Allow enablement of Trusted Launch and vTPM for VMs

CHANGELOG.md

@@ -34,6 +34,7 @@ ENHANCEMENTS:
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
 * Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
+* Allow enablement of Trusted Launch and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))

core/terraform/resource_processor/vmss_porter/main.tf

@@ -82,6 +82,8 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" {
   encryption_at_host_enabled      = false
   upgrade_mode                    = "Automatic"
   tags                            = local.tre_core_tags
+  secure_boot_enabled             = true
+  vtpm_enabled                    = true
 
   extension {
     auto_upgrade_minor_version = true
@@ -127,7 +129,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" {
   source_image_reference {
     publisher = "Canonical"
     offer     = "0001-com-ubuntu-server-jammy"
-    sku       = "22_04-lts"
+    sku       = "22_04-lts-gen2"
     version   = "latest"
   }
 

core/version.txt

@@ -1 +1 @@
-__version__ = "0.11.17"
+__version__ = "0.11.18"

templates/shared_services/admin-vm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-admin-vm
-version: 0.5.1
+version: 0.5.2
 description: "An admin vm shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/admin-vm/terraform/admin-jumpbox.tf

@@ -36,6 +36,8 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
   admin_username             = "adminuser"
   admin_password             = random_password.password.result
   tags                       = local.tre_shared_service_tags
+  secure_boot_enabled        = true
+  vtpm_enabled               = true
 
   source_image_reference {
     publisher = "MicrosoftWindowsDesktop"
@@ -51,7 +53,10 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
     disk_encryption_set_id = var.enable_cmk_encryption ? azurerm_disk_encryption_set.jumpbox_disk_encryption[0].id : null
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+  # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+  #
+  lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "jumpbox_disk_encryption" {

templates/shared_services/sonatype-nexus-vm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 3.3.1
+version: 3.3.2
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/sonatype-nexus-vm/terraform/vm.tf

@@ -103,10 +103,15 @@ resource "azurerm_linux_virtual_machine" "nexus" {
   admin_username                  = "adminuser"
   admin_password                  = random_password.nexus_vm_password.result
   tags                            = local.tre_shared_service_tags
+  secure_boot_enabled             = true
+  vtpm_enabled                    = true
 
   custom_data = data.template_cloudinit_config.nexus_config.rendered
 
-  lifecycle { ignore_changes = [tags] }
+  # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+  # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+  #
+  lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 
   source_image_reference {
     publisher = "Canonical"

templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-export-reviewvm
-version: 0.2.1
+version: 0.2.2
 description: "An Azure TRE User Resource Template for reviewing Airlock export requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -18,6 +18,8 @@ custom:
         sku: winserver-2019
         version: latest
       conda_config: true
+      secure_boot_enabled: false  # dsvm-win-2019 is not a gen2 image
+      vtpm_enabled: false
 
 credentials:
   - name: azure_tenant_id

templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/locals.tf

@@ -24,6 +24,8 @@ locals {
   # selected_image_source_refs is an array to enable easy use of a dynamic block
   selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference]
   selected_image_source_id   = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}"
+  secure_boot_enabled        = lookup(local.selected_image, "trusted_launch_enabled", false)
+  vtpm_enabled               = lookup(local.selected_image, "vtpm_enabled", false)
 
   cmk_name                 = "tre-encryption-${local.workspace_resource_name_suffix}"
   encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}"

templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf

@@ -124,6 +124,8 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  secure_boot_enabled        = local.secure_boot_enabled
+  vtpm_enabled               = local.vtpm_enabled
 
   custom_data = base64encode(data.template_file.download_review_data_script.rendered)
 
@@ -152,7 +154,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 
   tags = local.tre_user_resources_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+  # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+  #
+  lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {

templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-import-reviewvm
-version: 0.3.1
+version: 0.3.2
 description: "An Azure TRE User Resource Template for reviewing Airlock import requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -18,11 +18,15 @@ custom:
         sku: winserver-2019
         version: latest
       conda_config: true
+      secure_boot_enabled: false  # dsvm-win-2019 is not a gen2 image
+      vtpm_enabled: false
     # For information on using custom images, see README.me in the guacamole/user-resources folder
     # "Custom Image From Gallery":
     #   source_image_name: sltestwin1
     #   source_image_reference: null,
     #   conda_config: true
+    #   secure_boot_enabled: false
+    #   vtpm_enabled: false
 
 credentials:
   - name: azure_tenant_id

templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/locals.tf

@@ -24,6 +24,8 @@ locals {
   # selected_image_source_refs is an array to enable easy use of a dynamic block
   selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference]
   selected_image_source_id   = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}"
+  secure_boot_enabled        = lookup(local.selected_image, "trusted_launch_enabled", false)
+  vtpm_enabled               = lookup(local.selected_image, "vtpm_enabled", false)
 
   cmk_name                 = "tre-encryption-${local.workspace_resource_name_suffix}"
   encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}"

templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf

@@ -45,6 +45,8 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  secure_boot_enabled        = local.secure_boot_enabled
+  vtpm_enabled               = local.vtpm_enabled
 
   custom_data = base64encode(data.template_file.download_review_data_script.rendered)
 
