diff --git a/examples/azure-2-vms-loadbalancer-lbrules/README.md b/examples/azure-2-vms-loadbalancer-lbrules/README.md index 3d547056e..a6f2bb334 100644 --- a/examples/azure-2-vms-loadbalancer-lbrules/README.md +++ b/examples/azure-2-vms-loadbalancer-lbrules/README.md @@ -19,4 +19,4 @@ If a `terraform.tfvars` file is present in the current directory, Terraform auto If you are committing this template to source control, please insure that you add this file to your .gitignore file. ## variables.tf -The `variables.tf` file contains all of the input parameters that the user can specify when deploying this Terraform template. +The `variables.tf` file contains all of the input parameters that the user can specify when deploying this Terraform template. \ No newline at end of file diff --git a/examples/azure-encrypt-running-linux-vm/README.md b/examples/azure-encrypt-running-linux-vm/README.md new file mode 100644 index 000000000..9ef27d9ee --- /dev/null +++ b/examples/azure-encrypt-running-linux-vm/README.md @@ -0,0 +1,44 @@ +# Enable encryption on a running Linux VM. + +This Terraform template was based on [this](https://github.com/Azure/azure-quickstart-templates/tree/master/201-encrypt-running-linux-vm) Azure Quickstart Template. Changes to the ARM template that may have occurred since the creation of this example may not be reflected in this Terraform template. + +This template enables encryption on a running linux vm using AAD client secret. This template assumes that the VM is located in the same region as the resource group. If not, please edit the template to pass appropriate location for the VM sub-resources. + +## Prerequisites: +Azure Disk Encryption securely stores the encryption secrets in a specified Azure Key Vault. + +Create the Key Vault and assign appropriate access policies. You may use this script to ensure that your vault is properly configured: [AzureDiskEncryptionPreRequisiteSetup.ps1](https://github.com/Azure/azure-powershell/blob/10fc37e9141af3fde6f6f79b9d46339b73cf847d/src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/Scripts/AzureDiskEncryptionPreRequisiteSetup.ps1) + +Use the below PS cmdlet for getting the `key_vault_secret_url` and `key_vault_resource_id`. + +``` + Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgname +``` + +References: + +- [White paper](https://azure.microsoft.com/en-us/documentation/articles/azure-security-disk-encryption/) +- [Explore Azure Disk Encryption with Azure Powershell](https://blogs.msdn.microsoft.com/azuresecurity/2015/11/16/explore-azure-disk-encryption-with-azure-powershell/) +- [Explore Azure Disk Encryption with Azure PowerShell – Part 2](http://blogs.msdn.com/b/azuresecurity/archive/2015/11/21/explore-azure-disk-encryption-with-azure-powershell-part-2.aspx) + + +## main.tf +The `main.tf` file contains the actual resources that will be deployed. It also contains the Azure Resource Group definition and any defined variables. + +## outputs.tf +This data is outputted when `terraform apply` is called, and can be queried using the `terraform output` command. + +## provider.tf +You may leave the provider block in the `main.tf`, as it is in this template, or you can create a file called `provider.tf` and add it to your `.gitignore` file. + +Azure requires that an application is added to Azure Active Directory to generate the `client_id`, `client_secret`, and `tenant_id` needed by Terraform (`subscription_id` can be recovered from your Azure account details). Please go [here](https://www.terraform.io/docs/providers/azurerm/) for full instructions on how to create this to populate your `provider.tf` file. + +## terraform.tfvars +If a `terraform.tfvars` file is present in the current directory, Terraform automatically loads it to populate variables. We don't recommend saving usernames and password to version control, but you can create a local secret variables file and use `-var-file` to load it. + +If you are committing this template to source control, please insure that you add this file to your .gitignore file. + +## variables.tf +The `variables.tf` file contains all of the input parameters that the user can specify when deploying this Terraform template. + +![graph](/examples/azure-encrypt-running-linux-vm/graph.png) \ No newline at end of file diff --git a/examples/azure-encrypt-running-linux-vm/deploy.ci.sh b/examples/azure-encrypt-running-linux-vm/deploy.ci.sh new file mode 100755 index 000000000..c85e3aea7 --- /dev/null +++ b/examples/azure-encrypt-running-linux-vm/deploy.ci.sh @@ -0,0 +1,60 @@ +#!