terraform-azurerm-virtual-machine

Deploys 1 Virtual Machines to your provided VNet

This Terraform module deploys one Virtual Machines in Azure with the following characteristics:

• Ability to specify a simple string to get the latest marketplace image using var.os_simple
• All VMs use managed disks
• VM nic attached to an existed virtual network subnet via var.subnet_id.

This module will only create resources that belong to the virtual machine, like managed disk and network interface. It won't create resources that don't belong to this virtual machine, like network security group.

Example Usage

module "linux" {
  source = "../.."

  location                   = local.resource_group.location
  image_os                   = "linux"
  resource_group_name        = local.resource_group.name
  allow_extension_operations = false
  data_disks = [
    for i in range(2) : {
      name                 = "linuxdisk${random_id.id.hex}${i}"
      storage_account_type = "Standard_LRS"
      create_option        = "Empty"
      disk_size_gb         = 1
      attach_setting = {
        lun     = i
        caching = "ReadWrite"
      }
      disk_encryption_set_id = azurerm_disk_encryption_set.example.id
    }
  ]
  new_boot_diagnostics_storage_account = {
    customer_managed_key = {
      key_vault_key_id          = azurerm_key_vault_key.storage_account_key.id
      user_assigned_identity_id = azurerm_user_assigned_identity.storage_account_key_vault.id
    }
  }
  new_network_interface = {
    ip_forwarding_enabled = false
    ip_configurations = [
      {
        public_ip_address_id = try(azurerm_public_ip.pip[0].id, null)
        primary              = true
      }
    ]
  }
  admin_username = "azureuser"
  admin_ssh_keys = [
    {
      public_key = tls_private_key.ssh.public_key_openssh
    }
  ]
  name = "ubuntu-${random_id.id.hex}"
  os_disk = {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
  os_simple = "UbuntuServer"
  size      = var.size
  subnet_id = module.vnet.vnet_subnets[0]

  depends_on = [azurerm_key_vault_access_policy.des]
}

Please refer to the sub folders under examples folder. You can execute terraform apply command in examples's sub folder to try the module. These examples are tested against every PR with the E2E Test.

Enable or disable tracing tags

We're using BridgeCrew Yor and yorbox to help manage tags consistently across infrastructure as code (IaC) frameworks. In this module you might see tags like:

resource "azurerm_resource_group" "rg" {
  location = "eastus"
  name     = random_pet.name
  tags = merge(var.tags, (/*<box>*/ (var.tracing_tags_enabled ? { for k, v in /*</box>*/ {
    avm_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
    avm_git_file             = "main.tf"
    avm_git_last_modified_at = "2023-05-05 08:57:54"
    avm_git_org              = "lonegunmanb"
    avm_git_repo             = "terraform-yor-tag-test-module"
    avm_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
  } /*<box>*/ : replace(k, "avm_", var.tracing_tags_prefix) => v } : {}) /*</box>*/))
}

To enable tracing tags, set the variable to true:

module "example" {
  source               = <module_source>
  ...
  tracing_tags_enabled = true
}

The tracing_tags_enabled is default to false.

To customize the prefix for your tracing tags, set the tracing_tags_prefix variable value in your Terraform configuration:

module "example" {
  source              = <module_source>
  ...
  tracing_tags_prefix = "custom_prefix_"
}

The actual applied tags would be:

{
  custom_prefix_git_commit           = "3077cc6d0b70e29b6e106b3ab98cee6740c916f6"
  custom_prefix_git_file             = "main.tf"
  custom_prefix_git_last_modified_at = "2023-05-05 08:57:54"
  custom_prefix_git_org              = "lonegunmanb"
  custom_prefix_git_repo             = "terraform-yor-tag-test-module"
  custom_prefix_yor_trace            = "a0425718-c57d-401c-a7d5-f3d88b2551a4"
}

Pre-Commit & Pr-Check & Test

Configurations

• Configure Terraform for Azure

We assumed that you have setup service principal's credentials in your environment variables like below:

export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"

On Windows Powershell:

$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_ID="<service_principal_appid>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"

We provide a docker image to run the pre-commit checks and tests for you: mcr.microsoft.com/azterraform:latest

To run the pre-commit task, we can run the following command:

$ docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

On Windows Powershell:

$ docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit

In pre-commit task, we will:

1. Run terraform fmt -recursive command for your Terraform code.
2. Run terrafmt fmt -f command for markdown files and go code files to ensure that the Terraform code embedded in these files are well formatted.
3. Run go mod tidy and go mod vendor for test folder to ensure that all the dependencies have been synced.
4. Run gofmt for all go code files.
5. Run gofumpt for all go code files.
6. Run terraform-docs on README.md file, then run markdown-table-formatter to format markdown tables in README.md.

