This module creates a Windows Virtual Machine with Windows Remote Management (WinRM) activated.
The Windows Virtual Machine comes with:
- Azure Monitor Agent activated and configured
- A link to an Azure Monitor Data Collection Rule for logging
- An optional link to a Load Balancer or Application Gateway
- A link to the Recovery Vault and one of its policies to back up the Virtual Machine
- Optional certificates retrieved from Azure Key Vault
This code is mostly based on Tom Harvey work: https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/virtual-machines/provisioners/windows
Following tags are automatically set with default values: env
, stack
, os_family
, os_distribution
, os_version
.
- A self-signed certificate is generated and associated
- PowerShell CLI installed with
pwsh
executable available - Azure PowerShell module installed
- The port 5986 must be reachable
- An Azure Key Vault configured with Virtual Machine deployment enabled will be used
- An existing Azure Monitor Data Collection Rule is mandatory for monitoring ang logging management with Azure Monitor Agent
The created Virtual Machine can be used with Ansible this way:
ansible all -i <public_ip_address>, -m win_ping -e ansible_user=<vm_username> -e ansible_password==<vm_password> -e ansible_connection=winrm -e ansible_winrm_server_cert_validation=ignore
Module version | Terraform version | OpenTofu version | AzureRM version |
---|---|---|---|
>= 8.x.x | Unverified | 1.8.x | >= 4.0 |
>= 7.x.x | 1.3.x | >= 3.0 | |
>= 6.x.x | 1.x | >= 3.0 | |
>= 5.x.x | 0.15.x | >= 2.0 | |
>= 4.x.x | 0.13.x / 0.14.x | >= 2.0 | |
>= 3.x.x | 0.12.x | >= 2.0 | |
>= 2.x.x | 0.12.x | < 2.0 | |
< 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper
available in the documentation.
# Retrieve the existing Entra groups to which we want to assign login access on the Windows Virtual Machine
data "azuread_group" "vm_admins_group" {
display_name = "Virtual Machines Administrators"
}
data "azuread_group" "vm_users_group" {
display_name = "Virtual Machines Basic Users"
}
resource "azurerm_availability_set" "main" {
name = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-as"
location = module.azure_region.location
resource_group_name = module.rg.name
managed = true
}
module "vm" {
source = "claranet/windows-vm/azurerm"
version = "x.x.x"
location = module.azure_region.location
location_short = module.azure_region.location_short
client_name = var.client_name
environment = var.environment
stack = var.stack
resource_group_name = module.rg.name
key_vault = {
id = module.run.key_vault_id
}
subnet = module.subnet
vm_size = "Standard_B2s"
admin_username = var.vm_admin_login
admin_password = var.vm_admin_password
diagnostics_storage_account_name = module.run.logs_storage_account_name
azure_monitor_data_collection_rule = {
id = module.run.data_collection_rule_id
}
# Set to null to deactivate backup
backup_policy = {
id = module.run.vm_backup_policy_id
}
patch_mode = "AutomaticByPlatform"
maintenance_configurations_ids = [
module.run.maintenance_configurations["Donald"].id,
module.run.maintenance_configurations["Hammer"].id,
]
availability_set = azurerm_availability_set.main
# or use Availability Zone
# zone_id = 1
vm_image = {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2019-Datacenter-with-Containers"
version = "latest"
}
# The feature must be activated upstream:
# az feature register --namespace Microsoft.Compute --name EncryptionAtHost --subscription <subscription_id_or_name>
encryption_at_host_enabled = true
# Use unmanaged disk if needed
# If those blocks are not defined, it will use managed_disks
os_disk_size_gb = "150" # At least 127 Gb
os_disk_caching = "ReadWrite"
storage_data_disk_config = {
app = {
disk_size_gb = 256
lun = 0
storage_account_type = "Premium_LRS"
}
}
entra_login_enabled = true
entra_login_user_objects_ids = [
data.azuread_group.vm_users_group.object_id,
]
entra_login_admin_objects_ids = [
data.azuread_group.vm_admins_group.object_id,
]
}
Name | Version |
---|---|
azapi | ~> 2.0 |
azurecaf | ~> 1.2.28 |
azurerm | ~> 4.0 |
terraform | n/a |
Name | Source | Version |
---|---|---|
azure_region | claranet/regions/azurerm | >= 7.2.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
admin_password | Password for the Virtual Machine administrator account. | string |
n/a | yes |
admin_username | Username for the Virtual Machine administrator account. | string |
n/a | yes |
application_gateway_attachment | ID of the Application Gateway Backend Pool to attach the Virtual Machine to. | object({ |
null |
no |
availability_set | ID of the Availability Set in which to locate the Virtual Machine. | object({ |
null |
no |
azure_monitor_agent_auto_upgrade_enabled | Automatically update agent when publisher releases a new version of the agent. | bool |
false |
no |
azure_monitor_agent_user_assigned_identity | User Assigned Identity to use with Azure Monitor Agent. | string |
null |
no |
