Merge pull request #296 from aztfmod/js-encrypt-disk-cmk

Disk Encryption Set with CMK
aztfmod · Mar 25, 2021 · fbbf064 · fbbf064
2 parents 5fcbebb + 7c0c09b
commit fbbf064
Show file tree

Hide file tree

Showing 39 changed files with 587 additions and 100 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -32,7 +32,7 @@
     // "shutdownAction": "none",
 
     // Uncomment the next line to run commands after the container is created.
-    "postCreateCommand": "cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chmod 600 ~/.ssh/* && sudo chown -R $(whoami) /tf/caf && git config --global core.editor vi && pre-commit install && pre-commit autoupdate",
+    "postCreateCommand": "sudo cp -R /tmp/.ssh-localhost/* ~/.ssh && sudo chmod 600 ~/.ssh/* && sudo chown -R $(whoami) /tf/caf && git config --global core.editor vi && pre-commit install && pre-commit autoupdate",
 
     // Add the IDs of extensions you want installed when the container is created in the array below.
     "extensions": [

diff --git a/.github/workflows/master-100-tf13.yaml b/.github/workflows/master-100-tf13.yaml
@@ -84,6 +84,7 @@ jobs:
             "compute/virtual_machine/101-single-windows-vm",
             "compute/virtual_machine/104-single-windows-backup",
             "compute/virtual_machine/211-vm-bastion-winrm-agents",
+            "compute/virtual_machine/105-single-windows-vm-kv-admin-secrets",
             "cosmos_db/100-simple-cosmos-db-cassandra",
             "cosmos_db/100-simple-cosmos-db-gremlin",
             "cosmos_db/100-simple-cosmos-db-mongo",

diff --git a/.github/workflows/master-100-tf14.yaml b/.github/workflows/master-100-tf14.yaml
@@ -1,4 +1,4 @@
-# 
+#
 # Copyright (c) Microsoft Corporation
 # Licensed under the MIT License.
 #
@@ -91,6 +91,7 @@ jobs:
             "compute/virtual_machine/101-single-windows-vm",
             "compute/virtual_machine/104-single-windows-backup",
             "compute/virtual_machine/211-vm-bastion-winrm-agents",
+            "compute/virtual_machine/105-single-windows-vm-kv-admin-secrets",
             "cosmos_db/100-simple-cosmos-db-cassandra",
             "cosmos_db/100-simple-cosmos-db-gremlin",
             "cosmos_db/100-simple-cosmos-db-mongo",

diff --git a/.github/workflows/master-100-tf15.yaml b/.github/workflows/master-100-tf15.yaml
@@ -83,6 +83,7 @@ jobs:
             "compute/virtual_machine/101-single-windows-vm",
             "compute/virtual_machine/104-single-windows-backup",
             "compute/virtual_machine/211-vm-bastion-winrm-agents",
+            "compute/virtual_machine/105-single-windows-vm-kv-admin-secrets",
             "cosmos_db/100-simple-cosmos-db-cassandra",
             "cosmos_db/100-simple-cosmos-db-gremlin",
             "cosmos_db/100-simple-cosmos-db-mongo",

diff --git a/.github/workflows/master-standalone-tf13.yaml b/.github/workflows/master-standalone-tf13.yaml
@@ -48,6 +48,7 @@ jobs:
             "compute/virtual_machine/104-single-windows-backup",
             "compute/virtual_machine/105-single-windows-vm-kv-admin-secrets",
             "compute/virtual_machine/211-vm-bastion-winrm-agents",
+            "compute/virtual_machine/210-vm-bastion-winrm",
             "cosmos_db/100-simple-cosmos-db-cassandra",
             "cosmos_db/100-simple-cosmos-db-cassandra",
             "cosmos_db/100-simple-cosmos-db-gremlin",
@@ -106,7 +107,7 @@ jobs:
             "recovery_vault/103-asr-with-private-endpoint",
             "redis_cache/100-redis-standard",
             "storage_accounts/100-simple-storage-account-blob-container",
-            "storage_accounts/102-storage-account-advanced-options",         
+            "storage_accounts/102-storage-account-advanced-options",
             "synapse_analytics/100-synapse",
             "synapse_analytics/101-synapse-sparkpool",
             "webapps/appservice/101-appservice-simple",

