Merge pull request openshift#7312 from mresvanis/add-confidential-vm-support-for-azure

MGMT-13628: add support for confidential VMs on Azure

Author: openshift-merge-robot

data/data/azure/bootstrap/main.tf

@@ -204,6 +204,8 @@ resource "azurerm_linux_virtual_machine" "bootstrap" {
   admin_password                  = "NotActuallyApplied!"
   disable_password_authentication = false
   encryption_at_host_enabled      = var.azure_master_encryption_at_host_enabled
+  secure_boot_enabled             = var.azure_master_secure_boot == "Enabled"
+  vtpm_enabled                    = var.azure_master_virtualized_trusted_platform_module == "Enabled"
 
   identity {
     type         = "UserAssigned"
@@ -216,6 +218,9 @@ resource "azurerm_linux_virtual_machine" "bootstrap" {
     storage_account_type   = var.azure_master_root_volume_type
     disk_size_gb           = 100
     disk_encryption_set_id = var.azure_master_disk_encryption_set_id
+
+    security_encryption_type         = var.azure_master_security_encryption_type
+    secure_vm_disk_encryption_set_id = var.azure_master_secure_vm_disk_encryption_set_id
   }
 
   # Either source_image_id or source_image_reference must be defined

data/data/azure/cluster/main.tf

@@ -48,6 +48,11 @@ module "master" {
   vm_image_sku               = var.azure_marketplace_image_sku
   vm_image_version           = var.azure_marketplace_image_version
 
+  security_encryption_type            = var.azure_master_security_encryption_type
+  secure_vm_disk_encryption_set_id    = var.azure_master_secure_vm_disk_encryption_set_id
+  secure_boot                         = var.azure_master_secure_boot
+  virtualized_trusted_platform_module = var.azure_master_virtualized_trusted_platform_module
+
   use_ipv4 = var.use_ipv4
   use_ipv6 = var.use_ipv6
 }

data/data/azure/cluster/master/master.tf

@@ -100,6 +100,8 @@ resource "azurerm_linux_virtual_machine" "master" {
   admin_password                  = "NotActuallyApplied!"
   disable_password_authentication = false
   encryption_at_host_enabled      = var.encryption_at_host_enabled
+  secure_boot_enabled             = var.secure_boot == "Enabled"
+  vtpm_enabled                    = var.virtualized_trusted_platform_module == "Enabled"
 
   additional_capabilities {
     ultra_ssd_enabled = var.ultra_ssd_enabled
@@ -116,6 +118,9 @@ resource "azurerm_linux_virtual_machine" "master" {
     storage_account_type   = var.os_volume_type
     disk_size_gb           = var.os_volume_size
     disk_encryption_set_id = var.disk_encryption_set_id
+
+    security_encryption_type         = var.security_encryption_type
+    secure_vm_disk_encryption_set_id = var.secure_vm_disk_encryption_set_id
   }
 
   # Either source_image_id or source_image_reference must be defined

data/data/azure/cluster/master/variables.tf

@@ -174,3 +174,36 @@ networking_type specifies whether to enable accelerated networking. Accelerated
 enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.
 EOF
 }
+
+variable "security_encryption_type" {
+  type = string
+  default = null
+
+  description = <<EOF
+Defines the encryption type when the Virtual Machine is a Confidential VM. Possible values are VMGuestStateOnly and DiskWithVMGuestState.
+When set to "VMGuestStateOnly" vtpm_enabled should be set to true.
+When set to "DiskWithVMGuestState" both vtpm_enabled and secure_boot_enabled should be true.
+EOF
+}
+
+variable "secure_vm_disk_encryption_set_id" {
+  type    = string
+  default = null
+
+  description = <<EOF
+Defines the ID of the Disk Encryption Set which should be used to encrypt this OS Disk when the Virtual Machine is a Confidential VM.
+It can only be set when security_encryption_type is set to "DiskWithVMGuestState".
+EOF
+}
+
+variable "secure_boot" {
+  type = string
+  default = ""
+  description = "Defines whether secure boot should be enabled on the virtual machine."
+}
+
+variable "virtualized_trusted_platform_module" {
+  type = string
+  default = ""
+  description = "Defines whether vTPM should be enabled on the virtual machine."
+}

data/data/azure/variables-azure.tf

@@ -250,3 +250,36 @@ variable "azure_marketplace_image_version" {
   description = "Version of the marketplace image"
   default     = ""
 }
+
+variable "azure_master_security_encryption_type" {
+  type    = string
+  default = null
+
+  description = <<EOF
+Defines the encryption type when the Virtual Machine is a Confidential VM. Possible values are VMGuestStateOnly and DiskWithVMGuestState.
+When set to "VMGuestStateOnly" azure_master_vtpm_enabled should be set to true.
+When set to "DiskWithVMGuestState" both azure_master_vtp_enabled and azure_master_secure_boot_enabled should be true.
+EOF
+}
+
+variable "azure_master_secure_vm_disk_encryption_set_id" {
+  type = string
+  default = null
+
+  description = <<EOF
+Defines the ID of the Disk Encryption Set which should be used to encrypt this OS Disk when the Virtual Machine is a Confidential VM.
+It can only be set when azure_master_security_encryption_type is set to "DiskWithVMGuestState".
+EOF
+}
+
+variable "azure_master_secure_boot" {
+  type        = string
+  description = "Defines whether the instance should have secure boot enabled."
+  default     = ""
+}
+
+variable "azure_master_virtualized_trusted_platform_module" {
+  type        = string
+  description = "Defines whether the instance should have vTPM enabled."
+  default     = ""
+}

data/data/azure/vnet/main.tf

@@ -128,6 +128,10 @@ resource "azurerm_shared_image" "clustergen2" {
   hyper_v_generation  = "V2"
   architecture        = var.azure_vm_architecture
 
+  confidential_vm_supported = var.azure_master_security_encryption_type != null ? true : null
+
+  trusted_launch_enabled = var.azure_master_security_encryption_type == null ? (var.azure_master_secure_boot == "Enabled" || var.azure_master_virtualized_trusted_platform_module == "Enabled") : null
+
   identifier {
     publisher = "RedHat-gen2"
     offer     = "rhcos-gen2"