
Feature request: Create Azure VM with TrustedLaunch, vTPM and secure boot? #1006

Closed
dgiesselbach opened this issue Oct 26, 2022 · 7 comments · Fixed by #1033
Labels
has_pr PR fixes have been made medium_priority Medium priority new_feature New feature requirments

Comments

@dgiesselbach

dgiesselbach commented Oct 26, 2022

SUMMARY

Maybe I'm blind. I can't find any property to enable trusted launch, vTPM and secure boot in VM creation process. I can't find anything in the doc article either!
https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html

ISSUE TYPE

You must set the security type to Standard or TrustedLaunch. If TrustedLaunch is set, set secure-boot and vtpm to true or false.

COMPONENT NAME

azure.azcollection.azure_rm_virtualmachine v.1.13.0

ADDITIONAL INFORMATION

reference url: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/virtual-machines/trusted-launch-portal.md
Via Azure CLI you are already able to create a VM with TrustedLaunch, vTPM and Secure Boot:

    az vm create \
      --resource-group myResourceGroup \
      --name myVM \
      --image Canonical:UbuntuServer:18_04-lts-gen2:latest \
      --admin-username azureuser \
      --generate-ssh-keys \
      --security-type TrustedLaunch \
      --enable-secure-boot true \
      --enable-vtpm true

There is also an update function for existing VMs. It only works if TrustedLaunch is enabled in the VM creation process:

    az vm update \
      --resource-group myResourceGroup \
      --name myVM \
      --enable-secure-boot true \
      --enable-vtpm true

Here is the output of a "normal" VM without the "securityProfile" TrustedLaunch:
    [
      {
        "additionalCapabilities": null,
        "applicationProfile": null,
        "availabilitySet": null,
        "billingProfile": null,
        "capacityReservation": null,
        "diagnosticsProfile": null,
        "evictionPolicy": null,
        "extendedLocation": null,
        "extensionsTimeBudget": null,
        "hardwareProfile": {
          "vmSize": "Standard_D4s_v4",
          "vmSizeProperties": null
        },
        "host": null,
        "hostGroup": null,
        "id": "/subscriptions/xxxx",
        "identity": null,
        "instanceView": null,
        "licenseType": "Windows_Client",
        "location": "germanywestcentral",
        "name": "vm-xxxx",
        "networkProfile": {
          "networkApiVersion": null,
          "networkInterfaceConfigurations": null,
          "networkInterfaces": [
            {
              "deleteOption": null,
              "id": "/subscriptions/xxxx",
              "primary": true,
              "resourceGroup": "rg-xxxx"
            }
          ]
        },
        "osProfile": {
          "adminPassword": null,
          "adminUsername": "xxxx",
          "allowExtensionOperations": true,
          "computerName": "xxxx",
          "customData": null,
          "linuxConfiguration": null,
          "requireGuestProvisionSignal": true,
          "secrets": [],
          "windowsConfiguration": {
            "additionalUnattendContent": null,
            "enableAutomaticUpdates": true,
            "enableVmAgentPlatformUpdates": false,
            "patchSettings": {
              "assessmentMode": "ImageDefault",
              "automaticByPlatformSettings": null,
              "enableHotpatching": null,
              "patchMode": "AutomaticByOS"
            },
            "provisionVmAgent": true,
            "timeZone": null,
            "winRm": null
          }
        },
        "plan": null,
        "platformFaultDomain": null,
        "priority": null,
        "provisioningState": "Succeeded",
        "proximityPlacementGroup": null,
        "resourceGroup": "rg-xxxx",
        "resources": null,
        "scheduledEventsProfile": null,
        "securityProfile": null,
        "storageProfile": {
          "dataDisks": [],
          "diskControllerType": null,
          "imageReference": {
            "communityGalleryImageId": null,
            "exactVersion": "19042.2132.221018",
            "id": null,
            "offer": "office-365",
            "publisher": "MicrosoftWindowsDesktop",
            "sharedGalleryImageId": null,
            "sku": "20h2-evd-o365pp-g2",
            "version": "19042.2132.221018"
          },
          "osDisk": {
            "caching": "ReadWrite",
            "createOption": "FromImage",
            "deleteOption": "Detach",
            "diffDiskSettings": null,
            "diskSizeGb": 127,
            "encryptionSettings": null,
            "image": null,
            "managedDisk": {
              "diskEncryptionSet": null,
              "id": "/subscriptions/xxxx",
              "resourceGroup": "rg-xxxx",
              "securityProfile": null,
              "storageAccountType": "Premium_LRS"
            },
            "name": "disk-xxxx",
            "osType": "Windows",
            "vhd": null,
            "writeAcceleratorEnabled": null
          }
        },
        "tags": {},
        "timeCreated": "2022-10-27T10:47:37.552231+00:00",
        "type": "Microsoft.Compute/virtualMachines",
        "userData": null,
        "virtualMachineScaleSet": null,
        "vmId": "xxxx",
        "zones": null
      }
    ]

Here are the parameters if trusted launch, secureBootEnabled and vTPM are enabled:
    "securityProfile": {
      "encryptionAtHost": null,
      "securityType": "TrustedLaunch",
      "uefiSettings": {
        "secureBootEnabled": true,
        "vTpmEnabled": true
      }
    },

We need these three options "--security-type TrustedLaunch", "--enable-secure-boot true" and "--enable-vtpm true" in "azure.azcollection.azure_rm_virtualmachine".

@dgiesselbach dgiesselbach changed the title Create Azure VM with TrustedLaunch, vTPM and secure boot? Feature request: Create Azure VM with TrustedLaunch, vTPM and secure boot? Oct 28, 2022
@Fred-sun Fred-sun added medium_priority Medium priority new_feature New feature requirments work in In trying to solve, or in working with contributors labels Nov 1, 2022
@Fred-sun
Collaborator

Fred-sun commented Nov 1, 2022

@dgiesselbach Thanks for your feedback! We will add these features as soon as possible! Thank you very much!

@blup-sudo

@Fred-sun Would it be possible to extend this feature request to add an option to enable encryptionAtHost for new VMs as well?
We currently have to set that option using the az CLI.

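An added example (not code from the issue or from the azcollection) that audits `az vm list`-style JSON, such as the output pasted in the opening post, for the three settings requested there and, optionally, for the encryptionAtHost flag raised in the comment above. The records are constructed for the example and only keep the fields the check reads; the field names follow the pasted output.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape of `az vm list` output, reduced to the
# fields this audit reads; names and values are made up for the example.
SAMPLE_VMS = json.loads("""
[
  {"name": "vm-standard", "securityProfile": null},
  {"name": "vm-trusted",
   "securityProfile": {"encryptionAtHost": null, "securityType": "TrustedLaunch",
                       "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}},
  {"name": "vm-partial",
   "securityProfile": {"encryptionAtHost": true, "securityType": "TrustedLaunch",
                       "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": true}}}
]
""")


def audit_vm(vm: Dict[str, Any], require_encryption_at_host: bool = False) -> List[str]:
    """Return findings for one VM record; an empty list means it is compliant."""
    findings: List[str] = []
    # A Standard VM reports "securityProfile": null, so treat null as an empty profile.
    profile = vm.get("securityProfile") or {}
    if profile.get("securityType") != "TrustedLaunch":
        # Secure Boot and vTPM only exist under Trusted Launch, so the UEFI checks are skipped.
        findings.append("securityType is not TrustedLaunch")
    else:
        uefi = profile.get("uefiSettings") or {}
        if uefi.get("secureBootEnabled") is not True:
            findings.append("secureBootEnabled is not true")
        if uefi.get("vTpmEnabled") is not True:
            findings.append("vTpmEnabled is not true")
    # encryptionAtHost is independent of Trusted Launch; check it only when asked.
    if require_encryption_at_host and profile.get("encryptionAtHost") is not True:
        findings.append("encryptionAtHost is not true")
    return findings


def audit_all(vms: List[Dict[str, Any]], **kwargs: bool) -> Dict[str, List[str]]:
    """Map each VM name to its findings, e.g. for feeding a CI gate or a report."""
    return {vm["name"]: audit_vm(vm, **kwargs) for vm in vms}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_VMS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Pipe real `az vm list` output into `audit_all` (after `json.load`) to list every VM that was created without Trusted Launch, which is the case the `az vm update` command above cannot repair.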
@Fred-sun Fred-sun added has_pr PR fixes have been made and removed work in In trying to solve, or in working with contributors labels Nov 28, 2022
@Fred-sun
Collaborator

@dgiesselbach Already added to azure_rm_virtualmachine, now working on azure_rm_virtualmachinescaleset! Thank you very much!

@Fred-sun
Collaborator

azure_rm_virtualmachinescaleset.py added 'security_profile' in #1033

@dgiesselbach
Author

@Fred-sun could you please show me the parameters in the azure_rm_virtualmachine module for trusted launch, secure boot and vTPM? I can't find any information about it in the latest article https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html

@Fred-sun
Collaborator

@dgiesselbach Added in PR #1033. Once this PR is merged, we can see it in the main branch. You can now switch to that branch to use it as well. Thanks!

@dgiesselbach
Author

Is it possible that we can speed up the pull request?
