Skip to content

cloudeteer/terraform-azurerm-vm

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Note

This repository is publicly accessible as part of our open-source initiative. We welcome contributions from the community alongside our organization's primary development efforts.


terraform-azurerm-vm

SemVer Keep a Changelog Contributor Covenant

This module is designed to simplify the deployment and management of virtual machines (VMs) in Microsoft Azure. This module provides a flexible and reusable way to create both Linux and Windows VMs, allowing users to specify various configuration parameters such as the VM size, operating system image, network interfaces, and resource group. The module supports both Linux and Windows operating systems and integrates seamlessly with other Azure resources such as virtual networks, subnets, and network interfaces.

Azure Image Quick start templates

As documented on the image input variable, it is possible to use so-called Image Urn Aliases as image to use. These aliases are based on the Azure quickstart templates, which can be found at https://github.com/Azure/azure-rest-api-specs/blob/main/arm-compute/quickstart-templates/aliases.json, and which are also used by the az CLI when running az vm image list.

Usage

This example demonstrates the usage of the virtual machine module with default settings. It sets up all necessary dependencies, including a resource group, virtual network, subnet, recovery services vault, backup policy, and key vault, to ensure seamless deployment.

Tip

Our module enables password-based login for Linux virtual machines, configurable via the authentication_type input variable. If the disable_password_authentication setting on the azurerm_linux_virtual_machine resource within this module is not explicitly set to false, Trivy will flag a high-severity warning. To suppress this warning, add the comment #trivy:ignore:avd-azu-0039 directly above the Terraform module definition, as shown in the example below.

resource "azurerm_resource_group" "example" {
  name     = "rg-example-dev-we-01"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example-dev-we-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  address_space = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "example" {
  name                = "snet-example-dev-we-01"
  resource_group_name = azurerm_resource_group.example.name

  address_prefixes     = ["10.0.2.0/24"]
  virtual_network_name = azurerm_virtual_network.example.name
}

resource "azurerm_recovery_services_vault" "example" {
  name                = "rsv-example-dev-we-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku                 = "Standard"
  soft_delete_enabled = false
  storage_mode_type   = "GeoRedundant"
}

resource "azurerm_backup_policy_vm" "example" {
  name                = "bkpvm-example-dev-we-01"
  resource_group_name = azurerm_resource_group.example.name

  policy_type         = "V2"
  recovery_vault_name = azurerm_recovery_services_vault.example.name
  timezone            = "UTC"

  backup {
    frequency = "Daily"
    time      = "23:00"
  }

  retention_daily {
    count = 30
  }
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "kv-example-dev-we-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  purge_protection_enabled = false
  sku_name                 = "standard"
  tenant_id                = data.azurerm_client_config.current.tenant_id

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
  }
}

#trivy:ignore:avd-azu-0039
module "example" {
  source = "cloudeteer/vm/azurerm"

  name                = "vm-example-dev-we-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  backup_policy_id = azurerm_backup_policy_vm.example.id
  computer_name    = "example"
  image            = "Win2022Datacenter"
  key_vault_id     = azurerm_key_vault.example.id
  subnet_id        = azurerm_subnet.example.id
}

Providers

The following providers are used by this module:

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

Description: The URN or URN alias of the operating system image. Valid URN format is Publisher:Offer:SKU:Version. Use az vm image list to list possible URN values.

Valid URN aliases are:

  • CentOS85Gen2
  • Debian11
  • FlatcarLinuxFreeGen2
  • OpenSuseLeap154Gen2
  • RHELRaw8LVMGen2
  • SuseSles15SP5
  • Ubuntu2204
  • Ubuntu2404
  • Ubuntu2404Pro
  • Win2022Datacenter
  • Win2022AzureEditionCore
  • Win2019Datacenter
  • Win2016Datacenter
  • Win2012R2Datacenter
  • Win2012Datacenter

Type: string

Description: The Azure location where the virtual machine should reside.

Type: string

Description: The name of the virtual machine. Changing this forces a new resource to be created.

Type: string

Description: The name of the resource group in which the virtual machine should exist. Changing this forces a new resource to be created.

Type: string

Optional Inputs

The following input variables are optional (have default values):

Description: Enable additional capabilities.

