terraform-azurerm-compute/README.md

52 KiB

terraform-azurerm-compute

Notice on Upgrade to V4.x

We've added a CI pipeline for this module to speed up our code review and to enforce a high code quality standard, if you want to contribute by submitting a pull request, please read Pre-Commit & Pr-Check & Test section, or your pull request might be rejected by CI pipeline.

A pull request will be reviewed when it has passed Pre Pull Request Check in the pipeline, and will be merged when it has passed the acceptance tests. Once the ci Pipeline failed, please read the pipeline's output, thanks for your cooperation.

V4.0.0 is a major version upgrade. Extreme caution must be taken during the upgrade to avoid resource replacement and downtime by accident.

Running the terraform plan first to inspect the plan is strongly advised.

Deploys 1+ Virtual Machines to your provided VNet

This Terraform module deploys Virtual Machines in Azure with the following characteristics:

  • Ability to specify a simple string to get the latest marketplace image using var.vm_os_simple
  • All VMs use managed disks
  • Network Security Group (NSG) created with a single remote access rule which opens var.remote_port port or auto calculated port number if using var.vm_os_simple to all nics
  • VM nics attached to a single virtual network subnet of your choice (new or existing) via var.vnet_subnet_id.
  • Control the number of Public IP addresses assigned to VMs via var.nb_public_ip. Create and attach one Public IP per VM up to the number of VMs or create NO public IPs via setting var.nb_public_ip to 0.
  • Control SKU and Allocation Method of the public IPs via var.allocation_method and var.public_ip_sku.

Note: Terraform module registry is incorrect in the number of required parameters since it only deems required based on variables with non-existent values. The actual minimum required variables depends on the configuration and is specified below in the usage.

Usage in Terraform 0.13

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

module "linuxservers" {
  source              = "Azure/compute/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  vm_os_simple        = "UbuntuServer"
  public_ip_dns       = ["linsimplevmips"] // change to a unique name per datacenter region
  vnet_subnet_id      = module.network.vnet_subnets[0]

  depends_on = [azurerm_resource_group.example]
}

module "windowsservers" {
  source              = "Azure/compute/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  is_windows_image    = true
  vm_hostname         = "mywinvm" // line can be removed if only one VM module per resource group
  admin_password      = "ComplxP@ssw0rd!"
  vm_os_simple        = "WindowsServer"
  public_ip_dns       = ["winsimplevmips"] // change to a unique name per datacenter region
  vnet_subnet_id      = module.network.vnet_subnets[0]

  depends_on = [azurerm_resource_group.example]
}

module "network" {
  source              = "Azure/network/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  subnet_prefixes     = ["10.0.1.0/24"]
  subnet_names        = ["subnet1"]

  depends_on = [azurerm_resource_group.example]
}

output "linux_vm_public_name" {
  value = module.linuxservers.public_ip_dns_name
}

output "windows_vm_public_name" {
  value = module.windowsservers.public_ip_dns_name
}

Simple Usage in Terraform 0.12

This contains the bare minimum options to be configured for the VM to be provisioned. The entire code block provisions a Windows and a Linux VM, but feel free to delete one or the other and corresponding outputs. The outputs are also not necessary to provision, but included to make it convenient to know the address to connect to the VMs after provisioning completes.

Provisions an Ubuntu Server 16.04-LTS VM and a Windows 2016 Datacenter Server VM using vm_os_simple to a new VNet and opens up ports 22 for SSH and 3389 for RDP access via the attached public IP to each VM. All resources are provisioned into the default resource group called terraform-compute. The Ubuntu Server will use the ssh key found in the default location ~/.ssh/id_rsa.pub.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

module "linuxservers" {
  source              = "Azure/compute/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  vm_os_simple        = "UbuntuServer"
  public_ip_dns       = ["linsimplevmips"] // change to a unique name per datacenter region
  vnet_subnet_id      = module.network.vnet_subnets[0]
}

module "windowsservers" {
  source              = "Azure/compute/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  is_windows_image    = true
  vm_hostname         = "mywinvm" // line can be removed if only one VM module per resource group
  admin_password      = "ComplxP@ssw0rd!"
  vm_os_simple        = "WindowsServer"
  public_ip_dns       = ["winsimplevmips"] // change to a unique name per datacenter region
  vnet_subnet_id      = module.network.vnet_subnets[0]
}

module "network" {
  source              = "Azure/network/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  subnet_prefixes     = ["10.0.1.0/24"]
  subnet_names        = ["subnet1"]
}

output "linux_vm_public_name" {
  value = module.linuxservers.public_ip_dns_name
}

output "windows_vm_public_name" {
  value = module.windowsservers.public_ip_dns_name
}

Advanced Usage

The following example illustrates some of the configuration options available to deploy a virtual machine. Feel free to remove the Linux or Windows modules and corresponding outputs.

