This Terraform module facilitates the deployment of a Linux-based Virtual Appliance from Azure Marketplace. This allows for the automatic provisioning of various virtual appliances such as Cisco Catalyst 8000V Edge SD-WAN, FTDv, ASAv, ACI-CLOUD-APIC-Virtual,Infoblox and more, subject to the acceptance of the appliance image's "terms of service."
By default, the module deploys the virtual appliance with four network interfaces on four distinct subnet. However, the module provides flexibility in configuring the deployment to suit your specific requirements. You have the ability to adjust the default behavior as needed to accommodate different configurations and preferences. For instance, you can customize the number of network interfaces, subnets, routes, network security groups (NSGs) and other settings to align with your desired deployment scenarios.
For detailed guidance and real-world use cases, check out the examples directory. These examples will help you understand how to configure and deploy different vendor virtual appliances.
Please be aware that this module has not been tested for deployments involving Scale Sets or high availability configurations.
You must have a user account and subscription with Microsoft Azure.
To deploy a virtual appliance from the Azure Marketplace, you need specific details like Offer, Publisher, SKU, and Version. You can obtain these details by using Azure CLI. For instance, if you're looking for Cisco images, use the following commands :
# Find all cisco images az vm image list -o table --publisher cisco --all # Find cisco ftdv images az vm image list -o table --publisher cisco --offer cisco-ftdv --all
The module supports both Bring Your Own License (BYOL) and Pay-As-You-Go (PAYG) licensing model.
Once you have the detail you can now use these elements to build out the storage_image_reference
and plan blocks:
module "ftdv" { source = "gehoumi/marketplace-linux-vm/azurerm" name = "FTDv" accept_marketplace_agreement = true source_image_reference = { offer = "cisco-ftdv" publisher = "cisco" sku = "ftdv-azure-byol" version = "74.1.132" } boot_diagnostics = true }
When deploying an image from the Marketplace, this module will create a resource azurerm_marketplace_agreement
to accept the End User License Agreement (EULA) for the Virtual Appliance image that is being deployed. Once the EULA is accepted one time in an Azure subscription, you should be able to deploy the same appliance again without needing to accept the terms again.
To disable the resource re-creation, set the following option:
accept_marketplace_agreement = false
If you want to revoke the acceptance with Azure CLI, you can use the az vm image terms cancel
command.
Example:
az vm image terms cancel --plan ftdv-azure-byol --publisher cisco --offer cisco-ftdv
Name | Version |
---|---|
terraform | >= 1.2, < 2.0 |
Name | Version |
---|---|
azurerm | n/a |
http | n/a |
random | n/a |
No modules.
Name | Type |
---|---|
azurerm_linux_virtual_machine.vm_linux | resource |
azurerm_marketplace_agreement.default | resource |
azurerm_network_interface.this | resource |
azurerm_network_security_group.this | resource |
azurerm_network_security_rule.this | resource |
azurerm_public_ip.this | resource |
azurerm_resource_group.this | resource |
azurerm_route.this | resource |
azurerm_route_table.this | resource |
azurerm_subnet.this | resource |
azurerm_subnet_network_security_group_association.this | resource |
azurerm_subnet_route_table_association.this | resource |
azurerm_virtual_network.this | resource |
random_password.this | resource |
random_string.suffix | resource |
azurerm_public_ip.this | data source |
azurerm_subnet.this | data source |
azurerm_virtual_network.this | data source |
http_http.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
accelerated_networking | Enable Azure accelerated networking (SR-IOV) for all network interfaces except the primary one. | bool |
true |
no |
accept_marketplace_agreement | Allows accepting the Legal Terms for a Marketplace Image, when using bring your own license. You don't need set to true when you have already accepted the legal terms on your current subscription.Check available in market place: az vm image list -o table --publisher cisco --offer cisco-Virtual Appliance --all https://azuremarketplace.microsoft.com/en-us/home |
bool |
false |
no |
additional_network_security_groups | Map of Network Security Groups to create. List of available attributes of each Network Security Group entry: - name : Name of the Network Security Group.- location : (Optional) Specifies the Azure location where to deploy the resource.- rules : (Optional) A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule andneeds to be unique across all rules in the Network Security Group. List of attributes available to define a Network Security Rule. Notice, all port values are integers between 0 and 65535 . Port ranges can be specified as minimum-maximum port value, example: 21-23 :- priority : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.The lower the priority number, the higher the priority of the rule. - direction : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are Inbound and Outbound .- access : Specifies whether network traffic is allowed or denied. Possible values are Allow and Deny .- protocol : Network protocol this rule applies to. Possible values include Tcp , Udp , Icmp , or * (which matches all). For supported values refer to the provider documentation- source_port_range : A source port or a range of ports. This can also be an * to match all.