diff --git a/.github/workflows/master-standalone-tf14.yaml b/.github/workflows/master-standalone-tf14.yaml
@@ -54,14 +54,12 @@ jobs:
             "compute/virtual_machine/102-single-vm-data-disks",
             "compute/virtual_machine/104-single-windows-backup",
             "compute/virtual_machine/105-single-windows-vm-kv-admin-secrets",
+            "compute/virtual_machine/210-vm-bastion-winrm",
             "compute/virtual_machine/211-vm-bastion-winrm-agents",
             "cosmos_db/100-simple-cosmos-db-cassandra",
-            "cosmos_db/100-simple-cosmos-db-cassandra",
-            "cosmos_db/100-simple-cosmos-db-gremlin",
             "cosmos_db/100-simple-cosmos-db-gremlin",
             "cosmos_db/100-simple-cosmos-db-sql",
             "cosmos_db/100-simple-cosmos-db-table",
-            "cosmos_db/100-simple-cosmos-db-table",
             "databricks/100-simple-databricks",
             "datalake/101-datalake-storage",
             "eventhub/100-simple-eventhub-namespace",

diff --git a/.github/workflows/master-standalone-tf15.yaml b/.github/workflows/master-standalone-tf15.yaml
@@ -42,8 +42,10 @@ jobs:
             "compute/kubernetes_services/101-single-cluster",
             "compute/kubernetes_services/102-multi-nodepools",
             "compute/proximity_placement_group",
-            "compute/virtual_machine/105-single-windows-vm-kv-admin-secrets",
+            "compute/virtual_machine/100-single-linux-vm",
             "compute/virtual_machine/211-vm-bastion-winrm-agents",
+            "compute/virtual_machine/105-single-windows-vm-kv-admin-secrets",
+            "compute/virtual_machine/210-vm-bastion-winrm",
             "cosmos_db/100-simple-cosmos-db-cassandra",
             "cosmos_db/100-simple-cosmos-db-gremlin",
             "cosmos_db/100-simple-cosmos-db-sql",

diff --git a/disk_encryption_sets.tf b/disk_encryption_sets.tf
@@ -0,0 +1,16 @@
+module "disk_encryption_sets" {
+  source   = "./modules/security/disk_encryption_set"
+  for_each = local.security.disk_encryption_sets
+
+  global_settings   = local.global_settings
+  client_config     = local.client_config
+  settings          = each.value
+  resource_groups   = module.resource_groups
+  base_tags         = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
+  key_vault_key_ids = module.keyvault_keys
+  keyvault_id       = local.combined_objects_keyvaults[try(each.value.keyvault.lz_key, local.client_config.landingzone_key)][each.value.keyvault.key].id
+}
+
+output disk_encryption_sets {
+  value = module.disk_encryption_sets
+}
diff --git a/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars b/examples/compute/virtual_machine/100-single-linux-vm/configuration.tfvars
@@ -46,6 +46,8 @@ virtual_machines = {
         size                            = "Standard_F2"
         admin_username                  = "adminuser"
         disable_password_authentication = true
+
+        #custom_data                     = "scripts/cloud-init/install-rover-tools.config"
         custom_data                     = "../../examples/compute/virtual_machine/100-single-linux-vm/scripts/cloud-init/install-rover-tools.config"
 