More specifically this provisions:

1 - New vnet for all vms

2 - Ubuntu 18.04 Server VMs using vm_os_publisher, vm_os_offer and vm_os_sku which is configured with:

  • No public IP assigned, so access can only happen through another machine on the vnet.
  • Opens up port 22 for SSH access with the default ~/.ssh/id_rsa.pub key
  • Boot diagnostics is enabled.
  • Additional tags are added to the resource group.
  • OS disk is deleted upon deletion of the VM
  • Add one 64GB premium managed data disk

2 - Windows Server 2012 R2 VMs using vm_os_publisher, vm_os_offer and vm_os_sku which is configured with:

  • Two Public IP addresses (one for each VM)
  • Public IP Addresses allocation method is Static and SKU is Standard
  • Opens up port 3389 for RDP access using the password as shown

3 - New features are supported in v3.0.0:

  • "nb_data_disk" Number of the data disks attached to each virtual machine

  • "enable_ssh_key" Enable ssh key authentication in Linux virtual Machine. When ssh keys are enabled you can either

    • use the default "~/.ssh/id_rsa.pub"
    • set one key by setting a path in ssh_key variable. e.g "joey_id_rsa.pub"
    • set ssh_key and add zero or more files paths in extra_ssh_keys variable e.g. ["ross_id_rsa.pub", "rachel_id_rsa.pub"] (since v3.8.0)
    • set ssh_key_values as a list of raw public ssh keys values or refer it to a data source with the public key value, e.g. ["ssh-rsa AAAAB3NzaC1yc..."]

4 - You can install custom certificates / secrets on the virtual machine from Key Vault by using the variable os_profile_secrets.

The variable accepts a list of maps with the following keys:

  • source_vault_id : The ID of the Key Vault Secret which contains the encrypted Certificate.
  • certificate_url : The certificate URL in Key Vault
  • certificate_store : The certificate store on the Virtual Machine where the certificate should be added to (Windows Only).

In the below example we use the data sources azurerm_key_vault and azurerm_key_vault_certificate to fetch the certificate information from Key Vault and add it to windowsservers via os_profile_secrets parameter.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

data "azurerm_key_vault" "example" {
  name                = "examplekeyvault"
  resource_group_name = azurerm_resource_group.example.name
}

data "azurerm_key_vault_certificate" "example" {
  name         = "example-kv-cert"
  key_vault_id = data.azurerm_key_vault.example.id
}

module "linuxservers" {
  source                           = "Azure/compute/azurerm"
  resource_group_name              = azurerm_resource_group.example.name
  vm_hostname                      = "mylinuxvm"
  nb_public_ip                     = 0
  remote_port                      = "22"
  nb_instances                     = 2
  vm_os_publisher                  = "Canonical"
  vm_os_offer                      = "UbuntuServer"
  vm_os_sku                        = "18.04-LTS"
  vnet_subnet_id                   = module.network.vnet_subnets[0]
  boot_diagnostics                 = true
  delete_os_disk_on_termination    = true
  nb_data_disk                     = 2
  data_disk_size_gb                = 64
  data_sa_type                     = "Premium_LRS"
  enable_ssh_key                   = true
  ssh_key_values                   = ["ssh-rsa AAAAB3NzaC1yc2EAAAAD..."]
  vm_size                          = "Standard_D4s_v3"
  delete_data_disks_on_termination = true

  tags = {
    environment = "dev"
    costcenter  = "it"
  }

  enable_accelerated_networking = true
}

module "windowsservers" {
  source                        = "Azure/compute/azurerm"
  resource_group_name           = azurerm_resource_group.example.name
  vm_hostname                   = "mywinvm"
  is_windows_image              = true
  admin_password                = "ComplxP@ssw0rd!"
  allocation_method             = "Static"
  public_ip_sku                 = "Standard"
  public_ip_dns                 = ["winterravmip", "winterravmip1"]
  nb_public_ip                  = 2
  remote_port                   = "3389"
  nb_instances                  = 2
  vm_os_publisher               = "MicrosoftWindowsServer"
  vm_os_offer                   = "WindowsServer"
  vm_os_sku                     = "2012-R2-Datacenter"
  vm_size                       = "Standard_DS2_V2"
  vnet_subnet_id                = module.network.vnet_subnets[0]
  enable_accelerated_networking = true
  license_type                  = "Windows_Client"
  identity_type                 = "SystemAssigned" // can be empty, SystemAssigned or UserAssigned

