published
Run in Cisco Cloud IDE
Github tag
Terraform registry downloads total
My Public profile

Deploy Virtual Appliance from Azure Marketplace using Terraform module

This Terraform module facilitates the deployment of a Linux-based Virtual Appliance from Azure Marketplace. This allows for the automatic provisioning of various virtual appliances such as Cisco Catalyst 8000V Edge SD-WAN, FTDv, ASAv, ACI-CLOUD-APIC-Virtual,Infoblox and more, subject to the acceptance of the appliance image's "terms of service."

Default Deployment

By default, the module deploys the virtual appliance with four network interfaces on four distinct subnet. However, the module provides flexibility in configuring the deployment to suit your specific requirements. You have the ability to adjust the default behavior as needed to accommodate different configurations and preferences. For instance, you can customize the number of network interfaces, subnets, routes, network security groups (NSGs) and other settings to align with your desired deployment scenarios.

Functional Examples

For detailed guidance and real-world use cases, check out the examples directory. These examples will help you understand how to configure and deploy different vendor virtual appliances.

Please be aware that this module has not been tested for deployments involving Scale Sets or high availability configurations.

Finding an Image in the Marketplace

You must have a user account and subscription with Microsoft Azure.
To deploy a virtual appliance from the Azure Marketplace, you need specific details like Offer, Publisher, SKU, and Version. You can obtain these details by using Azure CLI. For instance, if you're looking for Cisco images, use the following commands :

# Find all cisco images
az vm image list -o table --publisher cisco --all

# Find cisco ftdv images
az vm image list -o table --publisher cisco --offer cisco-ftdv --all

The module supports both Bring Your Own License (BYOL) and Pay-As-You-Go (PAYG) licensing model.

Usage

Once you have the detail you can now use these elements to build out the storage_image_reference and plan blocks:

module "ftdv" {
  source = "gehoumi/marketplace-linux-vm/azurerm"

  name                         = "FTDv"
  accept_marketplace_agreement = true
  source_image_reference       = {
    offer     = "cisco-ftdv"
    publisher = "cisco"
    sku       = "ftdv-azure-byol"
    version   = "74.1.132"
  }
  boot_diagnostics             = true
}

Accepting Marketplace legal terms

When deploying an image from the Marketplace, this module will create a resource azurerm_marketplace_agreement to accept the End User License Agreement (EULA) for the Virtual Appliance image that is being deployed. Once the EULA is accepted one time in an Azure subscription, you should be able to deploy the same appliance again without needing to accept the terms again.

To disable the resource re-creation, set the following option:

accept_marketplace_agreement = false

If you want to revoke the acceptance with Azure CLI, you can use the az vm image terms cancel command.
Example:

az vm image terms cancel --plan ftdv-azure-byol --publisher cisco --offer cisco-ftdv

Requirements

Name Version
terraform >= 1.2, < 2.0

Providers

Name Version
azurerm n/a
http n/a
random n/a

Modules

No modules.

Resources

Name Type
azurerm_linux_virtual_machine.vm_linux resource
azurerm_marketplace_agreement.default resource
azurerm_network_interface.this resource
azurerm_network_security_group.this resource
azurerm_network_security_rule.this resource
azurerm_public_ip.this resource
azurerm_resource_group.this resource
azurerm_route.this resource
azurerm_route_table.this resource
azurerm_subnet.this resource
azurerm_subnet_network_security_group_association.this resource
azurerm_subnet_route_table_association.this resource
azurerm_virtual_network.this resource
random_password.this resource
random_string.suffix resource
azurerm_public_ip.this data source
azurerm_subnet.this data source
azurerm_virtual_network.this data source
http_http.this data source