- source_port_ranges : A list of source ports or ranges of ports. This can be specified only if source_port_range was not used.- destination_port_range : A destination port or a range of ports. This can also be an * to match all.- destination_port_ranges : A list of destination ports or a ranges of ports. This can be specified only if destination_port_range was not used.- source_address_prefix : Source CIDR or IP range or * to match any IP. This can also be a tag. To see all available tags for a region use the following command (example for US West Central): az network list-service-tags --location westcentralus .- source_address_prefixes : A list of source address prefixes. Tags are not allowed. Can be specified only if source_address_prefix was not used.- destination_address_prefix : Destination CIDR or IP range or * to match any IP. Tags are allowed, see source_address_prefix for details.- destination_address_prefixes : A list of destination address prefixes. Tags are not allowed. Can be specified only if destination_address_prefix was not used. |
any |
null |
no |
address_space | The address space used by the virtual network. You can supply more than one address space. | list(string) |
[ |
no |
admin_password | The Password which should be used for the local-administrator on this Virtual Machine. Changing this forces a new resource to be created. When an admin_password is specified disable_password_authentication must be set to false . One of either admin_password or admin_ssh_key must be specified. |
string |
null |
no |
admin_ssh_keys | set(object({ public_key = "(Required) The Public Key which should be used for authentication, which needs to be at least 2048-bit and in ssh-rsa format. Changing this forces a new resource to be created."username = "(Optional) The Username for which this Public SSH Key should be configured. Changing this forces a new resource to be created. The Azure VM Agent only allows creating SSH Keys at the path /home/{admin_username}/.ssh/authorized_keys - as such this public key will be written to the authorized keys file. If no username is provided this module will use var.admin_username."})) |
set(object({ |
[] |
no |
admin_username | The admin username of the VM that will be deployed. | string |
"azureuser" |
no |
allow_extension_operations | Should Extension Operations be allowed on this Virtual Machine | bool |
false |
no |
allow_inbound_mgmt_ips | List of IP CIDR ranges that are allowed to access management interface. | list(string) |
[] |
no |
availability_set_id | The identifier of the Availability Set to use. When using this variable, set avzone = null . |
string |
null |
no |
avzone | The availability zone to use, for example "1", "2", "3". Ignored if enable_zones is false. Conflicts with avset_id , in which case use avzone = null . |
string |
"1" |
no |
avzones | After provider version 3.x you need to specify in which availability zone(s) you want to place IP. ie: for zone-redundant with 3 availability zone in current region value will be: ["1","2","3"] |
list(string) |
[] |
no |
boot_diagnostics | (Optional) Enable or Disable boot diagnostics. | bool |
false |
no |
bootstrap_options | Bootstrap options to pass to Virtual Appliance, refer to the provider documentation. | string |
"" |
no |
computer_name | (Optional) Specifies the Hostname which should be used for this Virtual Machine. If unspecified this defaults to the value for the vm_name field. If the value of the vm_name field is not a valid computer_name , then you must specify computer_name . Changing this forces a new resource to be created. |
string |
null |
no |
create_subnets | If true, create the Subnets inside the Virtual Network, otherwise use a pre-existing subnets. | bool |
true |
no |
create_virtual_network | If true, create the Virtual Network, otherwise just use a pre-existing network. | bool |
true |
no |
custom_data | (Optional) The Base64-Encoded Custom Data which should be used for this Virtual Machine. Changing this forces a new resource to be created. | string |
null |
no |
disable_password_authentication | Should Password Authentication be disabled on this Virtual Machine. Changing this forces a new resource to be created. | bool |
false |
no |
enable_plan | Enable usage of the Offer/Plan on Azure Marketplace. Even plan sku "byol", which means "bring your own license", still requires accepting on the Marketplace. Can be set to false when using a custom image. |
bool |
true |
no |
enable_zones | If false, the input avzone is ignored and also all created Public IP addresses default to not to use Availability Zones (the No-Zone setting). It is intended for the regions that do not yet support Availability Zones. |
bool |
true |
no |
encryption_at_host_enabled | (Optional) Should all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host? | bool |
false |
no |
extensions_time_budget | (Optional) Specifies the duration allocated for all extensions to start. The time duration should be between 15 minutes and 120 minutes (inclusive) and should be specified in ISO 8601 format. Defaults to 90 minutes (PT1H30M ). |
string |
"PT1H30M" |
no |
