diff --git a/website/docs/r/mssql_managed_instance_transparent_data_encryption.html.markdown b/website/docs/r/mssql_managed_instance_transparent_data_encryption.html.markdown index 3beb2b207c7c..2e6803e8b40e 100644 --- a/website/docs/r/mssql_managed_instance_transparent_data_encryption.html.markdown +++ b/website/docs/r/mssql_managed_instance_transparent_data_encryption.html.markdown @@ -187,8 +187,6 @@ The following arguments are supported: * `key_vault_key_id` - (Optional) To use customer managed keys from Azure Key Vault, provide the AKV Key ID. To use service managed keys, omit this field. -* `managed_hsm_key_id` - (Optional) To use customer managed keys from a managed HSM, provide the Managed HSM Key ID. To use service managed keys, omit this field. - ~> **NOTE:** In order to use customer managed keys, the identity of the MSSQL Managed Instance must have the following permissions on the key vault: 'get', 'wrapKey' and 'unwrapKey' ~> **NOTE:** If `managed_instance_id` denotes a secondary instance deployed for disaster recovery purposes, then the `key_vault_key_id` should be the same key used for the primary instance's transparent data encryption. Both primary and secondary instances should be encrypted with same key material. diff --git a/website/docs/r/mssql_server_transparent_data_encryption.html.markdown b/website/docs/r/mssql_server_transparent_data_encryption.html.markdown index c8f3271596c6..4ddd556429a9 100644 --- a/website/docs/r/mssql_server_transparent_data_encryption.html.markdown +++ b/website/docs/r/mssql_server_transparent_data_encryption.html.markdown @@ -151,6 +151,8 @@ The following arguments are supported: * `key_vault_key_id` - (Optional) To use customer managed keys from Azure Key Vault, provide the AKV Key ID. To use service managed keys, omit this field. +* `managed_hsm_key_id` - (Optional) To use customer managed keys from a managed HSM, provide the Managed HSM Key ID. To use service managed keys, omit this field. + ~> **NOTE:** In order to use customer managed keys, the identity of the MSSQL server must have the following permissions on the key vault: 'get', 'wrapKey' and 'unwrapKey' ~> **NOTE:** If `server_id` denotes a secondary server deployed for disaster recovery purposes, then the `key_vault_key_id` should be the same key used for the primary server's transparent data encryption. Both primary and secondary servers should be encrypted with same key material.