azurerm_linux_virtual_machine_scale_set SecurityType ConfidentialVM can only be set with secure boot #18747

Closed
1 task done
Tracked by #195
malt3 opened this issue Oct 13, 2022 · 7 comments · Fixed by #18749

Comments

@malt3
Contributor

malt3 commented Oct 13, 2022

Is there an existing issue for this?

  • I have searched the existing issues


Terraform Version

1.3.2

AzureRM Provider Version

3.23.0

Affected Resource(s)/Data Source(s)

azurerm_linux_virtual_machine_scale_set

Terraform Configuration Files

resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {
  name                            = "my-scale-set"
  resource_group_name             = "my-rg"
  location                        = "northeurope"
  sku                             = "Standard_DC4as_v5"
  instances                       = 1
  admin_username                  = "adminuser"
  admin_password                  = random_password.password.result
  overprovision                   = false
  vtpm_enabled                    = true
  disable_password_authentication = false
  upgrade_mode                    = "Manual"
  secure_boot_enabled             = false
  source_image_id                 = var.image_id

  os_disk {
    security_encryption_type = "VMGuestStateOnly"
    caching                  = "ReadWrite"
    storage_account_type     = "Premium_LRS"
  }

  network_interface {
    name    = "example"
    primary = true

    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = azurerm_subnet.internal.id
    }
  }
}

Debug Output/Panic Output

Error: `secure_boot_enabled` must be set to `true` when `os_disk.0.security_encryption_type` is specified

  with module.scale_set_worker.azurerm_linux_virtual_machine_scale_set.scale_set,
  on modules/scale_set/main.tf line 18, in resource "azurerm_linux_virtual_machine_scale_set" "scale_set":
  18: resource "azurerm_linux_virtual_machine_scale_set" "scale_set" {

Expected Behaviour

Virtual Machine Scale Set with security type ConfidentialVM, OS disk encryption type VMGuestStateOnly and disabled secure boot should be created.

Actual Behaviour

An error occurs and the scale set is never created

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

@WodansSon
Collaborator

WodansSon commented Oct 14, 2022

@malt3, while this fixes the issue for the Linux version of the VMSS resource, shouldn't this fix also be incorporated into the Windows azurerm_windows_virtual_machine_scale_set resource as well? I feel that a test case for this scenario being added to each of the flavors of VMSS (e.g. Linux and Windows) would also prolly be prudent? Thoughts?

@malt3
Contributor Author

malt3 commented Oct 14, 2022

I am not very familiar with Windows VMSS on Azure with SecurityType ConfidentialVM. I can implement the same behavior but cannot make statements on whether this is actually correct or not. Happy to improve the PR and add tests.

@WodansSon
Collaborator

@malt3, it is my understanding that both Linux and Windows share the same behavior but I will reach out to the service team to get a definitive answer on that.

@malt3
Contributor Author

malt3 commented Oct 14, 2022

I wrote tests and saw that

  • secure boot can be disabled on windows and linux
  • vtpm has to be enabled in all cases
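The rule the thread converges on, as an added illustration that is not the provider's own code: the validation reported in the issue (any `security_encryption_type` forces `secure_boot_enabled = true`) is shown beside a check that encodes what the tests above found, namely that vTPM is the mandatory part and secure boot may stay disabled. The `ConfidentialVMSettings` struct and the two `validate*` functions are hypothetical names for this example, not the schema types or functions in the provider.

```go
package main

import (
	"errors"
	"fmt"
)

// ConfidentialVMSettings is a hypothetical struct holding the three scale-set
// arguments discussed in this issue; it is not the provider's schema type.
type ConfidentialVMSettings struct {
	SecurityEncryptionType string // os_disk.security_encryption_type, "" if unset
	SecureBootEnabled      bool   // secure_boot_enabled
	VTPMEnabled            bool   // vtpm_enabled
}

// validateOld reproduces the behaviour reported in the issue: specifying a
// security encryption type is rejected unless secure boot is also enabled.
func validateOld(s ConfidentialVMSettings) error {
	if s.SecurityEncryptionType != "" && !s.SecureBootEnabled {
		return errors.New("`secure_boot_enabled` must be set to `true` when `os_disk.0.security_encryption_type` is specified")
	}
	return nil
}

// validateNew encodes what the tests in the thread showed: whenever a security
// encryption type is set, vTPM must be enabled; secure boot may be disabled.
func validateNew(s ConfidentialVMSettings) error {
	if s.SecurityEncryptionType != "" && !s.VTPMEnabled {
		return errors.New("`vtpm_enabled` must be set to `true` when `os_disk.0.security_encryption_type` is specified")
	}
	return nil
}

func main() {
	// Constructed sample mirroring the configuration in the issue body:
	// VMGuestStateOnly encryption, vTPM on, secure boot off.
	issueConfig := ConfidentialVMSettings{
		SecurityEncryptionType: "VMGuestStateOnly",
		SecureBootEnabled:      false,
		VTPMEnabled:            true,
	}
	fmt.Println("old rule:", validateOld(issueConfig)) // rejected
	fmt.Println("new rule:", validateNew(issueConfig)) // accepted
}
```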

@github-actions

This functionality has been released in v3.28.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@jjindrich

@xfrm74

@github-actions

github-actions bot commented Dec 9, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 9, 2022