Support for passing cmk config in original resource block #24661

Open
1 task done
Netkracker opened this issue Jan 26, 2024 · 0 comments

Comments

Contributor

Netkracker commented Jan 26, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

Not sure if this is a Terraform provider design decision or an ARM API limitation.
Many different resources have a separate resource block to enable CMK encryption instead of passing the CMK info in the original resource block itself.

Examples:
"azurerm_kusto_cluster" uses "azurerm_kusto_cluster_customer_managed_key"
"azurerm_mssql_managed_instance" uses "azurerm_mssql_managed_instance_transparent_data_encryption"
"azurerm_mssql_server" uses "azurerm_mssql_server_transparent_data_encryption"

When choosing this approach, it is not possible to define policies that use the effect "Deny" on resources that do not use CMK if the resources are created with Terraform, as they can never be created in the first place.

My educated guess is that azurerm_kusto_cluster is being created first and the policy engine denies the resource as it is not configured properly.

New or Affected Resource(s)/Data Source(s)

azurerm_kusto_cluster

Potential Terraform Configuration

No response

References

No response
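
As an added example (not part of the original issue and not the provider's code), this Python script scans the JSON form of a Terraform plan, as produced by `terraform show -json`, for the resource pairs named in the issue and lists each primary resource that would be created without CMK in its own block, which is the point where the issue's author guesses a "Deny" policy rejects it. The function name, the finding fields and the sample plan are constructed for illustration.

```python
import json

# Primary resource type -> companion type that applies the CMK (pairs named in the issue).
CMK_COMPANIONS = {
    "azurerm_kusto_cluster": "azurerm_kusto_cluster_customer_managed_key",
    "azurerm_mssql_managed_instance": "azurerm_mssql_managed_instance_transparent_data_encryption",
    "azurerm_mssql_server": "azurerm_mssql_server_transparent_data_encryption",
}


def find_cmk_ordering_risks(plan):
    """Return one finding per primary resource that the plan creates and whose
    CMK can only be attached afterwards by a separate companion resource."""
    changes = plan.get("resource_changes", [])
    created = [rc for rc in changes
               if "create" in rc.get("change", {}).get("actions", [])]
    created_types = {rc["type"] for rc in created}
    findings = []
    for rc in created:
        companion = CMK_COMPANIONS.get(rc["type"])
        if companion is None:
            continue  # CMK is not split into a companion resource for this type
        findings.append({
            "address": rc["address"],
            "companion_type": companion,
            # False means the plan never configures CMK for this type at all.
            "companion_in_plan": companion in created_types,
        })
    return findings


# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_kusto_cluster.example", "type": "azurerm_kusto_cluster",
   "change": {"actions": ["create"]}},
  {"address": "azurerm_kusto_cluster_customer_managed_key.example",
   "type": "azurerm_kusto_cluster_customer_managed_key",
   "change": {"actions": ["create"]}},
  {"address": "azurerm_mssql_server.example", "type": "azurerm_mssql_server",
   "change": {"actions": ["create"]}},
  {"address": "azurerm_mssql_managed_instance.example",
   "type": "azurerm_mssql_managed_instance", "change": {"actions": ["no-op"]}}
]}
""")

if __name__ == "__main__":
    for f in find_cmk_ordering_risks(SAMPLE_PLAN):
        print(f["address"], "->", f["companion_type"],
              "(in plan)" if f["companion_in_plan"] else "(missing from plan)")
```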