@@ -73,7 +75,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 
   tags = local.tre_user_resources_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+  # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+  #
+  lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-linuxvm
-version: 1.2.3
+version: 1.2.4
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -23,11 +23,15 @@ custom:
         apt_sku: 22.04
       install_ui: true
       conda_config: false
+      secure_boot_enabled: true
+      vtpm_enabled: true
     # For information on using custom images, see README.me in the guacamole/user-resources folder
     # "Custom Image From Gallery":
     #   source_image_name: your-image
     #   install_ui: true
     #   conda_config: true
+    #   secure_boot_enabled: false
+    #   vtpm_enabled: false
 
 credentials:
   - name: azure_tenant_id

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf

@@ -44,6 +44,8 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
   disable_password_authentication = false
   admin_username                  = random_string.username.result
   admin_password                  = random_password.password.result
+  secure_boot_enabled             = local.secure_boot_enabled
+  vtpm_enabled                    = local.vtpm_enabled
 
   custom_data = data.template_cloudinit_config.config.rendered
 
@@ -72,7 +74,10 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
 
   tags = local.tre_user_resources_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+  # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+  #
+  lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "linuxvm_disk_encryption" {

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/locals.tf

@@ -25,6 +25,8 @@ locals {
   # selected_image_source_refs is an array to enable easy use of a dynamic block
   selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference]
   selected_image_source_id   = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}"
+  secure_boot_enabled        = lookup(local.selected_image, "trusted_launch_enabled", false)
+  vtpm_enabled               = lookup(local.selected_image, "vtpm_enabled", false)
   apt_sku                    = local.selected_image_source_refs[0]["apt_sku"]
 
   cmk_name                 = "tre-encryption-${local.workspace_resource_name_suffix}"

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-windowsvm
-version: 1.2.3
+version: 1.2.4
 description: "An Azure TRE User Resource Template for Guacamole (Windows 10)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -21,24 +21,32 @@ custom:
         sku: win10-22h2-pro-g2
         version: latest
       conda_config: false
+      secure_boot_enabled: true
+      vtpm_enabled: true
     "Windows 11":
       source_image_reference:
         publisher: microsoftwindowsdesktop
         offer: windows-11
         sku: win11-24h2-pro
         version: latest
       conda_config: false
+      secure_boot_enabled: true
+      vtpm_enabled: true
     "Server 2019 Data Science VM":
       source_image_reference:
         publisher: microsoft-dsvm
         offer: dsvm-win-2019
         sku: winserver-2019
         version: latest
       conda_config: true
+      secure_boot_enabled: false  # dsvm-win-2019 is not a gen2 image
+      vtpm_enabled: false
     # For information on using custom images, see README.me in the guacamole/user-resources folder
     # "Custom Image From Gallery":
     #   source_image_name: your-image
     #   conda_config: true
+    #  secure_boot_enabled: false
+    #  vtpm_enabled: false
 
 credentials:
   - name: azure_tenant_id

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/locals.tf

@@ -26,6 +26,8 @@ locals {
   # selected_image_source_refs is an array to enable easy use of a dynamic block
   selected_image_source_refs = lookup(local.selected_image, "source_image_reference", null) == null ? [] : [local.selected_image.source_image_reference]
   selected_image_source_id   = lookup(local.selected_image, "source_image_name", null) == null ? null : "${var.image_gallery_id}/images/${local.selected_image.source_image_name}"
+  secure_boot_enabled        = lookup(local.selected_image, "trusted_launch_enabled", false)
+  vtpm_enabled               = lookup(local.selected_image, "vtpm_enabled", false)
 
   cmk_name                 = "tre-encryption-${local.workspace_resource_name_suffix}"
   encryption_identity_name = "id-encryption-${var.tre_id}-${local.short_workspace_id}"

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf

@@ -45,6 +45,8 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  secure_boot_enabled        = local.secure_boot_enabled
+  vtpm_enabled               = local.vtpm_enabled
 
   custom_data = base64encode(templatefile(
     "${path.module}/vm_config.ps1", {
@@ -83,7 +85,10 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
 
   tags = local.tre_user_resources_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # ignore changes to secure_boot_enabled and vtpm_enabled as these are destructive
+  # (may be allowed once https://github.com/hashicorp/terraform-provider-azurerm/issues/25808 is fixed)
+  #
+  lifecycle { ignore_changes = [tags, secure_boot_enabled, vtpm_enabled] }
 }
 
 resource "azurerm_disk_encryption_set" "windowsvm_disk_encryption" {