Inputs

Name Description Type Default Required
accelerated_networking Enable Azure accelerated networking (SR-IOV) for all network interfaces except the primary one. bool true no
accept_marketplace_agreement Allows accepting the Legal Terms for a Marketplace Image, when using bring your own license.
You don't need set to true when you have already accepted the legal terms on your current subscription.
Check available in market place: az vm image list -o table --publisher cisco --offer cisco-Virtual Appliance --all
https://azuremarketplace.microsoft.com/en-us/home
bool false no
additional_network_security_groups Map of Network Security Groups to create.
List of available attributes of each Network Security Group entry:
- name : Name of the Network Security Group.
- location : (Optional) Specifies the Azure location where to deploy the resource.
- rules: (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and
needs to be unique across all rules in the Network Security Group.
List of attributes available to define a Network Security Rule.
Notice, all port values are integers between 0 and 65535. Port ranges can be specified as minimum-maximum port value, example: 21-23:
- priority : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.
The lower the priority number, the higher the priority of the rule.
- direction : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are Inbound and Outbound.
- access : Specifies whether network traffic is allowed or denied. Possible values are Allow and Deny.
- protocol : Network protocol this rule applies to. Possible values include Tcp, Udp, Icmp, or * (which matches all). For supported values refer to the provider documentation
- source_port_range : A source port or a range of ports. This can also be an * to match all.
- source_port_ranges : A list of source ports or ranges of ports. This can be specified only if source_port_range was not used.
- destination_port_range : A destination port or a range of ports. This can also be an * to match all.
- destination_port_ranges : A list of destination ports or a ranges of ports. This can be specified only if destination_port_range was not used.
- source_address_prefix : Source CIDR or IP range or * to match any IP. This can also be a tag. To see all available tags for a region use the following command (example for US West Central): az network list-service-tags --location westcentralus.
- source_address_prefixes : A list of source address prefixes. Tags are not allowed. Can be specified only if source_address_prefix was not used.
- destination_address_prefix : Destination CIDR or IP range or * to match any IP. Tags are allowed, see source_address_prefix for details.
- destination_address_prefixes : A list of destination address prefixes. Tags are not allowed. Can be specified only if destination_address_prefix was not used.
any null no
address_space The address space used by the virtual network. You can supply more than one address space. list(string)
[
"10.100.0.0/16"
]
no
admin_password The Password which should be used for the local-administrator on this Virtual Machine. Changing this forces a new resource to be created. When an admin_password is specified disable_password_authentication must be set to false. One of either admin_password or admin_ssh_key must be specified. string null no
admin_ssh_keys set(object({
public_key = "(Required) The Public Key which should be used for authentication, which needs to be at least 2048-bit and in ssh-rsa format. Changing this forces a new resource to be created."
username = "(Optional) The Username for which this Public SSH Key should be configured. Changing this forces a new resource to be created. The Azure VM Agent only allows creating SSH Keys at the path /home/{admin_username}/.ssh/authorized_keys - as such this public key will be written to the authorized keys file. If no username is provided this module will use var.admin_username."
}))
set(object({
public_key = string
username = optional(string)
}))
[] no
admin_username The admin username of the VM that will be deployed. string "azureuser" no
allow_extension_operations Should Extension Operations be allowed on this Virtual Machine bool false no
allow_inbound_mgmt_ips List of IP CIDR ranges that are allowed to access management interface. list(string) [] no
availability_set_id The identifier of the Availability Set to use. When using this variable, set avzone = null. string null no
avzone The availability zone to use, for example "1", "2", "3". Ignored if enable_zones is false. Conflicts with avset_id, in which case use avzone = null. string "1" no
avzones After provider version 3.x you need to specify in which availability zone(s) you want to place IP.
ie: for zone-redundant with 3 availability zone in current region value will be:
["1","2","3"]
list(string) [] no
boot_diagnostics (Optional) Enable or Disable boot diagnostics. bool false no
bootstrap_options Bootstrap options to pass to Virtual Appliance, refer to the provider documentation. string "" no
computer_name (Optional) Specifies the Hostname which should be used for this Virtual Machine. If unspecified this defaults to the value for the vm_name field. If the value of the vm_name field is not a valid computer_name, then you must specify computer_name. Changing this forces a new resource to be created. string null no
create_subnets If true, create the Subnets inside the Virtual Network, otherwise use a pre-existing subnets. bool true no
create_virtual_network If true, create the Virtual Network, otherwise just use a pre-existing network. bool true no
custom_data (Optional) The Base64-Encoded Custom Data which should be used for this Virtual Machine. Changing this forces a new resource to be created. string null no
disable_password_authentication Should Password Authentication be disabled on this Virtual Machine. Changing this forces a new resource to be created. bool false no
enable_plan Enable usage of the Offer/Plan on Azure Marketplace. Even plan sku "byol", which means "bring your own license", still requires accepting on the Marketplace. Can be set to false when using a custom image. bool true no
enable_zones If false, the input avzone is ignored and also all created Public IP addresses default to not to use Availability Zones (the No-Zone setting). It is intended for the regions that do not yet support Availability Zones. bool true no
encryption_at_host_enabled (Optional) Should all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host? bool false no
extensions_time_budget (Optional) Specifies the duration allocated for all extensions to start. The time duration should be between 15 minutes and 120 minutes (inclusive) and should be specified in ISO 8601 format. Defaults to 90 minutes (PT1H30M). string "PT1H30M" no
identity object({
type = "Specifies the type of Managed Service Identity that should be configured on this Linux Virtual Machine. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both)."
identity_ids = "Specifies a list of User Assigned Managed Identity IDs to be assigned to this Linux Virtual Machine. This is required when type is set to UserAssigned or SystemAssigned, UserAssigned."
})
object({
type = string
identity_ids = optional(set(string))
})
{
"identity_ids": [],
"type": "SystemAssigned"
}
no
location The Azure location where the Virtual Machine should exist. Changing this forces a new resource to be created. string "eastus" no
management_network_security_groups The default management network security group attached to the first interface.
The default management network security group is merged with any additional network security groups provided in 'var.additional_network_security_groups'
to construst 'local.network_security_groups'.
any null no
max_bid_price (Optional) The maximum price you're willing to pay for this Virtual Machine, in US Dollars; which must be greater than the current spot price. If this bid price falls below the current spot price the Virtual Machine will be evicted using the eviction_policy. Defaults to -1, which means that the Virtual Machine should not be evicted for price reasons. This can only be configured when priority is set to Spot. number -1 no
name (Required) The name of Virtual Appliance. Changing this forces a new resource to be created. string n/a yes
name_prefix A prefix added to vnet resource name string "vnet-" no
network_interface_ids A list of Network Interface IDs which should be attached to this Virtual Machine. The first Network Interface ID in this list will be the Primary Network Interface on the Virtual Machine. Cannot be used along with new_network_interface. list(string) null no
network_interfaces List of the network interface specifications.

