_encryption_set_id = var.disk_encryption_set_id
+  tags                   = var.tags
 }
 
 resource "azurerm_virtual_machine_data_disk_attachment" "vm_data_disk_attach" {
@@ -79,9 +80,10 @@ resource "azurerm_linux_virtual_machine" "vm" {
   }
 
   os_disk {
-    caching              = var.os_disk_caching
-    storage_account_type = var.os_disk_storage_account_type
-    disk_size_gb         = var.os_disk_size
+    caching                = var.os_disk_caching
+    storage_account_type   = var.os_disk_storage_account_type
+    disk_size_gb           = var.os_disk_size
+    disk_encryption_set_id = var.disk_encryption_set_id
   }
 
   source_image_reference {

modules/azurerm_vm/variables.tf

@@ -168,3 +168,9 @@ variable "encryption_at_host_enabled" {
   type        = bool
   default     = false
 }
+
+variable "disk_encryption_set_id" {
+  description = "The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk."
+  type        = string
+  default     = null
+}

variables.tf

@@ -165,12 +165,18 @@ variable "default_nodepool_availability_zones" {
   default     = ["1"]
 }
 
-variable "enable_default_nodepool_host_encryption" {
-  description = "Enables host encryption on all the nodes in the Default Node Pool"
+variable "aks_cluster_enable_host_encryption" {
+  description = "Enables host encryption on all the nodes in the Node Pool."
   type        = bool
   default     = false
 }
 
+variable "aks_node_disk_encryption_set_id" {
+  description = "The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. Changing this forces a new resource to be created."
+  type        = string
+  default     = null
+}
+
 # AKS advanced network config
 variable "aks_network_plugin" {
   description = "Network plugin to use for networking. Currently supported values are azure and kubenet. Changing this forces a new resource to be created."
@@ -368,12 +374,18 @@ variable "jump_rwx_filestore_path" {
   default     = "/viya-share"
 }
 
-variable "enable_jump_vm_host_encryption" {
-  description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
+variable "enable_vm_host_encryption" {
+  description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. This setting applies to both Jump and NFS VM. Defaults to false"
   type        = bool
   default     = false
 }
 
+variable "vm_disk_encryption_set_id" {
+  description = "The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. This setting applies to both Jump and NFS VM."
+  type        = string
+  default     = null
+}
+
 variable "storage_type" {
   description = "Type of Storage. Valid Values: `standard`, `ha` and `none`. `standard` creates NFS server VM, `ha` creates Azure Netapp Files"
   type        = string
@@ -438,12 +450,6 @@ variable "nfs_raid_disk_zone" {
   default     = null
 }
 
-variable "enable_nfs_vm_host_encryption" {
-  description = "Setting this variable enables all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host. Defaults to false"
-  type        = bool
-  default     = false
-}
-
 ## Azure Container Registry (ACR)
 variable "create_container_registry" {
   description = "Create Azure Container Registry"
@@ -533,12 +539,6 @@ variable "node_pools_proximity_placement" {
   default     = false
 }
 
-variable "enable_nodepools_host_encryption" {
-  description = "Enables host encryption on all the nodes in the Node Pool. Changing this forces a new resource to be created."
-  type        = bool
-  default     = false
-}
-
 variable "node_pools" {
   description = "Node pool definitions"
   type = map(object({

vms.tf

@@ -69,7 +69,8 @@ module "jump" {
   cloud_init                 = data.cloudinit_config.jump[0].rendered
   create_public_ip           = var.create_jump_public_ip
   enable_public_static_ip    = var.enable_jump_public_static_ip
-  encryption_at_host_enabled = var.enable_jump_vm_host_encryption
+  encryption_at_host_enabled = var.enable_vm_host_encryption
+  disk_encryption_set_id     = var.vm_disk_encryption_set_id
 
   # Jump VM mounts NFS path hence dependency on 'module.nfs'
   depends_on = [module.vnet, module.nfs]
@@ -110,7 +111,8 @@ module "nfs" {
   data_disk_size                 = var.nfs_raid_disk_size
   data_disk_storage_account_type = var.nfs_raid_disk_type
   data_disk_zone                 = var.nfs_raid_disk_zone
-  encryption_at_host_enabled     = var.enable_nfs_vm_host_encryption
+  encryption_at_host_enabled     = var.enable_vm_host_encryption
+  disk_encryption_set_id         = var.vm_disk_encryption_set_id
   depends_on                     = [module.vnet]
 }