通过 Terraform 代码使用 CMK 对虚拟机进行磁盘加密

问题描述

我已经编写了 Terraform 脚本，使用 Azure Key Vault 中的客户管理密钥（CMK），但虚拟机的操作系统磁盘仍然使用平台管理密钥（PMK）而不是 CMK 加密。有没有办法让 Terraform 在创建虚拟机时就默认用 CMK 对磁盘进行加密？

已尝试：创建磁盘加密集（Disk Encryption Set），以及为虚拟机添加加密扩展，但操作系统磁盘仍显示为 PMK 加密。


（问题回顾）已经编写了 Terraform 脚本，使用 Azure Key Vault 中的 CMK，但虚拟机的操作系统磁盘仍然使用 PMK 而不是 CMK 加密；希望 Terraform 在创建虚拟机时就默认用 CMK 加密磁盘。

下面是更新后的 Terraform 代码：它先创建 Key Vault 与密钥，再创建磁盘加密集（DES），并在创建虚拟机时通过 `os_disk.disk_encryption_set_id` 把操作系统磁盘绑定到该 DES，因此磁盘从创建之时起就使用 CMK 加密。两个关键点：一是必须在磁盘创建时就指定 `disk_encryption_set_id`（事后无法通过"默认值"自动切换）；二是 DES 的托管身份必须先获得对 Key Vault 密钥的 wrapKey/unwrapKey 权限（下面的 `Key Vault Crypto Service Encryption User` 角色分配），否则虚拟机创建会失败。

    # Azure Resource Manager provider. The empty features block is mandatory.
    provider "azurerm" {
      features {}
    }
    
    # Identity Terraform is running as; its tenant_id is used for the Key Vault below.
    data "azurerm_client_config" "current" {}
    
    # Resource group that holds every resource in this example.
    resource "azurerm_resource_group" "example" {
      location = "West Europe"
      name     = "encryption-resources"
    }
    
    # Key Vault that stores the customer-managed key (CMK).
    # A Disk Encryption Set requires purge protection on the vault; access is
    # granted through Azure RBAC role assignments (see below), not access policies.
    resource "azurerm_key_vault" "example" {
      name                = "encry-venkat-keyvault"
      resource_group_name = azurerm_resource_group.example.name
      location            = azurerm_resource_group.example.location
      tenant_id           = data.azurerm_client_config.current.tenant_id
      sku_name            = "premium"

      # Required for keys consumed by a Disk Encryption Set.
      purge_protection_enabled = true
      # Use RBAC role assignments instead of vault access policies.
      enable_rbac_authorization = true
      # Permits the Azure Disk Encryption (ADE) extension to read from the vault.
      # Not needed for DES-based server-side encryption; kept as in the original.
      enabled_for_disk_encryption = true
    }
    
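    # Grant the principal running Terraform the rights needed to create the key.
    # The original hard-coded a specific object ID GUID; binding to the caller's
    # object ID keeps an identity-specific value out of the code. "Key Vault
    # Crypto Officer" can create and manage keys, which is all this plan needs;
    # "Key Vault Administrator" would additionally cover secrets/certificates.
    # If the key should be managed by a different principal, replace
    # principal_id with a variable rather than a literal GUID.
    resource "azurerm_role_assignment" "key_vault_admin_assignment" {
      scope                = azurerm_key_vault.example.id
      role_definition_name = "Key Vault Crypto Officer"
      principal_id         = data.azurerm_client_config.current.object_id
    }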
    
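    # Customer-managed key used by the Disk Encryption Set.
    # Server-side disk encryption only needs wrapKey/unwrapKey. The original also
    # enabled encrypt/decrypt/sign/verify, which widens what anyone with access to
    # the key can do with it for no benefit here.
    resource "azurerm_key_vault_key" "example" {
      name         = "encryption-demo-key"
      key_vault_id = azurerm_key_vault.example.id
      key_type     = "RSA"
      key_size     = 2048

      key_opts = [
        "unwrapKey",
        "wrapKey",
      ]

      # With an RBAC-authorized vault the role assignment must exist before the
      # key is created, or the create call is rejected. depends_on only orders the
      # calls; RBAC propagation can still take a moment, so re-running apply after
      # a transient 403 is expected behaviour, not a configuration error.
      depends_on = [azurerm_role_assignment.key_vault_admin_assignment]
    }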
    
    # Disk Encryption Set (DES): the object a managed disk references to be
    # encrypted with the CMK. Its system-assigned identity is what receives
    # wrap/unwrap rights on the key (role assignment below).
    resource "azurerm_disk_encryption_set" "example" {
      name                = "encryptionset"
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name

      # Versioned key ID: the DES stays pinned to this key version. To follow key
      # rotation automatically, reference the key's versionless_id and set
      # auto_key_rotation_enabled = true instead.
      key_vault_key_id = azurerm_key_vault_key.example.id

      identity {
        type = "SystemAssigned"
      }
    }
    
    # Let the DES's managed identity use keys in the vault.
    # "Key Vault Crypto Service Encryption User" is the built-in role scoped to
    # reading and wrap/unwrap operations only — the least privilege a DES needs.
    resource "azurerm_role_assignment" "example-disk" {
      principal_id         = azurerm_disk_encryption_set.example.identity[0].principal_id
      role_definition_name = "Key Vault Crypto Service Encryption User"
      scope                = azurerm_key_vault.example.id
    }
    
    # Virtual network for the VM's NIC.
    resource "azurerm_virtual_network" "tfencrypt_vnet" {
      name                = "tfencrypt_vnet"
      resource_group_name = azurerm_resource_group.example.name
      location            = azurerm_resource_group.example.location
      address_space       = ["10.0.0.0/16"]
    }
    
    # Single /24 subnet inside the VNet above.
    resource "azurerm_subnet" "tfencrypt_subnet" {
      name                 = "tfencrypt_subnet"
      virtual_network_name = azurerm_virtual_network.tfencrypt_vnet.name
      resource_group_name  = azurerm_resource_group.example.name
      address_prefixes     = ["10.0.0.0/24"]
    }
    # NIC for the VM. No public IP is attached and no NSG appears in this
    # listing, so the VM is reachable only from inside the VNet.
    resource "azurerm_network_interface" "tfencrypt_nic" {
      name                = "tfencrypt_nic"
      resource_group_name = azurerm_resource_group.example.name
      location            = azurerm_resource_group.example.location

      ip_configuration {
        name                          = "ipconfig1"
        private_ip_address_allocation = "Dynamic"
        subnet_id                     = azurerm_subnet.tfencrypt_subnet.id
      }
    }
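    # SSH public key for the admin user, supplied at apply time (e.g. via
    # TF_VAR_admin_ssh_public_key or a .tfvars file) so no credential is committed.
    variable "admin_ssh_public_key" {
      description = "OpenSSH public key for the VM admin user"
      type        = string
    }

    # Linux VM whose OS disk is created against the DES, so it is encrypted with
    # the CMK from the moment the disk exists. The symptom in the question (OS
    # disk still on the platform key) is what you get when the disk is created
    # without os_disk.disk_encryption_set_id.
    resource "azurerm_linux_virtual_machine" "tfencrypt_vm" {
      name                  = "tfencrypt"
      location              = azurerm_resource_group.example.location
      resource_group_name   = azurerm_resource_group.example.name
      network_interface_ids = [azurerm_network_interface.tfencrypt_nic.id]
      size                  = "Standard_F2s"

      # Key-based SSH only. The original hard-coded a static admin password with
      # password login enabled; a password literal in Terraform is committed to
      # source control and also persisted in the state file.
      admin_username                  = "benhu"
      disable_password_authentication = true

      admin_ssh_key {
        username   = "benhu"
        public_key = var.admin_ssh_public_key
      }

      # NOTE(review): Ubuntu 18.04 LTS is past end of standard support; use a
      # currently supported LTS image for anything beyond a throwaway demo.
      source_image_reference {
        publisher = "Canonical"
        offer     = "UbuntuServer"
        sku       = "18.04-LTS"
        version   = "latest"
      }

      os_disk {
        name                 = "tfencrypt_osdisk"
        caching              = "ReadWrite"
        storage_account_type = "Premium_LRS"
        # This attribute is what switches the OS disk from PMK to CMK.
        disk_encryption_set_id = azurerm_disk_encryption_set.example.id
      }

      # The DES must already be able to wrap/unwrap with the key when the disk is
      # created, or VM creation fails. The os_disk reference only orders the DES
      # itself, so depend on its role assignment explicitly.
      depends_on = [azurerm_role_assignment.example-disk]
    }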

运行上述 Terraform 代码后，虚拟机的操作系统磁盘已通过磁盘加密集使用 CMK 加密。可以在门户中该磁盘的"加密"页面确认，或用 `az disk show --query encryption` 查看加密类型是否为客户管理密钥。