         # Spot VM to save money
@@ -56,11 +58,14 @@ virtual_machines = {
         network_interface_keys = ["nic0"]
 
         os_disk = {
-          name                 = "example_vm1-os"
-          caching              = "ReadWrite"
-          storage_account_type = "Standard_LRS"
+          name                    = "example_vm1-os"
+          caching                 = "ReadWrite"
+          storage_account_type    = "Standard_LRS"
+          disk_encryption_set_key = "set1"
+        }
+        identity = {
+          type = "SystemAssigned"
         }
-
         source_image_reference = {
           publisher = "Canonical"
           offer     = "UbuntuServer"
@@ -70,7 +75,18 @@ virtual_machines = {
 
       }
     }
-
+    data_disks = {
+      data1 = {
+        name                 = "server1-data1"
+        storage_account_type = "Standard_LRS"
+        # Only Empty is supported. More community contributions required to cover other scenarios
+        create_option           = "Empty"
+        disk_size_gb            = "10"
+        lun                     = 1
+        zones                   = ["1"]
+        disk_encryption_set_key = "set1"
+      }
+    }
   }
 }
 
@@ -91,17 +107,44 @@ diagnostic_storage_accounts = {
 
 keyvaults = {
   example_vm_rg1 = {
-    name               = "vmsecrets"
-    resource_group_key = "vm_region1"
-    sku_name           = "standard"
+    name                        = "vmlinuxakv"
+    resource_group_key          = "vm_region1"
+    sku_name                    = "standard"
+    soft_delete_enabled         = true
+    purge_protection_enabled    = true
+    enabled_for_disk_encryption = true
+    tags = {
+      env = "Standalone"
+    }
     creation_policies = {
       logged_in_user = {
         secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+        key_permissions    = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"]
       }
     }
   }
 }
 
+keyvault_keys = {
+  key1 = {
+    keyvault_key = "example_vm_rg1"
+    name         = "disk-key"
+    key_type     = "RSA"
+    key_size     = "2048"
+    key_opts     = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
+  }
+}
+
+disk_encryption_sets = {
+  set1 = {
+    name               = "deskey1"
+    resource_group_key = "vm_region1"
+    key_vault_key_key  = "key1"
+    keyvault           = {
+      key = "example_vm_rg1"
+    }
+  }
+}
 vnets = {
   vnet_region1 = {
     resource_group_key = "vm_region1"

diff --git a/examples/compute/virtual_machine/100-single-linux-vm/readme.md b/examples/compute/virtual_machine/100-single-linux-vm/readme.md
@@ -0,0 +1,27 @@
+You can test this module outside of a landingzone using
+
+```bash
+configuration_folder=/tf/caf/examples/compute/virtual_machine/100-single-linux-vm
+parameter_files=$(find ${configuration_folder} | grep .tfvars | sed 's/.*/-var-file &/' | xargs)
+
+cd /tf/caf/landingzones/caf_example
+terraform init
+terraform [plan | apply | destroy ] \
+  -var-file ../configuration.tfvars
+
+
+```
+
+To test this deployment in the example landingzone. Make sure the launchpad has been deployed first
+
+```bash
+
+configuration_folder=/tf/caf/examples/compute/virtual_machine/100-single-linux-vm
+
+rover \
+  -lz /tf/caf/landingzones/caf_example \
+  -var-folder ${configuration_folder} \
+  -level level1 \
+  -a [plan | apply | destroy ]
+
+```
diff --git a/examples/compute/virtual_machine/105-single-windows-vm-kv-admin-secrets/configuration.tfvars b/examples/compute/virtual_machine/105-single-windows-vm-kv-admin-secrets/configuration.tfvars
@@ -1,15 +1,20 @@
-
 global_settings = {
   default_region = "region1"
   prefix         = null
   regions = {
     region1 = "southeastasia"
   }
 }
+tags = {
+  level = "100"
+}
 
 resource_groups = {
   vm_region1 = {
     name = "example-virtual-machine-rg1"
+    tags = {
+      env = "standalone"
+    }
   }
 }
 
