Merge pull request microsoft#102 from myc2h6o/confidential_vm

grayzu · web-flow · commit aac920d615e7 · 2022-06-29T15:56:03.000-07:00
Add examples for confidential VM, VMSS and OS Disk
diff --git a/quickstart/201-confidential-os-disk/main.tf b/quickstart/201-confidential-os-disk/main.tf
@@ -0,0 +1,24 @@
+data "azurerm_platform_image" "example" {
+  location  = var.location
+  publisher = "MicrosoftWindowsServer"
+  offer     = "windows-cvm"
+  sku       = "2022-datacenter-cvm"
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.name_prefix}-rg"
+  location = var.location
+}
+
+resource "azurerm_managed_disk" "example" {
+  name                 = "${var.name_prefix}-disk"
+  location             = azurerm_resource_group.example.location
+  resource_group_name  = azurerm_resource_group.example.name
+  storage_account_type = "Standard_LRS"
+  create_option        = "FromImage"
+  image_reference_id   = data.azurerm_platform_image.example.id
+  os_type              = "Windows"
+  hyper_v_generation   = "V2"
+
+  security_type = "ConfidentialVM_DiskEncryptedWithPlatformKey"
+}
diff --git a/quickstart/201-confidential-os-disk/providers.tf b/quickstart/201-confidential-os-disk/providers.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">=1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.8"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
diff --git a/quickstart/201-confidential-os-disk/readme.md b/quickstart/201-confidential-os-disk/readme.md
@@ -0,0 +1,19 @@
+# Azure confidential os disk
+
+This template deploys an Azure confidential os disk encrypted by platform key.
+
+## Resources
+
+- [azurerm_managed_disk](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Required) Prefix of the resource name.|
+
+## Example
+
+To see how to run this example, see [Create an Azure confidential os disk using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-confidential-os-disk).
diff --git a/quickstart/201-confidential-os-disk/variables.tf b/quickstart/201-confidential-os-disk/variables.tf
@@ -0,0 +1,9 @@
+variable "location" {
+  type        = string
+  description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+  type        = string
+  description = "Prefix of the resource name"
+}
diff --git a/quickstart/201-confidential-vm/main.tf b/quickstart/201-confidential-vm/main.tf
@@ -0,0 +1,148 @@
+resource "azurerm_resource_group" "example" {
+  name     = "${var.name_prefix}-rg"
+  location = var.location
+}
+
+// Key Vault and Disk Encryption Set
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "example" {
+  name                        = "${var.name_prefix}-kv"
+  location                    = azurerm_resource_group.example.location
+  resource_group_name         = azurerm_resource_group.example.name
+  sku_name                    = "premium"
+  tenant_id                   = data.azurerm_client_config.current.tenant_id
+  enabled_for_disk_encryption = true
+  purge_protection_enabled    = true
+  soft_delete_retention_days  = 7
+}
+
+resource "azurerm_key_vault_access_policy" "service-principal" {
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Create",
+    "Delete",
+    "Get",
+    "Purge",
+    "Update",
+  ]
+
+  secret_permissions = [
+    "Get",
+    "Delete",
+    "Set",
+  ]
+}
+
+resource "azurerm_key_vault_key" "example" {
+  name         = "examplekey"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA-HSM"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  depends_on = [azurerm_key_vault_access_policy.service-principal]
+}
+
+resource "azurerm_disk_encryption_set" "example" {
+  name                = "${var.name_prefix}-des"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  key_vault_key_id    = azurerm_key_vault_key.example.id
+  encryption_type     = "ConfidentialVmEncryptedWithCustomerKey"
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+resource "azurerm_key_vault_access_policy" "disk-encryption" {
+  key_vault_id = azurerm_key_vault.example.id
+
+  key_permissions = [
+    "Get",
+    "WrapKey",
+    "UnwrapKey",
+  ]
+
+  tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
+  object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
+}
+
+// Virtual Machine
+resource "azurerm_virtual_network" "example" {
+  name                = "${var.name_prefix}-vnet"
+  address_space       = ["10.0.0.0/16"]
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+  name                 = "${var.name_prefix}-subnet"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefixes     = ["10.0.2.0/24"]
+}
+
+resource "azurerm_network_interface" "example" {
+  name                = "${var.name_prefix}-nic"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = azurerm_subnet.example.id
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_linux_virtual_machine" "test" {
+  name                = "${var.name_prefix}-vm"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  
+  # Available sizes for Confidential VM can be found at: https://docs.microsoft.com/azure/confidential-computing/confidential-vm-overview
+  size                = "Standard_DC2as_v5"
+  
+  admin_username      = "azureuser"
+  network_interface_ids = [
+    azurerm_network_interface.example.id,
+  ]
+
+  admin_ssh_key {
+    username   = "azureuser"
+    public_key = var.vm_public_key
+  }
+
+  os_disk {
+    caching                          = "ReadWrite"
+    storage_account_type             = "Standard_LRS"
+    security_encryption_type         = "DiskWithVMGuestState"
+    secure_vm_disk_encryption_set_id = azurerm_disk_encryption_set.example.id
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "0001-com-ubuntu-confidential-vm-focal"
+    sku       = "20_04-lts-cvm"
+    version   = "latest"
+  }
+
+  vtpm_enabled        = true
+  secure_boot_enabled = true
+
+  depends_on = [
+    azurerm_key_vault_access_policy.disk-encryption,
+  ]
+}
diff --git a/quickstart/201-confidential-vm/providers.tf b/quickstart/201-confidential-vm/providers.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_version = ">=1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.8"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      recover_soft_deleted_key_vaults    = false
+      purge_soft_delete_on_destroy       = false
+      purge_soft_deleted_keys_on_destroy = false
+    }
+  }
+}
diff --git a/quickstart/201-confidential-vm/readme.md b/quickstart/201-confidential-vm/readme.md
@@ -0,0 +1,27 @@
+# Azure confidential virtual machine
+
+This template deploys an Azure confidential virtual machine with disk encrypted by customer managed key.