Optional arguments:

Argument Description
ultra_ssd_enabled Should the capacity to enable Data Disks of the UltraSSD_LRS storage account type be supported on this Virtual Machine?
hibernation_enabled Whether to enable the hibernation capability or not.

Type:

object({
    ultra_ssd_enabled   = optional(bool)
    hibernation_enabled = optional(bool)
  })

Default: null

Description: Additional content for the unattend.xml file used during Windows installation. This feature is not supported on Linux Virtual Machines.

Required arguments:

Argument Description
content The XML formatted content that is added to the unattend.xml file for the specified path and component.
setting The name of the setting to which the content applies. Possible values are AutoLogon and FirstLogonCommands.

Type:

object({
    content = string
    setting = string
  })

Default: null

Description: Password to use for the local administrator on this virtual machine. If not set, a password will be generated and stored in the Key Vault specified by key_vault_id.

Type: string

Default: null

Description: Algorithm for the admin SSH key pair, used only if authentication_type is SSH and no admin_ssh_public_key is provided. Valid values: RSA, ED25519.

Type: string

Default: "ED25519"

Description: Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa or ssh-ed25519 format.

Type: string

Default: null

Description: Username of the local administrator for the virtual machine.

Type: string

Default: "azureadmin"

Description: Should Extension Operations be allowed on this Virtual Machine?

Type: bool

Default: true

Description: The virtual machine's architecture. Valid values are x86 or arm. The default is null, which determines the architecture to use based on the virtual machine image offering.

Type: string

Default: null

Description: Specifies the authentication type to use. Valid options are Password, SSH, or Password, SSH. Windows virtual machines support only Password.

Type: string

Default: "Password"

Description: Specifies the ID of the Availability Set in which the Virtual Machine should exist

Type: string

Default: null

Description: The ID of the backup policy to use.

Type: string

Default: null

Description: Enable boot diagnostics and optionally specify the storage account to use to store boot diagnostics. The default is to use a managed storage account to store boot diagnostics when enabled.

Optional parameters:

Parameter Description
enable Whether to enable (true) or disable (false) boot diagnostics.
storage_account_uri The endpoint for the Azure storage account that should be used to store boot diagnostics, including console output and hypervisor screenshots.

Type:

object({
    enabled             = optional(bool, true)
    storage_account_uri = optional(string)
  })

Default:

{
  "enabled": true
}

Description: Specifies whether to skip platform scheduled patching when a user schedule is associated with the VM.

NOTE: Can only be set to true when patch_mode is set to AutomaticByPlatform.

Type: bool

Default: true

Description: Specifies the hostname to use for this virtual machine. If unspecified, it defaults to name.

Type: string

Default: null

Description: Create (true) a network interface for the virtual machine. If disabled (false), the subnet_id must be omitted and network_interface_ids must be defined.

Type: bool

Default: true

Description: If set to true a Azure public IP address will be created and assigned to the default network interface.

Type: bool

Default: false

Description: The Base64-Encoded Custom Data which should be used for this Virtual Machine.

Type: string

Default: null

Description: Additional disks to be attached to the virtual machine.

Required parameters:

Parameter Description
disk_size_gb Specifies the size of the managed disk to create in gigabytes.
lun The Logical Unit Number of the Data Disk, which needs to be unique within the Virtual Machine.

Optional parameters:

Parameter Description
caching Specifies the caching requirements for this Data Disk. Possible values include None, ReadOnly and ReadWrite.
create_option The method to use when creating the managed disk. Possible values include: Empty - Create an empty managed disk.
name Specifies the name of the Managed Disk. If omitted a name will be generated based on name.
storage_account_type The type of storage to use for the managed disk. Possible values are Standard_LRS, StandardSSD_ZRS, Premium_LRS, PremiumV2_LRS, Premium_ZRS, StandardSSD_LRS or UltraSSD_LRS.

Type:

list(object({
    caching              = optional(string, "ReadWrite")
    create_option        = optional(string, "Empty")
    disk_size_gb         = number
    lun                  = number
    name                 = optional(string)
    storage_account_type = optional(string, "Premium_LRS")
  }))

Default: []

Description: Specifies whether Automatic Updates are enabled for Windows Virtual Machines. This feature is not supported on Linux Virtual Machines.

