Terraform module composition (feature) for ARM Windows Virtual Machine (VM)

Azure Windows Virtual Machine

This module creates a Windows Virtual Machine with Windows Remote Management (WinRM) activated.

The Windows Virtual Machine comes with:

This code is mostly based on Tom Harvey's work: https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/virtual-machines/provisioners/windows

The following tags are automatically set with default values: env, stack, os_family, os_distribution, os_version.

Limitations

  • A self-signed certificate is generated and associated

Requirements

Ansible usage

The created Virtual Machine can be used with Ansible this way:

ansible all -i <public_ip_address>, -m win_ping -e ansible_user=<vm_username> -e ansible_password=<vm_password> -e ansible_connection=winrm -e ansible_winrm_server_cert_validation=ignore
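
The `ansible_winrm_server_cert_validation=ignore` setting above is needed because the listener certificate is self-signed (see Limitations), but it also means Ansible will accept any certificate the endpoint presents. The module exposes the thumbprint of the certificate it generated as the `winrm_key_vault_certificate_thumbprint` output, so a deployment pipeline can check that the listener it is about to trust blindly is the one Terraform provisioned. The script below is an added example, not part of this module or of Claranet's tooling. It assumes the root configuration re-exports the module output under the hypothetical name `vm_winrm_thumbprint`, that WinRM over HTTPS listens on its default port 5986, and that `openssl` and `terraform` (or `tofu`, via `TF_BIN`) are on the PATH.

```shell
#!/bin/sh
# Added example (not part of the claranet/terraform-azurerm-windows-vm module):
# check that the certificate presented by the VM's WinRM HTTPS listener is the one
# Terraform generated, before running Ansible with
# ansible_winrm_server_cert_validation=ignore.
set -eu

# Normalise a thumbprint for comparison: drop any "SHA1 Fingerprint=" prefix that
# openssl prints, remove colons and whitespace, and upper-case the hex digits.
normalize_thumbprint() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Succeeds (exit 0) when both arguments denote the same thumbprint, whatever their
# formatting, and fails (exit 1) otherwise.
thumbprints_match() {
  [ "$(normalize_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ]
}

# SHA-1 fingerprint of the leaf certificate served on host:port (default 5986, the
# WinRM HTTPS port). Needs network access and openssl; not exercised by the tests.
remote_winrm_thumbprint() {
  openssl s_client -connect "$1:${2:-5986}" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 \
    | sed 's/^.*=//'
}

# Expected thumbprint: taken from WINRM_EXPECTED_THUMBPRINT when set, otherwise from
# the root module output "vm_winrm_thumbprint" (hypothetical name: the root module is
# assumed to re-export the module's winrm_key_vault_certificate_thumbprint output).
expected_winrm_thumbprint() {
  if [ -n "${WINRM_EXPECTED_THUMBPRINT:-}" ]; then
    printf '%s' "$WINRM_EXPECTED_THUMBPRINT"
  else
    "${TF_BIN:-terraform}" output -raw vm_winrm_thumbprint
  fi
}

# verify_winrm_cert <vm_public_ip_or_dns> [port]: exit 0 on match, 1 on mismatch.
verify_winrm_cert() {
  expected="$(expected_winrm_thumbprint)"
  actual="$(remote_winrm_thumbprint "$1" "${2:-5986}")"
  if thumbprints_match "$expected" "$actual"; then
    echo "OK: ${1}:${2:-5986} presents the Terraform-generated WinRM certificate ($(normalize_thumbprint "$actual"))"
  else
    echo "MISMATCH: expected $(normalize_thumbprint "$expected"), listener presented $(normalize_thumbprint "$actual")" >&2
    return 1
  fi
}

# Run the check only when a host is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  verify_winrm_cert "$@"
fi
```

Run it as `sh winrm_cert_check.sh <public_ip_address>` from the directory holding the root module's state, and gate the Ansible run on its exit status. A mismatch does not by itself mean compromise (a rotated certificate or a stale state file produce the same result), but it is the signal you lose entirely when validation is simply ignored.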

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|---|---|---|---|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | | >= 3.0 |
| >= 6.x.x | 1.x | | >= 3.0 |
| >= 5.x.x | 0.15.x | | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
| >= 3.x.x | 0.12.x | | >= 2.0 |
| >= 2.x.x | 0.12.x | | < 2.0 |
| < 2.x.x | 0.11.x | | < 2.0 |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration: it automatically updates and formats some files for you, enforcing our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables needed by this module. More details about the variables set by the terraform-wrapper are available in its documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. We recommend using OpenTofu instead.

# Retrieve the existing Entra groups to which we want to assign login access on the Windows Virtual Machine
data "azuread_group" "vm_admins_group" {
  display_name = "Virtual Machines Administrators"
}

data "azuread_group" "vm_users_group" {
  display_name = "Virtual Machines Basic Users"
}

resource "azurerm_availability_set" "main" {
  name                = "${var.stack}-${var.client_name}-${module.azure_region.location_short}-${var.environment}-as"
  location            = module.azure_region.location
  resource_group_name = module.rg.name
  managed             = true
}

module "vm" {
  source  = "claranet/windows-vm/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  key_vault = {
    id = module.run.key_vault_id
  }

  subnet = module.subnet

  vm_size        = "Standard_B2s"
  admin_username = var.vm_admin_login
  admin_password = var.vm_admin_password

  diagnostics_storage_account_name = module.run.logs_storage_account_name
  azure_monitor_data_collection_rule = {
    id = module.run.data_collection_rule_id
  }

  # Set to null to deactivate backup
  backup_policy = {
    id = module.run.vm_backup_policy_id
  }

  patch_mode = "AutomaticByPlatform"
  maintenance_configurations_ids = [
    module.run.maintenance_configurations["Donald"].id,
    module.run.maintenance_configurations["Hammer"].id,
  ]

  availability_set = azurerm_availability_set.main
  # or use Availability Zone
  # zone_id = 1

  vm_image = {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2019-Datacenter-with-Containers"
    version   = "latest"
  }

  # The feature must be activated upstream:
  # az feature register --namespace Microsoft.Compute --name EncryptionAtHost --subscription <subscription_id_or_name>
  encryption_at_host_enabled = true

  # Use unmanaged disk if needed
  # If those blocks are not defined, it will use managed_disks
  os_disk_size_gb = "150" # At least 127 GB
  os_disk_caching = "ReadWrite"

  storage_data_disk_config = {
    app = {
      disk_size_gb         = 256
      lun                  = 0
      storage_account_type = "Premium_LRS"
    }
  }

  entra_login_enabled = true
  entra_login_user_objects_ids = [
    data.azuread_group.vm_users_group.object_id,
  ]
  entra_login_admin_objects_ids = [
    data.azuread_group.vm_admins_group.object_id,
  ]
}

Providers

| Name | Version |
|---|---|
| azapi | ~> 2.0 |
| azurecaf | ~> 1.2.28 |
| azurerm | ~> 4.0 |
| terraform | n/a |

Modules

| Name | Source | Version |
|---|---|---|
| azure_region | claranet/regions/azurerm | >= 7.2.0 |

Resources

| Name | Type |
|---|---|
| azapi_resource_action.main | resource |
| azurerm_backup_protected_vm.main | resource |
| azurerm_key_vault_access_policy.main | resource |
| azurerm_key_vault_certificate.main | resource |
| azurerm_maintenance_assignment_virtual_machine.main | resource |
| azurerm_managed_disk.main | resource |
| azurerm_monitor_data_collection_rule_association.main | resource |
| azurerm_network_interface.main | resource |
| azurerm_network_interface_application_gateway_backend_address_pool_association.main | resource |
| azurerm_network_interface_backend_address_pool_association.main | resource |
| azurerm_public_ip.main | resource |
| azurerm_role_assignment.rbac_admin_login | resource |
| azurerm_role_assignment.rbac_user_login | resource |
| azurerm_virtual_machine_data_disk_attachment.main | resource |
| azurerm_virtual_machine_extension.azure_monitor_agent | resource |
| azurerm_virtual_machine_extension.entra_login | resource |
| azurerm_virtual_machine_extension.key_vault_certificates | resource |
| azurerm_windows_virtual_machine.main | resource |
| terraform_data.winrm_connection_test | resource |
| azurecaf_name.disk | data source |
| azurecaf_name.hostname | data source |
| azurecaf_name.nic | data source |
| azurecaf_name.public_ip | data source |
| azurecaf_name.vm | data source |
| azurerm_client_config.current | data source |
| azurerm_managed_disk.vm_os_disk | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_password | Password for the Virtual Machine administrator account. | string | n/a | yes |
| admin_username | Username for the Virtual Machine administrator account. | string | n/a | yes |
| application_gateway_attachment | ID of the Application Gateway Backend Pool to attach the Virtual Machine to. | object({ id = string }) | null | no |
| availability_set | ID of the Availability Set in which to locate the Virtual Machine. | object({ id = string }) | null | no |
| azure_monitor_agent_auto_upgrade_enabled | Automatically update the agent when the publisher releases a new version of it. | bool | false | no |
| azure_monitor_agent_user_assigned_identity | User Assigned Identity to use with Azure Monitor Agent. | string | null | no |
| azure_monitor_agent_version | Azure Monitor Agent extension version. See documentation. | string | "1.13" | no |
| azure_monitor_data_collection_rule | Data Collection Rule ID from Azure Monitor for metrics and logs collection. Used with the new monitoring agent; set to null to disable. | object({ id = string }) | n/a | yes |
| backup_policy | Backup policy ID from the Recovery Vault to attach the Virtual Machine to. Can be null to disable backup. | object({ id = string }) | n/a | yes |
| certificate_validity_in_months | Validity in months of the created certificate. | number | 48 | no |
| client_name | Client name/account used in naming. | string | n/a | yes |
| computer_name | Custom name for the Virtual Machine hostname. Based on var.custom_name if not set. | string | "" | no |
| custom_data | The base64-encoded custom data which should be used for this Virtual Machine. Changing this forces a new resource to be created. | string | null | no |
| custom_dns_label | The DNS label to use for public access. Virtual Machine name if not set. The DNS label will be `<label>.westeurope.cloudapp.azure.com`. | string | "" | no |
| custom_name | Custom name for the Virtual Machine. Generated if not set. | string | "" | no |
| dcr_custom_name | Custom name for the Data Collection Rule association. | string | null | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| diagnostics_storage_account_name | Name of the Storage Account in which boot diagnostics are stored. | string | n/a | yes |
| disk_controller_type | Specifies the Disk Controller Type used for this Virtual Machine. Possible values are SCSI and NVMe. | string | null | no |
| encryption_at_host_enabled | Should all disks (including the temporary disk) attached to the Virtual Machine be encrypted by enabling Encryption at Host? See documentation for more information on compatible Virtual Machine sizes. | bool | true | no |
| entra_login_admin_objects_ids | Entra ID (aka AAD) object IDs allowed to connect as administrator on the Virtual Machine. | list(string) | [] | no |
| entra_login_enabled | Enable login with Entra ID (aka AAD). | bool | false | no |
| entra_login_extension_version | Virtual Machine extension version for the Entra ID (aka AAD) login extension. | string | "1.0" | no |
| entra_login_user_objects_ids | Entra ID (aka AAD) object IDs allowed to connect as standard user on the Virtual Machine. | list(string) | [] | no |
| environment | Project environment. | string | n/a | yes |
| extensions_extra_tags | Extra tags to set on Virtual Machine extensions. | map(string) | {} | no |
| extra_tags | Extra tags to set on each created resource. | map(string) | {} | no |
| hotpatching_enabled | Should the Virtual Machine be patched without requiring a reboot? | bool | false | no |
| identity | Identity block. See documentation. | object({ type = string, identity_ids = list(string) }) | { "identity_ids": [], "type": "SystemAssigned" } | no |
| ip_configuration_custom_name | Custom name for the IP configuration of the network interface. Generated if not set. | string | null | no |
| key_vault | ID of the Key Vault to use for the Virtual Machine certificate (set to null to disable the WinRM certificate). | object({ id = string }) | n/a | yes |
| key_vault_certificates | Key Vault certificates object. names = list of Key Vault certificate names to install in the Virtual Machine; store_name = name of the certificate store in which to install the Key Vault certificates; polling_rate = polling rate (in seconds) for Key Vault certificate retrieval. | object({ names = optional(list(string)), store_name = optional(string, "MY"), polling_rate = optional(number, 300) }) | {} | no |
| license_type | Specifies the BYOL type for this Virtual Machine. Possible values are Windows_Client and Windows_Server. | string | null | no |
| load_balancer_attachment | ID of the Load Balancer Backend Pool to attach the Virtual Machine to. | object({ id = string }) | null | no |
| location | Azure location. | string | n/a | yes |
| location_short | Short string for Azure location. | string | n/a | yes |
| maintenance_configurations_ids | List of maintenance configurations to attach to this Virtual Machine. | list(string) | [] | no |
| monitoring_agent_enabled | true to use and deploy the Azure Monitor Agent. | bool | true | no |
| name_prefix | Optional prefix for the generated name. | string | "" | no |
| name_suffix | Optional suffix for the generated name. | string | "" | no |
| nic_accelerated_networking_enabled | Should accelerated networking be enabled? Defaults to true. | bool | true | no |
| nic_custom_name | Custom name for the network interface. Generated if not set. | string | null | no |
| nic_extra_tags | Extra tags to set on the network interface. | map(string) | {} | no |
| os_disk_caching | Specifies the caching requirements for the OS disk. | string | "ReadWrite" | no |
| os_disk_custom_name | Custom name for the OS disk. Generated if not set. | string | null | no |
| os_disk_extra_tags | Extra tags to set on the OS disk. | map(string) | {} | no |
| os_disk_size_gb | Specifies the size of the OS disk in gigabytes. | string | null | no |
| os_disk_storage_account_type | The type of Storage Account used to store the operating system disk. Possible values are Standard_LRS, StandardSSD_LRS, Premium_LRS, StandardSSD_ZRS and Premium_ZRS. | string | "Premium_ZRS" | no |
| os_disk_tagging_enabled | Should OS disk tagging be enabled? Defaults to true. | bool | true | no |
| patch_mode | Specifies the mode of in-guest patching for this Windows Virtual Machine. Possible values are Manual, AutomaticByOS and AutomaticByPlatform. | string | "AutomaticByPlatform" | no |
| patching_reboot_setting | Specifies the reboot setting for platform scheduled patching. Possible values are Always, IfRequired and Never. | string | "IfRequired" | no |
| public_ip_custom_name | Custom name for the Public IP. Generated if not set. | string | null | no |
| public_ip_enabled | Should a Public IP be attached to the Virtual Machine? | bool | false | no |
| public_ip_extra_tags | Extra tags to set on the Public IP. | map(string) | {} | no |
| public_ip_zones | Availability Zones of the Public IP attached to the Virtual Machine. Can be null if no zone dispatch. | list(number) | [1, 2, 3] | no |
| resource_group_name | Resource Group name. | string | n/a | yes |
| spot_instance_enabled | true to deploy the Virtual Machine as a Spot Instance. | bool | false | no |
| spot_instance_eviction_policy | Specifies what should happen when the Virtual Machine is evicted for price reasons. At this time, the only supported value is Deallocate. Changing this forces a new resource to be created. | string | "Deallocate" | no |
| spot_instance_max_bid_price | The maximum price you're willing to pay for this Virtual Machine in US dollars; must be greater than the current spot price. -1 if you don't want the Virtual Machine to be evicted for price reasons. | number | -1 | no |
| stack | Project stack name. | string | n/a | yes |
| static_private_ip | Static private IP address. Dynamic addressing if not set. | string | null | no |
| storage_data_disk_config | Map of objects to configure storage data disk(s). | map(object({ name = optional(string), create_option = optional(string, "Empty"), disk_size_gb = number, lun = optional(number), caching = optional(string, "ReadWrite"), storage_account_type = optional(string, "StandardSSD_ZRS"), source_resource_id = optional(string), extra_tags = optional(map(string), {}) })) | {} | no |
| subnet | ID of the Subnet in which to create the Virtual Machine. | object({ id = string }) | n/a | yes |
| ultra_ssd_enabled | Specifies whether Ultra Disks are enabled (UltraSSD_LRS storage type for data disks). | bool | null | no |
| user_data | The base64-encoded user data which should be used for this Virtual Machine. | string | null | no |
| vm_agent_platform_updates_enabled | Specifies whether VMAgent Platform Updates are enabled. Defaults to false. | bool | false | no |
| vm_image | Virtual Machine source image information. See documentation. | object({ publisher = string, offer = string, sku = string, version = optional(string, "latest") }) | { "offer": "WindowsServer", "publisher": "MicrosoftWindowsServer", "sku": "2022-datacenter-g2", "version": "latest" } | no |
| vm_image_id | ID of the source image which this Virtual Machine should be created from. This variable supersedes var.vm_image if not null. | string | null | no |
| vm_plan | Virtual Machine plan image information. See documentation. This variable has to be used for a BYOS image. Before using a BYOS image, you need to accept the legal plan terms. See documentation. | object({ name = string, product = string, publisher = string }) | null | no |
| vm_size | Size (SKU) of the Virtual Machine to create. | string | n/a | yes |
| vtpm_enabled | Specifies if vTPM (virtual Trusted Platform Module) and Trusted Launch are enabled for the Virtual Machine. Defaults to true. Changing this forces a new resource to be created. | bool | true | no |
| zone_id | Index of the Availability Zone in which the Virtual Machine should be allocated. | number | null | no |

Outputs

| Name | Description |
|---|---|
| admin_password | Administrator password of the Virtual Machine. |
| admin_username | Administrator username of the Virtual Machine. |
| hostname | Hostname of the Virtual Machine. |
| id | ID of the Virtual Machine. |
| identity_principal_id | Object ID of the Virtual Machine Managed Service Identity. |
| name | Name of the Virtual Machine. |
| nic_id | ID of the network interface attached to the Virtual Machine. |
| nic_ip_configuration_name | Name of the IP configuration for the network interface attached to the Virtual Machine. |
| nic_name | Name of the network interface attached to the Virtual Machine. |
| private_ip_address | Private IP address of the Virtual Machine. |
| public_domain_name_label | Public domain name of the Virtual Machine. |
| public_ip_address | Public IP address of the Virtual Machine. |
| public_ip_id | Public IP ID of the Virtual Machine. |
| public_ip_name | Public IP name of the Virtual Machine. |
| resource | Windows Virtual Machine resource object. |
| resource_key_vault_certificate | WinRM Key Vault certificate resource object. |
| resource_maintenance_configuration_assignment | Maintenance configuration assignment resource object. |
| resource_network_interface | Network interface resource object. |
| resource_public_ip | Public IP resource object. |
| terraform_module | Information about this Terraform module. |
| winrm_key_vault_certificate_data | Raw Key Vault certificate data represented as a hexadecimal string. |
| winrm_key_vault_certificate_id | ID of the generated WinRM Key Vault certificate. |
| winrm_key_vault_certificate_name | Name of the generated WinRM Key Vault certificate. |
| winrm_key_vault_certificate_thumbprint | X509 thumbprint of the Key Vault certificate represented as a hexadecimal string. |

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/virtual-machines/windows/