@@ -20,7 +25,7 @@ virtual_machines = {
   example_vm1 = {
     resource_group_key                   = "vm_region1"
     provision_vm_agent                   = true
-    boot_diagnostics_storage_account_key = "bootdiag_region1"
+    boot_diagnostics_storage_account_key = "sa1"
 
     os_type = "windows"
 
@@ -44,6 +49,7 @@ virtual_machines = {
       windows = {
         name = "example_vm2"
         size = "Standard_F2"
+        zone = "1"
 
         admin_username_key = "vmadmin-username"
         admin_password_key = "vmadmin-password"
@@ -56,11 +62,18 @@ virtual_machines = {
         network_interface_keys = ["nic0"]
 
         os_disk = {
-          name                 = "example_vm1-os"
-          caching              = "ReadWrite"
-          storage_account_type = "Standard_LRS"
+          name                    = "example_vm1-os"
+          caching                 = "ReadWrite"
+          storage_account_type    = "Standard_LRS"
+          managed_disk_type       = "StandardSSD_LRS"
+          disk_size_gb            = "128"
+          create_option           = "FromImage"
+          disk_encryption_set_key = "set1"
         }
 
+        identity = {
+          type = "SystemAssigned"
+        }
         source_image_reference = {
           publisher = "MicrosoftWindowsServer"
           offer     = "WindowsServer"
@@ -70,7 +83,18 @@ virtual_machines = {
 
       }
     }
-
+    data_disks = {
+      data1 = {
+        name                 = "server1-data1"
+        storage_account_type = "Standard_LRS"
+        # Only Empty is supported. More community contributions required to cover other scenarios
+        create_option           = "Empty"
+        disk_size_gb            = "10"
+        lun                     = 1
+        zones                   = ["1"]
+        disk_encryption_set_key = "set1"
+      }
+    }
   }
 }
 
@@ -90,20 +114,23 @@ dynamic_keyvault_secrets = {
 
 keyvaults = {
   example_vm_rg1 = {
-    name               = "vmsecrets"
-    resource_group_key = "vm_region1"
-    sku_name           = "standard"
-
+    name                        = "vmsecretskv"
+    resource_group_key          = "vm_region1"
+    sku_name                    = "standard"
+    soft_delete_enabled         = true
+    purge_protection_enabled    = true
+    enabled_for_disk_encryption = true
+    tags = {
+      env = "Standalone"
+    }
     creation_policies = {
       logged_in_user = {
-        certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Purge", "Recover"]
-        secret_permissions      = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
+        key_permissions    = ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"]
       }
     }
   }
 }
-
-
 vnets = {
   vnet_region1 = {
     resource_group_key = "vm_region1"
@@ -132,4 +159,53 @@ public_ip_addresses = {
     idle_timeout_in_minutes = "4"
 
   }
+}
+
+storage_accounts = {
+  sa1 = {
+    name               = "sa1dev"
+    resource_group_key = "vm_region1"
+    # Account types are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2
+    account_kind = "BlobStorage"
+    # Account Tier options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid.
+    account_tier = "Standard"
+    #  Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS
+    account_replication_type = "LRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
+    min_tls_version          = "TLS1_2"
+    allow_blob_public_access = true
+    tags = {
+      environment = "dev"
+      team        = "IT"
+      ##
+    }
+    enable_system_msi = {
+      type = "SystemAssigned"
+    }
+    containers = {
+      dev = {
+        name = "random"
+      }
+    }
+  }
+
+}
+keyvault_keys = {
+  key1 = {
+    keyvault_key = "example_vm_rg1"
+    name         = "disk-key"
+    key_type     = "RSA"
+    key_size     = "2048"
+    key_opts     = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
+  }
+}
+
+disk_encryption_sets = {
+  set1 = {
+    name               = "deskey1"
+    resource_group_key = "vm_region1"
+    key_vault_key_key  = "key1"
+    keyvault           = {
+      key = "example_vm_rg1"
+    }
+  }
 }