NOTICE. The ORDER in which you specify the interfaces DOES MATTER.
Interfaces will be attached to VM in the order you define here, therefore:
* The first should be the management interface, which does not participate in data filtering.
* The name must be 'management-security-group' for the first interface.
* The remaining ones are the dataplane interfaces.

Options for an interface object:
- name - Interface name
- address_prefixes - The address prefix to use for the subnet. Only required when a subnet will be created.
- network_security_group - The Network Security Group identifier to associate with the subnet. The name must be 'management-security-group' for the first interface.
- route_table_id - The Route Table identifier to associate with the subnet.
- enable_storage_service_endpoint - Flag that enables Microsoft.Storage service endpoint on a subnet. This is a suggested setting for the management interface when full bootstrapping using an Azure Storage Account is used. Defaults to false.
- create_public_ip - If true, create a public IP for the interface and ignore the public_ip_address_id. Default is false.
- private_ip_address - Static private IP to asssign to the interface. If null, dynamic one is allocated.
- public_ip_name - Name of an existing public IP to associate to the interface, used only when create_public_ip is false.
- public_ip_resource_group - Name of a Resource Group that contains public IP resource to associate to the interface. When not specified defaults to var.resource_group_name. Used only when create_public_ip is false.
- availability_zone - Availability zone to create public IP in. If not specified, set based on avzone and enable_zones.
- enable_ip_forwarding - If true, the network interface will not discard packets sent to an IP address other than the one assigned. If false, the network interface only accepts traffic destined to its IP address.
- tags - Tags to assign to the interface and public IP (if created). Overrides contents of tags variable.
map(object({
name = string
address_prefixes = list(string)
network_security_group = optional(string, "management-security-group")
route_table_id = optional(string)
enable_storage_service_endpoint = optional(bool, false)
create_public_ip = optional(bool, false)
private_ip_address = optional(string)
public_ip_name = optional(string)
public_ip_resource_group = optional(string)
availability_zone = optional(string)
enable_ip_forwarding = optional(string)
tags = optional(map(string))
}))
{
"if-nic0": {
"address_prefixes": [
"10.100.0.0/24"
],
"create_public_ip": true,
"enable_storage_service_endpoint": true,
"name": "management-subnet-0",
"network_security_group": "management-security-group"
},
"if-nic1": {
"address_prefixes": [
"10.100.1.0/24"
],
"name": "private-subnet-1"
},
"if-nic2": {
"address_prefixes": [
"10.100.2.0/24"
],
"name": "private-subnet-2"
},
"if-nic3": {
"address_prefixes": [
"10.100.3.0/24"
],
"name": "private-subnet-3"
}
}
no
os_disk object({
caching = "(Required) The Type of Caching which should be used for the Internal OS Disk. Possible values are None, ReadOnly and ReadWrite."
storage_account_type = "(Required) The Type of Storage Account which should back this the Internal OS Disk. Possible values are Standard_LRS, StandardSSD_LRS, Premium_LRS, StandardSSD_ZRS and Premium_ZRS. Changing this forces a new resource to be created."
disk_encryption_set_id = "(Optional) The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. Conflicts with secure_vm_disk_encryption_set_id. The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault"
disk_size_gb = "(Optional) The Size of the Internal OS Disk in GB.if you wish to vary from the size used in the image this Virtual Machine is sourced from. If specified this must be equal to or larger than the size of the Image the Virtual Machine is based on. When creating a larger disk than exists in the image you'll need to repartition the disk to use the remaining space."
