{ "description": "Generator information:\n- Generated from: /compute/resource-manager/Microsoft.Compute/DiskRP/stable/2022-07-02/diskEncryptionSet.json\n- ARM URI: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{diskEncryptionSetName}", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "properties": { "activeKey": { "description": "ActiveKey: The key vault key which is currently used by this disk encryption set.", "properties": { "keyUrl": { "description": "KeyUrl: Fully versioned Key Url pointing to a key in KeyVault. Version segment of the Url is required regardless of\nrotationToLatestKeyVersionEnabled value.", "type": "string" }, "keyUrlFromConfig": { "description": "KeyUrlFromConfig: Fully versioned Key Url pointing to a key in KeyVault. Version segment of the Url is required\nregardless of rotationToLatestKeyVersionEnabled value.", "properties": { "key": { "description": "Key is the key in the Kubernetes configmap being referenced", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap being referenced.\nThe configmap must be in the same namespace as the resource", "type": "string" } }, "required": [ "key", "name" ], "type": "object", "additionalProperties": false }, "sourceVault": { "description": "SourceVault: Resource id of the KeyVault containing the key or secret. This property is optional and cannot be used if\nthe KeyVault subscription is not the same as the Disk Encryption Set subscription.", "properties": { "reference": { "description": "Reference: Resource Id", "properties": { "armId": { "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.", "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)", "type": "string" }, "group": { "description": "Group is the Kubernetes group of the resource.", "type": "string" }, "kind": { "description": "Kind is the Kubernetes kind of the resource.", "type": "string" }, "name": { "description": "Name is the Kubernetes name of the resource.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "azureName": { "description": "AzureName: The name of the resource in Azure. This is often the same as the name of the resource in Kubernetes but it\ndoesn't have to be.", "type": "string" }, "encryptionType": { "description": "EncryptionType: The type of key used to encrypt the data of the disk.", "enum": [ "ConfidentialVmEncryptedWithCustomerKey", "EncryptionAtRestWithCustomerKey", "EncryptionAtRestWithPlatformAndCustomerKeys" ], "type": "string" }, "federatedClientId": { "description": "FederatedClientId: Multi-tenant application client id to access key vault in a different tenant. Setting the value to\n'None' will clear the property.", "type": "string" }, "federatedClientIdFromConfig": { "description": "FederatedClientIdFromConfig: Multi-tenant application client id to access key vault in a different tenant. Setting the\nvalue to 'None' will clear the property.", "properties": { "key": { "description": "Key is the key in the Kubernetes configmap being referenced", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap being referenced.\nThe configmap must be in the same namespace as the resource", "type": "string" } }, "required": [ "key", "name" ], "type": "object", "additionalProperties": false }, "identity": { "description": "Identity: The managed identity for the disk encryption set. It should be given permission on the key vault before it can\nbe used to encrypt disks.", "properties": { "type": { "description": "Type: The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations.\nDisk Encryption Sets can be updated with Identity type None during migration of subscription to a new Azure Active\nDirectory tenant; it will cause the encrypted resources to lose access to the keys.", "enum": [ "None", "SystemAssigned", "SystemAssigned, UserAssigned", "UserAssigned" ], "type": "string" }, "userAssignedIdentities": { "description": "UserAssignedIdentities: The list of user identities associated with the disk encryption set. The user identity\ndictionary key references will be ARM resource ids in the form:\n'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.", "items": { "description": "Information about the user assigned identity for the resource", "properties": { "reference": { "description": "ResourceReference represents a resource reference, either to a Kubernetes resource or directly to an Azure resource via ARMID", "properties": { "armId": { "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.", "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)", "type": "string" }, "group": { "description": "Group is the Kubernetes group of the resource.", "type": "string" }, "kind": { "description": "Kind is the Kubernetes kind of the resource.", "type": "string" }, "name": { "description": "Name is the Kubernetes name of the resource.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "location": { "description": "Location: Resource location", "type": "string" }, "operatorSpec": { "description": "OperatorSpec: The specification for configuring operator behavior. This field is interpreted by the operator and not\npassed directly to Azure", "properties": { "configMapExpressions": { "description": "ConfigMapExpressions: configures where to place operator written dynamic ConfigMaps (created with CEL expressions).", "items": { "description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.", "properties": { "key": { "description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.", "type": "string" }, "value": { "description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array" }, "secretExpressions": { "description": "SecretExpressions: configures where to place operator written dynamic secrets (created with CEL expressions).", "items": { "description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.", "properties": { "key": { "description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.", "type": "string" }, "value": { "description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "owner": { "description": "Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also\ncontrols the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a\nreference to a resources.azure.com/ResourceGroup resource", "properties": { "armId": { "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)", "type": "string" }, "name": { "description": "This is the name of the Kubernetes resource to reference.", "type": "string" } }, "type": "object", "additionalProperties": false }, "rotationToLatestKeyVersionEnabled": { "description": "RotationToLatestKeyVersionEnabled: Set this flag to true to enable auto-updating of this disk encryption set to the\nlatest key version.", "type": "boolean" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags: Resource tags", "type": "object" } }, "required": [ "location", "owner" ], "type": "object", "additionalProperties": false }, "status": { "description": "disk encryption set resource.", "properties": { "activeKey": { "description": "ActiveKey: The key vault key which is currently used by this disk encryption set.", "properties": { "keyUrl": { "description": "KeyUrl: Fully versioned Key Url pointing to a key in KeyVault. Version segment of