diff --git a/azurerm/internal/services/compute/tests/resource_arm_managed_disk_test.go b/azurerm/internal/services/compute/tests/resource_arm_managed_disk_test.go index 9bad68ae1311..f4320ecb73c5 100644 --- a/azurerm/internal/services/compute/tests/resource_arm_managed_disk_test.go +++ b/azurerm/internal/services/compute/tests/resource_arm_managed_disk_test.go @@ -324,7 +324,41 @@ func TestAccAzureRMManagedDisk_diskEncryptionSet(t *testing.T) { ), }, { - Config: testAccAzureRMManagedDisk_diskEncryptionSet(data), + Config: testAccAzureRMManagedDisk_diskEncryptionSet(data, true), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMManagedDiskExists(data.ResourceName, &d, true), + ), + }, + data.ImportStep(), + }, + }) +} + +func TestAccAzureRMManagedDisk_diskEncryptionSet_update(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_managed_disk", "test") + var d compute.Disk + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acceptance.PreCheck(t) }, + Providers: acceptance.SupportedProviders, + CheckDestroy: testCheckAzureRMManagedDiskDestroy, + Steps: []resource.TestStep{ + { + // TODO: After applying soft-delete and purge-protection in keyVault, this extra step can be removed. + Config: testAccAzureRMManagedDisk_diskEncryptionSetDependencies(data), + Check: resource.ComposeTestCheckFunc( + enableSoftDeleteAndPurgeProtectionForKeyVault("azurerm_key_vault.test"), + ), + }, + { + Config: testAccAzureRMManagedDisk_diskEncryptionSet(data, false), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMManagedDiskExists(data.ResourceName, &d, true), + ), + }, + data.ImportStep(), + { + Config: testAccAzureRMManagedDisk_diskEncryptionSet(data, true), Check: resource.ComposeTestCheckFunc( testCheckAzureRMManagedDiskExists(data.ResourceName, &d, true), ), 
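Review bot: Both steps of the new `TestAccAzureRMManagedDisk_diskEncryptionSet_update` assert only `testCheckAzureRMManagedDiskExists`, so nothing in the test states explicitly that the disk ends up bound to the Disk Encryption Set after the second apply. In the final step (the one built with `complete` set to true) I would add `resource.TestCheckResourceAttrSet(data.ResourceName, "disk_encryption_set_id"),` next to the exists check, so that a regression leaving the disk without the customer-managed key fails on a named assertion rather than, presumably, only on the framework's post-apply plan comparison. The test also cannot distinguish an in-place update from a destroy-and-recreate; if in-place is the intent (the docs hunk drops the "forces a new resource" wording), comparing the disk ID captured in the first disk step with the one seen in the last would pin that. The closing lines of the final step fall outside this hunk, so whether an import step follows it is not visible here.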
@@ -947,8 +981,13 @@ resource "azurerm_key_vault_key" "test" { `, data.RandomInteger, location, data.RandomString) } -func testAccAzureRMManagedDisk_diskEncryptionSet(data acceptance.TestData) string { +func testAccAzureRMManagedDisk_diskEncryptionSet(data acceptance.TestData, complete bool) string { template := testAccAzureRMManagedDisk_diskEncryptionSetDependencies(data) + diskEncryptionSetLine := "" + if complete { + diskEncryptionSetLine = "disk_encryption_set_id = azurerm_disk_encryption_set.test.id" + } + return fmt.Sprintf(` %s @@ -989,14 +1028,14 @@ resource "azurerm_managed_disk" "test" { storage_account_type = "Standard_LRS" create_option = "Empty" disk_size_gb = 1 - disk_encryption_set_id = azurerm_disk_encryption_set.test.id + %s depends_on = [ "azurerm_role_assignment.disk-encryption-read-keyvault", "azurerm_key_vault_access_policy.disk-encryption", ] } -`, template, data.RandomInteger, data.RandomInteger) +`, template, data.RandomInteger, data.RandomInteger, diskEncryptionSetLine) } func testAccAzureRMManagedDisk_managedDiskAttached(data acceptance.TestData, diskSize int) string { diff --git a/website/docs/r/managed_disk.html.markdown b/website/docs/r/managed_disk.html.markdown index 177b37a5849c..f74382342930 100644 --- a/website/docs/r/managed_disk.html.markdown +++ b/website/docs/r/managed_disk.html.markdown @@ -91,7 +91,7 @@ The following arguments are supported: --- -* `disk_encryption_set_id` - (Optional) The ID of a Disk Encryption Set which should be used to encrypt this Managed Disk. Changing this forces a new resource to be created. +* `disk_encryption_set_id` - (Optional) The ID of a Disk Encryption Set which should be used to encrypt this Managed Disk. -> **NOTE:** The Disk Encryption Set must have the `Reader` Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault
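Review bot: The new `complete bool` parameter on `testAccAzureRMManagedDisk_diskEncryptionSet` is undocumented and its name does not say what it toggles; judging by this hunk and the next one, it only decides whether the `disk_encryption_set_id` line is rendered into the `azurerm_managed_disk` block. A name such as `withEncryptionSet`, plus a comment like `// withEncryptionSet controls whether disk_encryption_set_id is rendered; false yields a disk with no encryption set so the update test can attach one in a later step.`, would make call sites such as `(data, false)` readable without opening the helper. With false, the template leaves a whitespace-only line where the trailing `%s` sits, which is harmless in HCL but worth keeping in mind when reading rendered configs in test logs.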