From 7c88fe498de3dabc9adb2bfd0122d1f49f246a5b Mon Sep 17 00:00:00 2001
From: Yuval Yaron <43217306+yuvalyaron@users.noreply.github.com>
Date: Tue, 28 Jan 2025 18:51:01 +0200
Subject: [PATCH] Enable encryption at host for vms (#4263)

---
 CHANGELOG.md | 1 +
 core/terraform/resource_processor/vmss_porter/main.tf | 2 +-
 core/terraform/servicebus.tf | 5 +++--
 core/version.txt | 2 +-
 resource_processor/_version.py | 2 +-
 .../shared_services/admin-vm/terraform/admin-jumpbox.tf | 1 +
 templates/shared_services/sonatype-nexus-vm/terraform/vm.tf | 1 +
 .../guacamole-azure-export-reviewvm/terraform/windowsvm.tf | 1 +
 .../guacamole-azure-import-reviewvm/terraform/windowsvm.tf | 1 +
 .../guacamole-azure-linuxvm/terraform/linuxvm.tf | 1 +
 .../guacamole-azure-windowsvm/terraform/windowsvm.tf | 1 +
 11 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79ed543bd4..929f97efc4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ ENHANCEMENTS:
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
 * Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
+* Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf
index d1d92c565b..f390be1863 100644
--- a/core/terraform/resource_processor/vmss_porter/main.tf
+++ b/core/terraform/resource_processor/vmss_porter/main.tf
@@ -79,7 +79,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" {
 disable_password_authentication = false
 admin_password = random_password.password.result
 custom_data = data.template_cloudinit_config.config.rendered
- encryption_at_host_enabled = false
+ encryption_at_host_enabled = true
 upgrade_mode = "Automatic"
 tags = local.tre_core_tags
 secure_boot_enabled = true
diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf
index faef9322d7..f686a8e08e 100644
--- a/core/terraform/servicebus.tf
+++ b/core/terraform/servicebus.tf
@@ -32,8 +32,9 @@ resource "azurerm_servicebus_namespace" "sb" {
 dynamic "customer_managed_key" {
 for_each = var.enable_cmk_encryption ? [1] : []
 content {
- key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id
- identity_id = azurerm_user_assigned_identity.encryption[0].id
+ key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id
+ identity_id = azurerm_user_assigned_identity.encryption[0].id
+ infrastructure_encryption_enabled = true
 }
 }
diff --git a/core/version.txt b/core/version.txt
index b663def5a3..318bf6c824 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.18"
+__version__ = "0.11.19"
diff --git a/resource_processor/_version.py b/resource_processor/_version.py
index ae6db5f176..fee46bd8ce 100644
--- a/resource_processor/_version.py
+++ b/resource_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.11.0"
+__version__ = "0.11.1"
diff --git a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
index 2d9a2047b2..97919f81d1 100644
--- a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
+++ b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf
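Review bot: Setting `encryption_at_host_enabled = true` on the scale set introduces a subscription-level prerequisite that the commit neither checks nor documents: the EncryptionAtHost feature of the Microsoft.Compute provider must be registered (`az feature register --namespace Microsoft.Compute --name EncryptionAtHost`) and the chosen VM size must support it, otherwise the apply fails at the Azure API, not at plan time. The same hard-coded `true` is added in this commit to admin-jumpbox.tf, the Sonatype Nexus vm.tf and the four Guacamole VM templates, so an unregistered subscription breaks at every one of those resources. I would add the requirement to the deployment prerequisites and, ideally, a bootstrap check that verifies the feature registration before terraform runs. Flipping the flag on an already-deployed scale set may also require the instances to be deallocated or reimaged, as far as I can tell, which is worth calling out in the release notes for in-place upgrades.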
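Review bot: `infrastructure_encryption_enabled` inside the `customer_managed_key` block is, as far as I recall the azurerm provider schema, a ForceNew attribute, so an existing environment deployed with `enable_cmk_encryption` would see the Service Bus namespace destroyed and recreated on upgrade, together with its queues, topics and any in-flight messages exchanged between the API and the resource processor. That is a destructive change for a patch-level core bump (0.11.18 to 0.11.19) and it is not mentioned in the CHANGELOG entry, which only covers encryption at host. I would confirm the plan output against a CMK-enabled environment, add a changelog line such as `* Enable infrastructure (double) encryption for the Service Bus namespace when CMK encryption is enabled` and, if it does force replacement, document the upgrade path. Note also that the new setting is a silent no-op for deployments without CMK, since the whole block is gated on `var.enable_cmk_encryption`.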
@@ -36,6 +36,7 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
 admin_username = "adminuser"
 admin_password = random_password.password.result
 tags = local.tre_shared_service_tags
+ encryption_at_host_enabled = true
 secure_boot_enabled = true
 vtpm_enabled = true
diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
index 8bd6d3ff66..224143937a 100644
--- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
+++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf
@@ -103,6 +103,7 @@ resource "azurerm_linux_virtual_machine" "nexus" {
 admin_username = "adminuser"
 admin_password = random_password.nexus_vm_password.result
 tags = local.tre_shared_service_tags
+ encryption_at_host_enabled = true
 secure_boot_enabled = true
 vtpm_enabled = true
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
index 84724fddbf..aa25d019a9 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf
@@ -124,6 +124,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 allow_extension_operations = true
 admin_username = random_string.username.result
 admin_password = random_password.password.result
+ encryption_at_host_enabled = true
 secure_boot_enabled = local.secure_boot_enabled
 vtpm_enabled = local.vtpm_enabled
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
index e761cca22e..792330d7fd 100644
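Review bot: In the export-reviewvm hunk `encryption_at_host_enabled` is hard-coded to `true` while the neighbouring `secure_boot_enabled` and `vtpm_enabled` read from locals that, per the CHANGELOG entry for #4235, are user-configurable; a user who picks a VM size that does not support encryption at host therefore gets a deployment failure with no opt-out, and the same applies to the import-reviewvm, linuxvm and windowsvm Guacamole templates in this commit. Either keep it mandatory and constrain the selectable VM sizes to ones that support it (documenting that in the template parameters), or expose it through a local the same way the other two are. Separately, the diffstat shows only core/version.txt and resource_processor/_version.py being bumped; unless it happens in a separate commit, the porter.yaml versions of these user-resource and shared-service templates are not bumped, so already-registered bundles will not pick up the change.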
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf
@@ -45,6 +45,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 allow_extension_operations = true
 admin_username = random_string.username.result
 admin_password = random_password.password.result
+ encryption_at_host_enabled = true
 secure_boot_enabled = local.secure_boot_enabled
 vtpm_enabled = local.vtpm_enabled
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
index ca407e318f..30b1fdfcb9 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf
@@ -44,6 +44,7 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
 disable_password_authentication = false
 admin_username = random_string.username.result
 admin_password = random_password.password.result
+ encryption_at_host_enabled = true
 secure_boot_enabled = local.secure_boot_enabled
 vtpm_enabled = local.vtpm_enabled
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
index f0de361955..2640c00759 100644
--- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
+++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf
@@ -45,6 +45,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 allow_extension_operations = true
 admin_username = random_string.username.result
 admin_password = random_password.password.result
+ encryption_at_host_enabled = true
 secure_boot_enabled = local.secure_boot_enabled
 vtpm_enabled = local.vtpm_enabled