generated from miljodir/terraform-azurerm-template
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.tf
255 lines (228 loc) · 11.4 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
#---------------------------------------------------------------
# Generates SSH2 key Pair for Linux VM's (Dev Environment only)
#---------------------------------------------------------------
resource "tls_private_key" "rsa" {
count = var.generate_admin_ssh_key == true && var.os_flavor == "linux" ? 1 : 0
algorithm = "ED25519"
rsa_bits = 4096
lifecycle {
ignore_changes = [
#rsa_bits,
algorithm
]
}
}
#----------------------------------------------------------
# Resource Group, VNet, Subnet selection & Random Resources
#----------------------------------------------------------
resource "random_password" "passwd" {
count = (var.disable_password_authentication != true && var.os_flavor == "linux") || (var.os_flavor == "windows" && var.admin_password == null) ? 1 : 0
length = 24
min_upper = 4
min_lower = 2
min_numeric = 4
special = false
keepers = {
admin_password = var.os_flavor
}
}
#---------------------------------------
# Network Interface for Virtual Machine
#---------------------------------------
resource "azurerm_network_interface" "nic" {
name = "${var.virtual_machine_name}-nic"
resource_group_name = var.resource_group_name
location = var.location
dns_servers = var.dns_servers
ip_forwarding_enabled = false
accelerated_networking_enabled = var.enable_accelerated_networking
tags = var.tags
ip_configuration {
name = var.ipconfig_name
primary = true
subnet_id = var.subnet_id
private_ip_address_allocation = var.private_ip_address_allocation_type
private_ip_address = var.private_ip_address_allocation_type == "Static" ? var.private_ip_address : null
}
}
#---------------------------------------
# Managed disk creation and attachment
#---------------------------------------
resource "azurerm_managed_disk" "datadisks_create" {
for_each = var.datadisks
name = each.value.override_name != null ? each.value.override_name : "${var.virtual_machine_name}-datadisk${each.value.lun}"
location = var.location
resource_group_name = var.resource_group_name
storage_account_type = each.value.type
create_option = "Empty"
disk_size_gb = each.value.size
zone = var.availability_zone
lifecycle {
ignore_changes = [
encryption_settings,
zone
]
}
}
resource "azurerm_virtual_machine_data_disk_attachment" "datadisks_attach" {
for_each = var.datadisks
managed_disk_id = azurerm_managed_disk.datadisks_create[each.key].id
virtual_machine_id = var.os_flavor == "windows" ? azurerm_windows_virtual_machine.win_vm[0].id : azurerm_linux_virtual_machine.linux_vm[0].id
lun = each.value.lun
caching = each.value.caching
}
#---------------------------------------
# Linux Virtual machine
#---------------------------------------
resource "azurerm_linux_virtual_machine" "linux_vm" {
count = var.os_flavor == "linux" ? 1 : 0
name = var.virtual_machine_name
computer_name = var.host_name
resource_group_name = var.resource_group_name
location = var.location
size = var.virtual_machine_size
admin_username = var.admin_username
admin_password = var.disable_password_authentication != true && var.admin_password == null ? try(random_password.passwd[0].result, null) : var.admin_password
network_interface_ids = [azurerm_network_interface.nic.id]
source_image_id = var.source_image_id != null ? var.source_image_id : null
provision_vm_agent = var.provision_vm_agent
allow_extension_operations = var.allow_extension_operations
encryption_at_host_enabled = var.encryption_at_host_enabled
dedicated_host_id = var.dedicated_host_id
availability_set_id = var.availability_set_id
zone = var.availability_zone
tags = var.tags
patch_mode = var.patch_mode
patch_assessment_mode = var.patch_assessment_mode
bypass_platform_safety_checks_on_user_schedule_enabled = var.bypass_platform_safety_checks_on_user_schedule_enabled
vm_agent_platform_updates_enabled = var.vm_agent_platform_updates_enabled
secure_boot_enabled = var.secure_boot_enabled
vtpm_enabled = var.vtpm_enabled
admin_ssh_key {
username = var.admin_username
public_key = var.generate_admin_ssh_key == true && var.os_flavor == "linux" ? tls_private_key.rsa[0].public_key_openssh : file(var.admin_ssh_key_data)
}
source_image_reference {
publisher = local.image["publisher"]
offer = local.image["offer"]
sku = local.image["sku"]
version = local.image["version"]
}
os_disk {
storage_account_type = var.os_disk_storage_account_type