azure_monitor_agent_version | Azure Monitor Agent extension version. See documentation. | string |
"1.13" |
no |
azure_monitor_data_collection_rule | Data Collection Rule ID from Azure Monitor for metrics and logs collection. Used with new monitoring agent, set to null to disable. |
object({ |
n/a | yes |
backup_policy | Backup policy ID from the Recovery Vault to attach the Virtual Machine to. Can be null to disable backup. |
object({ |
n/a | yes |
certificate_validity_in_months | The created certificate validity in months. | number |
48 |
no |
client_name | Client name/account used in naming. | string |
n/a | yes |
computer_name | Custom name for the Virtual Machine hostname. Based on var.custom_name if not set. |
string |
"" |
no |
custom_data | The base64-encoded custom data which should be used for this Virtual Machine. Changing this forces a new resource to be created. | string |
null |
no |
custom_dns_label | The DNS label to use for public access. Virtual Machine name if not set. DNS label will be <label>.westeurope.cloudapp.azure.com . |
string |
"" |
no |
custom_name | Custom name for the Virtual Machine. Generated if not set. | string |
"" |
no |
dcr_custom_name | Custom name for the Data Collection Rule association. | string |
null |
no |
default_tags_enabled | Option to enable or disable default tags. | bool |
true |
no |
diagnostics_storage_account_name | Name of the Storage Account in which boot diagnostics are stored. | string |
n/a | yes |
disk_controller_type | Specifies the Disk Controller Type used for this Virtual Machine. Possible values are SCSI and NVMe . |
string |
null |
no |
encryption_at_host_enabled | Should all disks (including the temporary disk) attached to the Virtual Machine be encrypted by enabling Encryption at Host? See documentation for more information on compatible Virtual Machine sizes. | bool |
true |
no |
entra_login_admin_objects_ids | Entra ID (aka AAD) objects IDs allowed to connect as administrator on the Virtual Machine. | list(string) |
[] |
no |
entra_login_enabled | Enable login with Entra ID (aka AAD). | bool |
false |
no |
entra_login_extension_version | Virtual Machine extension version for Entra ID (aka AAD) login extension. | string |
"1.0" |
no |
entra_login_user_objects_ids | Entra ID (aka AAD) objects IDs allowed to connect as standard user on the Virtual Machine. | list(string) |
[] |
no |
environment | Project environment. | string |
n/a | yes |
extensions_extra_tags | Extra tags to set on Virtual Machine extensions. | map(string) |
{} |
no |
extra_tags | Extra tags to set on each created resource. | map(string) |
{} |
no |
hotpatching_enabled | Should the Virtual Machine be patched without requiring a reboot? | bool |
false |
no |
identity | Identity block. See documentation. | object({ |
{ |
no |
ip_configuration_custom_name | Custom name for the IP configuration of the network interface. Generated if not set. | string |
null |
no |
key_vault | ID of the Key Vault to use for Virtual Machine certificate (value to null to disable WinRM certificate). |
object({ |
n/a | yes |
key_vault_certificates | Key Vault certificates object.names = List of Key Vault certificates names to install in the Virtual Machine. |
object({ |
{} |
no |
license_type | Specifies the BYOL type for this Virtual Machine. Possible values are Windows_Client and Windows_Server . |
string |
null |
no |
load_balancer_attachment | ID of the Load Balancer Backend Pool to attach the Virtual Machine to. | object({ |
null |
no |
location | Azure location. | string |
n/a | yes |
location_short | Short string for Azure location. | string |
n/a | yes |
maintenance_configurations_ids | List of maintenance configurations to attach to this Virtual Machine. | list(string) |
[] |
no |
monitoring_agent_enabled | true to use and deploy the Azure Monitor Agent. |
bool |
true |
no |
name_prefix | Optional prefix for the generated name. | string |
"" |
no |
name_suffix | Optional suffix for the generated name. | string |
"" |
no |
nic_accelerated_networking_enabled | Should accelerated networking be enabled? Defaults to true . |
bool |
true |
no |
nic_custom_name | Custom name for the network interface. Generated if not set. | string |
null |
no |
nic_extra_tags | Extra tags to set on the network interface. | map(string) |
{} |
no |
os_disk_caching | Specifies the caching requirements for the OS disk. | string |
"ReadWrite" |
no |
os_disk_custom_name | Custom name for the OS disk. Generated if not set. | string |
null |
no |
os_disk_extra_tags | Extra tags to set on the OS disk. | map(string) |
{} |
no |
os_disk_size_gb | Specifies the size of the OS disk in gigabytes. | string |
null |
no |
os_disk_storage_account_type | The type of Storage Account used to store the operating system disk. Possible values are Standard_LRS , StandardSSD_LRS , Premium_LRS , StandardSSD_ZRS and Premium_ZRS . |
string |
"Premium_ZRS" |
no |
os_disk_tagging_enabled | Should OS disk tagging be enabled? Defaults to true . |
