canada-ca-terraform-modules/terraform-azurerm-caf-linux_virtual_machine

Terraform Basic Linux Virtual Machine

Introduction

This module deploys a simple virtual machine resource with an NSG, 1 NIC and a simple OS Disk.

Security Controls

The following security controls can be met through configuration of this template:

  • AC-1, AC-10, AC-11, AC-11(1), AC-12, AC-14, AC-16, AC-17, AC-18, AC-18(4), AC-2, AC-2(5), AC-20(1), AC-20(3), AC-20(4), AC-24(1), AC-24(11), AC-3, AC-3(1), AC-3(3), AC-3(9), AC-4, AC-4(14), AC-6, AC-6(1), AC-6(10), AC-6(11), AC-7, AC-8, AC-9, AC-9(1), AI-16, AU-2, AU-3, AU-3(1), AU-3(2), AU-4, AU-5, AU-5(3), AU-8(1), AU-9, CM-10, CM-11(2), CM-2(2), CM-2(4), CM-3, CM-3(1), CM-3(6), CM-5(1), CM-6, CM-7, IA-1, IA-2, IA-3, IA-4(1), IA-4(4), IA-5, IA-5(1), IA-5(13), IA-5(1c), IA-5(6), IA-5(7), IA-9, SC-10, SC-13, SC-15, SC-18(4), SC-2, SC-23, SC-28, SC-30(5), SC-5, SC-7, SC-7(10), SC-7(16), SC-7(8), SC-8, SC-8(1), SC-8(4), SI-14, SI-2(1), SI-3

Dependencies

Hard:

  • Resource Groups
  • Keyvault
  • VNET-Subnet

Optional (depending on options configured):

  • Log Analytics workspace

Usage

module "SRV-SASPR1" {
  count               = var.vmConfigs.SRV-SASPR1.deploy ? 1 : 0
  source              = "github.com/canada-ca-terraform-modules/terraform-azurerm-caf-linux_virtual_machine?ref=v1.1.5"
  env                 = var.env
  serverType          = var.vmConfigs.SRV-SASPR1.serverType
  userDefinedString   = var.vmConfigs.SRV-SASPR1.userDefinedString
  postfix             = var.vmConfigs.SRV-SASPR1.postfix
  resource_group      = local.resource_groups_L2.Project
  availability_set_id = azurerm_availability_set.SRV-SASPR-as.id
  subnet              = local.subnets[var.vmConfigs.SRV-SASPR1.subnet]
  nic_ip_configuration = {
    private_ip_address            = [cidrhost(local.subnets[var.vmConfigs.SRV-SASPR1.subnet].address_prefix, var.vmConfigs.SRV-SASPR1.IP)]
    private_ip_address_allocation = ["Static"]
  }
  storage_image_reference = {
    publisher = "RedHat",
    offer     = "RHEL",
    sku       = "7-LVM",
    version   = "7.7.2020031212"
  }
  encryptDisks = {
    KeyVaultResourceId = local.Project-kv.id
    KeyVaultURL        = local.Project-kv.vault_uri
  }
  os_managed_disk_type   = lookup(var.vmConfigs.SRV-SASPR1, "os_managed_disk_type", "StandardSSD_LRS")
  data_managed_disk_type = lookup(var.vmConfigs.SRV-SASPR1, "data_managed_disk_type", "StandardSSD_LRS")
  data_disks             = lookup(var.vmConfigs.SRV-SASPR1, "data_disks", {})
  priority               = lookup(var.vmConfigs.SRV-SASPR1, "priority", "Regular")
  admin_username         = var.vmConfigs.SRV-SASPR1.admin_username
  admin_password         = var.vmConfigs.SRV-SASPR1.admin_password
  vm_size                = var.vmConfigs.SRV-SASPR1.vm_size
  asg                    = azurerm_application_security_group.AD-Clients
  tags                   = var.tags
}
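A second module call, added here as an example and not taken from the module's own documentation, that uses the inputs documented in the Inputs section to tighten the posture the first call leaves at its defaults: key-based SSH only, no public IP, a NIC NSG whose rules scope inbound traffic instead of the module's allow-all default, disk encryption, platform patching, monitoring and backup. The resources and variables it references outside the module (`azurerm_log_analytics_workspace.law`, `azurerm_recovery_services_vault.rsv`, `azurerm_backup_policy_vm.daily`, `var.ssh_public_key`, `var.mgmt_cidr`, the `"app"` key in `local.subnets`) are assumed to exist in the calling configuration.

```hcl
module "SRV-HARD1" {
  source            = "github.com/canada-ca-terraform-modules/terraform-azurerm-caf-linux_virtual_machine?ref=v1.1.5"
  env               = var.env
  serverType        = "SRV"
  userDefinedString = "HARD"
  postfix           = "1"
  resource_group    = local.resource_groups_L2.Project
  subnet            = local.subnets["app"] # assumed key in local.subnets
  vm_size           = "Standard_D2s_v3"
  tags              = var.tags

  # Authentication: public key only; no admin_password is passed to the module.
  admin_username                  = "azureadmin"
  ssh_key                         = var.ssh_public_key # assumed variable holding the public key text
  disable_password_authentication = true

  # Network: private address only, NIC-level NSG with explicit rules in place of
  # the module default that allows all inbound traffic from any source.
  public_ip   = false
  use_nic_nsg = true
  security_rules = [
    {
      name                       = "AllowSshFromMgmt"
      description                = "SSH from the management range only"
      access                     = "Allow"
      priority                   = "100"
      protocol                   = "Tcp"
      direction                  = "Inbound"
      source_port_ranges         = "*"
      source_address_prefix      = var.mgmt_cidr # assumed variable, e.g. "10.10.0.0/24"
      destination_port_ranges    = "22"
      destination_address_prefix = "*"
    },
    {
      name                       = "DenyAllInbound"
      description                = "Explicit deny so nothing else reaches the NIC"
      access                     = "Deny"
      priority                   = "4000"
      protocol                   = "*"
      direction                  = "Inbound"
      source_port_ranges         = "*"
      source_address_prefix      = "*"
      destination_port_ranges    = "*"
      destination_address_prefix = "*"
    },
    {
      name                       = "AllowAllOutbound"
      description                = "Allow all out"
      access                     = "Allow"
      priority                   = "105"
      protocol                   = "*"
      direction                  = "Outbound"
      source_port_ranges         = "*"
      source_address_prefix      = "*"
      destination_port_ranges    = "*"
      destination_address_prefix = "*"
    }
  ]

  # Data protection: Azure Disk Encryption keyed from the project Key Vault, plus encryption at host.
  encryptDisks = {
    KeyVaultResourceId = local.Project-kv.id
    KeyVaultURL        = local.Project-kv.vault_uri
  }
  encryption_at_host_enabled = true

  # Patching and monitoring (the module provisions the VM agent by default, which platform patching needs).
  patch_mode            = "AutomaticByPlatform"
  patch_assessment_mode = "AutomaticByPlatform"
  boot_diagnostic       = true
  monitoringAgent = {
    workspace_id       = azurerm_log_analytics_workspace.law.workspace_id
    primary_shared_key = azurerm_log_analytics_workspace.law.primary_shared_key
  }
  dependancyAgent = true

  # Backup into the Recovery Services Vault using a daily VM backup policy.
  backup           = true
  backup_policy_id = azurerm_backup_policy_vm.daily.id
  recovery_vault   = azurerm_recovery_services_vault.rsv
}
```

Because `security_rules` is typed `list(map(string))`, every rule value, including `priority`, must be a string. The explicit `DenyAllInbound` rule sits below Azure's built-in default rules so that traffic from the VNet is not admitted implicitly; widen it deliberately if the workload needs VNet-internal access.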

Requirements

  • terraform: >= 0.12
  • azurerm: >= 1.32.0

Providers

  • azurerm: >= 1.32.0
  • random: n/a

Modules

No modules.

Resources

  • azurerm_backup_protected_vm.backup_vm (resource)
  • azurerm_linux_virtual_machine.VM (resource)
  • azurerm_managed_disk.data_disks (resource)
  • azurerm_network_interface.NIC (resource)
  • azurerm_network_interface_application_security_group_association.asg (resource)
  • azurerm_network_interface_backend_address_pool_association.LB (resource)
  • azurerm_network_interface_security_group_association.nic-nsg (resource)
  • azurerm_network_security_group.NSG (resource)
  • azurerm_public_ip.VM-EXT-PubIP (resource)
  • azurerm_resource_group_template_deployment.autoshutdown (resource)
  • azurerm_storage_account.boot_diagnostic (resource)
  • azurerm_virtual_machine_data_disk_attachment.data_disks (resource)
  • azurerm_virtual_machine_extension.AzureDiskEncryption (resource)
  • azurerm_virtual_machine_extension.DAAgentForLinux (resource)
  • azurerm_virtual_machine_extension.OmsAgentForLinux (resource)
  • random_uuid.SequenceVersion (resource)

Inputs

Each input is listed as name (type, default, required/optional): description.

  • accelerated_networking_enabled (bool, default: false, optional): Enables Azure Accelerated Networking using SR-IOV. Only certain VM instance sizes are supported.
  • admin_password (string, default: null, optional): Password of the VM admin account.
  • admin_username (string, required): Name of the VM admin account.
  • asg (any, default: null, optional): ASG object to join the NIC to.
  • availability_set_id (string, default: null, optional): Sets the id of the availability set to use for the VM.
  • backup (bool, default: false, optional): Should backup be enabled for the VM (the policy is given by backup_policy_id).
  • backup_policy_id (string, default: null, optional): Specifies the id of the backup policy to use.
  • boot_diagnostic (bool, default: false, optional): Should boot diagnostics be turned on or not.
  • computer_name (string, default: null, optional): VM OS hostname.
  • custom_data (string, default: null, optional): Specifies custom data to supply to the machine. On Linux-based systems, this can be used as a cloud-init script. On other systems, this will be copied as a file on disk. Internally, Terraform will base64 encode this value before sending it to the API. The maximum length of the binary array is 65535 bytes.
  • data_disks (any, default: {}, optional): Map of objects giving the disk size in gigabytes and the LUN number for each desired data disk. See the variable.tf file for an example.
  • data_managed_disk_type (string, default: "Standard_LRS", optional): Specifies the type of data managed disk which should be created. Possible values are Standard_LRS or Premium_LRS.
  • dependancyAgent (bool, default: false, optional): Should the VM include the Dependency agent.
  • disable_password_authentication (bool, default: "false", optional): Specifies whether password authentication should be disabled. If set to false, an admin_password must be specified.
  • dnsServers (list(string), default: null, optional): List of DNS server IP addresses to use for this NIC; overrides the VNet-level server list. See the variable.tf file for an example.
  • encryptDisks (object({ KeyVaultResourceId = string, KeyVaultURL = string }), default: null, optional): Should the VM disks be encrypted. See the option-30-AzureDiskEncryption.tf file for an example.
  • encryption_at_host_enabled (bool, default: false, optional): n/a
  • env (string, required): 4 chars defining the environment name prefix for the VM. Example: ScSc
  • eviction_policy (string, default: "Deallocate", optional): Specifies what should happen when the Virtual Machine is evicted for price reasons when using a Spot instance. At this time the only supported value is Deallocate. Changing this forces a new resource to be created.
  • ip_forwarding_enabled (bool, default: false, optional): Enables IP forwarding on the NIC.
  • license_type (string, default: null, optional): Specifies the BYOL type for this Virtual Machine. Possible values are RHEL_BYOS and SLES_BYOS.
  • load_balancer_backend_address_pools_ids (list(string), default: [], optional): List of Load Balancer backend address pool IDs to which this NIC belongs.
  • monitoringAgent (object({ workspace_id = string, primary_shared_key = string }), default: null, optional): Should the VM be monitored. If yes, provide the appropriate object as described. See the option-40-OmsAgentForLinux.tf file for an example.
  • nic_depends_on (any, default: null, optional): List of resources that the VM NIC depends on.
  • nic_ip_configuration (object({ private_ip_address = list(string), private_ip_address_allocation = list(string) }), default: { private_ip_address = [null], private_ip_address_allocation = ["Dynamic"] }, optional): Defines how a private IP address is assigned. Options are Static or Dynamic. In the case of Static, also specify the desired private IP address. See the variable.tf file for an example.
  • os_managed_disk_type (string, default: "Standard_LRS", optional): Specifies the type of OS managed disk which should be created. Possible values are Standard_LRS or Premium_LRS.
  • patch_assessment_mode (string, default: null, optional): Specifies the mode of in-guest patching for this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault. Defaults to ImageDefault.
  • patch_mode (string, default: null, optional): Specifies the mode of in-guest patching for this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault. Defaults to ImageDefault.
  • plan (object({ name = string, product = string, publisher = string }), default: null, optional): An optional plan block.
  • postfix (string, default: "", optional): Desired postfix value for the name. Max 3 chars.
  • priority (string, default: "Regular", optional): Specifies the priority of this Virtual Machine. Possible values are Regular and Spot. Defaults to Regular. Changing this forces a new resource to be created.
  • provision_vm_agent (bool, default: true, optional): Should an Azure VM Agent be provisioned on the VM.
  • public_ip (bool, default: false, optional): Should the VM be assigned public IP(s). True or false.
  • recovery_vault (any, default: null, optional): The Recovery Services Vault object to use. Changing this forces a new resource to be created.
  • resource_group (any, required): Resource group object that will contain the VM resources.
  • security_rules (list(map(string)), optional): Security rules to apply to the VM NIC. The default is two rules, "Allow all in" and "Allow all out", i.e. all inbound traffic from any source to any port is allowed until this input is overridden:
    [
      { name = "AllowAllInbound", description = "Allow all in", access = "Allow", priority = "100", protocol = "*", direction = "Inbound", source_port_ranges = "*", source_address_prefix = "*", destination_port_ranges = "*", destination_address_prefix = "*" },
      { name = "AllowAllOutbound", description = "Allow all out", access = "Allow", priority = "105", protocol = "*", direction = "Outbound", source_port_ranges = "*", source_address_prefix = "*", destination_port_ranges = "*", destination_address_prefix = "*" }
    ]
  • serverType (string, default: "SRV", optional): 3 chars server type code for the VM.
  • shutdownConfig (object({ autoShutdownStatus = string, autoShutdownTime = string, autoShutdownTimeZone = string, autoShutdownNotificationStatus = string }), default: null, optional): Should the VM shut down at the specified time. See the option-30-autoshutdown.tf file for an example.
  • source_image_id (string, default: null, optional): The ID of the image which this Virtual Machine should be created from. Changing this forces a new resource to be created.
  • ssh_key (string, default: null, optional): The public SSH key.
  • storage_image_reference (object({ publisher = string, offer = string, sku = string, version = string }), default: { publisher = "RedHat", offer = "RHEL", sku = "7.4", version = "latest" }, optional): This block provisions the Virtual Machine from one of two sources: an Azure Platform Image (e.g. Ubuntu/Windows Server) or a Custom Image. Refer to https://www.terraform.io/docs/providers/azurerm/r/virtual_machine.html for more details.
  • storage_os_disk (object({ caching = string, create_option = string, disk_size_gb = number }), default: { caching = "ReadWrite", create_option = "FromImage", disk_size_gb = null }, optional): This block describes the parameters for the OS disk. Refer to https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#os_disk for more details.
  • subnet (any, required): Subnet object to which the VM NIC will connect.
  • tags (map(string), default: { exampleTag1 = "SomeValue2" }, optional): Tags that will be associated with VM resources.
  • ultra_ssd_enabled (bool, default: false, optional): Should the capacity to enable data disks of the UltraSSD_LRS storage account type be supported on this Virtual Machine?
  • use_nic_nsg (bool, default: false, optional): Should a NIC NSG be used.
  • userDefinedString (string, required): User-defined portion of the server name. Up to 8 chars minus the postfix length.
  • vm_depends_on (any, default: null, optional): List of resources that the VM depends on.
  • vm_size (string, required): Specifies the size of the Virtual Machine. E.g. Standard_F4
  • zone (any, default: null, optional): The zone in which this Virtual Machine should be created. Changing this forces a new resource to be created.
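A guard for the calling configuration, added here as an example and not part of the module, that rejects a `security_rules` value like the module's default (an inbound Allow rule from every source to every port) before the rules are passed to the module. It assumes Terraform 0.13 or later for the `validation` block and `alltrue`, which is newer than the module's stated minimum of 0.12; the variable name `vm_security_rules` is the example's own.

```hcl
# Declared in the root module; the validated value is then passed to the
# module's security_rules input.
variable "vm_security_rules" {
  description = "NSG rules passed to the linux_virtual_machine module's security_rules input"
  type        = list(map(string))

  validation {
    # An inbound Allow rule whose source prefix is a wildcard and whose
    # destination port range is "*" exposes every port to every address;
    # that is exactly the module's default rule set.
    condition = alltrue([
      for r in var.vm_security_rules :
      !(lower(r["direction"]) == "inbound"
        && lower(r["access"]) == "allow"
        && contains(["*", "Internet", "0.0.0.0/0"], r["source_address_prefix"])
        && r["destination_port_ranges"] == "*")
    ])
    error_message = "Inbound Allow rules from * / Internet / 0.0.0.0/0 to all ports are not permitted; scope the source prefix or the destination port range."
  }
}
```

With this in place, `terraform plan` fails at variable evaluation if a caller copies the module default into their tfvars, while rules such as "SSH from one management prefix" or "all ports from one application subnet" still pass; the check deliberately looks only at the source prefix and destination ports, so a rule that scopes either one is accepted.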

Outputs

  • id: The id of the VM
  • name: The name of the VM
  • nic: The VM NIC object
  • pip: The VM public IP, if defined
  • vm: The VM object