+
+## Resources
+
+- [azurerm_disk_encryption_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/disk_encryption_set)
+- [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault)
+- [azurerm_key_vault_access_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy)
+- [azurerm_key_vault_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key)
+- [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Required) Prefix of the resource name.|
+| `vm_public_key` | (Required) Public key of the Virtual Machine.|
+
+## Example
+
+To see how to run this example, see [Create an Azure confidential virtual machine using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-confidential-vm).
diff --git a/quickstart/201-confidential-vm/variables.tf b/quickstart/201-confidential-vm/variables.tf
@@ -0,0 +1,14 @@
+variable "location" {
+  type        = string
+  description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+  type        = string
+  description = "Prefix of the resource name"
+}
+
+variable "vm_public_key" {
+  type        = string
+  description = "Public key of the Virtual Machine"
+}
diff --git a/quickstart/201-confidential-vmss/main.tf b/quickstart/201-confidential-vmss/main.tf
@@ -0,0 +1,58 @@
+resource "azurerm_resource_group" "example" {
+  name     = "${var.name_prefix}-rg"
+  location = var.location
+}
+
+resource "azurerm_virtual_network" "example" {
+  name                = "${var.name_prefix}-vnet"
+  address_space       = ["10.0.0.0/16"]
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+  name                 = "${var.name_prefix}-subnet"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefixes     = ["10.0.2.0/24"]
+}
+
+resource "azurerm_windows_virtual_machine_scale_set" "example" {
+  name                 = "${var.name_prefix}-vmss"
+  resource_group_name  = azurerm_resource_group.example.name
+  location             = azurerm_resource_group.example.location
+
+  # Available skus for Confidential VMSS can be found at: https://docs.microsoft.com/azure/confidential-computing/confidential-vm-overview
+  sku                  = "Standard_DC2as_v5"
+  
+  instances            = 2
+  admin_username       = "adminuser"
+  admin_password       = var.admin_password
+  computer_name_prefix = "vmss"
+
+  source_image_reference {
+    publisher = "MicrosoftWindowsServer"
+    offer     = "windows-cvm"
+    sku       = "2022-datacenter-cvm"
+    version   = "latest"
+  }
+
+  os_disk {
+    storage_account_type     = "Premium_LRS"
+    caching                  = "None"
+    security_encryption_type = "VMGuestStateOnly"
+  }
+
+  network_interface {
+    name    = "example"
+    primary = true
+    ip_configuration {
+      name      = "internal"
+      primary   = true
+      subnet_id = azurerm_subnet.example.id
+    }
+  }
+
+  vtpm_enabled        = true
+  secure_boot_enabled = true
+}
diff --git a/quickstart/201-confidential-vmss/providers.tf b/quickstart/201-confidential-vmss/providers.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">=1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.8"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
diff --git a/quickstart/201-confidential-vmss/readme.md b/quickstart/201-confidential-vmss/readme.md
@@ -0,0 +1,22 @@
+# Azure confidential virtual machine scale set
+
+This template deploys an Azure confidential virtual machine scale set with guest state encrypted only.
+
+## Resources
+
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_windows_virtual_machine_scale_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine_scale_set)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `admin_password` | (Required) Admin password of the virtual machine scale set.|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Required) Prefix of the resource name.|
+
+## Example
+
+To see how to run this example, see [Create an Azure confidential virtual machine scale set using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-confidential-vmss).
diff --git a/quickstart/201-confidential-vmss/variables.tf b/quickstart/201-confidential-vmss/variables.tf
@@ -0,0 +1,15 @@
+variable "admin_password" {
+  type        = string
+  sensitive   = true
+  description = "Admin password of the virtual machine scale set"
+}
+
+variable "location" {
+  type        = string
+  description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+  type        = string
+  description = "Prefix of the resource name"
+}
diff --git a/quickstart/README.md b/quickstart/README.md
