Merge pull request microsoft#103 from myc2h6o/vm_ade

Add examples for Azure Disk Encryption Extension for VM and VMSS

Author: grayzu

quickstart/201-vm-disk-encryption-extension/main.tf

@@ -0,0 +1,132 @@
+resource "azurerm_resource_group" "example" {
+  name     = "${var.name_prefix}-rg"
+  location = var.location
+}
+
+// Key Vault Key
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "example" {
+  name                        = "${var.name_prefix}-kv"
+  location                    = azurerm_resource_group.example.location
+  resource_group_name         = azurerm_resource_group.example.name
+  tenant_id                   = data.azurerm_client_config.current.tenant_id
+  sku_name                    = "premium"
+  enabled_for_disk_encryption = true
+  purge_protection_enabled    = true
+  soft_delete_retention_days  = 7
+}
+
+resource "azurerm_key_vault_access_policy" "service-principal" {
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Create",
+    "Delete",
+    "Get",
+    "Update",
+  ]
+
+  secret_permissions = [
+    "Get",
+    "Delete",
+    "Set",
+  ]
+}
+
+resource "azurerm_key_vault_key" "example" {
+  name         = "examplekey"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA-HSM"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  depends_on = [
+    azurerm_key_vault_access_policy.service-principal
+  ]
+}
+
+// Virtual Machine
+resource "azurerm_virtual_network" "example" {
+  name                = "${var.name_prefix}-vnet"
+  address_space       = ["10.0.0.0/16"]
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+  name                 = "${var.name_prefix}-subnet"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefixes     = ["10.0.2.0/24"]
+}
+
+resource "azurerm_network_interface" "example" {
+  name                = "${var.name_prefix}-nic"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = azurerm_subnet.example.id
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_linux_virtual_machine" "example" {
+  name                = "${var.name_prefix}-vm"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  size                = "Standard_D2s_v3"
+  admin_username      = "azureuser"
+  network_interface_ids = [
+    azurerm_network_interface.example.id,
+  ]
+
+  admin_ssh_key {
+    username   = "azureuser"
+    public_key = var.vm_public_key
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "16.04-LTS"
+    version   = "latest"
+  }
+
+  os_disk {
+    storage_account_type = "Standard_LRS"
+    caching              = "ReadWrite"
+  }
+}
+
+// Disk Encryption Extension
+resource "azurerm_virtual_machine_extension" "example" {
+  name                       = "AzureDiskEncryptionForLinux"
+  publisher                  = "Microsoft.Azure.Security"
+  type                       = "AzureDiskEncryptionForLinux"
+  type_handler_version       = "1.1"
+  auto_upgrade_minor_version = false
+  virtual_machine_id         = azurerm_linux_virtual_machine.example.id
+
+  settings = jsonencode({
+    "EncryptionOperation"    = "EnableEncryption"
+    "KeyEncryptionAlgorithm" = "RSA-OAEP"
+    "KeyVaultURL"            = azurerm_key_vault.example.vault_uri
+    "KeyVaultResourceId"     = azurerm_key_vault.example.id
+    "KeyEncryptionKeyURL"    = azurerm_key_vault_key.example.id
+    "KekVaultResourceId"     = azurerm_key_vault.example.id
+    "VolumeType"             = "All"
+  })
+}

quickstart/201-vm-disk-encryption-extension/providers.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_version = ">=1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      recover_soft_deleted_key_vaults    = false
+      purge_soft_delete_on_destroy       = false
+      purge_soft_deleted_keys_on_destroy = false
+    }
+  }
+}

quickstart/201-vm-disk-encryption-extension/readme.md

@@ -0,0 +1,27 @@
+# Azure virtual machine with disk encryption extension
+
+This template deploys an Azure virtual machine with disk encryption extension.
+
+## Resources
+
+- [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault)
+- [azurerm_key_vault_access_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy)
+- [azurerm_key_vault_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key)
+- [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_machine_extension](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Required) Prefix of the resource name.|
+| `vm_public_key` | (Required) Public key of the Virtual Machine.|
+
+## Example
+
+To see how to run this example, see [Create an Azure virtual machine with disk encryption extension using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-vm-with-disk-encryption-extension).

quickstart/201-vm-disk-encryption-extension/variables.tf

@@ -0,0 +1,14 @@
+variable "location" {
+  type        = string
+  description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+  type        = string
+  description = "Prefix of the resource name"
+}
+
+variable "vm_public_key" {
+  type        = string
+  description = "Public key of the Virtual Machine"
+}