Type: bool

Default: true

Description: Enable (true) or disable (false) a backup protected VM.

Type: bool

Default: true

Description: Should all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host?

NOTE: Requires Microsoft.Compute/EncryptionAtHost to be enabled at the subscription level.

Type: bool

Default: true

Description: List of extensions to enable.

Possible values:

  • NetworkWatcherAgent
  • AzureMonitorAgent
  • AzurePolicy
  • AntiMalware

NOTE: The extensions listed here will only be applied if allow_extension_operations is set to true (default). If allow_extension_operations is set to false, this list will be ignored and no extensions will be created.

Type: list(string)

Default:

[
  "NetworkWatcherAgent",
  "AzureMonitorAgent",
  "AzurePolicy",
  "AntiMalware"
]

Description: Should the Windows VM be patched without requiring a reboot? more infos

NOTE: Hotpatching can only be enabled if the patch_mode is set to AutomaticByPlatform, the provision_vm_agent is set to true, your source_image_reference references a hotpatching enabled image, and the VM's size is set to a Azure generation 2 VM.

CAUTION: The setting bypass_platform_safety_checks_on_user_schedule_enabled is set to true by default. To enable hotpatching, change it to false.

Type: bool

Default: false

Description: The Azure managed identity to assign to the virtual machine.

Optional parameters:

Parameter Description
type Specifies the type of Managed Service Identity that should be configured on this Windows Virtual Machine. Possible values are SystemAssigned, UserAssigned, or SystemAssigned, UserAssigned (to enable both).
identity_ids Specifies a list of User Assigned Managed Identity IDs to be assigned to this Windows Virtual Machine.

Type:

object({
    type         = optional(string)
    identity_ids = optional(list(string))
  })

Default: null

Description: Key Vault ID to store the generated admin password or admin SSH private key. Required when admin_password or admin_ssh_public_key is not set. Must not be set if either admin_password or admin_ssh_public_key is set.

Type: string

Default: null

Description: Specifies the license type to be used for this Virtual Machine.

Possible values:

  • For Windows images (using Azure Hybrid Use Benefit): None, Windows_Client, Windows_Server.
  • For Linux images: RHEL_BYOS, RHEL_BASE, RHEL_EUS, RHEL_SAPAPPS, RHEL_SAPHA, RHEL_BASESAPAPPS, RHEL_BASESAPHA, SLES_BYOS, SLES_SAP, SLES_HPC.

Type: string

Default: null

Description: A list of network interface IDs to attach to this virtual machine. The first network interface ID in this list will be the primary network interface of the virtual machine. If subnet_id is set, then the network interface created by this module will be the primary network interface of the virtual machine.

Type: list(string)

Default: null

Description: The virtual machine's operating system. Valid values are Linux or Windows. The default is null, which determines the operating system to use based on the virtual machine image offering.

Type: string

Default: null

Description: Operating system disk parameters.

Optional parameters:

Parameter Description
caching The Type of Caching which should be used for the Internal OS Disk. Possible values are None, ReadOnly and ReadWrite.
disk_encryption_set_id The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. Conflicts with secure_vm_disk_encryption_set_id.
NOTE: The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault.
disk_size_gb The Size of the Internal OS Disk in GB, if you wish to vary from the size used in the image this Virtual Machine is sourced from.
NOTE: If specified this must be equal to or larger than the size of the Image the Virtual Machine is based on. When creating a larger disk than exists in the image you'll need to repartition the disk to use the remaining space.
name The name which should be used for the Internal OS Disk. Default is name prefixed with osdisk-.
security_encryption_type Encryption Type when the Virtual Machine is a Confidential VM. Possible values are VMGuestStateOnly and DiskWithVMGuestState.
NOTE: vtpm_enabled must be set to true when security_encryption_type is specified.
NOTE: encryption_at_host_enabled cannot be set to true when security_encryption_type is set to DiskWithVMGuestState.
secure_vm_disk_encryption_set_id The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk when the Virtual Machine is a Confidential VM. Conflicts with disk_encryption_set_id.
NOTE: secure_vm_disk_encryption_set_id can only be specified when security_encryption_type is set to DiskWithVMGuestState.
storage_account_type The Type of Storage Account which should back this the Internal OS Disk. Possible values are Standard_LRS, StandardSSD_LRS, Premium_LRS, StandardSSD_ZRS and Premium_ZRS.
write_accelerator_enabled Should Write Accelerator be Enabled for this OS Disk? Defaults to false.
NOTE: This requires that the storage_account_type is set to Premium_LRS and that caching is set to None.

