Resolves #4235

What is being addressed

Provide Secure Boot and vTPM options to VMs running in the TRE.

Since enabling Secure Boot and vTPM in terraform is a destructive action, we need to be careful about how this is enabled and make use of ignore_changes to prevent certain machines being recreated.

1. Guacamole VMs

Surface the Secure Boot and vTPM VM options in porter.yaml, to allow easier setting of these, and on a per image basis since not all images support these options.

e.g.

  image_options:
    "Windows 10":
      source_image_reference:
        publisher: MicrosoftWindowsDesktop
        offer: Windows-10
        sku: win10-22h2-pro-g2
        version: latest
      conda_config: false
      secure_boot_enabled: true
      vtpm_enabled: true

lifecycle { ignore_changes = [secure_boot_enabled, vtpm_enabled] } is set to prevent recreation of existing machines.

Guacamole images enabled for secure boot

The following images within Guacamole templates have secure_boot_enabled: true and vtpm_enabled: true:

• windows10 / win10-22h2-pro-g2
• windows 11 / win11-24h2-pro
• Ubuntu 22_04-lts-gen2

Guacamole images NOT enabled for secure boot

The following images within Guacamole templates have secure_boot_enabled: false and vtpm_enabled: false because the image is not a gen2 image:

• winserver 2019 / dsvm-win-2019

2. Other VMs

a) Resource Processor

Enable both options, and allow recreation of scale set.

b) Admin VM

Enable both options, but set lifecycle { ignore_changes = [secure_boot_enabled, vtpm_enabled] } to prevent recreation of existing machines.

c) Sonotype Nexus VM

Enable both options, but set lifecycle { ignore_changes = [secure_boot_enabled, vtpm_enabled] } to prevent recreation of existing machines.