caching = "ReadWrite"
name = var.os_disk_name != null ? var.os_disk_name : "${var.virtual_machine_name}-osdisk"
disk_size_gb = var.os_disk_size_gb != null ? var.os_disk_size_gb : null
}
dynamic "additional_capabilities" {
for_each = var.additional_capabilities == null ? [] : ["additional_capabilities"]
content {
ultra_ssd_enabled = var.additional_capabilities.ultra_ssd_enabled
hibernation_enabled = var.additional_capabilities.hibernation_enabled
}
}
boot_diagnostics {}
dynamic "identity" {
for_each = var.enable_managed_identity == false ? [] : [1]
content {
type = "SystemAssigned"
}
}
lifecycle {
ignore_changes = [
identity,
source_image_reference[0],
secure_boot_enabled, # Gen2 VMs only
vtpm_enabled, # Gen2 VMs only
]
}
}
#---------------------------------------
# Windows Virtual machine
# Note that VM resource name and hostname is generated differently
# Because of windows hostname limitations, prefix is omitted
#---------------------------------------
# var.disable_password_authentication != true && var.admin_password == null ? try(random_password.passwd[0].result, null) : var.admin_password
resource "azurerm_windows_virtual_machine" "win_vm" {
count = var.os_flavor == "windows" ? 1 : 0
name = var.virtual_machine_name
computer_name = var.host_name
resource_group_name = var.resource_group_name
location = var.location
size = var.virtual_machine_size
admin_username = var.admin_username
admin_password = var.admin_password == null ? random_password.passwd[0].result : var.admin_password
network_interface_ids = [azurerm_network_interface.nic.id]
source_image_id = var.source_image_id != null ? var.source_image_id : null
provision_vm_agent = var.provision_vm_agent
allow_extension_operations = var.allow_extension_operations
encryption_at_host_enabled = var.encryption_at_host_enabled
dedicated_host_id = var.dedicated_host_id
license_type = var.license_type
availability_set_id = var.availability_set_id
zone = var.availability_zone
patch_mode = var.patch_mode
patch_assessment_mode = var.patch_assessment_mode
bypass_platform_safety_checks_on_user_schedule_enabled = var.bypass_platform_safety_checks_on_user_schedule_enabled
enable_automatic_updates = var.enable_automatic_updates
vm_agent_platform_updates_enabled = var.vm_agent_platform_updates_enabled
timezone = var.timezone
secure_boot_enabled = var.secure_boot_enabled
vtpm_enabled = var.vtpm_enabled
hotpatching_enabled = var.hotpatching_enabled
tags = var.tags
source_image_reference {
publisher = local.image["publisher"]
offer = local.image["offer"]
sku = local.image["sku"]
version = local.image["version"]
}
os_disk {
storage_account_type = var.os_disk_storage_account_type
caching = "ReadWrite"
name = var.os_disk_name != null ? var.os_disk_name : "${var.virtual_machine_name}-osdisk"
disk_size_gb = var.os_disk_size_gb
}
dynamic "additional_capabilities" {
for_each = var.additional_capabilities == null ? [] : ["additional_capabilities"]
content {
ultra_ssd_enabled = var.additional_capabilities.ultra_ssd_enabled
hibernation_enabled = var.additional_capabilities.hibernation_enabled
}
}
boot_diagnostics {}
dynamic "identity" {
for_each = var.enable_managed_identity == false ? [] : [1]
content {
type = "SystemAssigned"
}
}
lifecycle {
ignore_changes = [
timezone,
zone,
identity,
secure_boot_enabled, # Gen2 VMs only
vtpm_enabled, # Gen2 VMs only
]
}
}
#--------------------------------------------------------------
# Update management center
#--------------------------------------------------------------
resource "azurerm_maintenance_assignment_virtual_machine" "main" {
count = var.patch_mode == "AutomaticByPlatform" && var.maintenance_configuration_id != null ? 1 : 0
location = var.location
maintenance_configuration_id = var.maintenance_configuration_id
virtual_machine_id = var.os_flavor == "windows" ? azurerm_windows_virtual_machine.win_vm[0].id : azurerm_linux_virtual_machine.linux_vm[0].id
}
#--------------------------------------------------------------
# SystemAssigned identity roles
#--------------------------------------------------------------
resource "azurerm_role_assignment" "role" {
for_each = var.managed_identity_roles
scope = each.value.scope
role_definition_name = each.value.role_definition_name
principal_id = var.os_flavor == "windows" ? azurerm_windows_virtual_machine.win_vm[0].identity[0].principal_id : azurerm_linux_virtual_machine.linux_vm[0].identity[0].principal_id
principal_type = "ServicePrincipal"
}