Feature request: Create Azure VM with TrustedLaunch, vTPM and secure boot? #1006
Comments
@dgiesselbach Thanks for your feedback! We will add these features as soon as possible! Thank you very much!
@Fred-sun Would it be possible to extend this feature request to add an option to enable encryptionAtHost for new VMs as well?
@dgiesselbach Already added to azure_rm_virtualmachine. Now working on azure_rm_virtualmachinescaleset! Thank you very much!
azure_rm_virtualmachinescalset.py added 'security_profile' in #1033
@Fred-sun Could you please show me the parameters in the azure_rm_virtualmachine module for trusted launch, secure boot and vTPM? I can't find any information about it in this latest article https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html
@dgiesselbach Added in PR #1033. Once this PR is merged, we can see it in the main branch. You can now switch to that branch to use it as well. Thanks!
Is it possible that we can speed up the pull request?
SUMMARY
Maybe I'm blind. I can't find any property to enable trusted launch, vTPM and secure boot in VM creation process. I can't find anything in the doc article either!
https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html
ISSUE TYPE
You must set the security type to Standard or TrustedLaunch. If TrustedLaunch is set, set secure boot and vTPM to true or false.
COMPONENT NAME
azure.azcollection.azure_rm_virtualmachine v.1.13.0
ADDITIONAL INFORMATION
reference url: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/virtual-machines/trusted-launch-portal.md
Via the Azure CLI you are already able to create a VM with TrustedLaunch, vTPM and Secure Boot:

```shell
az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image Canonical:UbuntuServer:18_04-lts-gen2:latest \
  --admin-username azureuser \
  --generate-ssh-keys \
  --security-type TrustedLaunch \
  --enable-secure-boot true \
  --enable-vtpm true
```
There is also an update function for existing VMs. It only works if TrustedLaunch was enabled in the VM creation process:

```shell
az vm update \
  --resource-group myResourceGroup \
  --name myVM \
  --enable-secure-boot true \
  --enable-vtpm true
```
Here is the output for a "normal" VM without the TrustedLaunch "securityProfile":

```json
[
  {
    "additionalCapabilities": null,
    "applicationProfile": null,
    "availabilitySet": null,
    "billingProfile": null,
    "capacityReservation": null,
    "diagnosticsProfile": null,
    "evictionPolicy": null,
    "extendedLocation": null,
    "extensionsTimeBudget": null,
    "hardwareProfile": {
      "vmSize": "Standard_D4s_v4",
      "vmSizeProperties": null
    },
    "host": null,
    "hostGroup": null,
    "id": "/subscriptions/xxxx",
    "identity": null,
    "instanceView": null,
    "licenseType": "Windows_Client",
    "location": "germanywestcentral",
    "name": "vm-xxxx",
    "networkProfile": {
      "networkApiVersion": null,
      "networkInterfaceConfigurations": null,
      "networkInterfaces": [
        {
          "deleteOption": null,
          "id": "/subscriptions/xxxx",
          "primary": true,
          "resourceGroup": "rg-xxxx"
        }
      ]
    },
    "osProfile": {
      "adminPassword": null,
      "adminUsername": "xxxx",
      "allowExtensionOperations": true,
      "computerName": "xxxx",
      "customData": null,
      "linuxConfiguration": null,
      "requireGuestProvisionSignal": true,
      "secrets": [],
      "windowsConfiguration": {
        "additionalUnattendContent": null,
        "enableAutomaticUpdates": true,
        "enableVmAgentPlatformUpdates": false,
        "patchSettings": {
          "assessmentMode": "ImageDefault",
          "automaticByPlatformSettings": null,
          "enableHotpatching": null,
          "patchMode": "AutomaticByOS"
        },
        "provisionVmAgent": true,
        "timeZone": null,
        "winRm": null
      }
    },
    "plan": null,
    "platformFaultDomain": null,
    "priority": null,
    "provisioningState": "Succeeded",
    "proximityPlacementGroup": null,
    "resourceGroup": "rg-xxxx",
    "resources": null,
    "scheduledEventsProfile": null,
    "securityProfile": null,
    "storageProfile": {
      "dataDisks": [],
      "diskControllerType": null,
      "imageReference": {
        "communityGalleryImageId": null,
        "exactVersion": "19042.2132.221018",
        "id": null,
        "offer": "office-365",
        "publisher": "MicrosoftWindowsDesktop",
        "sharedGalleryImageId": null,
        "sku": "20h2-evd-o365pp-g2",
        "version": "19042.2132.221018"
      },
      "osDisk": {
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "deleteOption": "Detach",
        "diffDiskSettings": null,
        "diskSizeGb": 127,
        "encryptionSettings": null,
        "image": null,
        "managedDisk": {
          "diskEncryptionSet": null,
          "id": "/subscriptions/xxxx",
          "resourceGroup": "rg-xxxx",
          "securityProfile": null,
          "storageAccountType": "Premium_LRS"
        },
        "name": "disk-xxxx",
        "osType": "Windows",
        "vhd": null,
        "writeAcceleratorEnabled": null
      }
    },
    "tags": {
    },
    "timeCreated": "2022-10-27T10:47:37.552231+00:00",
    "type": "Microsoft.Compute/virtualMachines",
    "userData": null,
    "virtualMachineScaleSet": null,
    "vmId": "xxxx",
    "zones": null
  }
]
```
Here are the parameters when trusted launch, secure boot (secureBootEnabled) and vTPM are enabled:

```json
"securityProfile": {
  "encryptionAtHost": null,
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
},
We need these three options, "--security-type TrustedLaunch", "--enable-secure-boot true" and "--enable-vtpm true", in "azure.azcollection.azure_rm_virtualmachine".
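The two outputs quoted in the issue (a VM whose "securityProfile" is null and one with securityType TrustedLaunch plus both UEFI settings) are exactly what an auditor has to tell apart after provisioning, because the module (or CLI) call succeeding does not prove the VM ended up with Secure Boot and vTPM. The script below is an added example, not code from the issue, from the azure.azcollection project or from Microsoft. It reads `az vm list`/`az vm show` style JSON, reports the Trusted Launch state of each VM, and suggests the fix. The two JSON documents are constructed from the fragments in the issue (the VM names `vm-standard`, `vm-trusted` and `vm-trusted-no-vtpm` and the trimmed field set are assumptions for the sample); the remediation rule follows the caveat stated above, that `az vm update --enable-secure-boot/--enable-vtpm` only works on a VM created with `--security-type TrustedLaunch`, so a Standard VM has to be recreated.

```python
"""Audit Azure VM JSON for Trusted Launch, Secure Boot and vTPM.

Added example; not part of the issue, azure.azcollection or Azure CLI code.
Input is the JSON array that `az vm list` / `az vm show` print, as quoted in
the issue. Sample documents below are constructed for this example.
"""
import json

# Constructed sample: the "normal" VM from the issue, trimmed to the relevant keys.
STANDARD_VM_JSON = """
[
  {
    "name": "vm-standard",
    "resourceGroup": "rg-xxxx",
    "securityProfile": null,
    "storageProfile": {"imageReference": {"sku": "20h2-evd-o365pp-g2"}}
  }
]
"""

# Constructed sample: the securityProfile quoted in the issue for a Trusted Launch
# VM, plus an assumed second VM where only vTPM was left disabled.
TRUSTED_VM_JSON = """
[
  {
    "name": "vm-trusted",
    "resourceGroup": "rg-xxxx",
    "securityProfile": {
      "encryptionAtHost": null,
      "securityType": "TrustedLaunch",
      "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}
    }
  },
  {
    "name": "vm-trusted-no-vtpm",
    "resourceGroup": "rg-xxxx",
    "securityProfile": {
      "encryptionAtHost": null,
      "securityType": "TrustedLaunch",
      "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": false}
    }
  }
]
"""


def trusted_launch_status(vm):
    """Return the Trusted Launch state of one VM object from the JSON array.

    A null securityProfile (as in the issue's first output) is treated as
    Standard with Secure Boot and vTPM off; missing uefiSettings likewise.
    """
    profile = vm.get("securityProfile") or {}
    uefi = profile.get("uefiSettings") or {}
    return {
        "name": vm.get("name"),
        "security_type": profile.get("securityType") or "Standard",
        "secure_boot": bool(uefi.get("secureBootEnabled")),
        "vtpm": bool(uefi.get("vTpmEnabled")),
    }


def remediation(status, resource_group):
    """Suggest the CLI step that reaches TrustedLaunch + Secure Boot + vTPM.

    Returns None when nothing needs to change. A TrustedLaunch VM can be fixed
    in place with `az vm update`; a Standard VM cannot be switched in place
    (per the issue text), so the returned `az vm create` line is a template
    that still needs the image and admin options for the real VM.
    """
    compliant = (status["security_type"] == "TrustedLaunch"
                 and status["secure_boot"] and status["vtpm"])
    if compliant:
        return None
    if status["security_type"] != "TrustedLaunch":
        return ("recreate",
                f"az vm create --resource-group {resource_group} --name {status['name']} "
                "--security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true")
    return ("update",
            f"az vm update --resource-group {resource_group} --name {status['name']} "
            "--enable-secure-boot true --enable-vtpm true")


def audit(vm_list_json):
    """Audit every VM in an `az vm list` style array; map name -> (action, command) or None."""
    findings = {}
    for vm in json.loads(vm_list_json):
        status = trusted_launch_status(vm)
        findings[status["name"]] = remediation(status, vm.get("resourceGroup", "<rg>"))
    return findings


if __name__ == "__main__":
    for name, fix in {**audit(STANDARD_VM_JSON), **audit(TRUSTED_VM_JSON)}.items():
        print(name, "OK" if fix is None else f"{fix[0]}: {fix[1]}")
```

Feed it real data with `az vm list --query '[].{name:name,resourceGroup:resourceGroup,securityProfile:securityProfile}' -o json`; the `--query` shape only has to keep the three keys the audit reads. The point of separating `recreate` from `update` is the one made in the issue: the UEFI flags are only changeable on a VM that was born TrustedLaunch, so a module that omits `--security-type` at creation time leaves no in-place path to Secure Boot and vTPM later.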