bool |
true |
no |
patch_mode | Specifies the mode of in-guest patching to this Windows Virtual Machine. Possible values are Manual , AutomaticByOS and AutomaticByPlatform . |
string |
"AutomaticByPlatform" |
no |
patching_reboot_setting | Specifies the reboot setting for platform scheduled patching. Possible values are Always , IfRequired and Never . |
string |
"IfRequired" |
no |
public_ip_custom_name | Custom name for the Public IP. Generated if not set. | string |
null |
no |
public_ip_enabled | Should a Public IP be attached to the Virtual Machine? | bool |
false |
no |
public_ip_extra_tags | Extra tags to set on the Public IP. | map(string) |
{} |
no |
public_ip_zones | Availability Zones of the Public IP attached to the Virtual Machine. Can be null if no zone distpatch. |
list(number) |
[ |
no |
resource_group_name | Resource Group name. | string |
n/a | yes |
spot_instance_enabled | true to deploy the Virtual Machine as a Spot Instance. |
bool |
false |
no |
spot_instance_eviction_policy | Specifies what should happen when the Virtual Machine is evicted for price reasons. At this time, the only supported value is Deallocate . Changing this forces a new resource to be created. |
string |
"Deallocate" |
no |
spot_instance_max_bid_price | The maximum price you're willing to pay for this Virtual Machine in US dollars; must be greater than the current spot price. -1 if you don't want the Virtual Machine to be evicted for price reasons. |
number |
-1 |
no |
stack | Project stack name. | string |
n/a | yes |
static_private_ip | Static private IP address. Dynamic addressing if not set. | string |
null |
no |
storage_data_disk_config | Map of objects to configure storage data disk(s). | map(object({ |
{} |
no |
subnet | ID of the Subnet in which to create the Virtual Machine. | object({ |
n/a | yes |
ultra_ssd_enabled | Specifies whether Ultra Disks is enabled (UltraSSD_LRS storage type for data disks). |
bool |
null |
no |
user_data | The base64-encoded user data which should be used for this Virtual Machine. | string |
null |
no |
vm_agent_platform_updates_enabled | Specifies whether VMAgent Platform Updates is enabled. Defaults to false . |
bool |
false |
no |
vm_image | Virtual Machine source image information. See documentation. | object({ |
{ |
no |
vm_image_id | ID of the source image which this Virtual Machine should be created from. This variable supersedes var.vm_image if not null . |
string |
null |
no |
vm_plan | Virtual Machine plan image information. See documentation. This variable has to be used for BYOS image. Before using BYOS image, you need to accept legal plan terms. See documentation. | object({ |
null |
no |
vm_size | Size (SKU) of the Virtual Machine to create. | string |
n/a | yes |
vtpm_enabled | Specifies if vTPM (virtual Trusted Platform Module) and Trusted Launch is enabled for the Virtual Machine. Defaults to true . Changing this forces a new resource to be created. |
bool |
true |
no |
zone_id | Index of the Availability Zone which the Virtual Machine should be allocated in. | number |
null |
no |
Name | Description |
---|---|
admin_password | Administrator password of the Virtual Machine. |
admin_username | Administrator username of the Virtual Machine. |
hostname | Hostname of the Virtual Machine. |
id | ID of the Virtual Machine. |
identity_principal_id | Object ID of the Virtual Machine Managed Service Identity. |
name | Name of the Virtual Machine. |
nic_id | ID of the network interface attached to the Virtual Machine. |
nic_ip_configuration_name | Name of the IP configuration for the network interface attached to the Virtual Machine. |
nic_name | Name of the network interface attached to the Virtual Machine. |
private_ip_address | Private IP address of the Virtual Machine. |
public_domain_name_label | Public domain name of the Virtual Machine. |
public_ip_address | Public IP address of the Virtual Machine. |
public_ip_id | Public IP ID of the Virtual Machine. |
public_ip_name | Public IP name of the Virtual Machine. |
resource | Windows Virtual Machine resource object. |
resource_key_vault_certificate | WinRM Key Vault certificate resource object. |
resource_maintenance_configuration_assignment | Maintenance configuration assignment resource object. |
resource_network_interface | Network interface resource object. |
resource_public_ip | Public IP resource object. |
terraform_module | Information about this Terraform module. |
winrm_key_vault_certificate_data | RAW Key Vault certificate data represented as a hexadecimal string. |
winrm_key_vault_certificate_id | ID of the generated WinRM Key Vault certificate. |
winrm_key_vault_certificate_name | Name of the generated WinRM Key Vault certificate. |
winrm_key_vault_certificate_thumbprint | X509 thumbprint of the Key Vault certificate represented as a hexadecimal string. |
Microsoft Azure documentation: docs.microsoft.com/en-us/azure/virtual-machines/windows/