  extra_disks = [
    {
      size = 50
      name = "logs"
    },
    {
      size = 200
      name = "backup"
    }
  ]

  os_profile_secrets = [{
    source_vault_id   = data.azurerm_key_vault.example.id
    certificate_url   = data.azurerm_key_vault_certificate.example.secret_id
    certificate_store = "My"
  }]
}

module "network" {
  source              = "Azure/network/azurerm"
  resource_group_name = azurerm_resource_group.example.name
  subnet_prefixes     = ["10.0.1.0/24"]
  subnet_names        = ["subnet1"]
}

output "linux_vm_private_ips" {
  value = module.linuxservers.network_interface_private_ip
}

output "windows_vm_public_name" {
  value = module.windowsservers.public_ip_dns_name
}

output "windows_vm_public_ip" {
  value = module.windowsservers.public_ip_address
}

output "windows_vm_private_ips" {
  value = module.windowsservers.network_interface_private_ip
}

Pre-Commit & Pr-Check & Test

Configurations

We assumed that you have setup service principal's credentials in your environment variables like below:

export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"

On Windows Powershell:

$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_ID="<service_principal_appid>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"

We provide a docker image to run the pre-commit checks and tests for you: mcr.microsoft.com/azterraform:latest

To run the pre-commit task, we can run the following command:

$ docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

On Windows Powershell:

$ docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

In pre-commit task, we will:

  1. Run terraform fmt -recursive command for your Terraform code.
  2. Run terrafmt fmt -f command for markdown files and go code files to ensure that the Terraform code embedded in these files are well formatted.
  3. Run go mod tidy and go mod vendor for test folder to ensure that all the dependencies have been synced.
  4. Run gofmt for all go code files.
  5. Run gofumpt for all go code files.
  6. Run terraform-docs on README.md file, then run markdown-table-formatter to format markdown tables in README.md.

Then we can run the pr-check task to check whether our code meets our pipeline's requirement(We strongly recommend you run the following command before you commit):

$ docker run --rm -v $(pwd):/src -w /src -e CHECKOV_CONFIG=.checkov_config.yaml -e TFLINT_CONFIG=.tflint_alt.hcl mcr.microsoft.com/azterraform:latest make pr-check

On Windows Powershell:

$ docker run --rm -v ${pwd}:/src -w /src -e CHECKOV_CONFIG=.checkov_config.yaml -e TFLINT_CONFIG=.tflint_alt.hcl mcr.microsoft.com/azterraform:latest make pr-check

To run the e2e-test, we can run the following command:

docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

On Windows Powershell:

docker run --rm -v ${pwd}:/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

Prerequisites

Authors

Originally created by David Tesar

License

MIT

Requirements

Name Version
terraform >= 1.2
azurerm >= 3.11, < 4.0
random >=3.0.0

Providers

Name Version
azurerm >= 3.11, < 4.0
random >=3.0.0

Modules

Name Source Version
os ./os n/a

Resources

Name Type
azurerm_availability_set.vm resource
azurerm_network_interface.vm resource
azurerm_network_interface_security_group_association.test resource
azurerm_network_security_group.vm resource
azurerm_network_security_rule.vm resource
azurerm_public_ip.vm resource
azurerm_storage_account.vm-sa resource
azurerm_virtual_machine.vm-linux resource
azurerm_virtual_machine.vm-windows resource
random_id.vm-sa resource
azurerm_public_ip.vm data source
azurerm_resource_group.vm data source