name = "(Optional) The name which should be used for the Internal OS Disk. Changing this forces a new resource to be created."
secure_vm_disk_encryption_set_id = "(Optional) The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk when the Virtual Machine is a Confidential VM. Conflicts with disk_encryption_set_id. Changing this forces a new resource to be created. secure_vm_disk_encryption_set_id can only be specified when security_encryption_type is set to DiskWithVMGuestState."
security_encryption_type = "(Optional) Encryption Type when the Virtual Machine is a Confidential VM. Possible values are VMGuestStateOnly and DiskWithVMGuestState. Changing this forces a new resource to be created. vtpm_enabled must be set to true when security_encryption_type is specified. encryption_at_host_enabled cannot be set to true when security_encryption_type is set to DiskWithVMGuestState."
write_accelerator_enabled = "(Optional) Should Write Accelerator be Enabled for this OS Disk? Defaults to false. This requires that the storage_account_type is set to Premium_LRS and that caching is set to None."
diff_disk_settings = optional(object({
option = "(Required) Specifies the Ephemeral Disk Settings for the OS Disk. At this time the only possible value is Local. Changing this forces a new resource to be created."
placement = "(Optional) Specifies where to store the Ephemeral Disk. Possible values are CacheDisk and ResourceDisk. Defaults to CacheDisk. Changing this forces a new resource to be created."
}), [])
})
object({
caching = string
storage_account_type = string
disk_encryption_set_id = optional(string)
disk_size_gb = optional(number)
name = optional(string)
secure_vm_disk_encryption_set_id = optional(string)
security_encryption_type = optional(string)
write_accelerator_enabled = optional(bool, false)
diff_disk_settings = optional(object({
option = string
placement = optional(string, "CacheDisk")
}), null)
})
{
"caching": "ReadWrite",
"name": "default-disk",
"storage_account_type": "StandardSSD_LRS",
"write_accelerator_enabled": false
}
no
patch_assessment_mode (Optional) Specifies the mode of VM Guest Patching for the Virtual Machine. Possible values are AutomaticByPlatform or ImageDefault. Defaults to ImageDefault. string "ImageDefault" no
patch_mode (Optional) Specifies the mode of in-guest patching to this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault. Defaults to ImageDefault. For more information on patch modes please see the product documentation. string "ImageDefault" no
priority (Optional) Specifies the priority of this Virtual Machine. Possible values are Regular and Spot. Defaults to Regular. Changing this forces a new resource to be created. string "Regular" no
provision_vm_agent (Optional) Should the Azure VM Agent be provisioned on this Virtual Machine? Defaults to true. Changing this forces a new resource to be created. If provision_vm_agent is set to false then allow_extension_operations must also be set to false. bool true no
resource_group_name The name of the Resource Group in which the Virtual Machine should be exist. Changing this forces a new resource to be created. string null no
route_tables Map of objects describing a Route Table.
List of available attributes of each Route Table entry:
- name: Name of a Route Table.
- location : (Optional) Specifies the Azure location where to deploy the resource.
- routes : (Optional) Map of routes within the Route Table.
List of available attributes of each route entry:
- address_prefix : The destination CIDR to which the route applies, such as 10.1.0.0/16.
- next_hop_type : The type of Azure hop the packet should be sent to.
Possible values are: VirtualNetworkGateway, VnetLocal, Internet, VirtualAppliance and None.
- next_hop_in_ip_address : Contains the IP address packets should be forwarded to.
Next hop values are only allowed in routes where the next hop type is VirtualAppliance.

