Merge pull request #4 from DevSecNinja/feature/add-avd-extension

Add support for the AVD extension

.github/workflows/pre-release.yml

@@ -0,0 +1,24 @@
+---
+name: Create pre-release
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  pre-release:
+    name: "Pre-release"
+    runs-on: "ubuntu-latest"
+
+    steps:
+      - uses: "marvinpinto/action-automatic-releases@latest"
+        with:
+          repo_token: "${{ secrets.GITHUB_TOKEN }}"
+          automatic_release_tag: "latest"
+          prerelease: true
+          title: "Automatic pre-release"
+          files: |
+            LICENSE
+            readme.md
+            *.tf

networking.tf

@@ -17,6 +17,10 @@ resource "azurerm_network_interface" "vm_nic" {
     private_ip_address_allocation = "Dynamic"
     public_ip_address_id          = var.deploy_public_ip_address ? azurerm_public_ip.vm_pip[count.index].id : null
   }
+
+  depends_on = [
+    time_sleep.wait_60_seconds # Needed for the policy exemption to become active
+  ]
 }
 
 #

policy_exemption.tf

@@ -16,7 +16,7 @@ resource "azurerm_resource_group_policy_exemption" "backup" {
   count = var.disable_backup ? 0 : 1
 
   name                 = "DisableBackups"
-  display_name         = "Disable backups on VMs in the '${azurerm_resource_group.vm_rg}' Resource Group"
+  display_name         = "Disable backups on VMs in the '${azurerm_resource_group.vm_rg.name}' Resource Group"
   resource_group_id    = azurerm_resource_group.vm_rg.id
   policy_assignment_id = "/providers/microsoft.management/managementgroups/${var.config.generic.org.root_id}-landing-zones/providers/microsoft.authorization/policyassignments/deploy-vm-backup"
   exemption_category   = "Waiver"

readme.md

@@ -121,6 +121,7 @@ No modules.
 | [azurerm_security_center_server_vulnerability_assessment_virtual_machine.vm](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_server_vulnerability_assessment_virtual_machine) | resource |
 | [azurerm_virtual_machine_data_disk_attachment.data_01](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_data_disk_attachment) | resource |
 | [azurerm_virtual_machine_data_disk_attachment.shared_01](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_data_disk_attachment) | resource |
+| [azurerm_virtual_machine_extension.avd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension) | resource |
 | [azurerm_virtual_machine_extension.domain_join_azuread](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension) | resource |
 | [azurerm_virtual_machine_extension.vm_amaagent](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension) | resource |
 | [azurerm_virtual_machine_extension.vm_linux](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension) | resource |
@@ -135,6 +136,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_avd_extension"></a> [avd\_extension](#input\_avd\_extension) | Installs the Azure Virtual Desktop extension | `map` | <pre>{<br>  "aadJoin": true,<br>  "enabled": false,<br>  "hostPoolName": null,<br>  "registrationInfoToken": null<br>}</pre> | no |
 | <a name="input_config"></a> [config](#input\_config) | Provide the decoded data from the files in generic/json/config | `any` | n/a | yes |
 | <a name="input_custom_data"></a> [custom\_data](#input\_custom\_data) | Base64encoded string of the custom data config | `string` | `null` | no |
 | <a name="input_custom_script_extension"></a> [custom\_script\_extension](#input\_custom\_script\_extension) | Installs the specified custom script extension. Script should be a base64encoded string | `map` | <pre>{<br>  "enabled": false,<br>  "name": null,<br>  "script": null<br>}</pre> | no |

variables.tf

@@ -182,4 +182,14 @@ variable "custom_script_extension" {
     name = null
     script = null
   }
+}
+
+variable "avd_extension" {
+  description = "Installs the Azure Virtual Desktop extension"
+  default = {
+    enabled = false
+    hostPoolName = null
+    aadJoin = true
+    registrationInfoToken = null
+  }
 }

vm.extensions.tf

@@ -29,9 +29,40 @@ resource "azurerm_virtual_machine_extension" "vm_windows" {
   type                 = "CustomScriptExtension"
   type_handler_version = "1.10"
 
-  protected_settings  = <<PROTECTEDSETTINGS
+  protected_settings  = <<SETTINGS
     {
         "commandToExecute": "powershell -ExecutionPolicy Unrestricted -encodedCommand ${var.custom_script_extension.script}"
     }
-PROTECTEDSETTINGS
+SETTINGS
+}
+
+# Azure Virtual Desktop
+# Despite the other VM extension taking care of the Azure AD Join, we have to specify the property here too.
+resource "azurerm_virtual_machine_extension" "avd" {
+  count = var.avd_extension.enabled && local.is_linux != true ? var.instances : 0
+
+  name                       = "AzureVirtualDesktopSessionHost"
+  virtual_machine_id         = azurerm_windows_virtual_machine.vm[count.index].id
+  publisher                  = "Microsoft.Powershell"
+  type                       = "DSC"
+  type_handler_version       = "2.73"
+
+  settings = <<-SETTINGS
+    {
+      "modulesUrl": "${var.config.compute.virtualMachines.azure_virtual_desktop.config.agentUrl}",
+      "configurationFunction": "Configuration.ps1\\AddSessionHost",
+      "properties": {
+        "HostPoolName":"${var.avd_extension.hostPoolName}",
+        "aadJoin": ${var.avd_extension.aadJoin}
+      }
+    }
+SETTINGS
+
+  protected_settings = <<PROTECTED_SETTINGS
+  {
+    "properties": {
+      "registrationInfoToken": "${var.avd_extension.registrationInfoToken}"
+    }
+  }
+PROTECTED_SETTINGS
 }