identity | object({ type = "Specifies the type of Managed Service Identity that should be configured on this Linux Virtual Machine. Possible values are SystemAssigned , UserAssigned , SystemAssigned, UserAssigned (to enable both)."identity_ids = "Specifies a list of User Assigned Managed Identity IDs to be assigned to this Linux Virtual Machine. This is required when type is set to UserAssigned or SystemAssigned, UserAssigned ."}) |
object({ |
{ |
no |
location | The Azure location where the Virtual Machine should exist. Changing this forces a new resource to be created. | string |
"eastus" |
no |
management_network_security_groups | The default management network security group attached to the first interface. The default management network security group is merged with any additional network security groups provided in 'var.additional_network_security_groups' to construst 'local.network_security_groups'. |
any |
null |
no |
max_bid_price | (Optional) The maximum price you're willing to pay for this Virtual Machine, in US Dollars; which must be greater than the current spot price. If this bid price falls below the current spot price the Virtual Machine will be evicted using the eviction_policy . Defaults to -1 , which means that the Virtual Machine should not be evicted for price reasons. This can only be configured when priority is set to Spot . |
number |
-1 |
no |
name | (Required) The name of Virtual Appliance. Changing this forces a new resource to be created. | string |
n/a | yes |
name_prefix | A prefix added to vnet resource name | string |
"vnet-" |
no |
network_interface_ids | A list of Network Interface IDs which should be attached to this Virtual Machine. The first Network Interface ID in this list will be the Primary Network Interface on the Virtual Machine. Cannot be used along with new_network_interface . |
list(string) |
null |
no |
network_interfaces | List of the network interface specifications. NOTICE. The ORDER in which you specify the interfaces DOES MATTER. Interfaces will be attached to VM in the order you define here, therefore: * The first should be the management interface, which does not participate in data filtering. * The name must be 'management-security-group' for the first interface. * The remaining ones are the dataplane interfaces. Options for an interface object: - name - Interface name- address_prefixes - The address prefix to use for the subnet. Only required when a subnet will be created.- network_security_group - The Network Security Group identifier to associate with the subnet. The name must be 'management-security-group' for the first interface.- route_table_id - The Route Table identifier to associate with the subnet.- enable_storage_service_endpoint - Flag that enables Microsoft.Storage service endpoint on a subnet. This is a suggested setting for the management interface when full bootstrapping using an Azure Storage Account is used. Defaults to false .- create_public_ip - If true, create a public IP for the interface and ignore the public_ip_address_id . Default is false.- private_ip_address - Static private IP to asssign to the interface. If null, dynamic one is allocated.- public_ip_name - Name of an existing public IP to associate to the interface, used only when create_public_ip is false .- public_ip_resource_group - Name of a Resource Group that contains public IP resource to associate to the interface. When not specified defaults to var.resource_group_name . Used only when create_public_ip is false .- availability_zone - Availability zone to create public IP in. If not specified, set based on avzone and enable_zones .- enable_ip_forwarding - If true, the network interface will not discard packets sent to an IP address other than the one assigned. If false, the network interface only accepts traffic destined to its IP address.- tags - Tags to assign to the interface and public IP (if created). Overrides contents of tags variable. |
map(object({ |
{ |
no |
os_disk | object({ caching = "(Required) The Type of Caching which should be used for the Internal OS Disk. Possible values are None , ReadOnly and ReadWrite ."storage_account_type = "(Required) The Type of Storage Account which should back this the Internal OS Disk. Possible values are Standard_LRS , StandardSSD_LRS , Premium_LRS , StandardSSD_ZRS and Premium_ZRS . Changing this forces a new resource to be created."disk_encryption_set_id = "(Optional) The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk. Conflicts with secure_vm_disk_encryption_set_id . The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault"disk_size_gb = "(Optional) The Size of the Internal OS Disk in GB.if you wish to vary from the size used in the image this Virtual Machine is sourced from. If specified this must be equal to or larger than the size of the Image the Virtual Machine is based on. When creating a larger disk than exists in the image you'll need to repartition the disk to use the remaining space." name = "(Optional) The name which should be used for the Internal OS Disk. Changing this forces a new resource to be created." secure_vm_disk_encryption_set_id = "(Optional) The ID of the Disk Encryption Set which should be used to Encrypt this OS Disk when the Virtual Machine is a Confidential VM. Conflicts with disk_encryption_set_id . Changing this forces a new resource to be created. secure_vm_disk_encryption_set_id can only be specified when security_encryption_type is set to DiskWithVMGuestState ."security_encryption_type = "(Optional) Encryption Type when the Virtual Machine is a Confidential VM. Possible values