diff --git a/.web-docs/components/builder/arm/README.md b/.web-docs/components/builder/arm/README.md index 1df0cc27..9f730dd4 100644 --- a/.web-docs/components/builder/arm/README.md +++ b/.web-docs/components/builder/arm/README.md @@ -335,9 +335,11 @@ Providing `temp_resource_group_name` or `location` in combination with - `build_resource_group_name` (string) - Specify an existing resource group to run the build in. -- `build_key_vault_name` (string) - Specify an existing key vault to use for uploading certificates to the +- `build_key_vault_name` (string) - Specify an existing key vault to use for uploading the certificate for the instance to connect. +- `build_key_vault_secret_name` (string) - Specify the secret name to use for the certificate created in the key vault. + - `build_key_vault_sku` (string) - Specify the KeyVault SKU to create during the build. Valid values are standard or premium. The default value is standard. @@ -526,7 +528,7 @@ Providing `temp_resource_group_name` or `location` in combination with - `secure_boot_enabled` (bool) - Specifies if Secure Boot and Trusted Launch is enabled for the Virtual Machine. -- `encryption_at_host` (bool) - Specifies if Encryption at host is enabled for the Virtual Machine. +- `encryption_at_host` (\*bool) - Specifies if Encryption at host is enabled for the Virtual Machine. Requires enabling encryption at host in the Subscription read more [here](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell) - `vtpm_enabled` (bool) - Specifies if vTPM (virtual Trusted Platform Module) and Trusted Launch is enabled for the Virtual Machine. diff --git a/builder/azure/arm/config.go b/builder/azure/arm/config.go index 744520bc..8303af68 100644 --- a/builder/azure/arm/config.go +++ b/builder/azure/arm/config.go @@ -572,7 +572,7 @@ type Config struct { SecureBootEnabled bool `mapstructure:"secure_boot_enabled" required:"false"` // Specifies if Encryption at host is enabled for the Virtual Machine. // Requires enabling encryption at host in the Subscription read more [here](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell) - EncryptionAtHost bool `mapstructure:"encryption_at_host" required:"false"` + EncryptionAtHost *bool `mapstructure:"encryption_at_host" required:"false"` // Specifies if vTPM (virtual Trusted Platform Module) and Trusted Launch is enabled for the Virtual Machine. VTpmEnabled bool `mapstructure:"vtpm_enabled" required:"false"` diff --git a/builder/azure/arm/template_factory.go b/builder/azure/arm/template_factory.go index cc0ad060..92926bf7 100644 --- a/builder/azure/arm/template_factory.go +++ b/builder/azure/arm/template_factory.go @@ -284,7 +284,7 @@ func GetVirtualMachineTemplateBuilder(config *Config) (*template.TemplateBuilder } } - if config.SecureBootEnabled || config.VTpmEnabled || config.EncryptionAtHost { + if config.SecureBootEnabled || config.VTpmEnabled || config.EncryptionAtHost != nil { err = builder.SetSecurityProfile(config.SecureBootEnabled, config.VTpmEnabled, config.EncryptionAtHost) if err != nil { return nil, err diff --git a/builder/azure/arm/template_factory_test.TestEncryptionAtHost01.approved.json b/builder/azure/arm/template_factory_test.TestEncryptionAtHost01.approved.json new file mode 100644 index 00000000..eef56a5b --- /dev/null +++ b/builder/azure/arm/template_factory_test.TestEncryptionAtHost01.approved.json @@ -0,0 +1,203 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "adminPassword": { + "type": "securestring" + }, + "adminUsername": { + "type": "string" + }, + "commandToExecute": { + "type": "string" + }, + "dataDiskName": { + "type": "string" + }, + "dnsNameForPublicIP": { + "type": "string" + }, + "nicName": { + "type": "string" + }, + "nsgName": { + "type": "string" + }, + "osDiskName": { + "type": "string" + }, + "publicIPAddressName": { + "type": "string" + }, + "storageAccountBlobEndpoint": { + "type": "string" + }, + "subnetName": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmSize": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[parameters('publicIPAddressName')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[parameters('dnsNameForPublicIP')]" + }, + "publicIPAllocationMethod": "[variables('publicIPAddressType')]" + }, + "type": "Microsoft.Network/publicIPAddresses" + }, + { + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('virtualNetworkName')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[variables('subnetAddressPrefix')]" + } + } + ] + }, + "type": "Microsoft.Network/virtualNetworks" + }, + { + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', parameters('publicIPAddressName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('nicName')]", + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" + }, + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ] + }, + "type": "Microsoft.Network/networkInterfaces" + }, + { + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', parameters('nicName'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": false + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]" + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computerName": "[parameters('vmName')]", + "linuxConfiguration": { + "ssh": { + "publicKeys": [ + { + "keyData": "", + "path": "[variables('sshKeyPath')]" + } + ] + } + } + }, + "securityProfile": { + "encryptionAtHost": true + }, + "storageProfile": { + "imageReference": { + "offer": "ignored00", + "publisher": "ignored00", + "sku": "ignored00", + "version": "latest" + }, + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "name": "[parameters('osDiskName')]", + "vhd": { + "uri": "[concat(parameters('storageAccountBlobEndpoint'),variables('vmStorageAccountContainerName'),'/', parameters('osDiskName'),'.vhd')]" + } + } + } + }, + "type": "Microsoft.Compute/virtualMachines" + }, + { + "apiVersion": "[variables('computeApiVersion')]", + "condition": "[not(empty(parameters('commandToExecute')))]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', parameters('vmName'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '/extension-customscript')]", + "properties": { + "autoUpgradeMinorVersion": true, + "publisher": "Microsoft.Compute", + "settings": { + "commandToExecute": "[parameters('commandToExecute')]" + }, + "type": "CustomScriptExtension", + "typeHandlerVersion": "1.10" + }, + "type": "Microsoft.Compute/virtualMachines/extensions" + } + ], + "variables": { + "addressPrefix": "10.0.0.0/16", + "computeApiVersion": "2023-03-01", + "location": "[resourceGroup().location]", + "networkApiVersion": "2023-04-01", + "publicIPAddressType": "Dynamic", + "sshKeyPath": "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]", + "subnetAddressPrefix": "10.0.0.0/24", + "subnetName": "[parameters('subnetName')]", + "subnetRef": "[concat(variables('vnetID'),'/subnets/',variables('subnetName'))]", + "virtualNetworkName": "[parameters('virtualNetworkName')]", + "virtualNetworkResourceGroup": "[resourceGroup().name]", + "vmStorageAccountContainerName": "images", + "vnetID": "[resourceId(variables('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]" + } +} \ No newline at end of file diff --git a/builder/azure/arm/template_factory_test.TestEncryptionAtHost02.approved.json b/builder/azure/arm/template_factory_test.TestEncryptionAtHost02.approved.json new file mode 100644 index 00000000..e84a067a --- /dev/null +++ b/builder/azure/arm/template_factory_test.TestEncryptionAtHost02.approved.json @@ -0,0 +1,201 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "adminPassword": { + "type": "securestring" + }, + "adminUsername": { + "type": "string" + }, + "commandToExecute": { + "type": "string" + }, + "dataDiskName": { + "type": "string" + }, + "dnsNameForPublicIP": { + "type": "string" + }, + "nicName": { + "type": "string" + }, + "nsgName": { + "type": "string" + }, + "osDiskName": { + "type": "string" + }, + "publicIPAddressName": { + "type": "string" + }, + "storageAccountBlobEndpoint": { + "type": "string" + }, + "subnetName": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmSize": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[parameters('publicIPAddressName')]", + "properties": { + "dnsSettings": { + "domainNameLabel": "[parameters('dnsNameForPublicIP')]" + }, + "publicIPAllocationMethod": "[variables('publicIPAddressType')]" + }, + "type": "Microsoft.Network/publicIPAddresses" + }, + { + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('virtualNetworkName')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[variables('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[variables('subnetAddressPrefix')]" + } + } + ] + }, + "type": "Microsoft.Network/virtualNetworks" + }, + { + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', parameters('publicIPAddressName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('nicName')]", + "properties": { + "ipConfigurations": [ + { + "name": "ipconfig", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]" + }, + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ] + }, + "type": "Microsoft.Network/networkInterfaces" + }, + { + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', parameters('nicName'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": false + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]" + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[parameters('adminUsername')]", + "computerName": "[parameters('vmName')]", + "linuxConfiguration": { + "ssh": { + "publicKeys": [ + { + "keyData": "", + "path": "[variables('sshKeyPath')]" + } + ] + } + } + }, + "securityProfile": {}, + "storageProfile": { + "imageReference": { + "offer": "ignored00", + "publisher": "ignored00", + "sku": "ignored00", + "version": "latest" + }, + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "name": "[parameters('osDiskName')]", + "vhd": { + "uri": "[concat(parameters('storageAccountBlobEndpoint'),variables('vmStorageAccountContainerName'),'/', parameters('osDiskName'),'.vhd')]" + } + } + } + }, + "type": "Microsoft.Compute/virtualMachines" + }, + { + "apiVersion": "[variables('computeApiVersion')]", + "condition": "[not(empty(parameters('commandToExecute')))]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', parameters('vmName'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '/extension-customscript')]", + "properties": { + "autoUpgradeMinorVersion": true, + "publisher": "Microsoft.Compute", + "settings": { + "commandToExecute": "[parameters('commandToExecute')]" + }, + "type": "CustomScriptExtension", + "typeHandlerVersion": "1.10" + }, + "type": "Microsoft.Compute/virtualMachines/extensions" + } + ], + "variables": { + "addressPrefix": "10.0.0.0/16", + "computeApiVersion": "2023-03-01", + "location": "[resourceGroup().location]", + "networkApiVersion": "2023-04-01", + "publicIPAddressType": "Dynamic", + "sshKeyPath": "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]", + "subnetAddressPrefix": "10.0.0.0/24", + "subnetName": "[parameters('subnetName')]", + "subnetRef": "[concat(variables('vnetID'),'/subnets/',variables('subnetName'))]", + "virtualNetworkName": "[parameters('virtualNetworkName')]", + "virtualNetworkResourceGroup": "[resourceGroup().name]", + "vmStorageAccountContainerName": "images", + "vnetID": "[resourceId(variables('virtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]" + } +} \ No newline at end of file diff --git a/builder/azure/arm/template_factory_test.TestTrustedLaunch01.approved.json b/builder/azure/arm/template_factory_test.TestTrustedLaunch01.approved.json index ac848681..48c13862 100644 --- a/builder/azure/arm/template_factory_test.TestTrustedLaunch01.approved.json +++ b/builder/azure/arm/template_factory_test.TestTrustedLaunch01.approved.json @@ -144,7 +144,6 @@ } }, "securityProfile": { - "encryptionAtHost": false, "securityType": "TrustedLaunch", "uefiSettings": { "secureBootEnabled": true, diff --git a/builder/azure/arm/template_factory_test.go b/builder/azure/arm/template_factory_test.go index bba89516..bfa2dac4 100644 --- a/builder/azure/arm/template_factory_test.go +++ b/builder/azure/arm/template_factory_test.go @@ -746,3 +746,37 @@ func TestTrustedLaunch01(t *testing.T) { approvaltests.VerifyJSONStruct(t, deployment.Properties.Template) } + +func TestEncryptionAtHost01(t *testing.T) { + m := getArmBuilderConfiguration() + m["encryption_at_host"] = "true" + + var c Config + _, err := c.Prepare(m, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration()) + if err != nil { + t.Fatal(err) + } + deployment, err := GetVirtualMachineDeployment(&c) + if err != nil { + t.Fatal(err) + } + + approvaltests.VerifyJSONStruct(t, deployment.Properties.Template) +} + +func TestEncryptionAtHost02(t *testing.T) { + m := getArmBuilderConfiguration() + m["encryption_at_host"] = "false" + + var c Config + _, err := c.Prepare(m, getPackerConfiguration(), getPackerSSHPasswordCommunicatorConfiguration()) + if err != nil { + t.Fatal(err) + } + deployment, err := GetVirtualMachineDeployment(&c) + if err != nil { + t.Fatal(err) + } + + approvaltests.VerifyJSONStruct(t, deployment.Properties.Template) +} diff --git a/builder/azure/common/template/template_builder.go b/builder/azure/common/template/template_builder.go index c7dcc9fc..946ec879 100644 --- a/builder/azure/common/template/template_builder.go +++ b/builder/azure/common/template/template_builder.go @@ -512,7 +512,7 @@ func (s *TemplateBuilder) SetLicenseType(licenseType string) error { return nil } -func (s *TemplateBuilder) SetSecurityProfile(secureBootEnabled bool, vtpmEnabled bool, encryptionAtHost bool) error { +func (s *TemplateBuilder) SetSecurityProfile(secureBootEnabled bool, vtpmEnabled bool, encryptionAtHost *bool) error { resource, err := s.getResourceByType(resourceVirtualMachine) if err != nil { return err @@ -526,7 +526,9 @@ func (s *TemplateBuilder) SetSecurityProfile(secureBootEnabled bool, vtpmEnabled resource.Properties.SecurityProfile.UefiSettings.SecureBootEnabled = common.BoolPtr(secureBootEnabled) resource.Properties.SecurityProfile.UefiSettings.VTpmEnabled = common.BoolPtr(vtpmEnabled) } - resource.Properties.SecurityProfile.EncryptionAtHost = common.BoolPtr(encryptionAtHost) + if encryptionAtHost != nil && *encryptionAtHost { + resource.Properties.SecurityProfile.EncryptionAtHost = encryptionAtHost + } return nil } diff --git a/docs-partials/builder/azure/arm/Config-not-required.mdx b/docs-partials/builder/azure/arm/Config-not-required.mdx index 1b3e9a5c..8ecff616 100644 --- a/docs-partials/builder/azure/arm/Config-not-required.mdx +++ b/docs-partials/builder/azure/arm/Config-not-required.mdx @@ -387,7 +387,7 @@ - `secure_boot_enabled` (bool) - Specifies if Secure Boot and Trusted Launch is enabled for the Virtual Machine. -- `encryption_at_host` (bool) - Specifies if Encryption at host is enabled for the Virtual Machine. +- `encryption_at_host` (\*bool) - Specifies if Encryption at host is enabled for the Virtual Machine. Requires enabling encryption at host in the Subscription read more [here](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell) - `vtpm_enabled` (bool) - Specifies if vTPM (virtual Trusted Platform Module) and Trusted Launch is enabled for the Virtual Machine.