Tags: azure, terraform, terraform-provider-azure

use azurerm_virtual_machine with trusted_launch


Due to https://github.com/hashicorp/terraform-provider-azurerm/issues/6117, I must use azurerm_virtual_machine to create my intended machine.

Unfortunately, the image in use requires trusted launch, for which I could not find any configuration option.

Is this possible or am I forced to use az_api instead?


Solution

  • As it does not seem to be possible with azurerm, I ended up doing it with terraform_data.

    As the image I'm using defines managed data disks, I had to extend the cleanup accordingly. My code looks like this:

    resource "terraform_data" "vm" {
      # Everything the VM depends on goes into `input`: a change to any of
      # these values replaces the resource, which re-runs the create and
      # destroy provisioners below.
      input = {
        subscription_id     = var.subscription_id
        resource_group_name = data.azurerm_resource_group.main.name
        vmname              = var.vm_name
        vm_size             = var.vm_size
        vm_username         = var.admin_username
        password            = var.admin_password
        nic_id              = azurerm_network_interface.main.id
        hostname            = random_string.hostname.result
        location            = var.location
        image_id            = var.image_id
        tags                = local.cli_tags
        identity            = join(" ", data.azurerm_user_assigned_identity.main[*].id)
      }
    
      provisioner "local-exec" {
        when = create
        # The password is handed to the shell through the environment instead of
        # being interpolated into the command string, so it is not part of the
        # command line Terraform records in its debug log and that shows up in
        # the process argument list. Values are quoted so spaces or shell
        # metacharacters cannot break the command.
        environment = {
          ADMIN_PASSWORD = self.input.password
        }
        command = <<EOF
    set -e
    az account set --subscription "${self.input.subscription_id}"
    az vm create \
      --resource-group "${self.input.resource_group_name}" \
      --name "${self.input.vmname}" \
      --image "${self.input.image_id}" \
      --size "${self.input.vm_size}" \
      --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true \
      --admin-username "${self.input.vm_username}" \
      --admin-password "$ADMIN_PASSWORD" \
      --os-disk-size-gb 128 \
      --nics "${self.input.nic_id}" \
      --computer-name "${self.input.hostname}" \
      --nic-delete-option delete --os-disk-delete-option delete \
      --location "${self.input.location}" \
      --os-disk-caching ReadWrite --data-disk-caching ReadWrite \
      --storage-sku Premium_LRS \
      --assign-identity "[system]" ${self.input.identity} \
      --tags ${self.input.tags}
    EOF
      }
    
      provisioner "local-exec" {
        when    = destroy
        command = <<EOF
    az account set --subscription "${self.input.subscription_id}"
    # Collect the managed data-disk IDs before the VM is gone; the OS disk and
    # the NIC are already covered by the --*-delete-option delete flags above.
    ids=$(az vm show -d -g "${self.input.resource_group_name}" -n "${self.input.vmname}" --query "storageProfile.dataDisks[].managedDisk.id" -o json | jq -r 'join(" ")')
    az vm delete -g "${self.input.resource_group_name}" -n "${self.input.vmname}" --yes
    # `az disk delete --ids --yes` with an empty ID list is an error, so skip
    # the step when the image attached no data disks.
    if [ -n "$ids" ]; then
      az disk delete --ids $ids --yes
    fi
    EOF
      }
    }
    
    locals {
      # Render var.tags as the space-separated key="value" list `az vm create --tags` expects.
      cli_tags = join(" ", [for k, v in var.tags : "${k}=\"${v}\""])
    }
    
    

    Beware that only the relevant code for the VM is posted and it may require adaptations for specific needs. Additionally, the hostname is set randomly to prevent machines with the same name from trying to join AAD. Also, be sure to add all inputs which should force a recreation of the resource.
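Because the VM is created outside the provider, nothing in Terraform state confirms that Trusted Launch actually took effect, and the destroy step above breaks when the image attaches no data disks. The following is an added example (not the answer's code, nor anything from the azurerm provider) that checks both from the JSON `az vm show` prints; the sample document is constructed, and the camelCase field names (`securityProfile.securityType`, `uefiSettings.secureBootEnabled`, `uefiSettings.vTpmEnabled`) follow the ARM VM schema as the CLI emits it.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape `az vm show -g <rg> -n <name>` prints
# (camelCase ARM VM schema); not captured from a real subscription.
SAMPLE_VM_SHOW = """{
  "name": "vm-example",
  "securityProfile": {
    "securityType": "TrustedLaunch",
    "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}
  },
  "storageProfile": {
    "osDisk": {"managedDisk": {"id": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Compute/disks/vm-example_OsDisk"}},
    "dataDisks": [
      {"lun": 0, "managedDisk": {"id": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Compute/disks/vm-example-data0"}},
      {"lun": 1, "managedDisk": {"id": "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Compute/disks/vm-example-data1"}}
    ]
  }
}"""

def load_vm_show(text: str) -> Dict[str, Any]:
    return json.loads(text)

def trusted_launch_problems(vm: Dict[str, Any]) -> List[str]:
    """List every way `vm` deviates from what the create command asked for
    (--security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true)."""
    problems: List[str] = []
    sp = vm.get("securityProfile") or {}
    if sp.get("securityType") != "TrustedLaunch":
        problems.append(f"securityType is {sp.get('securityType')!r}, expected 'TrustedLaunch'")
    uefi = sp.get("uefiSettings") or {}
    if uefi.get("secureBootEnabled") is not True:
        problems.append("secureBootEnabled is not true")
    if uefi.get("vTpmEnabled") is not True:
        problems.append("vTpmEnabled is not true")
    return problems

def data_disk_ids(vm: Dict[str, Any]) -> List[str]:
    """Same selection as the answer's JMESPath query storageProfile.dataDisks[].managedDisk.id;
    the OS disk is excluded on purpose (--os-disk-delete-option delete handles it)."""
    disks = (vm.get("storageProfile") or {}).get("dataDisks") or []
    return [d["managedDisk"]["id"] for d in disks if (d.get("managedDisk") or {}).get("id")]

def disk_delete_args(vm: Dict[str, Any]) -> List[str]:
    """argv for the cleanup step, or [] when there are no data disks:
    `az disk delete --ids --yes` with nothing after --ids is an error,
    so the destroy provisioner has to skip that line."""
    ids = data_disk_ids(vm)
    return ["az", "disk", "delete", "--ids", *ids, "--yes"] if ids else []
```

Feed it the real output of `az vm show` (for example from a post-create `local-exec` step) and fail the apply if `trusted_launch_problems` returns anything, which catches an image or region that silently fell back to a standard security profile.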