Then we can run the pr-check task to check whether our code meets our pipeline's requirement(We strongly recommend you run the following command before you commit):

$ docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

On Windows Powershell:

$ docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

To run the e2e-test, we can run the following command:

docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

On Windows Powershell:

docker run --rm -v ${pwd}:/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test

Prerequisites

• Docker

Authors

Originally created by lonegunmanb

License

MIT

Requirements

Name	Version
terraform	>= 1.2
azurerm	>= 3.11, < 4.0
random	>=3.0.0

Providers

Name	Version
azurerm	>= 3.11, < 4.0
random	>=3.0.0

Modules

No modules.

Resources

Name	Type
azurerm_linux_virtual_machine.vm_linux	resource
azurerm_managed_disk.disk	resource
azurerm_network_interface.vm	resource
azurerm_storage_account.boot_diagnostics	resource
azurerm_virtual_machine_data_disk_attachment.attachment	resource
azurerm_virtual_machine_extension.extensions	resource
azurerm_windows_virtual_machine.vm_windows	resource
random_id.vm_sa	resource

Inputs

Name	Description	Type	Default	Required
additional_unattend_contents	list(object({ content = "(Required) The XML formatted content that is added to the unattend.xml file for the specified path and component. Changing this forces a new resource to be created." setting = "(Required) The name of the setting to which the content applies. Possible values are AutoLogon and FirstLogonCommands. Changing this forces a new resource to be created." }))	list(object({ content = string setting = string }))	[]	no
admin_password	(Optional) The Password which should be used for the local-administrator on this Virtual Machine Required when using Windows Virtual Machine. Changing this forces a new resource to be created. When an admin_password is specified disable_password_authentication must be set to false. One of either admin_password or admin_ssh_key must be specified.	string	null	no
admin_ssh_keys	set(object({ public_key = "(Required) The Public Key which should be used for authentication, which needs to be at least 2048-bit and in ssh-rsa format. Changing this forces a new resource to be created." username = "(Optional) The Username for which this Public SSH Key should be configured. Changing this forces a new resource to be created. The Azure VM Agent only allows creating SSH Keys at the path /home/{admin_username}/.ssh/authorized_keys - as such this public key will be written to the authorized keys file. If no username is provided this module will use var.admin_username." }))	set(object({ public_key = string username = optional(string) }))	[]	no
admin_username	(Optional) The admin username of the VM that will be deployed.	string	"azureuser"	no
allow_extension_operations	(Optional) Should Extension Operations be allowed on this Virtual Machine? Defaults to false.	bool	false	no
automatic_updates_enabled	(Optional) Specifies if Automatic Updates are Enabled for the Windows Virtual Machine. Changing this forces a new resource to be created. Defaults to true.	bool	true	no
availability_set_id	(Optional) Specifies the ID of the Availability Set in which the Virtual Machine should exist. Cannot be used along with new_availability_set, new_capacity_reservation_group, capacity_reservation_group_id, virtual_machine_scale_set_id, zone. Changing this forces a new resource to be created.	string	null	no
boot_diagnostics	(Optional) Enable or Disable boot diagnostics.	bool	false	no
boot_diagnostics_storage_account_uri	(Optional) The Primary/Secondary Endpoint for the Azure Storage Account which should be used to store Boot Diagnostics, including Console Output and Screenshots from the Hypervisor.	string	null	no
bypass_platform_safety_checks_on_user_schedule_enabled	(Optional) Specifies whether to skip platform scheduled patching when a user schedule is associated with the VM. Only valid if patch_mode is AutomaticByPlatform.	bool	false	no
capacity_reservation_group_id	(Optional) Specifies the ID of the Capacity Reservation Group which the Virtual Machine should be allocated to. Cannot be used with new_capacity_reservation_group, availability_set_id, new_availability_set, proximity_placement_group_id.	string	null	no
computer_name	(Optional) Specifies the Hostname which should be used for this Virtual Machine. If unspecified this defaults to the value for the vm_name field. If the value of the vm_name field is not a valid computer_name, then you must specify computer_name. Changing this forces a new resource to be created.	string	null	no
custom_data	(Optional) The Base64-Encoded Custom Data which should be used for this Virtual Machine. Changing this forces a new resource to be created.	string	null	no