Inputs

Name Description Type Default Required
admin_password The admin password to be used on the VMSS that will be deployed. The password must meet the complexity requirements of Azure. string "" no
admin_username The admin username of the VM that will be deployed. string "azureuser" no
allocation_method Defines how an IP address is assigned. Options are Static or Dynamic. string "Dynamic" no
boot_diagnostics (Optional) Enable or Disable boot diagnostics. bool false no
boot_diagnostics_sa_type (Optional) Storage account type for boot diagnostics. string "Standard_LRS" no
custom_data The custom data to supply to the machine. This can be used as a cloud-init for Linux systems. string "" no
data_disk_size_gb Storage data disk size size. number 30 no
data_sa_type Data Disk Storage Account type. string "Standard_LRS" no
delete_data_disks_on_termination Delete data disks when machine is terminated. bool false no
delete_os_disk_on_termination Delete datadisk when machine is terminated. bool false no
enable_accelerated_networking (Optional) Enable accelerated networking on Network interface. bool false no
enable_ssh_key (Optional) Enable ssh key authentication in Linux virtual Machine. bool true no
extra_disks (Optional) List of extra data disks attached to each virtual machine.
list(object({
name = string
size = number
}))
[] no
extra_ssh_keys Same as ssh_key, but allows for setting multiple public keys. Set your first key in ssh_key, and the extras here. list(string) [] no
identity_ids Specifies a list of user managed identity ids to be assigned to the VM. list(string) [] no
identity_type The Managed Service Identity Type of this Virtual Machine. string "" no
is_windows_image Boolean flag to notify when the custom image is windows based. bool false no
license_type Specifies the BYOL Type for this Virtual Machine. This is only applicable to Windows Virtual Machines. Possible values are Windows_Client and Windows_Server string null no
location (Optional) The location in which the resources will be created. string "" no
nb_data_disk (Optional) Number of the data disks attached to each virtual machine. number 0 no
nb_instances Specify the number of vm instances. number 1 no
nb_public_ip Number of public IPs to assign corresponding to one IP per vm. Set to 0 to not assign any public IP addresses. number 1 no
os_profile_secrets Specifies a list of certificates to be installed on the VM, each list item is a map with the keys source_vault_id, certificate_url and certificate_store. list(map(string)) [] no
public_ip_dns Optional globally unique per datacenter region domain name label to apply to each public ip address. e.g. thisvar.varlocation.cloudapp.azure.com where you specify only thisvar here. This is an array of names which will pair up sequentially to the number of public ips defined in var.nb_public_ip. One name or empty string is required for every public ip. If no public ip is desired, then set this to an array with a single empty string. list(string)
[
null
]
no
public_ip_sku Defines the SKU of the Public IP. Accepted values are Basic and Standard. Defaults to Basic. string "Basic" no
remote_port Remote tcp port to be used for access to the vms created via the nsg applied to the nics. string "" no
resource_group_name The name of the resource group in which the resources will be created. string n/a yes
source_address_prefixes (Optional) List of source address prefixes allowed to access var.remote_port. list(string)
[
"0.0.0.0/0"
]
no
ssh_key Path to the public key to be used for ssh access to the VM. Only used with non-Windows vms and can be left as-is even if using Windows vms. If specifying a path to a certification on a Windows machine to provision a linux vm use the / in the path versus backslash. e.g. c:/home/id_rsa.pub. string "~/.ssh/id_rsa.pub" no
ssh_key_values List of Public SSH Keys values to be used for ssh access to the VMs. list(string) [] no
storage_account_type Defines the type of storage account to be created. Valid options are Standard_LRS, Standard_ZRS, Standard_GRS, Standard_RAGRS, Premium_LRS. string "Premium_LRS" no
tags A map of the tags to use on the resources that are deployed with this module. map(string)
{
"source": "terraform"
}
no
vm_hostname local name of the Virtual Machine. string "myvm" no
vm_os_id The resource ID of the image that you want to deploy if you are using a custom image.Note, need to provide is_windows_image = true for windows custom images. string "" no
vm_os_offer The name of the offer of the image that you want to deploy. This is ignored when vm_os_id or vm_os_simple are provided. string "" no
vm_os_publisher The name of the publisher of the image that you want to deploy. This is ignored when vm_os_id or vm_os_simple are provided. string "" no
vm_os_simple Specify UbuntuServer, WindowsServer, RHEL, openSUSE-Leap, CentOS, Debian, CoreOS and SLES to get the latest image version of the specified os. Do not provide this value if a custom value is used for vm_os_publisher, vm_os_offer, and vm_os_sku. string "" no
vm_os_sku The sku of the image that you want to deploy. This is ignored when vm_os_id or vm_os_simple are provided. string "" no
vm_os_version The version of the image that you want to deploy. This is ignored when vm_os_id or vm_os_simple are provided. string "latest" no
vm_size Specifies the size of the virtual machine. string "Standard_D2s_v3" no
vnet_subnet_id The subnet id of the virtual network where the virtual machines will reside. string n/a yes

Outputs

Name Description
availability_set_id id of the availability set where the vms are provisioned.
network_interface_ids ids of the vm nics provisoned.
network_interface_private_ip private ip addresses of the vm nics
network_security_group_id id of the security group provisioned
network_security_group_name name of the security group provisioned
public_ip_address The actual ip address allocated for the resource.
public_ip_dns_name fqdn to connect to the first vm provisioned.
public_ip_id id of the public ip address provisoned.
vm_identity map with key Virtual Machine Id, value list of identity created for the Virtual Machine.
vm_ids Virtual machine ids created.
vm_zones map with key Virtual Machine Id, value list of the Availability Zone which the Virtual Machine should be allocated in.