diff --git a/quickstart/201-vm-disk-encryption-extension/main.tf b/quickstart/201-vm-disk-encryption-extension/main.tf
new file mode 100644
index 00000000..7069557d
--- /dev/null
+++ b/quickstart/201-vm-disk-encryption-extension/main.tf
@@ -0,0 +1,132 @@
+resource "azurerm_resource_group" "example" {
+ name = "${var.name_prefix}-rg"
+ location = var.location
+}
+
+// Key Vault Key
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "example" {
+ name = "${var.name_prefix}-kv"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ sku_name = "premium"
+ enabled_for_disk_encryption = true
+ purge_protection_enabled = true
+ soft_delete_retention_days = 7
+}
+
+resource "azurerm_key_vault_access_policy" "service-principal" {
+ key_vault_id = azurerm_key_vault.example.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+
+ key_permissions = [
+ "Create",
+ "Delete",
+ "Get",
+ "Update",
+ ]
+
+ secret_permissions = [
+ "Get",
+ "Delete",
+ "Set",
+ ]
+}
+
+resource "azurerm_key_vault_key" "example" {
+ name = "examplekey"
+ key_vault_id = azurerm_key_vault.example.id
+ key_type = "RSA-HSM"
+ key_size = 2048
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+
+ depends_on = [
+ azurerm_key_vault_access_policy.service-principal
+ ]
+}
+
+// Virtual Machine
+resource "azurerm_virtual_network" "example" {
+ name = "${var.name_prefix}-vnet"
+ address_space = ["10.0.0.0/16"]
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+ name = "${var.name_prefix}-subnet"
+ resource_group_name = azurerm_resource_group.example.name
+ virtual_network_name = azurerm_virtual_network.example.name
+ address_prefixes = ["10.0.2.0/24"]
+}
+
+resource "azurerm_network_interface" "example" {
+ name = "${var.name_prefix}-nic"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+resource "azurerm_linux_virtual_machine" "example" {
+ name = "${var.name_prefix}-vm"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ size = "Standard_D2s_v3"
+ admin_username = "azureuser"
+ network_interface_ids = [
+ azurerm_network_interface.example.id,
+ ]
+
+ admin_ssh_key {
+ username = "azureuser"
+ public_key = var.vm_public_key
+ }
+
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "16.04-LTS"
+ version = "latest"
+ }
+
+ os_disk {
+ storage_account_type = "Standard_LRS"
+ caching = "ReadWrite"
+ }
+}
+
+// Disk Encryption Extension
+resource "azurerm_virtual_machine_extension" "example" {
+ name = "AzureDiskEncryptionForLinux"
+ publisher = "Microsoft.Azure.Security"
+ type = "AzureDiskEncryptionForLinux"
+ type_handler_version = "1.1"
+ auto_upgrade_minor_version = false
+ virtual_machine_id = azurerm_linux_virtual_machine.example.id
+
+ settings = jsonencode({
+ "EncryptionOperation" = "EnableEncryption"
+ "KeyEncryptionAlgorithm" = "RSA-OAEP"
+ "KeyVaultURL" = azurerm_key_vault.example.vault_uri
+ "KeyVaultResourceId" = azurerm_key_vault.example.id
+ "KeyEncryptionKeyURL" = azurerm_key_vault_key.example.id
+ "KekVaultResourceId" = azurerm_key_vault.example.id
+ "VolumeType" = "All"
+ })
+}
diff --git a/quickstart/201-vm-disk-encryption-extension/providers.tf b/quickstart/201-vm-disk-encryption-extension/providers.tf
new file mode 100644
index 00000000..684448ec
--- /dev/null
+++ b/quickstart/201-vm-disk-encryption-extension/providers.tf
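Review bot: The `source_image_reference` block pins `offer = "UbuntuServer"` / `sku = "16.04-LTS"`, an Ubuntu release that left standard support in April 2021, so the quickstart encrypts the disks of a VM whose OS no longer receives security updates; move to a currently supported LTS that the Azure Disk Encryption for Linux extension lists as supported (newer Canonical images are published under a different offer, e.g. `offer = "0001-com-ubuntu-server-jammy"`, `sku = "22_04-lts"` — confirm against the publisher's current image list before changing it). The key's `key_opts` also grants `encrypt`, `decrypt`, `sign` and `verify` to a key that the extension only uses as a KEK to wrap and unwrap the volume encryption secret; trimming it to `key_opts = ["unwrapKey", "wrapKey"]` keeps the KEK single-purpose. Finally, `auto_upgrade_minor_version = false` together with `type_handler_version = "1.1"` freezes the extension, so fixes in later 1.x handler builds are never picked up unless someone edits the template; either set it to `true` or add a comment such as `# pinned deliberately; review the handler version when updating this quickstart` so the pin is a conscious choice.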
@@ -0,0 +1,20 @@
+terraform {
+ required_version = ">=1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ recover_soft_deleted_key_vaults = false
+ purge_soft_delete_on_destroy = false
+ purge_soft_deleted_keys_on_destroy = false
+ }
+ }
+}
diff --git a/quickstart/201-vm-disk-encryption-extension/readme.md b/quickstart/201-vm-disk-encryption-extension/readme.md
new file mode 100644
index 00000000..ebb740f5
--- /dev/null
+++ b/quickstart/201-vm-disk-encryption-extension/readme.md
@@ -0,0 +1,27 @@
+# Azure virtual machine with disk encryption extension
+
+This template deploys an Azure virtual machine with disk encryption extension.
+
+## Resources
+
+- [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault)
+- [azurerm_key_vault_access_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy)
+- [azurerm_key_vault_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key)
+- [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine)
+- [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_machine_extension](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Required) Prefix of the resource name.|
+| `vm_public_key` | (Required) Public key of the Virtual Machine.|
+
+## Example
+
+To see how to run this example, see [Create an Azure virtual machine with disk encryption extension using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-vm-with-disk-encryption-extension).
diff --git a/quickstart/201-vm-disk-encryption-extension/variables.tf b/quickstart/201-vm-disk-encryption-extension/variables.tf
new file mode 100644
index 00000000..b5e9aa6e
--- /dev/null
+++ b/quickstart/201-vm-disk-encryption-extension/variables.tf
@@ -0,0 +1,14 @@
+variable "location" {
+ type = string
+ description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+ type = string
+ description = "Prefix of the resource name"
+}
+
+variable "vm_public_key" {
+ type = string
+ description = "Public key of the Virtual Machine"
+}
diff --git a/quickstart/201-vmss-disk-encryption-extension/main.tf b/quickstart/201-vmss-disk-encryption-extension/main.tf
new file mode 100644
index 00000000..f290e829
--- /dev/null
+++ b/quickstart/201-vmss-disk-encryption-extension/main.tf
@@ -0,0 +1,126 @@
+resource "azurerm_resource_group" "example" {
+ name = "${var.name_prefix}-rg"
+ location = var.location
+}
+
+// Key Vault Key
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "example" {
+ name = "${var.name_prefix}-kv"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ sku_name = "premium"
+ enabled_for_disk_encryption = true
+ purge_protection_enabled = true
+ soft_delete_retention_days = 7
+}
+
+resource "azurerm_key_vault_access_policy" "service-principal" {
+ key_vault_id = azurerm_key_vault.example.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+
+ key_permissions = [
+ "Create",
+ "Delete",
+ "Get",
+ "Update",
+ ]
+
+ secret_permissions = [
+ "Get",
+ "Delete",
+ "Set",
+ ]
+}
+
+resource "azurerm_key_vault_key" "example" {
+ name = "examplekey"
+ key_vault_id = azurerm_key_vault.example.id
+ key_type = "RSA-HSM"
+ key_size = 3072
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+
+ depends_on = [
+ azurerm_key_vault_access_policy.service-principal
+ ]
+}
+
+// Virtual Machine Scale Set
+resource "azurerm_virtual_network" "example" {
+ name = "${var.name_prefix}-vnet"
+ address_space = ["10.0.0.0/16"]
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+ name = "${var.name_prefix}-subnet"
+ resource_group_name = azurerm_resource_group.example.name
+ virtual_network_name = azurerm_virtual_network.example.name
+ address_prefixes = ["10.0.2.0/24"]
+}
+
+resource "azurerm_windows_virtual_machine_scale_set" "example" {
+ name = "${var.name_prefix}-vmss"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ sku = "Standard_D2s_v3"
+ instances = 2
+ admin_username = "adminuser"
+ admin_password = var.admin_password
+ computer_name_prefix = "vmss"
+ upgrade_mode = "Automatic"
+
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2022-Datacenter"
+ version = "latest"
+ }
+
+ os_disk {
+ storage_account_type = "Premium_LRS"
+ caching = "None"
+ }
+
+ network_interface {
+ name = "example"
+ primary = true
+ ip_configuration {
+ name = "internal"
+ primary = true
+ subnet_id = azurerm_subnet.example.id
+ }
+ }
+}
+
+// Disk Encryption Extension
+resource "azurerm_virtual_machine_scale_set_extension" "example" {
+ name = "AzureDiskEncryption"
+ publisher = "Microsoft.Azure.Security"
+ type = "AzureDiskEncryption"
+ type_handler_version = "2.2"
+ auto_upgrade_minor_version = false
+ virtual_machine_scale_set_id = azurerm_windows_virtual_machine_scale_set.example.id
+
+ settings = jsonencode({
+ "EncryptionOperation" = "EnableEncryption"
+ "KeyEncryptionAlgorithm" = "RSA-OAEP"
+ "KeyVaultURL" = azurerm_key_vault.example.vault_uri
+ "KeyVaultResourceId" = azurerm_key_vault.example.id
+ "KeyEncryptionKeyURL" = azurerm_key_vault_key.example.id
+ "KekVaultResourceId" = azurerm_key_vault.example.id
+ "VolumeType" = "All"
+ })
+}
diff --git a/quickstart/201-vmss-disk-encryption-extension/providers.tf b/quickstart/201-vmss-disk-encryption-extension/providers.tf
new file mode 100644
index 00000000..e2d198c6
--- /dev/null
+++ b/quickstart/201-vmss-disk-encryption-extension/providers.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_version = ">=1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.8"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ recover_soft_deleted_key_vaults = false
+ purge_soft_delete_on_destroy = false
+ purge_soft_deleted_keys_on_destroy = false
+ }
+ }
+}
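Review bot: `soft_delete_retention_days = 7` is the minimum Key Vault allows, yet this vault holds the key encryption key for every instance's OS and data disks (`"VolumeType" = "All"`); if that key is deleted, seven days is a short window to notice and recover before the encrypted disks become permanently unreadable, so `soft_delete_retention_days = 90` is the safer setting for a KEK vault (purge protection is already on, which is the right companion choice). The key's `key_opts` grants `encrypt`, `decrypt`, `sign` and `verify` that the extension does not need for wrapping and unwrapping the volume encryption secret — `key_opts = ["unwrapKey", "wrapKey"]` keeps the KEK single-purpose. The sibling VM quickstart in this same commit creates the equivalent key with `key_size = 2048` while this one uses 3072; aligning both on 3072 avoids the weaker value being copied from the other template. The vault also declares no `network_acls` block, so it accepts requests from any network; if a `default_action = "Deny"` policy is added later, keep `bypass = "AzureServices"` so the disk encryption service can still reach the KEK — verify that against the current ADE firewall guidance.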
diff --git a/quickstart/201-vmss-disk-encryption-extension/readme.md b/quickstart/201-vmss-disk-encryption-extension/readme.md
new file mode 100644
index 00000000..d5407df9
--- /dev/null
+++ b/quickstart/201-vmss-disk-encryption-extension/readme.md
@@ -0,0 +1,26 @@
+# Azure virtual machine scale set with disk encryption extension
+
+This template deploys an Azure virtual machine scale set with disk encryption extension.
+
+## Resources
+
+- [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault)
+- [azurerm_key_vault_access_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy)
+- [azurerm_key_vault_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)
+- [azurerm_virtual_machine_scale_set_extension](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_scale_set_extension)
+- [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)
+- [azurerm_windows_virtual_machine_scale_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine_scale_set)
+
+## Variables
+
+| Name | Description |
+|-|-|
+| `admin_password` | (Required) Admin password of the virtual machine scale set.|
+| `location` | (Required) Azure Region in which to deploy these resources.|
+| `name_prefix` | (Required) Prefix of the resource name.|
+
+## Example
+
+To see how to run this example, see [Create an Azure virtual machine scale set with disk encryption extension using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-vmss-with-disk-encryption-extension).
diff --git a/quickstart/201-vmss-disk-encryption-extension/variables.tf b/quickstart/201-vmss-disk-encryption-extension/variables.tf
new file mode 100644
index 00000000..762681e0
--- /dev/null
+++ b/quickstart/201-vmss-disk-encryption-extension/variables.tf
@@ -0,0 +1,15 @@
+variable "admin_password" {
+ type = string
+ sensitive = true
+ description = "Admin password of the virtual machine scale set"
+}
+
+variable "location" {
+ type = string
+ description = "Location where resources will be created"
+}
+
+variable "name_prefix" {
+ type = string
+ description = "Prefix of the resource name"
+}
diff --git a/quickstart/README.md b/quickstart/README.md
index 6b716ef5..e94f3ca5 100644
--- a/quickstart/README.md
+++ b/quickstart/README.md
@@ -29,6 +29,8 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope
 - [Azure Kubernetes Service with Log Analytics](./201-aks-log-analytics/)
 - [Azure Kubernetes Service with Helm](./201-aks-helm/)
 - [Azure Kubernetes Service with ACR](./201-aks-acr-identity/)
+- [Azure Virtual Machine Disk Encryption Extension](./201-vm-disk-encryption-extension)
+- [Azure Virtual Machine Scale Set Disk Encryption Extension](./201-vmss-disk-encryption-extension)
 - [Azure virtual machine scale set with jumpbox](./201-vmss-jumpbox)
 - [Azure virtual machine scale set with jumpbox from Packer custom image](./201-vmss-packer-jumpbox)
 - [Azure PostgreSQL Flexible Server Database](./201-postgresql-fs-db)