data_disks	set(object({ name = "(Required) Specifies the name of the Managed Disk. Changing this forces a new resource to be created." storage_account_type = "(Required) The type of storage to use for the managed disk. Possible values are Standard_LRS, StandardSSD_ZRS, Premium_LRS, PremiumV2_LRS, Premium_ZRS, StandardSSD_LRS or UltraSSD_LRS. Azure Ultra Disk Storage is only available in a region that support availability zones and can only enabled on the following VM series: ESv3, DSv3, FSv3, LSv2, M and Mv2. For more information see the Azure Ultra Disk Storage product documentation." create_option = "(Required) The method to use when creating the managed disk. Changing this forces a new resource to be created. Possible values include: Import, Empty, Copy, FromImage, Restore, Upload." attach_setting = object({ lun = number caching = string create_option = optional(string, "Attach") write_accelerator_enabled = optional(bool, false) }) disk_encryption_set_id = "(Optional) The ID of a Disk Encryption Set which should be used to encrypt this Managed Disk. Conflicts with secure_vm_disk_encryption_set_id. The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault. Disk Encryption Sets are in Public Preview in a limited set of regions" disk_iops_read_write = "(Optional) The number of IOPS allowed for this disk; only settable for UltraSSD disks and PremiumV2 disks. One operation can transfer between 4k and 256k bytes." disk_mbps_read_write = "(Optional) The bandwidth allowed for this disk; only settable for UltraSSD disks and PremiumV2 disks. MBps means millions of bytes per second." disk_iops_read_only = "(Optional) The number of IOPS allowed across all VMs mounting the shared disk as read-only; only settable for UltraSSD disks and PremiumV2 disks with shared disk enabled. One operation can transfer between 4k and 256k bytes." disk_mbps_read_only = "(Optional) The bandwidth allowed across all VMs mounting the shared disk as read-only; only settable for UltraSSD disks and PremiumV2 disks with shared disk enabled. MBps means millions of bytes per second." logical_sector_size = "(Optional) Logical Sector Size. Possible values are: 512 and 4096. Changing this forces a new resource to be created. Setting logical sector size is supported only with UltraSSD_LRS disks and PremiumV2_LRS disks." source_uri = "(Optional) URI to a valid VHD file to be used when create_option is Import. Changing this forces a new resource to be created." source_resource_id = "(Optional) The ID of an existing Managed Disk or Snapshot to copy when create_option is Copy or the recovery point to restore when create_option is Restore. Changing this forces a new resource to be created." storage_account_id = "(Optional) The ID of the Storage Account where the source_uri is located. Required when create_option is set to Import. Changing this forces a new resource to be created." image_reference_id = "(Optional) ID of an existing platform/marketplace disk image to copy when create_option is FromImage. This field cannot be specified if gallery_image_reference_id is specified. Changing this forces a new resource to be created." gallery_image_reference_id = "(Optional) ID of a Gallery Image Version to copy when create_option is FromImage. This field cannot be specified if image_reference_id is specified. Changing this forces a new resource to be created." disk_size_gb = "(Optional) (Optional, Required for a new managed disk) Specifies the size of the managed disk to create in gigabytes. If create_option is Copy or FromImage, then the value must be equal to or greater than the source's size. The size can only be increased. In certain conditions the Data Disk size can be updated without shutting down the Virtual Machine, however only a subset of Virtual Machine SKUs/Disk combinations support this. More information can be found for Linux Virtual Machines and Windows Virtual Machines respectively. If No Downtime Resizing is not available, be aware that changing this value is disruptive if the disk is attached to a Virtual Machine. The VM will be shut down and de-allocated as required by Azure to action the change. Terraform will attempt to start the machine again after the update if it was in a running state when the apply was started." upload_size_bytes = "(Optional) Specifies the size of the managed disk to create in bytes. Required when create_option is Upload. The value must be equal to the source disk to be copied in bytes. Source disk size could be calculated with ls -l or wc -c. More information can be found at Copy a managed disk. Changing this forces a new resource to be created." network_access_policy = "(Optional) Policy for accessing the disk via network. Allowed values are AllowAll, AllowPrivate, and DenyAll." disk_access_id = "(Optional) The ID of the disk access resource for using private endpoints on disks. disk_access_id is only supported when network_access_policy is set to AllowPrivate." public_network_access_enabled = "(Optional) Whether it is allowed to access the disk via public network. Defaults to true." tier = "(Optional) The disk performance tier to use. Possible values are documented here. This feature is currently supported only for premium SSDs. Changing this value is disruptive if the disk is attached to a Virtual Machine. The VM will be shut down and de-allocated as required by Azure to action the change. Terraform will attempt to start the machine again after the update if it was in a running state when the apply was started." max_shares = "(Optional) The maximum number of VMs that can attach to the disk at the same time. Value greater than one indicates a disk that can be mounted on multiple VMs at the same time." trusted_launch_enabled = "(Optional) Specifies if Trusted Launch is enabled for the Managed Disk. Changing this forces a new resource to be created." secure_vm_disk_encryption_set_id = "(Optional) The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk when the Virtual Machine is a Confidential VM. Conflicts with disk_encryption_set_id. Changing this forces a new resource to be created. secure_vm_disk_encryption_set_id can only be specified when security_type is set to ConfidentialVM_DiskEncryptedWithCustomerKey." security_type = "(Optional) Security Type of the Managed Disk when it is used for a Confidential VM. Possible values are ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey, ConfidentialVM_DiskEncryptedWithPlatformKey and