Type:

object({
    caching                          = optional(string, "ReadWrite")
    disk_size_gb                     = optional(string)
    name                             = optional(string)
    storage_account_type             = optional(string, "Premium_LRS")
    disk_encryption_set_id           = optional(string)
    write_accelerator_enabled        = optional(bool, false)
    secure_vm_disk_encryption_set_id = optional(string)
    security_encryption_type         = optional(string)
  })

Default:

{
  "caching": "ReadWrite",
  "storage_account_type": "Premium_LRS",
  "write_accelerator_enabled": false
}

Description: Specifies the mode of VM Guest Patching for the Virtual Machine. Possible values are AutomaticByPlatform or ImageDefault.

NOTE: If the patch_assessment_mode is set to AutomaticByPlatform then the provision_vm_agent field must be set to true.

Possible values:

  • AutomaticByPlatform
  • ImageDefault

Type: string

Default: "AutomaticByPlatform"

Description: Specifies the mode of in-guest patching to this Windows Virtual Machine. For more information on patch modes please see the product documentation.

NOTE: If patch_mode is set to AutomaticByPlatform then provision_vm_agent must also be set to true. If the Virtual Machine is using a hotpatching enabled image the patch_mode must always be set to AutomaticByPlatform.

Possible values:

  • AutomaticByOS
  • AutomaticByPlatform
  • Manual

Type: string

Default: "AutomaticByPlatform"

Description: The plan configuration for the Marketplace Image used to create a Virtual Machine.

Required arguments:

Argument Description
name Specifies the Name of the Marketplace Image this Virtual Machine should be created from.
product Specifies the Product of the Marketplace Image this Virtual Machine should be created from.
publisher Specifies the Publisher of the Marketplace Image this Virtual Machine should be created from.

Type:

object({
    name      = string
    product   = string
    publisher = string
  })

Default: null

Description: The static IP address to use. If not set (default), a dynamic IP address is assigned.

Type: string

Default: null

Description: Should the Azure VM Agent be provisioned on this Virtual Machine?

NOTE: If provision_vm_agent is set to false then allow_extension_operations must also be set to false.

Type: bool

Default: true

Description: The ID of the Proximity Placement Group which the Virtual Machine should be assigned to.

Type: string

Default: null

Description: Specifies whether secure boot should be enabled on the virtual machine.

Type: bool

Default: true

Description: The SKU to use for this virtual machine.

Common sizes:

  • Standard_B2s
  • Standard_B2ms
  • Standard_D2s_v5
  • Standard_D4s_v5
  • Standard_DC2s_v2
  • Standard_DS1_v2
  • Standard_DS2_v2
  • Standard_E4s_v5
  • Standard_E4bds_v5
  • Standard_F2s_v2
  • Standard_F4s_v2

Type: string

Default: "Standard_DS1_v2"

Description: The ID of the Image which this Virtual Machine should be created from.

Possible Image ID types include:

  • Image ID
  • Shared Image ID
  • Shared Image Version ID
  • Community Gallery Image ID
  • Community Gallery Image Version ID
  • Shared Gallery Image IDs and Shared Gallery Image Version ID

Type: string

Default: null

Description: If set to true, the secrets generated by this module will be stored in the Key Vault specified by key_vault_id.

Type: bool

Default: true

Description: The ID of the subnet where the virtual machine's primary network interface should be located.

Type: string

Default: null

Description: A mapping of tags which should be assigned to all resources in this module.

Type: map(string)

Default: {}

Description: A mapping of tags which should be assigned to the Virtual Machine. This map will be merged with tags.

