From bd0157394172fcc17990a7265b6b3fbc67ee1717 Mon Sep 17 00:00:00 2001 From: Yichun Ma Date: Wed, 22 Jun 2022 16:17:06 +0800 Subject: [PATCH 1/2] Add examples for confidential VM, VMSS and OS Disk --- quickstart/201-confidential-os-disk/main.tf | 24 +++ .../201-confidential-os-disk/provider.tf | 14 ++ quickstart/201-confidential-os-disk/readme.md | 19 +++ .../201-confidential-os-disk/variables.tf | 10 ++ quickstart/201-confidential-vm/main.tf | 145 ++++++++++++++++++ quickstart/201-confidential-vm/provider.tf | 20 +++ quickstart/201-confidential-vm/readme.md | 27 ++++ quickstart/201-confidential-vm/variables.tf | 15 ++ quickstart/201-confidential-vmss/main.tf | 55 +++++++ quickstart/201-confidential-vmss/provider.tf | 14 ++ quickstart/201-confidential-vmss/readme.md | 22 +++ quickstart/201-confidential-vmss/variables.tf | 16 ++ quickstart/README.md | 3 + 13 files changed, 384 insertions(+) create mode 100644 quickstart/201-confidential-os-disk/main.tf create mode 100644 quickstart/201-confidential-os-disk/provider.tf create mode 100644 quickstart/201-confidential-os-disk/readme.md create mode 100644 quickstart/201-confidential-os-disk/variables.tf create mode 100644 quickstart/201-confidential-vm/main.tf create mode 100644 quickstart/201-confidential-vm/provider.tf create mode 100644 quickstart/201-confidential-vm/readme.md create mode 100644 quickstart/201-confidential-vm/variables.tf create mode 100644 quickstart/201-confidential-vmss/main.tf create mode 100644 quickstart/201-confidential-vmss/provider.tf create mode 100644 quickstart/201-confidential-vmss/readme.md create mode 100644 quickstart/201-confidential-vmss/variables.tf diff --git a/quickstart/201-confidential-os-disk/main.tf b/quickstart/201-confidential-os-disk/main.tf new file mode 100644 index 00000000..2060fc8a --- /dev/null +++ b/quickstart/201-confidential-os-disk/main.tf 
@@ -0,0 +1,24 @@
+data "azurerm_platform_image" "example" {
+ location = var.location
+ publisher = "MicrosoftWindowsServer"
+ offer = "windows-cvm"
+ sku = "2022-datacenter-cvm"
+}
+
+resource "azurerm_resource_group" "example" {
+ name = "${var.name_prefix}-rg"
+ location = var.location
+}
+
+resource "azurerm_managed_disk" "example" {
+ name = "${var.name_prefix}-disk"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ storage_account_type = "Standard_LRS"
+ create_option = "FromImage"
+ image_reference_id = data.azurerm_platform_image.example.id
+ os_type = "Windows"
+ hyper_v_generation = "V2"
+
+ security_type = "ConfidentialVM_DiskEncryptedWithPlatformKey"
+}
diff --git a/quickstart/201-confidential-os-disk/provider.tf b/quickstart/201-confidential-os-disk/provider.tf
new file mode 100644
index 00000000..6b2a6509
--- /dev/null
+++ b/quickstart/201-confidential-os-disk/provider.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">=1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.8"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
diff --git a/quickstart/201-confidential-os-disk/readme.md b/quickstart/201-confidential-os-disk/readme.md
new file mode 100644
index 00000000..b5cbba57
--- /dev/null
+++ b/quickstart/201-confidential-os-disk/readme.md
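Review bot: The `azurerm_platform_image` data source at the top of the hunk sets `publisher`/`offer`/`sku` but no `version`, so — as far as I recall the data source's behaviour — each plan resolves to the newest `2022-datacenter-cvm` image and `image_reference_id` on the managed disk can change from one run to the next. For a quickstart that is acceptable, but it should be stated rather than discovered; suggest a comment above the data block such as `# No version pinned: the newest CVM image is resolved on every plan; add version = "..." to pin it.`. The `hyper_v_generation = "V2"` and `security_type` pairing is the part a reader is least likely to know is mandatory for this disk type, so a one-line comment there would also help.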
@@ -0,0 +1,19 @@
+# Azure confidential os disk
+
+This template deploys an Azure confidential os disk encrypted by platform key.
+
+## Resources
+
+- [azurerm_managed_disk](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Optional) Prefix of the resource name. Value defaults to: tftest|
+
+## Example
+
+To see how to run this example, see [Create an Azure confidential os disk using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-confidential-os-disk).
diff --git a/quickstart/201-confidential-os-disk/variables.tf b/quickstart/201-confidential-os-disk/variables.tf
new file mode 100644
index 00000000..37a61bc2
--- /dev/null
+++ b/quickstart/201-confidential-os-disk/variables.tf
@@ -0,0 +1,10 @@
+variable "location" {
+ type = string
+ description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+ type = string
+ default = "tftest"
+ description = "Prefix of the resource name"
+}
diff --git a/quickstart/201-confidential-vm/main.tf b/quickstart/201-confidential-vm/main.tf
new file mode 100644
index 00000000..c590a84a
--- /dev/null
+++ b/quickstart/201-confidential-vm/main.tf
@@ -0,0 +1,145 @@
+resource "azurerm_resource_group" "example" {
+ name = "${var.name_prefix}-rg"
+ location = var.location
+}
+
+// Key Vault and Disk Encryption Set
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "example" {
+ name = "${var.name_prefix}-kv"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ sku_name = "premium"
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ enabled_for_disk_encryption = true
+ purge_protection_enabled = true
+ soft_delete_retention_days = 7
+}
+
+resource "azurerm_key_vault_access_policy" "service-principal" {
+ key_vault_id = azurerm_key_vault.example.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+
+ key_permissions = [
+ "Create",
+ "Delete",
+ "Get",
+ "Purge",
+ "Update",
+ ]
+
+ secret_permissions = [
+ "Get",
+ "Delete",
+ "Set",
+ ]
+}
+
+resource "azurerm_key_vault_key" "example" {
+ name = "examplekey"
+ key_vault_id = azurerm_key_vault.example.id
+ key_type = "RSA-HSM"
+ key_size = 2048
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+
+ depends_on = [azurerm_key_vault_access_policy.service-principal]
+}
+
+resource "azurerm_disk_encryption_set" "example" {
+ name = "${var.name_prefix}-des"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ key_vault_key_id = azurerm_key_vault_key.example.id
+ encryption_type = "ConfidentialVmEncryptedWithCustomerKey"
+
+ identity {
+ type = "SystemAssigned"
+ }
+}
+
+resource "azurerm_key_vault_access_policy" "disk-encryption" {
+ key_vault_id = azurerm_key_vault.example.id
+
+ key_permissions = [
+ "Get",
+ "WrapKey",
+ "UnwrapKey",
+ ]
+
+ tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
+ object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
+}
+
+// Virtual Machine
+resource "azurerm_virtual_network" "example" {
+ name = "${var.name_prefix}-vnet"
+ address_space = ["10.0.0.0/16"]
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+ name = "${var.name_prefix}-subnet"
+ resource_group_name = azurerm_resource_group.example.name
+ virtual_network_name = azurerm_virtual_network.example.name
+ address_prefixes = ["10.0.2.0/24"]
+}
+
+resource "azurerm_network_interface" "example" {
+ name = "${var.name_prefix}-nic"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+resource "azurerm_linux_virtual_machine" "test" {
+ name = "${var.name_prefix}-vm"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ size = "Standard_DC2as_v5"
+ admin_username = "azureuser"
+ network_interface_ids = [
+ azurerm_network_interface.example.id,
+ ]
+
+ admin_ssh_key {
+ username = "azureuser"
+ public_key = var.vm_public_key
+ }
+
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ security_encryption_type = "DiskWithVMGuestState"
+ secure_vm_disk_encryption_set_id = azurerm_disk_encryption_set.example.id
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "0001-com-ubuntu-confidential-vm-focal"
+ sku = "20_04-lts-cvm"
+ version = "latest"
+ }
+
+ vtpm_enabled = true
+ secure_boot_enabled = true
+
+ depends_on = [
+ azurerm_key_vault_access_policy.disk-encryption,
+ ]
+}
diff --git a/quickstart/201-confidential-vm/provider.tf b/quickstart/201-confidential-vm/provider.tf
new file mode 100644
index 00000000..4accb4e0
--- /dev/null
+++ b/quickstart/201-confidential-vm/provider.tf
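Review bot: The `service-principal` access policy grants `secret_permissions` (`Get`, `Delete`, `Set`) although nothing in this file creates or reads a Key Vault secret, and its `Purge` key permission has no effect while the vault has `purge_protection_enabled = true`; both can be removed so the deploying identity holds only the key rights that `azurerm_key_vault_key.example` needs (`Create`, `Delete`, `Get`, `Update`). Similarly `key_opts` on `examplekey` enables `encrypt`/`decrypt`/`sign`/`verify`, but the only consumer in this file is the disk encryption set, whose `disk-encryption` policy is granted just `Get`/`WrapKey`/`UnwrapKey`; `key_opts = ["unwrapKey", "wrapKey"]` should be sufficient for that use and keeps the HSM key single-purpose. As a point of style, the VM resource is labelled `"test"` while every other resource in the file is `"example"`, and `identity.0.tenant_id` uses the legacy splat form where `identity[0].tenant_id` is the current idiom.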
@@ -0,0 +1,20 @@
+terraform {
+ required_version = ">=1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.8"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ recover_soft_deleted_key_vaults = false
+ purge_soft_delete_on_destroy = false
+ purge_soft_deleted_keys_on_destroy = false
+ }
+ }
+}
diff --git a/quickstart/201-confidential-vm/readme.md b/quickstart/201-confidential-vm/readme.md
new file mode 100644
index 00000000..fb7cb1eb
--- /dev/null
+++ b/quickstart/201-confidential-vm/readme.md
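Review bot: The three `key_vault` feature flags are undocumented, and together with `purge_protection_enabled = true` and `soft_delete_retention_days = 7` on the vault in main.tf they make the example hard to re-run: after `terraform destroy` the vault and key remain soft-deleted (purge protection rules out an early purge), and with `recover_soft_deleted_key_vaults = false` a second apply with the same `name_prefix` will, if I read the provider's behaviour correctly, fail on the reserved vault name rather than recover it. Suggest a comment above the `features` block such as `# Soft-deleted vaults/keys are neither recovered nor purged on destroy; re-applying with the same name_prefix within the 7-day retention window will fail.` so the reader knows to pick a new prefix or change these flags deliberately.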
@@ -0,0 +1,27 @@
+# Azure confidential virtual machine
+
+This template deploys an Azure confidential virtual machine with disk encrypted by customer managed key.
+
+## Resources
+
+- [azurerm_disk_encryption_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/disk_encryption_set)
+- [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault)
+- [azurerm_key_vault_access_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy)
+- [azurerm_key_vault_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key)
+- [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `vm_public_key` | (Required) Public key of the Virtual Machine.|
+| `name_prefix` | (Optional) Prefix of the resource name. Value defaults to: tftest|
+
+## Example
+
+To see how to run this example, see [Create an Azure confidential virtual machine using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-confidential-vm).
diff --git a/quickstart/201-confidential-vm/variables.tf b/quickstart/201-confidential-vm/variables.tf
new file mode 100644
index 00000000..c3125425
--- /dev/null
+++ b/quickstart/201-confidential-vm/variables.tf
@@ -0,0 +1,15 @@
+variable "location" {
+ type = string
+ description = "Location where resources will be created"
+}
+
+variable "vm_public_key" {
+ type = string
+ description = "Public key of the Virtual Machine"
+}
+
+variable "name_prefix" {
+ type = string
+ default = "tftest"
+ description = "Prefix of the resource name"
+}
diff --git a/quickstart/201-confidential-vmss/main.tf b/quickstart/201-confidential-vmss/main.tf
new file mode 100644
index 00000000..78d00637
--- /dev/null
+++ b/quickstart/201-confidential-vmss/main.tf
@@ -0,0 +1,55 @@
+resource "azurerm_resource_group" "example" {
+ name = "${var.name_prefix}-rg"
+ location = var.location
+}
+
+resource "azurerm_virtual_network" "example" {
+ name = "${var.name_prefix}-vnet"
+ address_space = ["10.0.0.0/16"]
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+ name = "${var.name_prefix}-subnet"
+ resource_group_name = azurerm_resource_group.example.name
+ virtual_network_name = azurerm_virtual_network.example.name
+ address_prefixes = ["10.0.2.0/24"]
+}
+
+resource "azurerm_windows_virtual_machine_scale_set" "example" {
+ name = "${var.name_prefix}-vmss"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ sku = "Standard_DC2as_v5"
+ instances = 2
+ admin_username = "adminuser"
+ admin_password = var.admin_password
+ computer_name_prefix = "vmss"
+
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "windows-cvm"
+ sku = "2022-datacenter-cvm"
+ version = "latest"
+ }
+
+ os_disk {
+ storage_account_type = "Premium_LRS"
+ caching = "None"
+ security_encryption_type = "VMGuestStateOnly"
+ }
+
+ network_interface {
+ name = "example"
+ primary = true
+ ip_configuration {
+ name = "internal"
+ primary = true
+ subnet_id = azurerm_subnet.example.id
+ }
+ }
+
+ vtpm_enabled = true
+ secure_boot_enabled = true
+}
diff --git a/quickstart/201-confidential-vmss/provider.tf b/quickstart/201-confidential-vmss/provider.tf
new file mode 100644
index 00000000..6b2a6509
--- /dev/null
+++ b/quickstart/201-confidential-vmss/provider.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">=1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.8"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
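Review bot: The scale set hard-codes `sku = "Standard_DC2as_v5"`, `admin_username = "adminuser"` and `instances = 2` while `admin_password` is the only operational value exposed as a variable; the DC-series size is the value a reader is most likely to have to change (its availability varies by region, as far as I know), so exposing it as `variable "vm_sku"` with this value as the default would make the example reusable without edits. The username also differs from the `azureuser` used by the sibling VM example, and `storage_account_type` is `Premium_LRS` here but `Standard_LRS` in the VM and OS-disk examples with no stated reason; aligning them, or adding a one-line comment explaining the choice, would make the three quickstarts read as one set. Note also that `security_encryption_type = "VMGuestStateOnly"` is the key decision in this file — the OS disk itself is not confidentially encrypted — and deserves a comment saying so, mirroring the readme's wording.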
diff --git a/quickstart/201-confidential-vmss/readme.md b/quickstart/201-confidential-vmss/readme.md
new file mode 100644
index 00000000..d1f2032b
--- /dev/null
+++ b/quickstart/201-confidential-vmss/readme.md
@@ -0,0 +1,22 @@
+# Azure confidential virtual machine scale set
+
+This template deploys an Azure confidential virtual machine scale set with guest state encrypted only.
+
+## Resources
+
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_windows_virtual_machine_scale_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine_scale_set)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `admin_password` | (Required) Admin password of the virtual machine scale set.|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Optional) Prefix of the resource name. Value defaults to: tftest|
+
+## Example
+
+To see how to run this example, see [Create an Azure confidential virtual machine scale set using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-confidential-vmss).
diff --git a/quickstart/201-confidential-vmss/variables.tf b/quickstart/201-confidential-vmss/variables.tf
new file mode 100644
index 00000000..897b03aa
--- /dev/null
+++ b/quickstart/201-confidential-vmss/variables.tf
@@ -0,0 +1,16 @@
+variable "admin_password" {
+ type = string
+ sensitive = true
+ description = "Admin password of the virtual machine scale set"
+}
+
+variable "location" {
+ type = string
+ description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+ type = string
+ default = "tftest"
+ description = "Prefix of the resource name"
+}
diff --git a/quickstart/README.md b/quickstart/README.md
index 29fa2663..6b716ef5 100644
--- a/quickstart/README.md
+++ b/quickstart/README.md
@@ -33,6 +33,9 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope - [Azure virtual machine scale set with jumpbox from Packer custom image](./201-vmss-packer-jumpbox) - [Azure PostgreSQL Flexible Server Database](./201-postgresql-fs-db) - [Azure MySQL Flexible Server Database](./201-mysql-fs-db) +- [Azure Confidential OS Disk](./201-confidential-os-disk) +- [Azure Confidential Virtual Machine](./201-confidential-vm) +- [Azure Confidential Virtual Machine Scale Set](./201-confidential-vmss) #### Advanced - [Azure Service Fabric](./301-service-fabric/) From e11e21b5251784e25f114eb7df69fdfbc310184f Mon Sep 17 00:00:00 2001
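Review bot: `admin_password` is correctly marked `sensitive = true`, but nothing validates it before it reaches `azurerm_windows_virtual_machine_scale_set`, so a value that does not meet the platform's Windows password rules is rejected only at create time, after the resource group, network and subnet have already been built. A `validation` block on the variable — for example a `condition` of `length(var.admin_password) >= 12` with an `error_message` pointing at the Azure VM password requirements (confirm the current minimum against the docs) — moves that failure to `terraform plan`. The `description` could also state that the value is never written to output, which is the reason `sensitive = true` is there.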
From: Yichun Ma Date: Tue, 28 Jun 2022 15:52:32 +0800 Subject: [PATCH 2/2] resolve comments --- .../{provider.tf => providers.tf} | 0 quickstart/201-confidential-os-disk/readme.md | 2 +- quickstart/201-confidential-os-disk/variables.tf | 1 - quickstart/201-confidential-vm/main.tf | 3 +++ .../201-confidential-vm/{provider.tf => providers.tf} | 0 quickstart/201-confidential-vm/readme.md | 2 +- quickstart/201-confidential-vm/variables.tf | 11 +++++------ quickstart/201-confidential-vmss/main.tf | 3 +++ .../{provider.tf => providers.tf} | 0 quickstart/201-confidential-vmss/readme.md | 2 +- quickstart/201-confidential-vmss/variables.tf | 1 - 11 files changed, 14 insertions(+), 11 deletions(-) rename quickstart/201-confidential-os-disk/{provider.tf => providers.tf} (100%) rename quickstart/201-confidential-vm/{provider.tf => providers.tf} (100%) rename quickstart/201-confidential-vmss/{provider.tf => providers.tf} (100%) diff --git a/quickstart/201-confidential-os-disk/provider.tf b/quickstart/201-confidential-os-disk/providers.tf similarity index 100% rename from quickstart/201-confidential-os-disk/provider.tf rename to quickstart/201-confidential-os-disk/providers.tf diff --git a/quickstart/201-confidential-os-disk/readme.md b/quickstart/201-confidential-os-disk/readme.md index b5cbba57..6b89fb3d 100644 --- a/quickstart/201-confidential-os-disk/readme.md +++ b/quickstart/201-confidential-os-disk/readme.md @@ -12,7 +12,7 @@ This template deploys an Azure confidential os disk encrypted by platform key. | Name | Description | |-|-| | `location` | (Required) Azure Region in which to deploy these resources.| -| `name_prefix` | (Optional) Prefix of the resource name. Value defaults to: tftest| +| `name_prefix` | (Required) Prefix of the resource name.| ## Example diff --git a/quickstart/201-confidential-os-disk/variables.tf b/quickstart/201-confidential-os-disk/variables.tf index 37a61bc2..d0d1cc7c 100644 --- a/quickstart/201-confidential-os-disk/variables.tf 
+++ b/quickstart/201-confidential-os-disk/variables.tf @@ -5,6 +5,5 @@ variable "location" { variable "name_prefix" { type = string - default = "tftest" description = "Prefix of the resource name" } diff --git a/quickstart/201-confidential-vm/main.tf b/quickstart/201-confidential-vm/main.tf index c590a84a..71ffe5da 100644 --- a/quickstart/201-confidential-vm/main.tf +++ b/quickstart/201-confidential-vm/main.tf @@ -111,7 +111,10 @@ resource "azurerm_linux_virtual_machine" "test" { name = "${var.name_prefix}-vm" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location + + # Available sizes for Confidential VM can be found at: https://docs.microsoft.com/azure/confidential-computing/confidential-vm-overview size = "Standard_DC2as_v5" + admin_username = "azureuser" network_interface_ids = [ azurerm_network_interface.example.id, diff --git a/quickstart/201-confidential-vm/provider.tf b/quickstart/201-confidential-vm/providers.tf similarity index 100% rename from quickstart/201-confidential-vm/provider.tf rename to quickstart/201-confidential-vm/providers.tf diff --git a/quickstart/201-confidential-vm/readme.md b/quickstart/201-confidential-vm/readme.md index fb7cb1eb..347abd3b 100644 --- a/quickstart/201-confidential-vm/readme.md +++ b/quickstart/201-confidential-vm/readme.md @@ -19,8 +19,8 @@ This template deploys an Azure confidential virtual machine with disk encrypted | Name | Description | |-|-| | `location` | (Required) Azure Region in which to deploy these resources.| +| `name_prefix` | (Required) Prefix of the resource name.| | `vm_public_key` | (Required) Public key of the Virtual Machine.| -| `name_prefix` | (Optional) Prefix of the resource name. Value defaults to: tftest| ## Example diff --git a/quickstart/201-confidential-vm/variables.tf b/quickstart/201-confidential-vm/variables.tf index c3125425..b5e9aa6e 100644 --- a/quickstart/201-confidential-vm/variables.tf 
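Review bot: Removing the default makes `name_prefix` required but leaves it unconstrained, and the examples interpolate it into resource names with different naming rules — in particular `${var.name_prefix}-kv` in the confidential-vm example has to satisfy Key Vault naming (3–24 characters, letters, digits and hyphens, globally unique), so an unsuitable prefix fails only at apply time after the resource group and network already exist. A `validation` block with a `can(regex("^[a-zA-Z][a-zA-Z0-9-]{0,19}$", var.name_prefix))`-style `condition` (bounds to be tuned to the longest suffix used) would surface that at plan time; the same applies to the `name_prefix` hunks in `201-confidential-vm/variables.tf` and `201-confidential-vmss/variables.tf` further down this patch. The enclosing `variable "name_prefix"` block lies entirely within this hunk.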
+++ b/quickstart/201-confidential-vm/variables.tf @@ -3,13 +3,12 @@ variable "location" { description = "Location where resources will be created" } +variable "name_prefix" { + type = string + description = "Prefix of the resource name" +} + variable "vm_public_key" { type = string description = "Public key of the Virtual Machine" } - -variable "name_prefix" { - type = string - default = "tftest" - description = "Prefix of the resource name" -} diff --git a/quickstart/201-confidential-vmss/main.tf b/quickstart/201-confidential-vmss/main.tf index 78d00637..6ced7db2 100644 --- a/quickstart/201-confidential-vmss/main.tf +++ b/quickstart/201-confidential-vmss/main.tf @@ -21,7 +21,10 @@ resource "azurerm_windows_virtual_machine_scale_set" "example" { name = "${var.name_prefix}-vmss" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location + + # Available skus for Confidential VMSS can be found at: https://docs.microsoft.com/azure/confidential-computing/confidential-vm-overview sku = "Standard_DC2as_v5" + instances = 2 admin_username = "adminuser" admin_password = var.admin_password diff --git a/quickstart/201-confidential-vmss/provider.tf b/quickstart/201-confidential-vmss/providers.tf similarity index 100% rename from quickstart/201-confidential-vmss/provider.tf rename to quickstart/201-confidential-vmss/providers.tf diff --git a/quickstart/201-confidential-vmss/readme.md b/quickstart/201-confidential-vmss/readme.md index d1f2032b..66187ac3 100644 --- a/quickstart/201-confidential-vmss/readme.md +++ b/quickstart/201-confidential-vmss/readme.md 
@@ -15,7 +15,7 @@ This template deploys an Azure confidential virtual machine scale set with guest |-|-| | `admin_password` | (Required) Admin password of the virtual machine scale set.| | `location` | (Required) Azure Region in which to deploy these resources.| -| `name_prefix` | (Optional) Prefix of the resource name. Value defaults to: tftest| +| `name_prefix` | (Required) Prefix of the resource name.| ## Example diff --git a/quickstart/201-confidential-vmss/variables.tf b/quickstart/201-confidential-vmss/variables.tf index 897b03aa..762681e0 100644 --- a/quickstart/201-confidential-vmss/variables.tf +++ b/quickstart/201-confidential-vmss/variables.tf @@ -11,6 +11,5 @@ variable "location" { variable "name_prefix" { type = string - default = "tftest" description = "Prefix of the resource name" }