ConfidentialVM_DiskEncryptedWithCustomerKey. Changing this forces a new resource to be created. security_type cannot be specified when trusted_launch_enabled is set to true. secure_vm_disk_encryption_set_id must be specified when security_type is set to ConfidentialVM_DiskEncryptedWithCustomerKey." hyper_v_generation = "(Optional) The HyperV Generation of the Disk when the source of an Import or Copy operation targets a source that contains an operating system. Possible values are V1 and V2. Changing this forces a new resource to be created." on_demand_bursting_enabled = "(Optional) Specifies if On-Demand Bursting is enabled for the Managed Disk. Credit-Based Bursting is enabled by default on all eligible disks. More information on Credit-Based and On-Demand Bursting can be found in the documentation." encryption_settings = optional(object({ disk_encryption_key = optional(object({ secret_url = "(Required) The URL to the Key Vault Secret used as the Disk Encryption Key. This can be found as id on the azurerm_key_vault_secret resource." source_vault_id = "(Required) The ID of the source Key Vault. This can be found as id on the azurerm_key_vault resource." })) key_encryption_key = optional(object({ key_url = "(Required) The URL to the Key Vault Key used as the Key Encryption Key. This can be found as id on the azurerm_key_vault_key resource." source_vault_id = "(Required) The ID of the source Key Vault. This can be found as id on the azurerm_key_vault resource." })) })) }))	set(object({ name = string storage_account_type = string create_option = string attach_setting = object({ lun = number caching = string create_option = optional(string, "Attach") write_accelerator_enabled = optional(bool, false) }) disk_encryption_set_id = optional(string) disk_iops_read_write = optional(number) disk_mbps_read_write = optional(number) disk_iops_read_only = optional(number) disk_mbps_read_only = optional(number) logical_sector_size = optional(number) source_uri = optional(string) source_resource_id = optional(string) storage_account_id = optional(string) image_reference_id = optional(string) gallery_image_reference_id = optional(string) disk_size_gb = optional(number) upload_size_bytes = optional(number) network_access_policy = optional(string) disk_access_id = optional(string) public_network_access_enabled = optional(bool, true) tier = optional(string) max_shares = optional(number) trusted_launch_enabled = optional(bool) secure_vm_disk_encryption_set_id = optional(string) security_type = optional(string) hyper_v_generation = optional(string) on_demand_bursting_enabled = optional(bool) encryption_settings = optional(object({ disk_encryption_key = optional(object({ secret_url = string source_vault_id = string })) key_encryption_key = optional(object({ key_url = string source_vault_id = string })) })) }))	[]	no
dedicated_host_group_id	(Optional) The ID of a Dedicated Host Group that this Linux Virtual Machine should be run within. Conflicts with dedicated_host_id.	string	null	no
dedicated_host_id	(Optional) The ID of a Dedicated Host where this machine should be run on. Conflicts with dedicated_host_group_id.	string	null	no
disable_password_authentication	(Optional) Should Password Authentication be disabled on this Virtual Machine? Defaults to true. Changing this forces a new resource to be created.	bool	true	no
edge_zone	(Optional) Specifies the Edge Zone within the Azure Region where this Linux Virtual Machine should exist. Changing this forces a new Virtual Machine to be created.	string	null	no
encryption_at_host_enabled	(Optional) Should all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host?	bool	null	no
eviction_policy	(Optional) Specifies what should happen when the Virtual Machine is evicted for price reasons when using a Spot instance. Possible values are Deallocate and Delete. Changing this forces a new resource to be created.	string	null	no
extensions	Argument to create azurerm_virtual_machine_extension resource, the argument descriptions could be found at the document.	set(object({ name = string publisher = string type = string type_handler_version = string auto_upgrade_minor_version = optional(bool) automatic_upgrade_enabled = optional(bool) failure_suppression_enabled = optional(bool, false) settings = optional(string) protected_settings = optional(string) protected_settings_from_key_vault = optional(object({ secret_url = string source_vault_id = string })) }))	[]	no
extensions_time_budget	(Optional) Specifies the duration allocated for all extensions to start. The time duration should be between 15 minutes and 120 minutes (inclusive) and should be specified in ISO 8601 format. Defaults to 90 minutes (PT1H30M).	string	"PT1H30M"	no
gallery_application	list(object({ version_id = "(Required) Specifies the Gallery Application Version resource ID." configuration_blob_uri = "(Optional) Specifies the URI to an Azure Blob that will replace the default configuration for the package if provided." order = "(Optional) Specifies the order in which the packages have to be installed. Possible values are between 0 and 2,147,483,647." tag = "(Optional) Specifies a passthrough value for more generic context. This field can be any valid string value." }))	list(object({ version_id = string configuration_blob_uri = optional(string) order = optional(number, 0) tag = optional(string) }))	[]	no