Example:
{
"rt_1" = {
name = "route_table_1"
routes = {
"route_1" = {
address_prefix = "10.1.0.0/16"
next_hop_type = "vnetlocal"
},
"route_2" = {
address_prefix = "10.2.0.0/16"
next_hop_type = "vnetlocal"
},
}
},
"rt_2" = {
name = "route_table_2"
routes = {
"route_3" = {
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = "10.112.0.100"
}
},
},
}
map {} no
secure_boot_enabled (Optional) Specifies whether secure boot should be enabled on the virtual machine. Changing this forces a new resource to be created. bool false no
size The SKU which should be used for this Virtual Machine. Consult the cisco Deployment Guide as only a few selected sizes are supported. string "Standard_D3_v2" no
source_image_reference object({
publisher = "(Required) Specifies the publisher of the image used to create the virtual machines. Changing this forces a new resource to be created."
offer = "(Required) Specifies the offer of the image used to create the virtual machines. Changing this forces a new resource to be created."
sku = "(Required) Specifies the SKU of the image used to create the virtual machines. Changing this forces a new resource to be created."
version = "(Required) Specifies the version of the image used to create the virtual machines. Changing this forces a new resource to be created."
})
object({
publisher = string
offer = string
sku = string
version = string
})
n/a yes
tags A map of the tags to use on the resources that are deployed with this module. map(string)
{
"source": "terraform"
}
no
user_data (Optional) The Base64-Encoded User Data which should be used for this Virtual Machine. string null no
virtual_machine_scale_set_id (Optional) Specifies the Orchestrated Virtual Machine Scale Set that this Virtual Machine should be created within. Conflicts with availability_set_id. Changing this forces a new resource to be created. string null no
vtpm_enabled (Optional) Specifies whether vTPM should be enabled on the virtual machine. Changing this forces a new resource to be created. bool false no

Outputs

Name Description
network_security_group_ids The identifiers of the created Network Security Groups.
password Initial administrative password.
private_ip_addresses The map of private IP addresses and interfaces.
public_ip_addresses The map of management IP addresses and interfaces. If create_public_ip was true, it is a public IP address, otherwise is 'null'.
route_table_ids The identifiers of the created Route Tables.
subnet_cidrs Subnet CIDRs (sourced or created).
subnet_ids The identifiers of the created or sourced Subnets.
username The username of the administrator configured in the Virtual Machine
virtual_network_id The identifier of the created or sourced Virtual Network.
vnet_cidr VNET address space.
View code on GitHub
  • Owner

  • Contributors

    +1Github contributor
  • Categories

  • Programming Languages

    HCL
  • License

    MIT License

Code Exchange Community

Get help, share code, and collaborate with other developers in the Code Exchange community.View Community
Disclaimer:
Cisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.