are VMGuestStateOnly and DiskWithVMGuestState . Changing this forces a new resource to be created. vtpm_enabled must be set to true when security_encryption_type is specified. encryption_at_host_enabled cannot be set to true when security_encryption_type is set to DiskWithVMGuestState ."write_accelerator_enabled = "(Optional) Should Write Accelerator be Enabled for this OS Disk? Defaults to false . This requires that the storage_account_type is set to Premium_LRS and that caching is set to None ."diff_disk_settings = optional(object({ option = "(Required) Specifies the Ephemeral Disk Settings for the OS Disk. At this time the only possible value is Local . Changing this forces a new resource to be created."placement = "(Optional) Specifies where to store the Ephemeral Disk. Possible values are CacheDisk and ResourceDisk . Defaults to CacheDisk . Changing this forces a new resource to be created."}), []) }) |
object({ |
{ |
no |
patch_assessment_mode | (Optional) Specifies the mode of VM Guest Patching for the Virtual Machine. Possible values are AutomaticByPlatform or ImageDefault . Defaults to ImageDefault . |
string |
"ImageDefault" |
no |
patch_mode | (Optional) Specifies the mode of in-guest patching to this Linux Virtual Machine. Possible values are AutomaticByPlatform and ImageDefault . Defaults to ImageDefault . For more information on patch modes please see the product documentation. |
string |
"ImageDefault" |
no |
priority | (Optional) Specifies the priority of this Virtual Machine. Possible values are Regular and Spot . Defaults to Regular . Changing this forces a new resource to be created. |
string |
"Regular" |
no |
provision_vm_agent | (Optional) Should the Azure VM Agent be provisioned on this Virtual Machine? Defaults to true . Changing this forces a new resource to be created. If provision_vm_agent is set to false then allow_extension_operations must also be set to false . |
bool |
true |
no |
resource_group_name | The name of the Resource Group in which the Virtual Machine should be exist. Changing this forces a new resource to be created. | string |
null |
no |
route_tables | Map of objects describing a Route Table. List of available attributes of each Route Table entry: - name : Name of a Route Table.- location : (Optional) Specifies the Azure location where to deploy the resource.- routes : (Optional) Map of routes within the Route Table.List of available attributes of each route entry: - address_prefix : The destination CIDR to which the route applies, such as 10.1.0.0/16 .- next_hop_type : The type of Azure hop the packet should be sent to.Possible values are: VirtualNetworkGateway , VnetLocal , Internet , VirtualAppliance and None .- next_hop_in_ip_address : Contains the IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance .Example: { |
map |
{} |
no |
secure_boot_enabled | (Optional) Specifies whether secure boot should be enabled on the virtual machine. Changing this forces a new resource to be created. | bool |
false |
no |
size | The SKU which should be used for this Virtual Machine. Consult the cisco Deployment Guide as only a few selected sizes are supported. | string |
"Standard_D3_v2" |
no |
source_image_reference | object({ publisher = "(Required) Specifies the publisher of the image used to create the virtual machines. Changing this forces a new resource to be created." offer = "(Required) Specifies the offer of the image used to create the virtual machines. Changing this forces a new resource to be created." sku = "(Required) Specifies the SKU of the image used to create the virtual machines. Changing this forces a new resource to be created." version = "(Required) Specifies the version of the image used to create the virtual machines. Changing this forces a new resource to be created." }) |
object({ |
n/a | yes |
tags | A map of the tags to use on the resources that are deployed with this module. | map(string) |
{ |
no |
user_data | (Optional) The Base64-Encoded User Data which should be used for this Virtual Machine. | string |
null |
no |
virtual_machine_scale_set_id | (Optional) Specifies the Orchestrated Virtual Machine Scale Set that this Virtual Machine should be created within. Conflicts with availability_set_id . Changing this forces a new resource to be created. |
string |
null |
no |
vtpm_enabled | (Optional) Specifies whether vTPM should be enabled on the virtual machine. Changing this forces a new resource to be created. | bool |
false |
no |
Name | Description |
---|---|
network_security_group_ids | The identifiers of the created Network Security Groups. |
password | Initial administrative password. |
private_ip_addresses | The map of private IP addresses and interfaces. |
public_ip_addresses | The map of management IP addresses and interfaces. If create_public_ip was true , it is a public IP address, otherwise is 'null'. |
route_table_ids | The identifiers of the created Route Tables. |
subnet_cidrs | Subnet CIDRs (sourced or created). |
subnet_ids | The identifiers of the created or sourced Subnets. |
username | The username of the administrator configured in the Virtual Machine |
virtual_network_id | The identifier of the created or sourced Virtual Network. |
vnet_cidr | VNET address space. |
Owner
Contributors
Categories
Programming Languages
HCLLicense
Code Exchange Community
Get help, share code, and collaborate with other developers in the Code Exchange community.View Community