hotpatching_enabled	(Optional) Should the VM be patched without requiring a reboot? Possible values are true or false. Defaults to false. For more information about hot patching please see the product documentation. Hotpatching can only be enabled if the patch_mode is set to AutomaticByPlatform, the provision_vm_agent is set to true, your source_image_reference references a hotpatching enabled image, and the VM's size is set to a Azure generation 2 VM. An example of how to correctly configure a Windows Virtual Machine to use the hotpatching_enabled field can be found in the ./examples/virtual-machines/windows/hotpatching-enabled directory within the GitHub Repository.	bool	false	no
identity	object({ type = "(Required) Specifies the type of Managed Service Identity that should be configured on this Linux Virtual Machine. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both)." identity_ids = "(Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Linux Virtual Machine. This is required when type is set to UserAssigned or SystemAssigned, UserAssigned." })	object({ type = string identity_ids = optional(set(string)) })	null	no
image_os	(Required) Enum flag of virtual machine's os system	string	n/a	yes
license_type	(Optional) For Linux virtual machine specifies the BYOL Type for this Virtual Machine, possible values are RHEL_BYOS and SLES_BYOS. For Windows virtual machine specifies the type of on-premise license (also known as Azure Hybrid Use Benefit) which should be used for this Virtual Machine, possible values are None, Windows_Client and Windows_Server.	string	null	no
location	(Required) The Azure location where the Virtual Machine should exist. Changing this forces a new resource to be created.	string	n/a	yes
max_bid_price	(Optional) The maximum price you're willing to pay for this Virtual Machine, in US Dollars; which must be greater than the current spot price. If this bid price falls below the current spot price the Virtual Machine will be evicted using the eviction_policy. Defaults to -1, which means that the Virtual Machine should not be evicted for price reasons. This can only be configured when priority is set to Spot.	number	-1	no
name	(Required) The name of the Virtual Machine. Changing this forces a new resource to be created.	string	n/a	yes
network_interface_ids	A list of Network Interface IDs which should be attached to this Virtual Machine. The first Network Interface ID in this list will be the Primary Network Interface on the Virtual Machine. Cannot be used along with new_network_interface.	list(string)	null	no
new_boot_diagnostics_storage_account	object({ name = "(Optional) Specifies the name of the storage account. Only lowercase Alphanumeric characters allowed. Omit this field would generate one. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group." account_kind = "(Optional) Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2. Changing the account_kind value from Storage to StorageV2 will not trigger a force new on the storage account, it will only upgrade the existing storage account from Storage to StorageV2 keeping the existing storage account in place." account_tier = "(Optional) Defines the Tier to use for this storage account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Defaults to Standard. Changing this forces a new resource to be created. Blobs with a tier of Premium are of account kind StorageV2." account_replication_type = "(Optional) Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Defaults to LRS. Changing this forces a new resource to be created when types LRS, GRS and RAGRS are changed to ZRS, GZRS or RAGZRS and vice versa." cross_tenant_replication_enabled = "(Optional) Should cross Tenant replication be enabled? Defaults to true." access_tier = "(Optional) Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot." enable_https_traffic_only = "(Optional) Boolean flag which forces HTTPS if enabled, see here for more information. Defaults to true." min_tls_version = "(Optional) The minimum supported TLS version for the storage account. Possible values are TLS1_0, TLS1_1, and TLS1_2. Defaults to TLS1_2 for new storage accounts. At this time min_tls_version is only supported in the Public Cloud, China Cloud, and US Government Cloud." allow_nested_items_to_be_public = "(Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to true. At this time allow_nested_items_to_be_public is only supported in the Public Cloud, China Cloud, and US Government Cloud." shared_access_key_enabled = "(Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is true. Terraform uses Shared Key Authorisation to provision Storage Containers, Blobs and other items - when Shared Key Access is disabled, you will need to enable the storage_use_azuread flag in the Provider block to use Azure AD for authentication, however not all Azure Storage services support Active Directory authentication." public_network_access_enabled = "(Optional) Whether the public network access is enabled? Defaults to false." default_to_oauth_authentication = "(Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is false" customer_managed_key = optional(object({ key_vault_key_id = "(Required) The ID of the Key Vault Key, supplying a version-less key ID will enable auto-rotation of this key." user_assigned_identity_id = "(Required) The ID of a user assigned identity. customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned." })) blob_properties = optional(object({ delete_retention_policy = optional(object({ days = "(Optional) Specifies the number of days that the blob should be retained, between 1 and 365 days. Defaults to 7." })) restore_policy = optional(object({ days = "(Required) Specifies the number of days that the blob can be restored, between 1 and 365 days. This must be less than the days specified for delete_retention_policy." })) container_delete_retention_policy = optional(object({ days = "(Optional) Specifies the number of days