/bin/bash + +set -o errexit -o nounset + +docker run --rm -it \ + -e ARM_CLIENT_ID \ + -e ARM_CLIENT_SECRET \ + -e ARM_SUBSCRIPTION_ID \ + -e ARM_TENANT_ID \ + -e AAD_CLIENT_ID \ + -e AAD_CLIENT_SECRET \ + -e KEY_ENCRYPTION_KEY_URL \ + -e KEY_VAULT_RESOURCE_ID \ + -v $(pwd):/data \ + --workdir=/data \ + --entrypoint "/bin/sh" \ + hashicorp/terraform:light \ + -c "/bin/terraform get; \ + /bin/terraform validate; \ + /bin/terraform plan -out=out.tfplan \ + -var resource_group=$KEY \ + -var hostname=$KEY \ + -var admin_username=$KEY \ + -var admin_password=$PASSWORD \ + -var passphrase=$PASSWORD \ + -var key_vault_name=$KEY_VAULT_NAME \ + -var aad_client_id=$AAD_CLIENT_ID \ + -var aad_client_secret=$AAD_CLIENT_SECRET \ + -var key_encryption_key_url=$KEY_ENCRYPTION_KEY_URL \ + -var key_vault_resource_id=$KEY_VAULT_RESOURCE_ID; \ + /bin/terraform apply out.tfplan" + +# cleanup deployed azure resources via azure-cli +docker run --rm -it \ + azuresdk/azure-cli-python \ + sh -c "az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID > /dev/null; \ + az vm show -g $KEY -n $KEY; \ + az vm encryption show -g $KEY -n $KEY" + +# cleanup deployed azure resources via terraform +docker run --rm -it \ + -e ARM_CLIENT_ID \ + -e ARM_CLIENT_SECRET \ + -e ARM_SUBSCRIPTION_ID \ + -e ARM_TENANT_ID \ + -v $(pwd):/data \ + --workdir=/data \ + --entrypoint "/bin/sh" \ + hashicorp/terraform:light \ + -c "/bin/terraform destroy -force \ + -var resource_group=$KEY \ + -var hostname=$KEY \ + -var admin_username=$KEY \ + -var admin_password=$PASSWORD \ + -var passphrase=$PASSWORD \ + -var key_vault_name=$KEY_VAULT_NAME \ + -var aad_client_id=$AAD_CLIENT_ID \ + -var aad_client_secret=$AAD_CLIENT_SECRET \ + -var key_encryption_key_url=$KEY_ENCRYPTION_KEY_URL \ + -var key_vault_resource_id=$KEY_VAULT_RESOURCE_ID;" \ No newline at end of file diff --git a/examples/azure-encrypt-running-linux-vm/deploy.mac.sh b/examples/azure-encrypt-running-linux-vm/deploy.mac.sh new file mode 100755 index 000000000..cc462bb57 --- /dev/null +++ b/examples/azure-encrypt-running-linux-vm/deploy.mac.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +set -o errexit -o nounset + +if docker -v; then + + # generate a unique string for CI deployment + export KEY=$(cat /dev/urandom | env LC_CTYPE=C tr -cd 'a-z' | head -c 12) + export PASSWORD=$KEY$(cat /dev/urandom | env LC_CTYPE=C tr -cd 'A-Z' | head -c 2)$(cat /dev/urandom | env LC_CTYPE=C tr -cd '0-9' | head -c 2) + export EXISTING_RESOURCE_GROUP=permanent + export KEY_VAULT_NAME=permanentkeyvault + +/bin/sh ./deploy.ci.sh + +else + echo "Docker is used to run terraform commands, please install before run: https://docs.docker.com/docker-for-mac/install/" +fi \ No newline at end of file diff --git a/examples/azure-encrypt-running-linux-vm/graph.png b/examples/azure-encrypt-running-linux-vm/graph.png new file mode 100644 index 000000000..ac5b3b272 Binary files /dev/null and b/examples/azure-encrypt-running-linux-vm/graph.png differ diff --git a/examples/azure-encrypt-running-linux-vm/main.tf b/examples/azure-encrypt-running-linux-vm/main.tf new file mode 100644 index 000000000..d87fa6efa --- /dev/null +++ b/examples/azure-encrypt-running-linux-vm/main.tf @@ -0,0 +1,223 @@ +# provider "azurerm" { +# subscription_id = "REPLACE-WITH-YOUR-SUBSCRIPTION-ID" +# client_id = "REPLACE-WITH-YOUR-CLIENT-ID" +# client_secret = "REPLACE-WITH-YOUR-CLIENT-SECRET" +# tenant_id = "REPLACE-WITH-YOUR-TENANT-ID" +# } + +resource "azurerm_resource_group" "rg" { + name = "${var.resource_group}" + location = "${var.location}" +} + +resource "azurerm_virtual_network" "vnet" { + name = "${var.hostname}vnet" + location = "${var.location}" + address_space = ["${var.address_space}"] + resource_group_name = "${azurerm_resource_group.rg.name}" +} + +resource "azurerm_subnet" "subnet" { + name = "${var.hostname}subnet" + virtual_network_name = "${azurerm_virtual_network.vnet.name}" + resource_group_name = "${azurerm_resource_group.rg.name}" + address_prefix = "${var.subnet_prefix}" +} + +resource "azurerm_network_interface" "nic" { + name = "nic" + location = "${var.location}" + resource_group_name = "${azurerm_resource_group.rg.name}" + + ip_configuration { + name = "ipconfig" + subnet_id = "${azurerm_subnet.subnet.id}" + private_ip_address_allocation = "Dynamic" + } +} + +resource "azurerm_storage_account" "stor" { + name = "${var.hostname}stor" + resource_group_name = "${azurerm_resource_group.rg.name}" + location = "${azurerm_resource_group.rg.location}" + account_type = "${var.storage_account_type}" +} + +resource "azurerm_virtual_machine" "vm" { + name = "${var.hostname}" + location = "${var.location}" + resource_group_name = "${azurerm_resource_group.rg.name}" + vm_size = "${var.vm_size}" + network_interface_ids = ["${azurerm_network_interface.nic.id}"] + + storage_image_reference { + publisher = "${var.image_publisher}" + offer = "${var.image_offer}" + sku = "${var.image_sku}" + version = "${var.image_version}" + } + + storage_os_disk { + name = "${var.hostname}osdisk" + create_option = "FromImage" + disk_size_gb = "15" + } + + os_profile { + computer_name = "${var.hostname}" + admin_username = "${var.admin_username}" + admin_password = "${var.admin_password}" + } + + os_profile_linux_config { + disable_password_authentication = false + } +} + +resource "azurerm_template_deployment" "linux_vm" { + name = "encrypt" + resource_group_name = "${azurerm_resource_group.rg.name}" + deployment_mode = "Incremental" + depends_on = ["azurerm_virtual_machine.vm"] + + template_body = <