quickstart/201-vmss-disk-encryption-extension/main.tf

@@ -0,0 +1,126 @@
+resource "azurerm_resource_group" "example" {
+  name     = "${var.name_prefix}-rg"
+  location = var.location
+}
+
+// Key Vault Key
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "example" {
+  name                        = "${var.name_prefix}-kv"
+  location                    = azurerm_resource_group.example.location
+  resource_group_name         = azurerm_resource_group.example.name
+  tenant_id                   = data.azurerm_client_config.current.tenant_id
+  sku_name                    = "premium"
+  enabled_for_disk_encryption = true
+  purge_protection_enabled    = true
+  soft_delete_retention_days  = 7
+}
+
+resource "azurerm_key_vault_access_policy" "service-principal" {
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Create",
+    "Delete",
+    "Get",
+    "Update",
+  ]
+
+  secret_permissions = [
+    "Get",
+    "Delete",
+    "Set",
+  ]
+}
+
+resource "azurerm_key_vault_key" "example" {
+  name         = "examplekey"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA-HSM"
+  key_size     = 3072
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  depends_on = [
+    azurerm_key_vault_access_policy.service-principal
+  ]
+}
+
+// Virtual Machine Scale Set
+resource "azurerm_virtual_network" "example" {
+  name                = "${var.name_prefix}-vnet"
+  address_space       = ["10.0.0.0/16"]
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+  name                 = "${var.name_prefix}-subnet"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefixes     = ["10.0.2.0/24"]
+}
+
+resource "azurerm_windows_virtual_machine_scale_set" "example" {
+  name                 = "${var.name_prefix}-vmss"
+  resource_group_name  = azurerm_resource_group.example.name
+  location             = azurerm_resource_group.example.location
+  sku                  = "Standard_D2s_v3"
+  instances            = 2
+  admin_username       = "adminuser"
+  admin_password       = var.admin_password
+  computer_name_prefix = "vmss"
+  upgrade_mode         = "Automatic"
+
+  source_image_reference {
+    publisher = "MicrosoftWindowsServer"
+    offer     = "WindowsServer"
+    sku       = "2022-Datacenter"
+    version   = "latest"
+  }
+
+  os_disk {
+    storage_account_type = "Premium_LRS"
+    caching              = "None"
+  }
+
+  network_interface {
+    name    = "example"
+    primary = true
+    ip_configuration {
+      name      = "internal"
+      primary   = true
+      subnet_id = azurerm_subnet.example.id
+    }
+  }
+}
+
+// Disk Encryption Extension
+resource "azurerm_virtual_machine_scale_set_extension" "example" {
+  name                         = "AzureDiskEncryption"
+  publisher                    = "Microsoft.Azure.Security"
+  type                         = "AzureDiskEncryption"
+  type_handler_version         = "2.2"
+  auto_upgrade_minor_version   = false
+  virtual_machine_scale_set_id = azurerm_windows_virtual_machine_scale_set.example.id
+
+  settings = jsonencode({
+    "EncryptionOperation"    = "EnableEncryption"
+    "KeyEncryptionAlgorithm" = "RSA-OAEP"
+    "KeyVaultURL"            = azurerm_key_vault.example.vault_uri
+    "KeyVaultResourceId"     = azurerm_key_vault.example.id
+    "KeyEncryptionKeyURL"    = azurerm_key_vault_key.example.id
+    "KekVaultResourceId"     = azurerm_key_vault.example.id
+    "VolumeType"             = "All"
+  })
+}

quickstart/201-vmss-disk-encryption-extension/providers.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_version = ">=1.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.8"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      recover_soft_deleted_key_vaults    = false
+      purge_soft_delete_on_destroy       = false
+      purge_soft_deleted_keys_on_destroy = false
+    }
+  }
+}

quickstart/201-vmss-disk-encryption-extension/readme.md

@@ -0,0 +1,26 @@
+# Azure virtual machine scale set with disk encryption extension
+
+This template deploys an Azure virtual machine scale set with disk encryption extension.
+
+## Resources
+
+- [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault)
+- [azurerm_key_vault_access_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy)
+- [azurerm_key_vault_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_machine_scale_set_extension](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_scale_set_extension)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_windows_virtual_machine_scale_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine_scale_set)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `admin_password` | (Required) Admin password of the virtual machine scale set.|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Required) Prefix of the resource name.|
+
+## Example
+
+To see how to run this example, see [Create an Azure virtual machine scale set with disk encryption extension using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-vmss-with-disk-encryption-extension).

quickstart/201-vmss-disk-encryption-extension/variables.tf

@@ -0,0 +1,15 @@
+variable "admin_password" {
+  type        = string
+  sensitive   = true
+  description = "Admin password of the virtual machine scale set"
+}
+
+variable "location" {
+  type        = string
+  description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+  type        = string
+  description = "Prefix of the resource name"
+}

quickstart/README.md

@@ -29,6 +29,8 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope
 - [Azure Kubernetes Service with Log Analytics](./201-aks-log-analytics/)
 - [Azure Kubernetes Service with Helm](./201-aks-helm/)
 - [Azure Kubernetes Service with ACR](./201-aks-acr-identity/)
+- [Azure Virtual Machine Disk Encryption Extension](./201-vm-disk-encryption-extension)
+- [Azure Virtual Machine Scale Set Disk Encryption Extension](./201-vmss-disk-encryption-extension)
 - [Azure virtual machine scale set with jumpbox](./201-vmss-jumpbox)
 - [Azure virtual machine scale set with jumpbox from Packer custom image](./201-vmss-packer-jumpbox)
 - [Azure PostgreSQL Flexible Server Database](./201-postgresql-fs-db)