Add security_profile options to azure_rm_virtualmachine (#1033)
* Add security_profile options to azure_rm_virtualmachine

* fix sanity fail

* fix sanity fail

* Add security_profile to azure_rm_virtualmachinescaleset
Fred-sun authored Feb 13, 2023
1 parent 48c2c25 commit c889f64
Showing 3 changed files with 317 additions and 1 deletion.
116 changes: 116 additions & 0 deletions plugins/modules/azure_rm_virtualmachine.py
Expand Up @@ -429,6 +429,36 @@
- Indicates whether Automatic Updates is enabled for the Windows virtual machine.
type: bool
required: True
security_profile:
description:
- Specifies the Security related profile settings for the virtual machine.
type: dict
suboptions:
encryption_at_host:
description:
- This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine.
- This will enable the encryption for all the disks including Resource/Temp disk at host itself.
type: bool
security_type:
description:
- Specifies the SecurityType of the virtual machine.
- It is set as TrustedLaunch to enable UefiSettings.
type: str
choices:
- TrustedLaunch
uefi_settings:
description:
- Specifies the security settings like secure boot and vTPM used while creating the virtual machine.
type: dict
suboptions:
secure_boot_enabled:
description:
- Specifies whether secure boot should be enabled on the virtual machine.
type: bool
v_tpm_enabled:
description:
- Specifies whether vTPM should be enabled on the virtual machine.
type: bool
extends_documentation_fragment:
- azure.azcollection.azure
Expand Down Expand Up @@ -652,6 +682,29 @@
image: customimage001
zones: [1]
- name: Create a VM with security profile
azure_rm_virtualmachine:
resource_group: "{{ resource_group }}"
name: "{{ vm_name }}"
vm_size: Standard_D4s_v3
managed_disk_type: Standard_LRS
admin_username: "{{ username }}"
admin_password: "{{ password }}"
security_profile:
uefi_settings:
secure_boot_enabled: True
v_tpm_enabled: True
encryption_at_host: True
security_type: TrustedLaunch
ssh_public_keys:
- path: /home/azureuser/.ssh/authorized_keys
key_data: "ssh-rsa *****"
image:
offer: 0001-com-ubuntu-server-jammy
publisher: Canonical
sku: 22_04-lts-gen2
version: latest
- name: Remove a VM and all resources that were autocreated
azure_rm_virtualmachine:
resource_group: myResourceGroup
Expand Down Expand Up @@ -942,6 +995,7 @@ def __init__(self):
ephemeral_os_disk=dict(type='bool'),
windows_config=dict(type='dict', options=windows_configuration_spec),
linux_config=dict(type='dict', options=linux_configuration_spec),
security_profile=dict(type='dict'),
)

self.resource_group = None
Expand Down Expand Up @@ -992,6 +1046,7 @@ def __init__(self):
self.ephemeral_os_disk = None
self.linux_config = None
self.windows_config = None
self.security_profile = None

self.results = dict(
changed=False,
Expand Down Expand Up @@ -1274,6 +1329,39 @@ def exec_module(self, **kwargs):
differences.append('License Type')
changed = True

if self.security_profile is not None:
update_security_profile = False
if 'securityProfile' not in vm_dict['properties'].keys():
update_security_profile = True
differences.append('security_profile')
else:
if self.security_profile.get('encryption_at_host') is not None:
if bool(self.security_profile.get('encryption_at_host')) != bool(vm_dict['properties']['securityProfile']['encryptionAtHost']):
update_security_profle = True
else:
self.security_profile['encryption_at_host'] = vm_dict['properties']['securityProfile']['encryptionAtHost']
if self.security_profile.get('security_type') is not None:
if self.security_profile.get('security_type') != vm_dict['properties']['securityProfile']['securityType']:
update_security_profile = True
if self.security_profile.get('uefi_settings') is not None:
if self.security_profile['uefi_settings'].get('secure_boot_enabled') is not None:
if bool(self.security_profile['uefi_settings']['secure_boot_enabled']) != \
bool(vm_dict['properties']['securityProfile']['uefiSettings']['secureBootEnabled']):
update_security_profile = True
else:
self.security_profile['uefi_settings']['secure_boot_enabled'] = \
vm_dict['properties']['securityProfile']['uefiSettings']['secureBootEnabled']
if self.security_profile['uefi_settings'].get('v_tpm_enabled') is not None:
if bool(self.security_profile['uefi_settings']['v_tpm_enabled']) != \
bool(vm_dict['properties']['securityProfile']['uefiSettings']['vTpmEnabled']):
update_security_profile = True
else:
self.security_profile['uefi_settings']['v_tpm_enabled'] = \
vm_dict['properties']['securityProfile']['uefiSettings']['vTpmEnabled']
if update_security_profile:
changed = True
differences.append('security_profile')

if self.windows_config is not None and vm_dict['properties']['osProfile'].get('windowsConfiguration') is not None:
if self.windows_config['enable_automatic_updates'] != vm_dict['properties']['osProfile']['windowsConfiguration']['enableAutomaticUpdates']:
self.fail("(PropertyChangeNotAllowed) Changing property 'windowsConfiguration.enableAutomaticUpdates' is not allowed.")
Expand Down Expand Up @@ -1611,6 +1699,20 @@ def exec_module(self, **kwargs):
"Only service admin/account admin users can purchase images " +
"from the marketplace. - {2}").format(self.name, self.plan, str(exc)))

if self.security_profile is not None:
uefi_settings_spec = None
if self.security_profile.get('uefi_settings') is not None:
uefi_settings_spec = self.compute_models.UefiSettings(
secure_boot_enabled=self.security_profile['uefi_settings'].get('secure_boot_enabled'),
v_tpm_enabled=self.security_profile['uefi_settings'].get('v_tpm_enabled'),
)
security_profile = self.compute_models.SecurityProfile(
uefi_settings=uefi_settings_spec,
encryption_at_host=self.security_profile.get('encryption_at_host'),
security_type=self.security_profile.get('security_type'),
)
vm_resource.security_profile = security_profile

self.log("Create virtual machine with parameters:")
self.create_or_update_vm(vm_resource, 'all_autocreated' in self.remove_on_absent)

Expand Down Expand Up @@ -1779,6 +1881,20 @@ def exec_module(self, **kwargs):
))
vm_resource.storage_profile.data_disks = data_disks

if self.security_profile is not None:
uefi_settings_spec = None
if self.security_profile.get('uefi_settings') is not None:
uefi_settings_spec = self.compute_models.UefiSettings(
secure_boot_enabled=self.security_profile['uefi_settings'].get('secure_boot_enabled'),
v_tpm_enabled=self.security_profile['uefi_settings'].get('v_tpm_enabled'),
)
security_profile = self.compute_models.SecurityProfile(
uefi_settings=uefi_settings_spec,
encryption_at_host=self.security_profile.get('encryption_at_host'),
security_type=self.security_profile.get('security_type'),
)
vm_resource.security_profile = security_profile

self.log("Update virtual machine with parameters:")
self.create_or_update_vm(vm_resource, False)

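Review bot: The encryption-at-host comparison in the exec_module hunk at `@@ -1274,6 +1329,39 @@` assigns a misspelled local, `update_security_profle = True`, so a changed `encryption_at_host` never sets `changed` or records a difference and the drift is silently ignored; it should read `update_security_profile = True`. The same block indexes `vm_dict['properties']['securityProfile']['encryptionAtHost']` and `['uefiSettings'][...]` directly, which raises KeyError for an existing VM whose profile sets only some of these fields; reading them with `.get()` and treating a missing value as a difference is safer. Separately, the argument spec adds `security_profile=dict(type='dict')` without `options=`, so the documented suboptions and the `choices: [TrustedLaunch]` for `security_type` are not validated by the module and an unknown key or value is passed straight to the API. exec_module starts and ends outside these hunks.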
47 changes: 47 additions & 0 deletions plugins/modules/azure_rm_virtualmachine_info.py
Expand Up @@ -271,6 +271,44 @@
returned: always
type: str
sample: running
security_profile:
description:
- Specifies the Security related profile settings for the virtual machine.
type: complex
returned: always
contains:
encryption_at_host:
description:
- This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine.
- This will enable the encryption for all the disks including Resource/Temp disk at host itself.
type: bool
returned: always
sample: True
security_type:
description:
- Specifies the SecurityType of the virtual machine.
- It is set as TrustedLaunch to enable UefiSettings.
type: str
returned: always
sample: TrustedLaunch
uefi_settings:
description:
- Specifies the security settings like secure boot and vTPM used while creating the virtual machine.
type: complex
returned: always
contains:
secure_boot_enabled:
description:
- Specifies whether secure boot should be enabled on the virtual machine.
type: bool
returned: always
sample: True
v_tpm_enabled:
description:
- Specifies whether vTPM should be enabled on the virtual machine.
type: bool
returned: always
sample: True
'''

try:
Expand Down Expand Up @@ -417,6 +455,15 @@ def serialize_vm(self, vm):
break

new_result = {}

if vm.security_profile is not None:
new_result['security_profile'] = dict()
new_result['security_profile']['encryption_at_host'] = vm.security_profile.encryption_at_host
new_result['security_profile']['security_type'] = vm.security_profile.security_type
new_result['security_profile']['uefi_settings'] = dict()
new_result['security_profile']['uefi_settings']['secure_boot_enabled'] = vm.security_profile.uefi_settings.secure_boot_enabled
new_result['security_profile']['uefi_settings']['v_tpm_enabled'] = vm.security_profile.uefi_settings.v_tpm_enabled

new_result['power_state'] = power_state
new_result['display_status'] = display_status
new_result['provisioning_state'] = vm.provisioning_state
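Review bot: serialize_vm dereferences `vm.security_profile.uefi_settings.secure_boot_enabled` whenever `security_profile` is set, but `uefi_settings` can be None when only `encryption_at_host` or `security_type` is configured, which makes the info module raise AttributeError instead of returning facts. Wrap the three `uefi_settings` lines in `if vm.security_profile.uefi_settings is not None:` and otherwise leave `new_result['security_profile']['uefi_settings']` as None. The RETURN docs above mark `security_profile` as `returned: always`, while the code only adds the key when the profile is present; the documented `returned` condition should say so. serialize_vm continues outside the hunk.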