resource "random_pet" "prefix" {} resource "azurerm_resource_group" "example" { name = "${random_pet.prefix.id}-rg" location = var.location } // Key Vault and Disk Encryption Set data "azurerm_client_config" "current" {} locals { current_user_object_id = coalesce(var.msi_id, data.azurerm_client_config.current.object_id) } resource "azurerm_key_vault" "example" { name = "${random_pet.prefix.id}-kv" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name sku_name = "premium" tenant_id = data.azurerm_client_config.current.tenant_id enabled_for_disk_encryption = true purge_protection_enabled = true soft_delete_retention_days = 7 } resource "azurerm_key_vault_access_policy" "current_user" { key_vault_id = azurerm_key_vault.example.id tenant_id = data.azurerm_client_config.current.tenant_id object_id = local.current_user_object_id key_permissions = [ "Create", "Delete", "Get", "Purge", "Update", "GetRotationPolicy", ] secret_permissions = [ "Get", "Delete", "Set", ] } resource "azurerm_key_vault_key" "example" { name = "examplekey" key_vault_id = azurerm_key_vault.example.id key_type = "RSA-HSM" key_size = 2048 key_opts = [ "decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", ] depends_on = [azurerm_key_vault_access_policy.current_user] } resource "azurerm_disk_encryption_set" "example" { name = "${random_pet.prefix.id}-des" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location key_vault_key_id = azurerm_key_vault_key.example.id encryption_type = "ConfidentialVmEncryptedWithCustomerKey" identity { type = "SystemAssigned" } } resource "azurerm_key_vault_access_policy" "disk-encryption" { key_vault_id = azurerm_key_vault.example.id key_permissions = [ "Get", "WrapKey", "UnwrapKey", ] tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id object_id = azurerm_disk_encryption_set.example.identity.0.principal_id } // Virtual Machine resource "azurerm_virtual_network" "example" { name = "${random_pet.prefix.id}-vnet" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name } resource "azurerm_subnet" "example" { name = "${random_pet.prefix.id}-subnet" resource_group_name = azurerm_resource_group.example.name virtual_network_name = azurerm_virtual_network.example.name address_prefixes = ["10.0.2.0/24"] } resource "azurerm_network_interface" "example" { name = "${random_pet.prefix.id}-nic" location = azurerm_resource_group.example.location resource_group_name = azurerm_resource_group.example.name ip_configuration { name = "internal" subnet_id = azurerm_subnet.example.id private_ip_address_allocation = "Dynamic" } } resource "tls_private_key" "vm_key" { algorithm = "RSA" rsa_bits = 4096 } resource "azurerm_linux_virtual_machine" "test" { name = "${random_pet.prefix.id}-vm" resource_group_name = azurerm_resource_group.example.name location = azurerm_resource_group.example.location # Available sizes for Confidential VM can be found at: https://docs.microsoft.com/azure/confidential-computing/confidential-vm-overview size = "Standard_DC2as_v5" admin_username = "azureuser" network_interface_ids = [ azurerm_network_interface.example.id, ] admin_ssh_key { username = "azureuser" public_key = tls_private_key.vm_key.public_key_openssh } os_disk { caching = "ReadWrite" storage_account_type = "Standard_LRS" security_encryption_type = "DiskWithVMGuestState" secure_vm_disk_encryption_set_id = azurerm_disk_encryption_set.example.id } source_image_reference { publisher = "Canonical" offer = "0001-com-ubuntu-confidential-vm-focal" sku = "20_04-lts-cvm" version = "latest" } vtpm_enabled = true secure_boot_enabled = true depends_on = [ azurerm_key_vault_access_policy.disk-encryption, ] }