that the container should be retained, between 1 and 365 days. Defaults to 7." })) })) identity = optional(object({ type = "(Required) Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both)." identity_ids = "(Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. This is required when type is set to UserAssigned or SystemAssigned, UserAssigned." })) })	object({ name = optional(string) account_kind = optional(string, "StorageV2") account_tier = optional(string, "Standard") account_replication_type = optional(string, "LRS") cross_tenant_replication_enabled = optional(bool, true) access_tier = optional(string, "Hot") enable_https_traffic_only = optional(bool, true) min_tls_version = optional(string, "TLS1_2") allow_nested_items_to_be_public = optional(bool, true) shared_access_key_enabled = optional(bool, true) public_network_access_enabled = optional(bool, false) default_to_oauth_authentication = optional(bool, false) customer_managed_key = optional(object({ key_vault_key_id = string user_assigned_identity_id = string })) blob_properties = optional(object({ delete_retention_policy = optional(object({ days = optional(number, 7) })) restore_policy = optional(object({ days = number })) container_delete_retention_policy = optional(object({ days = optional(number, 7) })) })) identity = optional(object({ type = string identity_ids = optional(list(string)) })) })	null	no
new_network_interface	New Network Interface that should be created and attached to this Virtual Machine. Cannot be used along with network_interface_ids. name = "(Optional) The name of the Network Interface. Omit this name would generate one. Changing this forces a new resource to be created." ip_configurations = list(object({ name = "(Optional) A name used for this IP Configuration. Omit this name would generate one. Changing this forces a new resource to be created." private_ip_address = "(Optional) The Static IP Address which should be used. When private_ip_address_allocation is set to Static this field can be configured." private_ip_address_version = "(Optional) The IP Version to use. Possible values are IPv4 or IPv6. Defaults to IPv4." private_ip_address_allocation = "(Required) The allocation method used for the Private IP Address. Possible values are Dynamic and Static. Defaults to Dynamic." public_ip_address_id = "(Optional) Reference to a Public IP Address to associate with this NIC" primary = "(Optional) Is this the Primary IP Configuration? Must be true for the first ip_configuration. Defaults to false." gateway_load_balancer_frontend_ip_configuration_id = "(Optional) The Frontend IP Configuration ID of a Gateway SKU Load Balancer." })) dns_servers = "(Optional) A list of IP Addresses defining the DNS Servers which should be used for this Network Interface. Configuring DNS Servers on the Network Interface will override the DNS Servers defined on the Virtual Network." edge_zone = "(Optional) Specifies the Edge Zone within the Azure Region where this Network Interface should exist. Changing this forces a new Network Interface to be created." accelerated_networking_enabled = "(Optional) Should Accelerated Networking be enabled? Defaults to false. Only certain Virtual Machine sizes are supported for Accelerated Networking - more information can be found in this document. To use Accelerated Networking in an Availability Set, the Availability Set must be deployed onto an Accelerated Networking enabled cluster." ip_forwarding_enabled = "(Optional) Should IP Forwarding be enabled? Defaults to false." internal_dns_name_label = "(Optional) The (relative) DNS Name used for internal communications between Virtual Machines in the same Virtual Network."	object({ name = optional(string) ip_configurations = list(object({ name = optional(string) private_ip_address = optional(string) private_ip_address_version = optional(string, "IPv4") private_ip_address_allocation = optional(string, "Dynamic") public_ip_address_id = optional(string) primary = optional(bool, false) gateway_load_balancer_frontend_ip_configuration_id = optional(string) })) dns_servers = optional(list(string)) edge_zone = optional(string) accelerated_networking_enabled = optional(bool, false) ip_forwarding_enabled = optional(bool, false) internal_dns_name_label = optional(string) })	{ "accelerated_networking_enabled": null, "dns_servers": null, "edge_zone": null, "internal_dns_name_label": null, "ip_configurations": [ { "gateway_load_balancer_frontend_ip_configuration_id": null, "name": null, "primary": true, "private_ip_address": null, "private_ip_address_allocation": null, "private_ip_address_version": null, "public_ip_address_id": null } ], "ip_forwarding_enabled": null, "name": null }	no
os_disk	object({ caching = "(Required) The Type of Caching which should be used for the Internal OS Disk. Possible values are None, ReadOnly and ReadWrite." storage_account_type = "(Required) The Type of Storage Account which should back this the Internal OS Disk. Possible values are Standard_LRS, StandardSSD_LRS, Premium_LRS, StandardSSD_ZRS and Premium_ZRS. Changing this forces a new resource to be created." disk_encryption_set_id = "(Optional) The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. Conflicts with secure_vm_disk_encryption_set_id. The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault" disk_size_gb = "(Optional) The Size of the Internal OS Disk in GB, if you wish to vary from the size used in the image this Virtual Machine is sourced from. If specified this must be equal to or larger than the size of the Image the Virtual Machine is based on. When creating a larger disk than exists in the image you'll need to