Type: map(string)

Default: {}

Description: Specifies the Time Zone which should be used by the Virtual Machine, the possible values are defined here. Setting timezone is not supported on Linux Virtual Machines.

Type: string

Default: null

Description: Specifies the Orchestrated Virtual Machine Scale Set that this Virtual Machine should be created within.

NOTE: To update virtual_machine_scale_set_id the Preview Feature Microsoft.Compute/SingleFDAttachDetachVMToVmss needs to be enabled, see the documentation for more information.

Type: string

Default: null

Description: Specifies if vTPM (virtual Trusted Platform Module) and Trusted Launch is enabled for the Virtual Machine.

Type: bool

Default: true

Description: Availability Zone in which this Windows Virtual Machine should be located.

Type: string

Default: null

Outputs

The following outputs are exported:

Description: The admin password of the virtual machine.

Description: The private SSH key of the admin user.

Description: The piblic SSH key of the admin user.

Description: The admin username of the virtual machine.

Description: A list of data disks attached to the virtual machine. Each list element is an map with the following keys:

Attributes:

Attribute Description
attachment_id The ID of the virtual machine data disk attachment
id The ID of the managed data disk.
name The name of the managed data disk.

Description: The ID of the virtual machine.

Description: The virtual machine operating system image to use.

Attributes:

Attribute Description
architecture The image architecture.
offer The image offer.
operating_system The image operating system.
publisher The image publisher.
sku The image Stock Keeping Unit (SKU).
urn The full image URN.
urnAlias The image alias URN.
NOTE: Only Azure Image Quick start templates have an alias URN
version The image version.

Description: Key Vault Secret IDs for generated secrets.

Attributes:

Attribute Description
admin_password The Key Vault secret ID for the password generated when variable admin_password is unset, and variable authentication_type is set to Password.
admin_ssh_private_key The Key Vault secret ID for the SSH private key generated when variable admin_ssh_public_key is unset, and variable authentication_type is set to SSH.

Description: The network interface create by this module, if create_network_interface ist set.

Attributes:

Attribute Description
applied_dns_servers If the Virtual Machine using this Network Interface is part of an Availability Set, then this list will have the union of all DNS servers from all Network Interfaces that are part of the Availability Set.
id The ID of the Network Interface.
internal_domain_name_suffix The DNS name can be constructed by concatenating the VM name with this value.
mac_address The Media Access Control (MAC) Address of the Network Interface.
name The name of the Network Interface.
private_ip_address The first private IP address of the network interface.
NOTE: If private_ip_address is unset Azure will allocate an IP Address on Network Interface creation.
private_ip_addresses The private IP addresses of the network interface.
NOTE: If private_ip_address is unset Azure will allocate an IP Address on Network Interface creation.

Description: The primary private IP address assigned to this virtual machine.

Description: A list of all private IP addresses assigned to this virtual machine.

Description: The public IP created by this module, if create_public_ip_address is set.

Attribute Description
id The ID of the Public IP.
ip_address The IP address value that was allocated.

Description: The primary public IP address assigned to this virtual machine.

Description: A list of all public IP addresses assigned to this virtual machine.

Description: The primary user assigned identity of the virtual machine

Attributes:

Attribute Description
principal_id The Principal ID of the system assigned identity.
tenant_id The Tenant ID of the system assigned identity.

Description: The primary user assigned identity of the virtual machine

Attributes:

Attribute Description
client_id The client id in uuid format of the user assigned identity.
id The resource id of the user assgined identity.
name The name of the user assigned identity.
principal_id The Principal ID of the user assigned identity.
tenant_id The Tenant ID of the user assigned identity.

Description: A list of all user assigned identities of the virtual machine.

Description: A list of virtual machine extensions installed on this virtual machine by this module. Each list element is a map with the following attributes:

Attribute Description
id The ID of the extension peering.
name The name of the extension peering.
publisher The publisher of the extension.
type The type of the extension.
type_handler_version The version of the extension.
auto_upgrade_minor_version Indicates whether the platform deploys the latest minor version update of the extension handler.
automatic_upgrade_enabled Indicates whether the extension is automatically updated whenever the publisher releases a new version.

Description: A unique 128-bit identifier for this virtual machine (UUID).