NashTech Insights

Ensuring Azure Kubernetes Service (AKS) Uses Disk Encryption Set with Terraform

Atisha Shaurya

Azure Kubernetes Service (AKS) is a robust managed container orchestration service in Azure, but securing your AKS cluster is a critical concern. Disk encryption is one of the essential security measures to protect your data at rest. In this blog post, we’ll explore how to ensure that your AKS cluster uses disk encryption set using Terraform, a popular infrastructure as code tool.

Prerequisites

Before we begin, make sure you have the following prerequisites:

  1. Azure Account: You’ll need an Azure subscription. If you don’t have one, you can create a free Azure account.
  2. Terraform Installed: Ensure that Terraform is installed on your local machine. You can download it from the Terraform website.

1. Define an Azure Disk Encryption Set

The first step is to define an Azure Disk Encryption Set. A Disk Encryption Set applies customer-managed key encryption to the managed OS and data disks of the nodes in your AKS cluster. Here's how you can define a Disk Encryption Set in Terraform:

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-encryption"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  # The set wraps disk keys with a specific Key Vault key, so the argument
  # takes the key's ID (key_vault_key_id), not the vault's own ID.
  key_vault_key_id    = azurerm_key_vault_key.example.id

  # Required: the vault later authorises this identity to wrap/unwrap keys.
  identity {
    type = "SystemAssigned"
  }
}

In this code:

  • We define a resource block for the Disk Encryption Set named “example-encryption.”
  • We specify the name and location for the Disk Encryption Set, linking it to a specified Azure Resource Group.
  • We point the Disk Encryption Set at a key stored in an Azure Key Vault using key_vault_key_id, and give it a system-assigned managed identity that the vault will authorise to wrap and unwrap disk keys.

2. Define Your AKS Cluster

Now that we have the Disk Encryption Set defined, let’s configure our AKS cluster to use it. Below is an example of how you can define an AKS cluster in Terraform:

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks-cluster"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks"

  # Customer-managed key encryption for node OS and data disks. This is a
  # top-level argument, not a nested block, and it can only be chosen when
  # the cluster is created: changing it later forces a new cluster.
  disk_encryption_set_id = azurerm_disk_encryption_set.example.id

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }
}

In this code:

  • We define an AKS cluster named “example-aks-cluster.”
  • We specify the location and resource group for the AKS cluster.
  • We configure a default node pool for the cluster with one node.
  • We enable a system-assigned managed identity for the AKS cluster.
  • We associate the Disk Encryption Set with the AKS cluster by passing its id to disk_encryption_set_id; this must be set when the cluster is created.

3. Apply the Terraform Configuration

With the Disk Encryption Set and AKS cluster configurations in place, you can now apply the Terraform configuration to create or update these resources. Run the following Terraform commands:

terraform init
terraform apply

Terraform will prompt you to confirm the creation or update of resources. Review the plan, and if it looks correct, type “yes” to proceed.

4. Verify Encryption

After Terraform completes the provisioning process, you can verify that disk encryption is applied to the VMs in your AKS cluster. You can do this by:

  1. Accessing one of the VMs within the AKS cluster.
  2. Checking the encryption status of the OS and data disks.
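Steps 1 and 2 reference a Key Vault key and rely on the Disk Encryption Set's identity being allowed to use it, which the post does not show. The following is an added example, not code from the original post: it assumes the vault behind data.azurerm_key_vault.example already has purge protection enabled (Azure requires it for a Disk Encryption Set) and uses access policies rather than RBAC authorisation; resource and key names are placeholders.

```terraform
# Added example; not from the original post. Assumes the vault behind
# data.azurerm_key_vault.example has purge_protection_enabled = true and
# uses access policies. Names are placeholders.
data "azurerm_client_config" "current" {}

# The principal running Terraform must be allowed to create the key.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id    = data.azurerm_key_vault.example.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = data.azurerm_client_config.current.object_id
  key_permissions = ["Create", "Get", "Delete", "Purge", "GetRotationPolicy"]
}

# The key the Disk Encryption Set wraps each disk's encryption key with.
resource "azurerm_key_vault_key" "example" {
  name         = "aks-des-key"
  key_vault_id = data.azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
  depends_on   = [azurerm_key_vault_access_policy.deployer]
}

# Least privilege for the set's system-assigned identity: it only needs to
# read the key and wrap/unwrap with it, nothing else in the vault.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id    = data.azurerm_key_vault.example.id
  tenant_id       = azurerm_disk_encryption_set.example.identity[0].tenant_id
  object_id       = azurerm_disk_encryption_set.example.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# The ID every node disk's encryption setting should reference; compare it
# with the disks in the cluster's node resource group when verifying.
output "aks_disk_encryption_set_id" {
  value = azurerm_kubernetes_cluster.example.disk_encryption_set_id
}
```

Add depends_on = [azurerm_key_vault_access_policy.des] to the AKS cluster so node disks are not provisioned before the set can reach the key. If the vault uses RBAC instead of access policies, replace the "des" policy with an azurerm_role_assignment granting the built-in "Key Vault Crypto Service Encryption User" role to the set's identity.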

Conclusion

In this blog post, we’ve learned how to ensure that an Azure Kubernetes Service (AKS) cluster uses a disk encryption set to protect sensitive data on the underlying VMs. By defining a Disk Encryption Set and associating it with your AKS cluster using Terraform, you can enhance the security of your containerized applications running on AKS.

Remember that security is an ongoing process, and it’s important to regularly monitor and update your security configurations to stay protected. Azure and Terraform provide powerful tools to help you achieve your security goals in a scalable and automated way.