repartition the disk to use the remaining space." name = "(Optional) The name which should be used for the Internal OS Disk. Changing this forces a new resource to be created." secure_vm_disk_encryption_set_id = "(Optional) The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk when the Virtual Machine is a Confidential VM. Conflicts with disk_encryption_set_id. Changing this forces a new resource to be created. secure_vm_disk_encryption_set_id can only be specified when security_encryption_type is set to DiskWithVMGuestState." security_encryption_type = "(Optional) Encryption Type when the Virtual Machine is a Confidential VM. Possible values are VMGuestStateOnly and DiskWithVMGuestState. Changing this forces a new resource to be created. vtpm_enabled must be set to true when security_encryption_type is specified. encryption_at_host_enabled cannot be set to true when security_encryption_type is set to DiskWithVMGuestState." write_accelerator_enabled = "(Optional) Should Write Accelerator be Enabled for this OS Disk? Defaults to false. This requires that the storage_account_type is set to Premium_LRS and that caching is set to None." diff_disk_settings = optional(object({ option = "(Required) Specifies the Ephemeral Disk Settings for the OS Disk. At this time the only possible value is Local. Changing this forces a new resource to be created." placement = "(Optional) Specifies where to store the Ephemeral Disk. Possible values are CacheDisk and ResourceDisk. Defaults to CacheDisk. Changing this forces a new resource to be created." }), []) })	object({ caching = string storage_account_type = string disk_encryption_set_id = optional(string) disk_size_gb = optional(number) name = optional(string) secure_vm_disk_encryption_set_id = optional(string) security_encryption_type = optional(string) write_accelerator_enabled = optional(bool, false) diff_disk_settings = optional(object({ option = string placement = optional(string, "CacheDisk") }), null) })	n/a	yes
os_simple	Specify UbuntuServer, WindowsServer, RHEL, openSUSE-Leap, CentOS, Debian, CoreOS and SLES to get the latest image version of the specified os. Do not provide this value if a custom value is used for vm_os_publisher, vm_os_offer, and vm_os_sku.	string	null	no
os_version	The version of the image that you want to deploy. This is ignored when vm_os_id or vm_os_simple are provided.	string	"latest"	no
patch_assessment_mode	(Optional) Specifies the mode of VM Guest Patching for the Virtual Machine. Possible values are AutomaticByPlatform or ImageDefault. Defaults to ImageDefault.	string	"ImageDefault"	no
patch_mode	(Optional) Specifies the mode of in-guest patching to this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault. Defaults to ImageDefault. For more information on patch modes please see the product documentation.	string	null	no
plan	object({ name = "(Required) Specifies the Name of the Marketplace Image this Virtual Machine should be created from. Changing this forces a new resource to be created." product = "(Required) Specifies the Product of the Marketplace Image this Virtual Machine should be created from. Changing this forces a new resource to be created." publisher = "(Required) Specifies the Publisher of the Marketplace Image this Virtual Machine should be created from. Changing this forces a new resource to be created." })	object({ name = string product = string publisher = string })	null	no
platform_fault_domain	(Optional) Specifies the Platform Fault Domain in which this Virtual Machine should be created. Defaults to null, which means this will be automatically assigned to a fault domain that best maintains balance across the available fault domains. virtual_machine_scale_set_id is required with it. Changing this forces new Virtual Machine to be created.	number	null	no
priority	(Optional) Specifies the priority of this Virtual Machine. Possible values are Regular and Spot. Defaults to Regular. Changing this forces a new resource to be created.	string	"Regular"	no
provision_vm_agent	(Optional) Should the Azure VM Agent be provisioned on this Virtual Machine? Defaults to true. Changing this forces a new resource to be created. If provision_vm_agent is set to false then allow_extension_operations must also be set to false.	bool	true	no
proximity_placement_group_id	(Optional) The ID of the Proximity Placement Group which the Virtual Machine should be assigned to. Conflicts with capacity_reservation_group_id.	string	null	no
reboot_setting	(Optional) Specifies the reboot setting for platform scheduled patching. Possible values are Always, IfRequired and Never. Only valid if patch_mode is AutomaticByPlatform.	string	null	no
resource_group_name	(Required) The name of the Resource Group in which the Virtual Machine should be exist. Changing this forces a new resource to be created.	string	n/a	yes
secrets	list(object({ key_vault_id = "(Required) The ID of the Key Vault from which all Secrets should be sourced." certificate = set(object({ url = "(Required) The Secret URL of a Key Vault Certificate. This can be sourced from the secret_id field within the azurerm_key_vault_certificate Resource." store = "(Optional) The certificate store on the Virtual Machine where the certificate should be added. Required when use with Windows Virtual Machine." })) }))	list(object({ key_vault_id = string certificate = set(object({ url = string store = optional(string) })) }))	[]	no
secure_boot_enabled	(Optional) Specifies whether secure boot should be enabled on the virtual machine. Changing this forces a new resource to be created.	bool	null	no
