Azure Confidential VM

Terraform module to orchestrate Azure Confidential VM (CVM) instances.

Authentication

Official documentation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret

Create a service principal in Azure to obtain a client ID and client secret, then source an .rc file that exports the following environment variables:

export ARM_SUBSCRIPTION_ID=***
export ARM_TENANT_ID=***
export ARM_CLIENT_ID=***
export ARM_CLIENT_SECRET=***

Module wrappers

Users of this Terraform module can create multiple similar resources by using the for_each meta-argument within the module block.

Users of Terragrunt can achieve similar results by using the modules provided in the wrappers directory, if they prefer to reduce the number of configuration files.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| azurerm | >= 4.50 |

Providers

| Name | Version |
|------|---------|
| azurerm | >= 4.50 |
| http | n/a |
| local | n/a |
| null | n/a |
| tls | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_linux_virtual_machine.cvm | resource |
| azurerm_network_interface.default | resource |
| azurerm_network_security_group.default | resource |
| azurerm_network_security_rule.default | resource |
| azurerm_network_security_rule.ssh | resource |
| azurerm_public_ip.default | resource |
| azurerm_subnet.default | resource |
| azurerm_subnet_network_security_group_association.default | resource |
| azurerm_virtual_network.default | resource |
| local_sensitive_file.signing-key | resource |
| null_resource.signing-key-fingerprint | resource |
| tls_private_key.rsa-4096 | resource |
| azurerm_resource_group.default | data source |
| http_http.cblogin | data source |
| local_file.signing-key-fingerprint | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| az_region | Azure Region. Defaults to the AZ Resource Group location. | `string` | `null` | no |
| az_resource_group_name | Azure Resource Group Name | `string` | n/a | yes |
| cb_password | CanaryBit password | `string` | n/a | yes |
| cb_username | CanaryBit username | `string` | n/a | yes |
| cvm_disk_size_gb | CVM Disk size | `string` | `"30"` | no |
| cvm_name | Confidential VM name | `string` | n/a | yes |
| cvm_os | URN of the OS image | `string` | `"canonical:ubuntu-24_04-lts:cvm:latest"` | no |
| cvm_ports_open | List of CVM open network ports | `list(string)` | `[]` | no |
| cvm_size | Supported sizes are Standard_DC* or Standard_EC* series | `string` | n/a | yes |
| cvm_ssh_enabled | Enable/Disable SSH login | `bool` | `null` | no |
| cvm_ssh_pubkey | Path to the public key used for SSH connection | `string` | n/a | yes |
| cvm_username | CVM Username for SSH login | `string` | `"tower"` | no |
| remote_attestation | Enable CanaryBit Remote Attestation | `object({ environments = string, cbinspector_url = optional(string, "https://api.inspector.confidentialcloud.io"), cbclient_version = optional(string, "0.2.4"), cbcli_version = optional(string, "0.2.5"), signing_key = optional(string) })` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| cloud-init | The cloud-init configuration of the running CVM instance(s) |
| cvm-info | Details of the running CVM instance(s) |
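The following is an added example, not part of this module's own code, showing how the for_each pattern from the Module wrappers section combines with the inputs and outputs above to provision two CVMs with different network exposure. The module source path, resource group name, public key path, environment name and the credential variables are assumed placeholders.

```hcl
# Added example, not from the module itself. The source path, resource group,
# key path, environment name and credential variables are assumptions.
variable "cb_username" { type = string }
variable "cb_password" {
  type      = string
  sensitive = true # keep the CanaryBit password out of plan output
}

locals {
  # Two CVMs with least exposure per role: the bastion allows SSH but opens no
  # extra ports; the web node serves 443 only and has SSH disabled entirely.
  cvms = {
    bastion = { size = "Standard_DC2as_v5", ssh = true,  ports = [] }
    web     = { size = "Standard_DC4as_v5", ssh = false, ports = ["443"] }
  }
}

module "cvm" {
  source   = "./modules/azure-cvm" # assumed local path to this module
  for_each = local.cvms

  az_resource_group_name = "rg-cvm-example"            # assumed, must exist
  cvm_name               = "cvm-${each.key}"
  cvm_size               = each.value.size              # Standard_DC*/EC* only
  cvm_ssh_enabled        = each.value.ssh
  cvm_ports_open         = each.value.ports
  cvm_ssh_pubkey         = "~/.ssh/cvm_ed25519.pub"     # assumed path
  cb_username            = var.cb_username
  cb_password            = var.cb_password

  # Enable remote attestation; URL and tool versions keep the module defaults.
  remote_attestation = {
    environments = "production" # assumed environment name
  }
}

# Collect the per-instance details exposed by the module's cvm-info output.
output "cvm_info" {
  value = { for name, m in module.cvm : name => m.cvm-info }
}
```

Supply cb_username and cb_password via TF_VAR_ environment variables or a tfvars file rather than hard-coding them next to the ARM_ credentials.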