main.encryption.tf

#get the CMK vault
data "azurerm_key_vault" "this_vault" {
  count = var.customer_managed_key == null ? 0 : 1

  name                = split("/", var.customer_managed_key.key_vault_resource_id)[8]
  resource_group_name = split("/", var.customer_managed_key.key_vault_resource_id)[4]
}

#update the private cloud resource to use a CMK
resource "azapi_update_resource" "customer_managed_key" {
  count = var.customer_managed_key == null ? 0 : 1

  type = "Microsoft.AVS/privateClouds@2023-09-01"
  body = {
    properties = {
      encryption = {
        status = "Enabled"
        keyVaultProperties = {
          keyName     = var.customer_managed_key.key_name
          keyVaultUrl = data.azurerm_key_vault.this_vault[0].vault_uri
          keyVersion  = var.customer_managed_key.key_version
        }
      }
    }
  }
  #name      = "${azapi_resource.this_private_cloud.name}-${var.customer_managed_key.key_name}"
  resource_id = azapi_resource.this_private_cloud.id

  depends_on = [
    azapi_resource.this_private_cloud,
    azapi_resource.clusters,
    azurerm_role_assignment.this_private_cloud,
    azurerm_monitor_diagnostic_setting.this_private_cloud_diags,
    #azapi_update_resource.managed_identity
  ]
}