size	(Required) The SKU which should be used for this Virtual Machine, such as Standard_F2.	string	n/a	yes
source_image_id	(Optional) The ID of the Image which this Virtual Machine should be created from. Changing this forces a new resource to be created. Possible Image ID types include Image IDs, Shared Image IDs, Shared Image Version IDs, Community Gallery Image IDs, Community Gallery Image Version IDs, Shared Gallery Image IDs and Shared Gallery Image Version IDs. One of either source_image_id or source_image_reference must be set.	string	null	no
source_image_reference	object({ publisher = "(Required) Specifies the publisher of the image used to create the virtual machines. Changing this forces a new resource to be created." offer = "(Required) Specifies the offer of the image used to create the virtual machines. Changing this forces a new resource to be created." sku = "(Required) Specifies the SKU of the image used to create the virtual machines. Changing this forces a new resource to be created." version = "(Required) Specifies the version of the image used to create the virtual machines. Changing this forces a new resource to be created." })	object({ publisher = string offer = string sku = string version = string })	null	no
standard_os	map(object({ publisher = "(Required) Specifies the publisher of the image used to create the virtual machines. Changing this forces a new resource to be created." offer = "(Required) Specifies the offer of the image used to create the virtual machines. Changing this forces a new resource to be created." sku = "(Required) Specifies the SKU of the image used to create the virtual machines. Changing this forces a new resource to be created." }))	map(object({ publisher = string offer = string sku = string }))	{ "CentOS": { "offer": "CentOS", "publisher": "OpenLogic", "sku": "7.6" }, "CoreOS": { "offer": "CoreOS", "publisher": "CoreOS", "sku": "Stable" }, "Debian": { "offer": "Debian", "publisher": "credativ", "sku": "9" }, "RHEL": { "offer": "RHEL", "publisher": "RedHat", "sku": "8.2" }, "SLES": { "offer": "SLES", "publisher": "SUSE", "sku": "12-SP2" }, "UbuntuServer": { "offer": "UbuntuServer", "publisher": "Canonical", "sku": "18.04-LTS" }, "WindowsServer": { "offer": "WindowsServer", "publisher": "MicrosoftWindowsServer", "sku": "2019-Datacenter" }, "openSUSE-Leap": { "offer": "openSUSE-Leap", "publisher": "SUSE", "sku": "15.1" } }	no
subnet_id	(Required) The subnet id of the virtual network where the virtual machines will reside.	string	n/a	yes
tags	A map of the tags to use on the resources that are deployed with this module.	map(string)	{ "source": "terraform" }	no
termination_notification	object({ enabled = bool timeout = optional(string, "PT5M") })	object({ enabled = bool timeout = optional(string, "PT5M") })	null	no
timezone	(Optional) Specifies the Time Zone which should be used by the Virtual Machine, the possible values are defined here. Changing this forces a new resource to be created.	string	null	no
tracing_tags_enabled	Whether enable tracing tags that generated by BridgeCrew Yor.	bool	false	no
tracing_tags_prefix	Default prefix for generated tracing tags	string	"avm_"	no
user_data	(Optional) The Base64-Encoded User Data which should be used for this Virtual Machine.	string	null	no
virtual_machine_scale_set_id	(Optional) Specifies the Orchestrated Virtual Machine Scale Set that this Virtual Machine should be created within. Conflicts with availability_set_id. Changing this forces a new resource to be created.	string	null	no
vm_additional_capabilities	object({ ultra_ssd_enabled = "(Optional) Should the capacity to enable Data Disks of the UltraSSD_LRS storage account type be supported on this Virtual Machine? Defaults to false." })	object({ ultra_ssd_enabled = optional(bool, false) })	null	no
vtpm_enabled	(Optional) Specifies whether vTPM should be enabled on the virtual machine. Changing this forces a new resource to be created.	bool	null	no
winrm_listeners	set(object({ protocol = "(Required) Specifies Specifies the protocol of listener. Possible values are Http or Https" certificate_url = "(Optional) The Secret URL of a Key Vault Certificate, which must be specified when protocol is set to Https. Changing this forces a new resource to be created." }))	set(object({ protocol = string certificate_url = optional(string) }))	[]	no
zone	(Optional) The Availability Zone which the Virtual Machine should be allocated in, only one zone would be accepted. If set then this module won't create azurerm_availability_set resource. Changing this forces a new resource to be created.	string	null	no

Outputs

Name	Description
data_disk_ids	The list of data disk IDs attached to this Virtual Machine.
network_interface_id	Id of the vm nic that created by this module. null if var.network_interface_ids is provided.
network_interface_private_ip	Private ip address of the vm nic that created by this module. null if var.network_interface_ids is provided.
vm_admin_username	The username of the administrator configured in the Virtual Machine.
vm_availability_set_id	The ID of the Availability Set in which the Virtual Machine exists.
vm_dedicated_host_group_id	The ID of a Dedicated Host Group that this Linux Virtual Machine runs within
vm_dedicated_host_id	The ID of a Dedicated Host where this machine runs on
vm_id	Virtual machine ids created.
vm_identity	map with key Virtual Machine Id, value list of identity created for the Virtual Machine.
vm_name	Virtual machine names created.
vm_virtual_machine_scale_set_id	The Orchestrated Virtual Machine Scale Set id that this Virtual Machine was created within.
vm_zone	The Availability Zones in which this Virtual Machine is located.