flashbots/terraform-module-azure-confidential-vm
Terraform module to deploy Confidential Virtual Machines on Azure, supporting both Intel TDX and AMD SEV-SNP secure execution environments.

The module focuses on deploying VMs for BuilderNet from custom images and does not support Azure VM Agent functionality: there is no cloud-init, credential passthrough is disabled, and so on.

Overview

The module handles the following infrastructure components:

  • Creates an Azure Compute Gallery;
  • Imports a custom VM image from Azure Blob Storage;
  • Deploys a Confidential VM using the imported image.

Prerequisites

Before using this module, you must:

  • Set up an Azure Blob Storage account and create a Container;
  • Upload your VM image to the Blob Storage Container;
  • Obtain the blob URI for your image.

Important Notes

The module does not create or manage the Azure Blob Storage infrastructure. You are responsible for setting up and maintaining the storage account where your VM image resides.

Usage

Refer to the examples directory for detailed configuration examples.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1 |
| azurerm | ~> 4.14.0 |

Providers

| Name | Version |
|------|---------|
| azurerm | ~> 4.14.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| blob_storage_account_id | Resource ID of the storage account containing VM image blobs | `string` | n/a | yes |
| gallery_name | Name of the Azure Shared Image Gallery for storing VM images | `string` | `"confidential_vm_images"` | no |
| image_disk_controller_type_nvme_enabled | Enable NVMe disk controller for the shared image | `bool` | `true` | no |
| image_identifier | Identifier information for the shared image in Azure Marketplace format | `object({ publisher = string, offer = string, sku = string })` | `{ "offer": "BuilderNet", "publisher": "ACME, Inc.", "sku": "builder" }` | no |
| image_min_recommended_memory_in_gb | Minimum recommended memory in GB for VMs created from this image | `number` | `32` | no |
| image_min_recommended_vcpu_count | Minimum recommended vCPU count for VMs created from this image | `number` | `8` | no |
| image_name | Name of the shared image in the gallery | `string` | `"builder"` | no |
| image_version_blob_storage_uris | List of image versions and their corresponding blob storage URIs for VM images | `list(object({ image_version = string, uri = string }))` | n/a | yes |
| location | The Azure region where all resources will be created | `string` | n/a | yes |
| resource_group | The name of the Azure resource group where all resources will be deployed | `string` | n/a | yes |
| vms | Virtual machine configurations | `map(object({ ... }))`, see below | n/a | yes |

Type of `vms`:

    map(object({
      size                               = optional(string)
      image_version                      = optional(string, "latest")
      secure_boot_enabled                = optional(bool)
      vtpm_enabled                       = optional(bool)
      os_disk_caching                    = optional(string)
      os_disk_size_gb                    = optional(number)
      data_disk_size_gb                  = string
      data_disk_storage_account_type     = optional(string)
      data_disk_performance_plus_enabled = optional(bool)
      data_disk_tier                     = optional(string)
      data_disk_caching_type             = optional(string)
      data_disk_lun                      = optional(number)
      subnet_id                          = string
      security_group_egress_ranges       = optional(map(list(string)))
      security_group_ingress_ranges      = optional(map(list(string)))
    }))
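The following root module ties the Usage and Inputs sections together: it declares the documented provider requirement, looks up the externally managed storage account and subnet, and calls the module with the required inputs plus an explicit Secure Boot and vTPM configuration for one VM. This is an added example, not code from the repository or its examples directory. Every value marked PLACEHOLDER (storage account, resource group, subnet, VNet, region, VM size, blob URI) is an assumption to be replaced with your own; the `security_group_*_ranges` inputs are left unset because this page does not document the meaning of their map keys.

```hcl
# Added example (not from the repository): a root module that calls this
# module with the inputs documented above. Names marked PLACEHOLDER are
# assumptions; replace them with values from your environment.

terraform {
  required_version = ">= 1.1"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.14.0"
    }
  }
}

# The subscription is taken from ARM_SUBSCRIPTION_ID (or set subscription_id here).
provider "azurerm" {
  features {}
}

# The storage account holding the uploaded image blob is created and managed
# outside this module (see Prerequisites); only its resource ID is passed in.
data "azurerm_storage_account" "images" {
  name                = "buildernetimages" # PLACEHOLDER
  resource_group_name = "rg-buildernet"    # PLACEHOLDER
}

# Existing subnet the VM will attach to (also outside the module's scope).
data "azurerm_subnet" "builders" {
  name                 = "snet-builders"   # PLACEHOLDER
  virtual_network_name = "vnet-buildernet" # PLACEHOLDER
  resource_group_name  = "rg-buildernet"   # PLACEHOLDER
}

module "confidential_vm" {
  source = "github.com/flashbots/terraform-module-azure-confidential-vm"

  location       = "eastus"        # PLACEHOLDER region
  resource_group = "rg-buildernet" # PLACEHOLDER: resource group for the gallery and VMs

  blob_storage_account_id = data.azurerm_storage_account.images.id

  # One entry per image version; the URI is the blob uploaded beforehand.
  image_version_blob_storage_uris = [
    {
      image_version = "1.0.0"
      uri           = "https://buildernetimages.blob.core.windows.net/images/builder-1.0.0.vhd" # PLACEHOLDER
    },
  ]

  # gallery_name, image_name, image_identifier and the recommended-size
  # inputs are left at their documented defaults.

  vms = {
    "builder-01" = {
      size                = "Standard_DC8as_v5" # PLACEHOLDER: a confidential-VM size (AMD SEV-SNP or Intel TDX)
      image_version       = "1.0.0"             # pin the gallery version instead of the "latest" default
      secure_boot_enabled = true
      vtpm_enabled        = true
      os_disk_size_gb     = 64
      data_disk_size_gb   = "256" # declared as string in the module interface
      data_disk_lun       = 0
      subnet_id           = data.azurerm_subnet.builders.id
    }
  }
}

# Surface the module's single documented output for downstream automation.
output "vm_details" {
  value = module.confidential_vm.vm_details
}
```

Pinning `image_version` to a specific gallery version rather than the `"latest"` default keeps deployments reproducible, which matters for a confidential VM whose image is expected to match what was reviewed. Because the module disables the VM Agent (no cloud-init, no credential passthrough), any bootstrapping the VM needs must already be baked into the uploaded image. Consult the examples directory for the `security_group_ingress_ranges` and `security_group_egress_ranges` format before opening any network rules.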

Outputs

| Name | Description |
|------|-------------|
| vm_details | Virtual Machine details |

Note for contributors

Use terraform-docs to regenerate the module's documented configuration parameters (provider requirements, input variables, outputs) whenever you change them.