the Url is required regardless of\nrotationToLatestKeyVersionEnabled value.", "type": "string" }, "sourceVault": { "description": "SourceVault: Resource id of the KeyVault containing the key or secret. This property is optional and cannot be used if\nthe KeyVault subscription is not the same as the Disk Encryption Set subscription.", "properties": { "id": { "description": "Id: Resource Id", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "autoKeyRotationError": { "description": "AutoKeyRotationError: The error that was encountered during auto-key rotation. If an error is present, then auto-key\nrotation will not be attempted until the error on this disk encryption set is fixed.", "properties": { "code": { "description": "Code: The error code.", "type": "string" }, "details": { "description": "Details: The Api error details", "items": { "description": "Api error base.", "properties": { "code": { "description": "Code: The error code.", "type": "string" }, "message": { "description": "Message: The error message.", "type": "string" }, "target": { "description": "Target: The target of the particular error.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "innererror": { "description": "Innererror: The Api inner error", "properties": { "errordetail": { "description": "Errordetail: The internal error message or exception dump.", "type": "string" }, "exceptiontype": { "description": "Exceptiontype: The exception type.", "type": "string" } }, "type": "object", "additionalProperties": false }, "message": { "description": "Message: The error message.", "type": "string" }, "target": { "description": "Target: The target of the particular error.", "type": "string" } }, "type": "object", "additionalProperties": false }, "conditions": { "description": "Conditions: The observed state of the resource", "items": { "description": "Condition defines an extension to status (an observation) of a resource", "properties": { "lastTransitionTime": { "description": "LastTransitionTime is the last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "Message is a human readable message indicating details about the transition. This field may be empty.", "type": "string" }, "observedGeneration": { "description": "ObservedGeneration is the .metadata.generation that the condition was set based upon. For instance, if\n.metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "type": "integer" }, "reason": { "description": "Reason for the condition's last transition.\nReasons are upper CamelCase (PascalCase) with no spaces. A reason is always provided, this field will not be empty.", "type": "string" }, "severity": { "description": "Severity with which to treat failures of this type of condition.\nFor conditions which have positive polarity (Status == True is their normal/healthy state), this will be omitted when Status == True\nFor conditions which have negative polarity (Status == False is their normal/healthy state), this will be omitted when Status == False.\nThis is omitted in all cases when Status == Unknown", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, or Unknown.", "type": "string" }, "type": { "description": "Type of condition.", "type": "string" } }, "required": [ "lastTransitionTime", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "encryptionType": { "description": "EncryptionType: The type of key used to encrypt the data of the disk.", "type": "string" }, "federatedClientId": { "description": "FederatedClientId: Multi-tenant application client id to access key vault in a different tenant. Setting the value to\n'None' will clear the property.", "type": "string" }, "id": { "description": "Id: Resource Id", "type": "string" }, "identity": { "description": "Identity: The managed identity for the disk encryption set. It should be given permission on the key vault before it can\nbe used to encrypt disks.", "properties": { "principalId": { "description": "PrincipalId: The object id of the Managed Identity Resource. This will be sent to the RP from ARM via the\nx-ms-identity-principal-id header in the PUT request if the resource has a systemAssigned(implicit) identity", "type": "string" }, "tenantId": { "description": "TenantId: The tenant id of the Managed Identity Resource. This will be sent to the RP from ARM via the\nx-ms-client-tenant-id header in the PUT request if the resource has a systemAssigned(implicit) identity", "type": "string" }, "type": { "description": "Type: The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations.\nDisk Encryption Sets can be updated with Identity type None during migration of subscription to a new Azure Active\nDirectory tenant; it will cause the encrypted resources to lose access to the keys.", "type": "string" }, "userAssignedIdentities": { "additionalProperties": { "properties": { "clientId": { "description": "ClientId: The client id of user assigned identity.", "type": "string" }, "principalId": { "description": "PrincipalId: The principal id of user assigned identity.", "type": "string" } }, "type": "object", "additionalProperties": false }, "description": "UserAssignedIdentities: The list of user identities associated with the disk encryption set. The user identity\ndictionary key references will be ARM resource ids in the form:\n'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.", "type": "object" } }, "type": "object", "additionalProperties": false }, "lastKeyRotationTimestamp": { "description": "LastKeyRotationTimestamp: The time when the active key of this disk encryption set was updated.", "type": "string" }, "location": { "description": "Location: Resource location", "type": "string" }, "name": { "description": "Name: Resource name", "type": "string" }, "previousKeys": { "description": "PreviousKeys: A readonly collection of key vault keys previously used by this disk encryption set while a key rotation\nis in progress. It will be empty if there is no ongoing key rotation.", "items": { "description": "Key Vault Key Url to be used for server side encryption of Managed Disks and Snapshots", "properties": { "keyUrl": { "description": "KeyUrl: Fully versioned Key Url pointing to a key in KeyVault. Version segment of the Url is required regardless of\nrotationToLatestKeyVersionEnabled value.", "type": "string" }, "sourceVault": { "description": "SourceVault: Resource id of the KeyVault containing the key or secret. This property is optional and cannot be used if\nthe KeyVault subscription is not the same as the Disk Encryption Set subscription.", "properties": { "id": { "description": "Id: Resource Id", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "provisioningState": { "description": "ProvisioningState: The disk encryption set provisioning state.", "type": "string" }, "rotationToLatestKeyVersionEnabled": { "description": "RotationToLatestKeyVersionEnabled: Set this flag to true to enable auto-updating of this disk encryption set to the\nlatest key version.", "type": "boolean" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags: Resource tags", "type": "object" }, "type": { "description": "Type: Resource type", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }