Note
This repository is publicly accessible as part of our open-source initiative. We welcome contributions from the community alongside our organization's primary development efforts.
This module simplifies the deployment and management of virtual machines (VMs) in Microsoft Azure. It provides a flexible and reusable way to create both Linux and Windows VMs, letting users specify configuration parameters such as the VM size, operating system image, network interfaces, and resource group, and it integrates with other Azure resources such as virtual networks, subnets, and network interfaces.
As documented on the `image` input variable, it is possible to use so-called Image URN Aliases as the image to use. These aliases are based on the Azure quickstart templates, which can be found at https://github.com/Azure/azure-rest-api-specs/blob/main/arm-compute/quickstart-templates/aliases.json, and which are also used by the `az` CLI when running `az vm image list`.
This example demonstrates the usage of the virtual machine module with default settings. It sets up all necessary dependencies, including a resource group, virtual network, subnet, recovery services vault, backup policy, and key vault, to ensure seamless deployment.
Tip
Our module enables password-based login for Linux virtual machines, configurable via the `authentication_type` input variable. If the `disable_password_authentication` setting on the `azurerm_linux_virtual_machine` resource within this module is not explicitly set to `false`, Trivy will flag a high-severity warning. To suppress this warning, add the comment `#trivy:ignore:avd-azu-0039` directly above the Terraform module definition, as shown in the example below.
```hcl
resource "azurerm_resource_group" "example" {
  name     = "rg-example-dev-we-01"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example-dev-we-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "example" {
  name                 = "snet-example-dev-we-01"
  resource_group_name  = azurerm_resource_group.example.name
  address_prefixes     = ["10.0.2.0/24"]
  virtual_network_name = azurerm_virtual_network.example.name
}

# Recovery Services vault and daily backup policy used by backup_policy_id below.
resource "azurerm_recovery_services_vault" "example" {
  name                = "rsv-example-dev-we-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Standard"
  soft_delete_enabled = false
  storage_mode_type   = "GeoRedundant"
}

resource "azurerm_backup_policy_vm" "example" {
  name                = "bkpvm-example-dev-we-01"
  resource_group_name = azurerm_resource_group.example.name
  policy_type         = "V2"
  recovery_vault_name = azurerm_recovery_services_vault.example.name
  timezone            = "UTC"

  backup {
    frequency = "Daily"
    time      = "23:00"
  }

  retention_daily {
    count = 30
  }
}

data "azurerm_client_config" "current" {}

# Key Vault that receives the admin password generated by the module (key_vault_id below).
resource "azurerm_key_vault" "example" {
  name                     = "kv-example-dev-we-01"
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  purge_protection_enabled = false
  sku_name                 = "standard"
  tenant_id                = data.azurerm_client_config.current.tenant_id

  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"]
  }
}

#trivy:ignore:avd-azu-0039
module "example" {
  source = "cloudeteer/vm/azurerm"

  name                = "vm-example-dev-we-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  backup_policy_id    = azurerm_backup_policy_vm.example.id
  computer_name       = "example"
  image               = "Win2022Datacenter"
  key_vault_id        = azurerm_key_vault.example.id
  subnet_id           = azurerm_subnet.example.id
}
```
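A second usage example, added here and not taken from the module's own documentation: a Linux VM that uses SSH key authentication with a caller-supplied public key, so `key_vault_id` is left unset (the `key_vault_id` variable must not be set when `admin_ssh_public_key` is set and the module then generates no secret), followed by a variant that attaches a pre-existing network interface instead of letting the module create one. It assumes the resource group, virtual network, subnet and backup policy from the example above exist; the resource names and the public key path are assumptions.

```hcl
# Added example, not from the module's documentation. Assumes the resource
# group, subnet and backup policy from the previous example; the key path is
# an assumption.

module "linux_example" {
  source = "cloudeteer/vm/azurerm"

  name                = "vm-linux-dev-we-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  computer_name       = "linux01"

  # URN alias from the list documented on the image variable; the module
  # derives the operating system and architecture from the image offering.
  image = "Ubuntu2404"
  size  = "Standard_D2s_v5"

  # Key-based login only. Because the public key is supplied here, the module
  # generates no key pair and key_vault_id must stay unset.
  authentication_type  = "SSH"
  admin_ssh_public_key = file("~/.ssh/id_ed25519.pub")

  subnet_id        = azurerm_subnet.example.id
  backup_policy_id = azurerm_backup_policy_vm.example.id

  # These are the module defaults, written out so a reviewer can see the
  # posture: encryption at host, vTPM/Trusted Launch, platform patching with
  # the VM agent provisioned (required for AutomaticByPlatform).
  encryption_at_host_enabled = true
  vtpm_enabled               = true
  provision_vm_agent         = true
  patch_mode                 = "AutomaticByPlatform"

  tags = {
    environment = "dev"
  }
}

# Variant: bring your own network interface. With create_network_interface
# disabled, subnet_id must be omitted and network_interface_ids is required;
# the first ID in the list becomes the primary interface.
resource "azurerm_network_interface" "existing" {
  name                = "nic-linux-dev-we-02"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
}

module "linux_existing_nic" {
  source = "cloudeteer/vm/azurerm"

  name                = "vm-linux-dev-we-02"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  image               = "Ubuntu2404"

  authentication_type  = "SSH"
  admin_ssh_public_key = file("~/.ssh/id_ed25519.pub")

  create_network_interface = false
  network_interface_ids    = [azurerm_network_interface.existing.id]
}
```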
The following providers are used by this module:
The following resources are used by this module:
- azapi_resource_action.this (resource)
- azurerm_backup_protected_vm.this (resource)
- azurerm_key_vault_secret.this (resource)
- azurerm_linux_virtual_machine.this (resource)
- azurerm_managed_disk.this (resource)
- azurerm_network_interface.this (resource)
- azurerm_public_ip.this (resource)
- azurerm_user_assigned_identity.this (resource)
- azurerm_virtual_machine_data_disk_attachment.this (resource)
- azurerm_virtual_machine_extension.this (resource)
- azurerm_windows_virtual_machine.this (resource)
- random_password.this (resource)
- tls_private_key.this (resource)
- azapi_client_config.current (data source)
- azapi_resource.virtual_machine_image (data source)
- azapi_resource_list.virtual_machine_images (data source)
The following input variables are required:
Description: The URN or URN alias of the operating system image. Valid URN format is `Publisher:Offer:SKU:Version`. Use `az vm image list` to list possible URN values.
Valid URN aliases are:
CentOS85Gen2
Debian11
FlatcarLinuxFreeGen2
OpenSuseLeap154Gen2
RHELRaw8LVMGen2
SuseSles15SP5
Ubuntu2204
Ubuntu2404
Ubuntu2404Pro
Win2022Datacenter
Win2022AzureEditionCore
Win2019Datacenter
Win2016Datacenter
Win2012R2Datacenter
Win2012Datacenter
Type: string
Description: The Azure location where the virtual machine should reside.
Type: string
Description: The name of the virtual machine. Changing this forces a new resource to be created.
Type: string
Description: The name of the resource group in which the virtual machine should exist. Changing this forces a new resource to be created.
Type: string
The following input variables are optional (have default values):
Description: Enable additional capabilities.
Optional arguments:
Argument | Description |
---|---|
`ultra_ssd_enabled` | Should the capacity to enable Data Disks of the `UltraSSD_LRS` storage account type be supported on this Virtual Machine? |
`hibernation_enabled` | Whether to enable the hibernation capability or not. |
Type:
object({
ultra_ssd_enabled = optional(bool)
hibernation_enabled = optional(bool)
})
Default: null
Description: Additional content for the unattend.xml file used during Windows installation. This feature is not supported on Linux Virtual Machines.
Required arguments:
Argument | Description |
---|---|
`content` | The XML formatted content that is added to the unattend.xml file for the specified path and component. |
`setting` | The name of the setting to which the content applies. Possible values are `AutoLogon` and `FirstLogonCommands`. |
Type:
object({
content = string
setting = string
})
Default: null
Description: Password to use for the local administrator on this virtual machine. If not set, a password will be generated and stored in the Key Vault specified by key_vault_id.
Type: string
Default: null
Description: Algorithm for the admin SSH key pair, used only if `authentication_type` is `SSH` and no `admin_ssh_public_key` is provided. Valid values: `RSA`, `ED25519`.
Type: string
Default: "ED25519"
Description: Public key to use for SSH authentication. Must be at least 2048-bit and in ssh-rsa or ssh-ed25519 format.
Type: string
Default: null
Description: Username of the local administrator for the virtual machine.
Type: string
Default: "azureadmin"
Description: Should Extension Operations be allowed on this Virtual Machine?
Type: bool
Default: true
Description: The virtual machine's architecture. Valid values are `x86` or `arm`. The default is `null`, which determines the architecture to use based on the virtual machine image offering.
Type: string
Default: null
Description: Specifies the authentication type to use. Valid options are `Password`, `SSH`, or `Password, SSH`. Windows virtual machines support only `Password`.
Type: string
Default: "Password"
Description: Specifies the ID of the Availability Set in which the Virtual Machine should exist
Type: string
Default: null
Description: The ID of the backup policy to use.
Type: string
Default: null
Description: Enable boot diagnostics and optionally specify the storage account to use to store boot diagnostics. The default is to use a managed storage account to store boot diagnostics when enabled.
Optional parameters:
Parameter | Description |
---|---|
`enable` | Whether to enable (`true`) or disable (`false`) boot diagnostics. |
`storage_account_uri` | The endpoint for the Azure storage account that should be used to store boot diagnostics, including console output and hypervisor screenshots. |
Type:
object({
enabled = optional(bool, true)
storage_account_uri = optional(string)
})
Default:
{
"enabled": true
}
Description: Specifies whether to skip platform scheduled patching when a user schedule is associated with the VM.
NOTE: Can only be set to `true` when `patch_mode` is set to `AutomaticByPlatform`.
Type: bool
Default: true
Description: Specifies the hostname to use for this virtual machine. If unspecified, it defaults to `name`.
Type: string
Default: null
Description: Create (`true`) a network interface for the virtual machine. If disabled (`false`), `subnet_id` must be omitted and `network_interface_ids` must be defined.
Type: bool
Default: true
Description: If set to `true`, an Azure public IP address will be created and assigned to the default network interface.
Type: bool
Default: false
Description: The Base64-Encoded Custom Data which should be used for this Virtual Machine.
Type: string
Default: null
Description: Additional disks to be attached to the virtual machine.
Required parameters:
Parameter | Description |
---|---|
`disk_size_gb` | Specifies the size of the managed disk to create in gigabytes. |
`lun` | The Logical Unit Number of the Data Disk, which needs to be unique within the Virtual Machine. |
Optional parameters:
Parameter | Description |
---|---|
`caching` | Specifies the caching requirements for this Data Disk. Possible values include `None`, `ReadOnly` and `ReadWrite`. |
`create_option` | The method to use when creating the managed disk. Possible values include: `Empty` (create an empty managed disk). |
`name` | Specifies the name of the Managed Disk. If omitted a name will be generated based on `name`. |
`storage_account_type` | The type of storage to use for the managed disk. Possible values are `Standard_LRS`, `StandardSSD_ZRS`, `Premium_LRS`, `PremiumV2_LRS`, `Premium_ZRS`, `StandardSSD_LRS` or `UltraSSD_LRS`. |
Type:
list(object({
caching = optional(string, "ReadWrite")
create_option = optional(string, "Empty")
disk_size_gb = number
lun = number
name = optional(string)
storage_account_type = optional(string, "Premium_LRS")
}))
Default: []
Description: Specifies whether Automatic Updates are enabled for Windows Virtual Machines. This feature is not supported on Linux Virtual Machines.
Type: bool
Default: true
Description: Enable (`true`) or disable (`false`) a backup protected VM.
Type: bool
Default: true
Description: Should all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host?
NOTE: Requires `Microsoft.Compute/EncryptionAtHost` to be enabled at the subscription level.
Type: bool
Default: true
Description: List of extensions to enable.
Possible values:
NetworkWatcherAgent
AzureMonitorAgent
AzurePolicy
AntiMalware
NOTE: The extensions listed here will only be applied if `allow_extension_operations` is set to `true` (default). If `allow_extension_operations` is set to `false`, this list will be ignored and no extensions will be created.
Type: list(string)
Default:
[
"NetworkWatcherAgent",
"AzureMonitorAgent",
"AzurePolicy",
"AntiMalware"
]
Description: Should the Windows VM be patched without requiring a reboot? (more information)
NOTE: Hotpatching can only be enabled if `patch_mode` is set to `AutomaticByPlatform`, `provision_vm_agent` is set to `true`, your `source_image_reference` references a hotpatching enabled image, and the VM's `size` is set to an Azure generation 2 VM.
CAUTION: The setting `bypass_platform_safety_checks_on_user_schedule_enabled` is set to `true` by default. To enable hotpatching, change it to `false`.
Type: bool
Default: false
Description: The Azure managed identity to assign to the virtual machine.
Optional parameters:
Parameter | Description |
---|---|
`type` | Specifies the type of Managed Service Identity that should be configured on this Windows Virtual Machine. Possible values are `SystemAssigned`, `UserAssigned`, or `SystemAssigned, UserAssigned` (to enable both). |
`identity_ids` | Specifies a list of User Assigned Managed Identity IDs to be assigned to this Windows Virtual Machine. |
Type:
object({
type = optional(string)
identity_ids = optional(list(string))
})
Default: null
Description: Key Vault ID to store the generated admin password or admin SSH private key. Required when `admin_password` or `admin_ssh_public_key` is not set. Must not be set if either `admin_password` or `admin_ssh_public_key` is set.
Type: string
Default: null
Description: Specifies the license type to be used for this Virtual Machine.
Possible values:
- For Windows images (using Azure Hybrid Use Benefit): `None`, `Windows_Client`, `Windows_Server`.
- For Linux images: `RHEL_BYOS`, `RHEL_BASE`, `RHEL_EUS`, `RHEL_SAPAPPS`, `RHEL_SAPHA`, `RHEL_BASESAPAPPS`, `RHEL_BASESAPHA`, `SLES_BYOS`, `SLES_SAP`, `SLES_HPC`.
Type: string
Default: null
Description: A list of network interface IDs to attach to this virtual machine. The first network interface ID in this list will be the primary network interface of the virtual machine. If `subnet_id` is set, then the network interface created by this module will be the primary network interface of the virtual machine.
Type: list(string)
Default: null
Description: The virtual machine's operating system. Valid values are `Linux` or `Windows`. The default is `null`, which determines the operating system to use based on the virtual machine image offering.
Type: string
Default: null
Description: Operating system disk parameters.
Optional parameters:
Parameter | Description |
---|---|
`caching` | The Type of Caching which should be used for the Internal OS Disk. Possible values are `None`, `ReadOnly` and `ReadWrite`. |
`disk_encryption_set_id` | The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. Conflicts with `secure_vm_disk_encryption_set_id`. NOTE: The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault, in addition to an Access Policy to the Key Vault. |
`disk_size_gb` | The Size of the Internal OS Disk in GB, if you wish to vary from the size used in the image this Virtual Machine is sourced from. NOTE: If specified this must be equal to or larger than the size of the Image the Virtual Machine is based on. When creating a larger disk than exists in the image you'll need to repartition the disk to use the remaining space. |
`name` | The name which should be used for the Internal OS Disk. Default is `name` prefixed with `osdisk-`. |
`security_encryption_type` | Encryption Type when the Virtual Machine is a Confidential VM. Possible values are `VMGuestStateOnly` and `DiskWithVMGuestState`. NOTE: `vtpm_enabled` must be set to `true` when `security_encryption_type` is specified. NOTE: `encryption_at_host_enabled` cannot be set to `true` when `security_encryption_type` is set to `DiskWithVMGuestState`. |
`secure_vm_disk_encryption_set_id` | The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk when the Virtual Machine is a Confidential VM. Conflicts with `disk_encryption_set_id`. NOTE: `secure_vm_disk_encryption_set_id` can only be specified when `security_encryption_type` is set to `DiskWithVMGuestState`. |
`storage_account_type` | The Type of Storage Account which should back the Internal OS Disk. Possible values are `Standard_LRS`, `StandardSSD_LRS`, `Premium_LRS`, `StandardSSD_ZRS` and `Premium_ZRS`. |
`write_accelerator_enabled` | Should Write Accelerator be Enabled for this OS Disk? Defaults to `false`. NOTE: This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`. |
Type:
object({
caching = optional(string, "ReadWrite")
disk_size_gb = optional(string)
name = optional(string)
storage_account_type = optional(string, "Premium_LRS")
disk_encryption_set_id = optional(string)
write_accelerator_enabled = optional(bool, false)
secure_vm_disk_encryption_set_id = optional(string)
security_encryption_type = optional(string)
})
Default:
{
"caching": "ReadWrite",
"storage_account_type": "Premium_LRS",
"write_accelerator_enabled": false
}
Description: Specifies the mode of VM Guest Patching for the Virtual Machine. Possible values are `AutomaticByPlatform` or `ImageDefault`.
NOTE: If the `patch_assessment_mode` is set to `AutomaticByPlatform` then the `provision_vm_agent` field must be set to `true`.
Possible values:
AutomaticByPlatform
ImageDefault
Type: string
Default: "AutomaticByPlatform"
Description: Specifies the mode of in-guest patching to this Windows Virtual Machine. For more information on patch modes please see the product documentation.
NOTE: If `patch_mode` is set to `AutomaticByPlatform` then `provision_vm_agent` must also be set to `true`. If the Virtual Machine is using a hotpatching enabled image the `patch_mode` must always be set to `AutomaticByPlatform`.
Possible values:
AutomaticByOS
AutomaticByPlatform
Manual
Type: string
Default: "AutomaticByPlatform"
Description: The plan configuration for the Marketplace Image used to create a Virtual Machine.
Required arguments:
Argument | Description |
---|---|
`name` | Specifies the Name of the Marketplace Image this Virtual Machine should be created from. |
`product` | Specifies the Product of the Marketplace Image this Virtual Machine should be created from. |
`publisher` | Specifies the Publisher of the Marketplace Image this Virtual Machine should be created from. |
Type:
object({
name = string
product = string
publisher = string
})
Default: null
Description: The static IP address to use. If not set (default), a dynamic IP address is assigned.
Type: string
Default: null
Description: Should the Azure VM Agent be provisioned on this Virtual Machine?
NOTE: If `provision_vm_agent` is set to `false` then `allow_extension_operations` must also be set to `false`.
Type: bool
Default: true
Description: The ID of the Proximity Placement Group which the Virtual Machine should be assigned to.
Type: string
Default: null
Description: Specifies whether secure boot should be enabled on the virtual machine.
Type: bool
Default: true
Description: The SKU to use for this virtual machine.
Common sizes:
Standard_B2s
Standard_B2ms
Standard_D2s_v5
Standard_D4s_v5
Standard_DC2s_v2
Standard_DS1_v2
Standard_DS2_v2
Standard_E4s_v5
Standard_E4bds_v5
Standard_F2s_v2
Standard_F4s_v2
Type: string
Default: "Standard_DS1_v2"
Description: The ID of the Image which this Virtual Machine should be created from.
Possible Image ID types include:
- Image ID
- Shared Image ID
- Shared Image Version ID
- Community Gallery Image ID
- Community Gallery Image Version ID
- Shared Gallery Image IDs and Shared Gallery Image Version ID
Type: string
Default: null
Description: If set to `true`, the secrets generated by this module will be stored in the Key Vault specified by `key_vault_id`.
Type: bool
Default: true
Description: The ID of the subnet where the virtual machine's primary network interface should be located.
Type: string
Default: null
Description: A mapping of tags which should be assigned to all resources in this module.
Type: map(string)
Default: {}
Description: A mapping of tags which should be assigned to the Virtual Machine. This map will be merged with `tags`.
Type: map(string)
Default: {}
Description: Specifies the Time Zone which should be used by the Virtual Machine, the possible values are defined here. Setting timezone is not supported on Linux Virtual Machines.
Type: string
Default: null
Description: Specifies the Orchestrated Virtual Machine Scale Set that this Virtual Machine should be created within.
NOTE: To update `virtual_machine_scale_set_id` the Preview Feature `Microsoft.Compute/SingleFDAttachDetachVMToVmss` needs to be enabled, see the documentation for more information.
Type: string
Default: null
Description: Specifies if vTPM (virtual Trusted Platform Module) and Trusted Launch is enabled for the Virtual Machine.
Type: bool
Default: true
Description: Availability Zone in which this Windows Virtual Machine should be located.
Type: string
Default: null
The following outputs are exported:
Description: The admin password of the virtual machine.
Description: The private SSH key of the admin user.
Description: The public SSH key of the admin user.
Description: The admin username of the virtual machine.
Description: A list of data disks attached to the virtual machine. Each list element is a map with the following keys:
Attributes:
Attribute | Description |
---|---|
`attachment_id` | The ID of the virtual machine data disk attachment. |
`id` | The ID of the managed data disk. |
`name` | The name of the managed data disk. |
Description: The ID of the virtual machine.
Description: The virtual machine operating system image to use.
Attributes:
Attribute | Description |
---|---|
`architecture` | The image architecture. |
`offer` | The image offer. |
`operating_system` | The image operating system. |
`publisher` | The image publisher. |
`sku` | The image Stock Keeping Unit (SKU). |
`urn` | The full image URN. |
`urnAlias` | The image alias URN. NOTE: Only Azure Image Quick start templates have an alias URN. |
`version` | The image version. |
Description: Key Vault Secret IDs for generated secrets.
Attributes:
Attribute | Description |
---|---|
`admin_password` | The Key Vault secret ID for the password generated when variable `admin_password` is unset, and variable `authentication_type` is set to `Password`. |
`admin_ssh_private_key` | The Key Vault secret ID for the SSH private key generated when variable `admin_ssh_public_key` is unset, and variable `authentication_type` is set to `SSH`. |
Description: The network interface created by this module, if `create_network_interface` is set.
Attributes:
Attribute | Description |
---|---|
`applied_dns_servers` | If the Virtual Machine using this Network Interface is part of an Availability Set, then this list will have the union of all DNS servers from all Network Interfaces that are part of the Availability Set. |
`id` | The ID of the Network Interface. |
`internal_domain_name_suffix` | The DNS name can be constructed by concatenating the VM name with this value. |
`mac_address` | The Media Access Control (MAC) Address of the Network Interface. |
`name` | The name of the Network Interface. |
`private_ip_address` | The first private IP address of the network interface. NOTE: If `private_ip_address` is unset Azure will allocate an IP Address on Network Interface creation. |
`private_ip_addresses` | The private IP addresses of the network interface. NOTE: If `private_ip_address` is unset Azure will allocate an IP Address on Network Interface creation. |
Description: The primary private IP address assigned to this virtual machine.
Description: A list of all private IP addresses assigned to this virtual machine.
Description: The public IP created by this module, if `create_public_ip_address` is set.
Attributes:
Attribute | Description |
---|---|
`id` | The ID of the Public IP. |
`ip_address` | The IP address value that was allocated. |
Description: The primary public IP address assigned to this virtual machine.
Description: A list of all public IP addresses assigned to this virtual machine.
Description: The primary user assigned identity of the virtual machine
Attributes:
Attribute | Description |
---|---|
`principal_id` | The Principal ID of the system assigned identity. |
`tenant_id` | The Tenant ID of the system assigned identity. |
Description: The primary user assigned identity of the virtual machine
Attributes:
Attribute | Description |
---|---|
`client_id` | The client ID in UUID format of the user assigned identity. |
`id` | The resource ID of the user assigned identity. |
`name` | The name of the user assigned identity. |
`principal_id` | The Principal ID of the user assigned identity. |
`tenant_id` | The Tenant ID of the user assigned identity. |
Description: A list of all user assigned identities of the virtual machine.
Description: A list of virtual machine extensions installed on this virtual machine by this module. Each list element is a map with the following attributes:
Attribute | Description |
---|---|
`id` | The ID of the extension peering. |
`name` | The name of the extension peering. |
`publisher` | The publisher of the extension. |
`type` | The type of the extension. |
`type_handler_version` | The version of the extension. |
`auto_upgrade_minor_version` | Indicates whether the platform deploys the latest minor version update of the extension handler. |
`automatic_upgrade_enabled` | Indicates whether the extension is automatically updated whenever the publisher releases a new version. |
Description: A unique 128-bit identifier for this virtual machine (UUID).