
Due to https://github.com/hashicorp/terraform-provider-azurerm/issues/6117, I must use azurerm_virtual_machine to create my intended machine.

Unfortunately, the image in use requires trusted launch, for which I could not find any configuration option.

Is this possible, or am I forced to use azapi instead?


Answers


  1. Chosen as BEST ANSWER

    Since this does not seem to be possible with azurerm, I ended up doing it with terraform_data.

    As the image I'm using defines managed data disks, I had to extend the cleanup accordingly. My code looks like this:

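    resource "terraform_data" "vm" {
      # Everything the provisioners need is copied into `input`: a destroy-time
      # provisioner may only reference `self`, so the values must live in this
      # resource's own state. That also means all of them are persisted in
      # state, password included - declare var.admin_password with
      # `sensitive = true` so plan output does not print it.
      input = {
        subscription_id     = var.subscription_id
        resource_group_name = data.azurerm_resource_group.main.name
        vmname              = var.vm_name
        vm_size             = var.vm_size
        vm_username         = var.admin_username
        password            = var.admin_password
        nic_id              = azurerm_network_interface.main.id
        hostname            = random_string.hostname.result
        location            = var.location
        image_id            = var.image_id
        tags                = local.cli_tags
        identity            = join(" ", data.azurerm_user_assigned_identity.main[*].id)
      }

      # A change to `input` alone is applied in place and does not re-run the
      # provisioners; only a change to `triggers_replace` recreates the resource
      # (destroy provisioner, then create provisioner). Keep this list in step
      # with `input`; drop an entry if a change to it must not rebuild the VM
      # (e.g. the password, if rotation should not recreate the machine).
      triggers_replace = [
        var.subscription_id,
        data.azurerm_resource_group.main.name,
        var.vm_name,
        var.vm_size,
        var.admin_username,
        var.admin_password,
        azurerm_network_interface.main.id,
        random_string.hostname.result,
        var.location,
        var.image_id,
        local.cli_tags,
        join(" ", data.azurerm_user_assigned_identity.main[*].id),
      ]

      provisioner "local-exec" {
        when = create
        # The password reaches the shell through the environment instead of
        # being interpolated into the command text, so shell metacharacters in
        # it are never parsed and it does not appear in the command line that
        # Terraform echoes while applying.
        environment = {
          ADMIN_PASSWORD = self.input.password
        }
        # `set -e` aborts the script if `az account set` fails, so the VM is
        # never created in whatever subscription the CLI happened to be on.
        # `tags` and `identity` are deliberately left unquoted: both are
        # space-separated lists that must split into several arguments.
        command = <<EOF
    set -e
    az account set --subscription "${self.input.subscription_id}"
    az vm create --resource-group "${self.input.resource_group_name}" --name "${self.input.vmname}" --image "${self.input.image_id}" --size "${self.input.vm_size}" --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true --admin-username "${self.input.vm_username}" --admin-password "$ADMIN_PASSWORD" --os-disk-size-gb 128 --nics "${self.input.nic_id}" --computer-name "${self.input.hostname}" --nic-delete-option delete --os-disk-delete-option delete --location "${self.input.location}" --os-disk-caching ReadWrite --data-disk-caching ReadWrite --storage-sku Premium_LRS --assign-identity [system] ${self.input.identity} --tags ${self.input.tags}
    EOF
      }

      provisioner "local-exec" {
        when = destroy
        # The create command sets delete-on-termination only for the NIC and
        # the OS disk, so the managed data disk ids are collected before the
        # VM is deleted and the disks are removed afterwards.
        command = <<EOF
    set -e
    az account set --subscription "${self.input.subscription_id}"
    ids=$(az vm show -d -g "${self.input.resource_group_name}" -n "${self.input.vmname}" --query "storageProfile.dataDisks[].managedDisk.id" | jq -r 'join(" ")')
    az vm delete -g "${self.input.resource_group_name}" -n "${self.input.vmname}" --yes
    # Skip the disk delete when the image attached no data disks; calling it
    # with an empty --ids list only produces an error.
    if [ -n "$ids" ]; then
      az disk delete --ids $ids --yes
    fi
    EOF
      }
    }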
    
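    locals {
      # Renders var.tags as `key="value" key="value"` for the `--tags` argument
      # of `az vm create`. Each value is wrapped in double quotes so that a
      # value containing spaces survives the shell's word splitting; the values
      # are not otherwise shell-escaped, so a tag value containing `"` or `$`
      # would still be interpreted by the shell.
      cli_tags = join(" ", [for k, v in var.tags : "${k}=\"${v}\""])
    }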
    

    Beware that only the code relevant to the VM is posted; it may require adaptation for specific needs. Additionally, the hostname is set randomly to prevent machines with the same name from trying to join AAD. Also be sure to add all inputs that should force a recreation of the resource.


  2. Here is a Terraform script that creates a virtual machine with a Trusted Launch configuration using the azurerm module. For azapi, refer to the Microsoft documentation.

    provider "azurerm" {
      # No provider features are configured; the block is left empty.
      features {}
    }
    
    # Resource group that every other resource below is placed in; the other
    # resources take their location from it rather than repeating "East US".
    resource "azurerm_resource_group" "venkat" {
      name     = "terraform1-resources"
      location = "East US"
    }
    
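    resource "azurerm_virtual_network" "venkat" {
      # Referencing azurerm_resource_group.venkat below already orders this
      # resource after the resource group, so an explicit depends_on is
      # redundant and has been dropped.
      name                = "example-network"
      resource_group_name = azurerm_resource_group.venkat.name
      location            = azurerm_resource_group.venkat.location
      address_space       = ["10.0.0.0/16"]
    }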
    
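    resource "azurerm_subnet" "venkat" {
      # The references to the resource group and virtual network below give
      # Terraform the ordering implicitly; no explicit depends_on is needed.
      name                 = "example-subnet"
      resource_group_name  = azurerm_resource_group.venkat.name
      virtual_network_name = azurerm_virtual_network.venkat.name
      address_prefixes     = ["10.0.1.0/24"]
    }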
    
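    resource "azurerm_network_interface" "venkat" {
      name                = "example-nic1"
      resource_group_name = azurerm_resource_group.venkat.name
      location            = azurerm_resource_group.venkat.location

      # Single private-only IP configuration; the subnet reference orders this
      # after the subnet, so the explicit depends_on was redundant and is gone.
      ip_configuration {
        name                          = "internal"
        subnet_id                     = azurerm_subnet.venkat.id
        private_ip_address_allocation = "Dynamic"
      }
    }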
    
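    # Supplied at apply time (-var, a *.tfvars file or TF_VAR_admin_password)
    # instead of being committed as a literal; `sensitive` keeps the value out
    # of plan output.
    variable "admin_password" {
      description = "Local administrator password for the VM."
      type        = string
      sensitive   = true
    }

    resource "azurerm_virtual_machine" "venkat" {
      name                  = "venkat-machine-testvm2"
      location              = azurerm_resource_group.venkat.location
      resource_group_name   = azurerm_resource_group.venkat.name
      network_interface_ids = [azurerm_network_interface.venkat.id]
      vm_size               = "Standard_DS1_v2"

      storage_os_disk {
        name              = "terraformvenkat-vm-osdisk"
        caching           = "ReadWrite"
        create_option     = "FromImage"
        managed_disk_type = "Standard_LRS"
      }

      # A Gen2 image SKU is used here; the switch to Trusted Launch itself is
      # applied afterwards by the null_resource provisioners, not by this
      # resource, which has no security-type setting.
      storage_image_reference {
        publisher = "canonical"
        offer     = "0001-com-ubuntu-server-focal"
        sku       = "20_04-lts-gen2"
        version   = "latest"
      }

      os_profile {
        computer_name  = "hostname"
        admin_username = "adminuser"
        admin_password = var.admin_password
      }

      # Password logins are enabled because no SSH key is configured here;
      # prefer `ssh_keys` with password authentication disabled where possible.
      os_profile_linux_config {
        disable_password_authentication = false
      }
    }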
    
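    resource "null_resource" "vm-deallocate1" {
      # Re-run whenever the VM is replaced; without a trigger this resource
      # runs once at first creation and a rebuilt VM would never be deallocated
      # again. Referencing the VM id also orders this after the VM, which makes
      # the former explicit depends_on redundant.
      triggers = {
        vm_id = azurerm_virtual_machine.venkat.id
      }

      # Uses whichever subscription the Azure CLI is currently set to; run
      # `az account set` beforehand if that differs from the provider's.
      provisioner "local-exec" {
        command     = <<EOT
    az vm deallocate --resource-group ${azurerm_resource_group.venkat.name} --name ${azurerm_virtual_machine.venkat.name}
    EOT
        interpreter = ["bash", "-c"]
      }
    }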
    
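    resource "null_resource" "vm-1" {
      # Re-run whenever the VM is replaced, so a rebuilt VM also gets Trusted
      # Launch enabled instead of this running only once at first creation.
      triggers = {
        vm_id = azurerm_virtual_machine.venkat.id
      }

      # `set -e` makes a failed `az vm update` abort the script; otherwise the
      # VM would be started again without Trusted Launch and Terraform would
      # still report success, because only the last command's exit code counts.
      # The sleep presumably gives the update time to settle before the VM is
      # started; why 60 seconds is not stated - TODO confirm.
      provisioner "local-exec" {
        command     = <<EOT
    set -e
    az vm update --resource-group ${azurerm_resource_group.venkat.name} --name ${azurerm_virtual_machine.venkat.name} --security-type TrustedLaunch
    sleep 60
    az vm start --resource-group ${azurerm_resource_group.venkat.name} --name ${azurerm_virtual_machine.venkat.name}
    EOT
        interpreter = ["bash", "-c"]
      }

      # The deallocate step is not referenced in the command, so ordering
      # after it needs an explicit depends_on.
      depends_on = [null_resource.vm-deallocate1]
    }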
    

    Output:

    enter image description here
