diff --git a/plugins/modules/azure_rm_virtualmachine.py b/plugins/modules/azure_rm_virtualmachine.py index 220fa7a6c..21d39b6d5 100644 --- a/plugins/modules/azure_rm_virtualmachine.py +++ b/plugins/modules/azure_rm_virtualmachine.py @@ -429,6 +429,36 @@ - Indicates whether Automatic Updates is enabled for the Windows virtual machine. type: bool required: True + security_profile: + description: + - Specifies the Security related profile settings for the virtual machine. + type: dict + suboptions: + encryption_at_host: + description: + - This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. + - This will enable the encryption for all the disks including Resource/Temp disk at host itself. + type: bool + security_type: + description: + - Specifies the SecurityType of the virtual machine. + - It is set as TrustedLaunch to enable UefiSettings. + type: str + choices: + - TrustedLaunch + uefi_settings: + description: + - Specifies the security settings like secure boot and vTPM used while creating the virtual machine. + type: dict + suboptions: + secure_boot_enabled: + description: + - Specifies whether secure boot should be enabled on the virtual machine. + type: bool + v_tpm_enabled: + description: + - Specifies whether vTPM should be enabled on the virtual machine. + type: bool extends_documentation_fragment: - azure.azcollection.azure 
@@ -652,6 +682,29 @@ image: customimage001 zones: [1] +- name: Create a VM with security profile + azure_rm_virtualmachine: + resource_group: "{{ resource_group }}" + name: "{{ vm_name }}" + vm_size: Standard_D4s_v3 + managed_disk_type: Standard_LRS + admin_username: "{{ username }}" + admin_password: "{{ password }}" + security_profile: + uefi_settings: + secure_boot_enabled: True + v_tpm_enabled: True + encryption_at_host: True + security_type: TrustedLaunch + ssh_public_keys: + - path: /home/azureuser/.ssh/authorized_keys + key_data: "ssh-rsa *****" + image: + offer: 0001-com-ubuntu-server-jammy + publisher: Canonical + sku: 22_04-lts-gen2 + version: latest + - name: Remove a VM and all resources that were autocreated azure_rm_virtualmachine: resource_group: myResourceGroup @@ -942,6 +995,7 @@ def __init__(self): ephemeral_os_disk=dict(type='bool'), windows_config=dict(type='dict', options=windows_configuration_spec), linux_config=dict(type='dict', options=linux_configuration_spec), + security_profile=dict(type='dict'), ) self.resource_group = None @@ -992,6 +1046,7 @@ def __init__(self): self.ephemeral_os_disk = None self.linux_config = None self.windows_config = None + self.security_profile = None self.results = dict( changed=False, 
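Review bot: `security_profile=dict(type='dict')` in the VM module's argument spec declares no `options`, so none of the suboptions, their types, or the `choices: [TrustedLaunch]` documented for `security_type` in this same commit are validated; a misspelled key or an unsupported `security_type` value passes straight through `self.security_profile.get(...)` to the API request, or is silently ignored. The scale-set module's `__init__` in this commit declares the full nested spec, so the VM module should carry the same one. This hunk sits inside `__init__`, which continues outside the hunk.
```python
            security_profile=dict(
                type='dict',
                options=dict(
                    encryption_at_host=dict(type='bool'),
                    security_type=dict(type='str', choices=['TrustedLaunch']),
                    uefi_settings=dict(
                        type='dict',
                        options=dict(
                            secure_boot_enabled=dict(type='bool'),
                            v_tpm_enabled=dict(type='bool'),
                        )
                    )
                )
            ),
```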
@@ -1274,6 +1329,39 @@ def exec_module(self, **kwargs): differences.append('License Type') changed = True + if self.security_profile is not None: + update_security_profile = False + if 'securityProfile' not in vm_dict['properties'].keys(): + update_security_profile = True + differences.append('security_profile') + else: + if self.security_profile.get('encryption_at_host') is not None: + if bool(self.security_profile.get('encryption_at_host')) != bool(vm_dict['properties']['securityProfile']['encryptionAtHost']): + update_security_profle = True + else: + self.security_profile['encryption_at_host'] = vm_dict['properties']['securityProfile']['encryptionAtHost'] + if self.security_profile.get('security_type') is not None: + if self.security_profile.get('security_type') != vm_dict['properties']['securityProfile']['securityType']: + update_security_profile = True + if self.security_profile.get('uefi_settings') is not None: + if self.security_profile['uefi_settings'].get('secure_boot_enabled') is not None: + if bool(self.security_profile['uefi_settings']['secure_boot_enabled']) != \ + bool(vm_dict['properties']['securityProfile']['uefiSettings']['secureBootEnabled']): + update_security_profile = True + else: + self.security_profile['uefi_settings']['secure_boot_enabled'] = \ + vm_dict['properties']['securityProfile']['uefiSettings']['secureBootEnabled'] + if self.security_profile['uefi_settings'].get('v_tpm_enabled') is not None: + if bool(self.security_profile['uefi_settings']['v_tpm_enabled']) != \ + bool(vm_dict['properties']['securityProfile']['uefiSettings']['vTpmEnabled']): + update_security_profile = True + else: + self.security_profile['uefi_settings']['v_tpm_enabled'] = \ + vm_dict['properties']['securityProfile']['uefiSettings']['vTpmEnabled'] + if update_security_profile: + changed = True + differences.append('security_profile') + if self.windows_config is not None and vm_dict['properties']['osProfile'].get('windowsConfiguration') is not None: if 
self.windows_config['enable_automatic_updates'] != vm_dict['properties']['osProfile']['windowsConfiguration']['enableAutomaticUpdates']: self.fail("(PropertyChangeNotAllowed) Changing property 'windowsConfiguration.enableAutomaticUpdates' is not allowed.") @@ -1611,6 +1699,20 @@ def exec_module(self, **kwargs): "Only service admin/account admin users can purchase images " + "from the marketplace. - {2}").format(self.name, self.plan, str(exc))) + if self.security_profile is not None: + uefi_settings_spec = None + if self.security_profile.get('uefi_settings') is not None: + uefi_settings_spec = self.compute_models.UefiSettings( + secure_boot_enabled=self.security_profile['uefi_settings'].get('secure_boot_enabled'), + v_tpm_enabled=self.security_profile['uefi_settings'].get('v_tpm_enabled'), + ) + security_profile = self.compute_models.SecurityProfile( + uefi_settings=uefi_settings_spec, + encryption_at_host=self.security_profile.get('encryption_at_host'), + security_type=self.security_profile.get('security_type'), + ) + vm_resource.security_profile = security_profile + self.log("Create virtual machine with parameters:") self.create_or_update_vm(vm_resource, 'all_autocreated' in self.remove_on_absent) 
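Review bot: `update_security_profle = True` in the `encryption_at_host` branch is a misspelling, so a request to change host encryption on an existing VM assigns to a throw-away local and never sets `update_security_profile`; the module then reports no change and the host-encryption setting is not applied unless some other field happens to differ. The fix is `update_security_profile = True`. The same misspelling is in the scale-set module's `exec_module` hunk at `@@ -897,6 +985,42 @@`. In the same branch the existing profile is read with direct subscripts (`['securityProfile']['encryptionAtHost']`, `['uefiSettings']['secureBootEnabled']`), which raise KeyError when the VM's `securityProfile` lacks that key — for instance a VM with host encryption but no `uefiSettings` — so `.get()` with a default would be safer there too. `exec_module` continues outside the hunk on both sides.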
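Review bot: The block that builds `UefiSettings`/`SecurityProfile` from `self.security_profile` is pasted verbatim into both the create path here and the update path at `@@ -1779,6 +1881,20 @@`, and twice more in the scale-set module (`@@ -1085,6 +1209,20 @@`, `@@ -1130,6 +1268,20 @@`); a small helper would keep the four copies from drifting. On the update path the comparison hunk copies only a missing `encryption_at_host` (and the UEFI flags when `uefi_settings` is given) from the existing VM, so a playbook that passes only `encryption_at_host` appears to send `uefi_settings=None` and `security_type=None` for a VM that already has Trusted Launch — whether the API keeps or clears secure boot/vTPM in that case is not visible here and deserves an integration test. `exec_module` continues outside the hunk.
```python
    def _build_security_profile(self):
        """Translate the security_profile option into a SecurityProfile model, or None if unset."""
        if self.security_profile is None:
            return None
        uefi = self.security_profile.get('uefi_settings')
        uefi_settings_spec = None
        if uefi is not None:
            uefi_settings_spec = self.compute_models.UefiSettings(
                secure_boot_enabled=uefi.get('secure_boot_enabled'),
                v_tpm_enabled=uefi.get('v_tpm_enabled'),
            )
        return self.compute_models.SecurityProfile(
            uefi_settings=uefi_settings_spec,
            encryption_at_host=self.security_profile.get('encryption_at_host'),
            security_type=self.security_profile.get('security_type'),
        )

    # … in exec_module, replacing the inline block on both the create and the update path …
        security_profile = self._build_security_profile()
        if security_profile is not None:
            vm_resource.security_profile = security_profile
```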
@@ -1779,6 +1881,20 @@ def exec_module(self, **kwargs): )) vm_resource.storage_profile.data_disks = data_disks + if self.security_profile is not None: + uefi_settings_spec = None + if self.security_profile.get('uefi_settings') is not None: + uefi_settings_spec = self.compute_models.UefiSettings( + secure_boot_enabled=self.security_profile['uefi_settings'].get('secure_boot_enabled'), + v_tpm_enabled=self.security_profile['uefi_settings'].get('v_tpm_enabled'), + ) + security_profile = self.compute_models.SecurityProfile( + uefi_settings=uefi_settings_spec, + encryption_at_host=self.security_profile.get('encryption_at_host'), + security_type=self.security_profile.get('security_type'), + ) + vm_resource.security_profile = security_profile + self.log("Update virtual machine with parameters:") self.create_or_update_vm(vm_resource, False) diff --git a/plugins/modules/azure_rm_virtualmachine_info.py b/plugins/modules/azure_rm_virtualmachine_info.py index a804c1296..b473462a1 100644 --- a/plugins/modules/azure_rm_virtualmachine_info.py +++ b/plugins/modules/azure_rm_virtualmachine_info.py 
@@ -271,6 +271,44 @@ returned: always type: str sample: running + security_profile: + description: + - Specifies the Security related profile settings for the virtual machine. + type: complex + returned: always + contains: + encryption_at_host: + description: + - This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. + - This will enable the encryption for all the disks including Resource/Temp disk at host itself. + type: bool + returned: always + sample: True + security_type: + description: + - Specifies the SecurityType of the virtual machine. + - It is set as TrustedLaunch to enable UefiSettings. + type: str + returned: always + sample: TrustedLaunch + uefi_settings: + description: + - Specifies the security settings like secure boot and vTPM used while creating the virtual machine. + type: complex + returned: always + contains: + secure_boot_enabled: + description: + - Specifies whether secure boot should be enabled on the virtual machine. + type: bool + returned: always + sample: True + v_tpm_enabled: + description: + - Specifies whether vTPM should be enabled on the virtual machine. + type: bool + returned: always + sample: True ''' try: 
@@ -417,6 +455,15 @@ def serialize_vm(self, vm): break new_result = {} + + if vm.security_profile is not None: + new_result['security_profile'] = dict() + new_result['security_profile']['encryption_at_host'] = vm.security_profile.encryption_at_host + new_result['security_profile']['security_type'] = vm.security_profile.security_type + new_result['security_profile']['uefi_settings'] = dict() + new_result['security_profile']['uefi_settings']['secure_boot_enabled'] = vm.security_profile.uefi_settings.secure_boot_enabled + new_result['security_profile']['uefi_settings']['v_tpm_enabled'] = vm.security_profile.uefi_settings.v_tpm_enabled + new_result['power_state'] = power_state new_result['display_status'] = display_status new_result['provisioning_state'] = vm.provisioning_state diff --git a/plugins/modules/azure_rm_virtualmachinescaleset.py b/plugins/modules/azure_rm_virtualmachinescaleset.py index f12bcfa0a..f532897de 100644 --- a/plugins/modules/azure_rm_virtualmachinescaleset.py +++ b/plugins/modules/azure_rm_virtualmachinescaleset.py 
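Review bot: `vm.security_profile.uefi_settings.secure_boot_enabled` dereferences `uefi_settings` unconditionally, so `serialize_vm` raises AttributeError for any VM whose security profile carries `encryption_at_host` but no UEFI settings (presumably `uefi_settings` is None on the SDK object in that case — worth confirming), which breaks the info module for the whole result list, not just that VM. Guard the nested object and emit None for the two flags when it is absent. The RETURN documentation in the preceding hunk also marks `security_profile` as `returned: always`, but this code populates it only when the profile is present; one of the two should change. The rest of `serialize_vm` lies outside the hunk.
```python
        if vm.security_profile is not None:
            uefi = vm.security_profile.uefi_settings
            new_result['security_profile'] = dict(
                encryption_at_host=vm.security_profile.encryption_at_host,
                security_type=vm.security_profile.security_type,
                uefi_settings=dict(
                    secure_boot_enabled=uefi.secure_boot_enabled if uefi is not None else None,
                    v_tpm_enabled=uefi.v_tpm_enabled if uefi is not None else None,
                ),
            )
```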
@@ -284,6 +284,37 @@ choices: - Flexible - Uniform + security_profile: + description: + - Specifies the Security related profile settings for the virtual machine sclaset. + type: dict + suboptions: + encryption_at_host: + description: + - This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine sclaset. + - This will enable the encryption for all the disks including Resource/Temp disk at host itself. + type: bool + security_type: + description: + - Specifies the SecurityType of the virtual machine sclaset. + - It is set as TrustedLaunch to enable UefiSettings. + type: str + choices: + - TrustedLaunch + uefi_settings: + description: + - Specifies the security settings like secure boot and vTPM used while creating the virtual machine scalset. + type: dict + suboptions: + secure_boot_enabled: + description: + - Specifies whether secure boot should be enabled on the virtual machine sclaset. + type: bool + v_tpm_enabled: + description: + - Specifies whether vTPM should be enabled on the virtual machine scalset. + type: bool + extends_documentation_fragment: - azure.azcollection.azure - azure.azcollection.azure_tags 
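Review bot: The new `security_profile` documentation spells the resource as `sclaset` in four descriptions and `scalset` in two; these are user-facing option docs and should read "virtual machine scale set" throughout, e.g. `- Specifies the Security related profile settings for the virtual machine scale set.`. The `choices: [TrustedLaunch]` here does match the argument spec added later in this file, so only the wording needs fixing.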
@@ -413,6 +444,40 @@ managed_disk_type: Standard_LRS image: customimage001 +- name: Create VMSS with security group + azure_rm_virtualmachinescaleset: + resource_group: "{{ resource_group }}" + name: testVMSS{{ rpfx }} + vm_size: Standard_D4s_v3 + admin_username: testuser + single_placement_group: False + platform_fault_domain_count: 1 + public_ip_per_vm: True + ssh_password_enabled: false + ssh_public_keys: + - path: /home/testuser/.ssh/authorized_keys + key_data: "ssh-rsa ****" + virtual_network_name: VMSStestVnet + subnet_name: VMSStestSubnet + managed_disk_type: Standard_LRS + orchestration_mode: Flexible + os_disk_caching: ReadWrite + security_profile: + uefi_settings: + secure_boot_enabled: True + v_tpm_enabled: False + encryption_at_host: False + security_type: TrustedLaunch + image: + offer: 0001-com-ubuntu-server-jammy + publisher: Canonical + sku: 22_04-lts-gen2 + version: latest + data_disks: + - lun: 0 + disk_size_gb: 64 + caching: ReadWrite + managed_disk_type: Standard_LRS ''' RETURN = ''' @@ -502,6 +567,14 @@ "sku": "20_04-lts-gen2", "version": "20.04.202111210" }, + "securityProfile": { + "encryptionAtHost": false, + "securityType": "TrustedLaunch", + "uefiSettings": { + "secureBootEnabled": true, + "vTpmEnabled": false + } + }, "osDisk": { "caching": "ReadWrite", "createOption": "fromImage", @@ -591,7 +664,21 @@ def __init__(self): ephemeral_os_disk=dict(type='bool'), orchestration_mode=dict(type='str', choices=['Uniform', 'Flexible']), platform_fault_domain_count=dict(type='int', default=1), - os_disk_size_gb=dict(type='int') + os_disk_size_gb=dict(type='int'), + security_profile=dict( + type='dict', + options=dict( + encryption_at_host=dict(type='bool'), + security_type=dict(type='str', choices=['TrustedLaunch']), + uefi_settings=dict( + type='dict', + options=dict( + secure_boot_enabled=dict(type='bool'), + v_tpm_enabled=dict(type='bool'), + ) + ) + ) + ), ) self.resource_group = None 
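Review bot: The new example is titled `Create VMSS with security group` although it demonstrates the `security_profile` option, not a network security group, which sends readers to the wrong concept. `- name: Create VMSS with security profile` describes what the task actually does.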
@@ -633,6 +720,7 @@ def __init__(self): self.ephemeral_os_disk = None self.orchestration_mode = None self.os_disk_size_gb = None + self.security_profile = None mutually_exclusive = [('load_balancer', 'application_gateway')] self.results = dict( 
@@ -897,6 +985,42 @@ def exec_module(self, **kwargs): if self.platform_fault_domain_count and self.platform_fault_domain_count != vmss_dict['properties'].get('platformFaultDomainCount'): self.fail("The platform_fault_domain_count parameter cannot be updated!") + if self.security_profile is not None: + update_security_profile = False + if 'securityProfile' not in vmss_dict['properties']['virtualMachineProfile'].keys(): + update_security_profile = True + differences.append('security_profile') + else: + if self.security_profile.get('encryption_at_host') is not None: + if bool(self.security_profile.get('encryption_at_host')) != \ + bool(vmss_dict['properties']['virtualMachineProfile']['securityProfile']['encryptionAtHost']): + update_security_profle = True + else: + self.security_profile['encryption_at_host'] = \ + vmss_dict['properties']['virtualMachineProfile']['securityProfile']['encryptionAtHost'] + if self.security_profile.get('security_type') is not None: + if self.security_profile.get('security_type') != \ + vmss_dict['properties']['virtualMachineProfile']['securityProfile']['securityType']: + update_security_profile = True + if self.security_profile.get('uefi_settings') is not None: + if self.security_profile['uefi_settings'].get('secure_boot_enabled') is not None: + if bool(self.security_profile['uefi_settings']['secure_boot_enabled']) != \ + bool(vmss_dict['properties']['virtualMachineProfile']['securityProfile']['uefiSettings']['secureBootEnabled']): + update_security_profile = True + else: + self.security_profile['uefi_settings']['secure_boot_enabled'] = \ + vmss_dict['properties']['virtualMachineProfile']['securityProfile']['uefiSettings']['secureBootEnabled'] + if self.security_profile['uefi_settings'].get('v_tpm_enabled') is not None: + if bool(self.security_profile['uefi_settings']['v_tpm_enabled']) != \ + bool(vmss_dict['properties']['virtualMachineProfile']['securityProfile']['uefiSettings']['vTpmEnabled']): + update_security_profile = True + else: + 
self.security_profile['uefi_settings']['v_tpm_enabled'] = \ + vmss_dict['properties']['virtualMachineProfile']['securityProfile']['uefiSettings']['vTpmEnabled'] + if update_security_profile: + changed = True + differences.append('security_profile') + self.differences = differences elif self.state == 'absent': @@ -1085,6 +1209,20 @@ def exec_module(self, **kwargs): "Only service admin/account admin users can purchase images " + "from the marketplace. - {2}").format(self.name, self.plan, str(exc))) + if self.security_profile is not None: + uefi_settings_spec = None + if self.security_profile.get('uefi_settings') is not None: + uefi_settings_spec = self.compute_models.UefiSettings( + secure_boot_enabled=self.security_profile['uefi_settings'].get('secure_boot_enabled'), + v_tpm_enabled=self.security_profile['uefi_settings'].get('v_tpm_enabled'), + ) + security_profile = self.compute_models.SecurityProfile( + uefi_settings=uefi_settings_spec, + encryption_at_host=self.security_profile.get('encryption_at_host'), + security_type=self.security_profile.get('security_type'), + ) + vmss_resource.virtual_machine_profile.security_profile = security_profile + self.log("Create virtual machine with parameters:") self.create_or_update_vmss(vmss_resource) 
@@ -1130,6 +1268,20 @@ def exec_module(self, **kwargs): )) vmss_resource.virtual_machine_profile.storage_profile.data_disks = data_disks + if self.security_profile is not None: + uefi_settings_spec = None + if self.security_profile.get('uefi_settings') is not None: + uefi_settings_spec = self.compute_models.UefiSettings( + secure_boot_enabled=self.security_profile['uefi_settings'].get('secure_boot_enabled'), + v_tpm_enabled=self.security_profile['uefi_settings'].get('v_tpm_enabled'), + ) + security_profile = self.compute_models.SecurityProfile( + uefi_settings=uefi_settings_spec, + encryption_at_host=self.security_profile.get('encryption_at_host'), + security_type=self.security_profile.get('security_type'), + ) + vmss_resource.virtual_machine_profile.security_profile = security_profile + if self.scale_in_policy: vmss_resource.scale_in_policy = self.gen_scale_in_policy() @@ -1138,6 +1290,7 @@ def exec_module(self, **kwargs): if image_reference is not None: vmss_resource.virtual_machine_profile.storage_profile.image_reference = image_reference + self.log("Update virtual machine with parameters:") self.create_or_update_vmss(vmss_resource)