Using customer-managed keys gives administrators control over how data is encrypted, which helps meet compliance requirements and allows a more specific key rotation period. With system-managed keys, expired or exposed keys can remain in use without the administrator's knowledge, leaving data insecure. It is generally recommended to use a customer-managed key wherever the service supports one.
Once an encryption method has been chosen for an account, it cannot be changed. A new resource can instead be created with a customer-managed key by following the steps below. Note that changing the key_vault_key_id field in Terraform forces a new resource to be created.
In Azure Console -
In Terraform -
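The Terraform path, as an added example that is not part of the original page or the azurerm provider's own docs: a Key Vault with purge protection, a wrap/unwrap-only access policy for the Cosmos DB service principal, and a Cosmos DB account that references the key through key_vault_key_id. It assumes a resource group named rg-cosmos-cmk-example already exists and that the object ID of the Azure Cosmos DB service principal in your tenant is supplied through the cosmosdb_principal_object_id variable.

```hcl
data "azurerm_client_config" "current" {}
# Object ID of the "Azure Cosmos DB" service principal in your tenant (operator-supplied).
variable "cosmosdb_principal_object_id" { type = string }

# Cosmos DB requires soft delete and purge protection on the vault, so the key
# cannot be destroyed out from under the encrypted data.
resource "azurerm_key_vault" "example" {
  name                       = "kv-cosmos-cmk-example"
  location                   = "westeurope"
  resource_group_name        = "rg-cosmos-cmk-example" # assumed to exist already
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  access_policy { # identity running Terraform: creates and manages the key
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["Create", "Delete", "Get", "List", "Purge", "Recover"]
  }
  access_policy { # Cosmos DB service: wrap/unwrap only (least privilege)
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = var.cosmosdb_principal_object_id
    key_permissions = ["Get", "UnwrapKey", "WrapKey"]
  }
}

resource "azurerm_key_vault_key" "cosmos" {
  name         = "cosmos-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
}

resource "azurerm_cosmosdb_account" "example" {
  name                = "cosmos-cmk-example"
  location            = azurerm_key_vault.example.location
  resource_group_name = azurerm_key_vault.example.resource_group_name
  offer_type          = "Standard"
  kind                = "GlobalDocumentDB"
  # Versionless ID lets Key Vault rotate key versions without a new account;
  # changing this value itself forces Terraform to create a new account.
  key_vault_key_id = azurerm_key_vault_key.cosmos.versionless_id
  consistency_policy { consistency_level = "Session" }
  geo_location {
    location          = azurerm_key_vault.example.location
    failover_priority = 0
  }
}
```

Because key_vault_key_id forces replacement, plan output for an existing account should show the account being recreated rather than updated in place; review that plan before applying so data is migrated deliberately.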
References:
https://learn.microsoft.com/en-us/azure/cosmos-db/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#key_vault_key_id