Enable Azure Monitor for existing Virtual machines using terraform - terraform

I am trying to enable azure monitor feature for existing virtual machines which checks for health and performance of the VM using terraform but I am not able to find the right documentation for the same. Can you help me for the same because I want detailed monitoring for azure?


For enabling VMinsights on Existing Vm’s you need to have the data source for the VM and then deploy Storage account,log analytics workspace ,log analytics solution,log analytics agent for OS of the VM and a depending agent for the OS of the VM.
provider "azurerm" {
features {}
}
data "azurerm_virtual_machine" "example" {
name = "test1"
resource_group_name = "testgroup"# where your VM resides in your subscription
}
output "virtual_machine_id" {
value = data.azurerm_virtual_machine.example.id
}
resource "azurerm_storage_account" "main" {
name = "vminsightstest1234"
resource_group_name = data.azurerm_virtual_machine.example.resource_group_name # where your VM resides in your subscription
location = data.azurerm_virtual_machine.example.location # which region your VM resides
account_tier = "Standard"
account_replication_type = "GRS"
}
resource "azurerm_log_analytics_workspace" "LAW" {
name = "vminsights-logAnalytics"
location = data.azurerm_virtual_machine.example.location #which region your VM resides
resource_group_name = data.azurerm_virtual_machine.example.resource_group_name # where your VM resides in your subscription
sku = "PerGB2018"
retention_in_days = 30
}
resource "azurerm_log_analytics_solution" "example" {
solution_name = "ContainerInsights"
location = data.azurerm_virtual_machine.example.location # which region your VM resides
resource_group_name = data.azurerm_virtual_machine.example.resource_group_name # where your VM resides in your subscription
workspace_resource_id = azurerm_log_analytics_workspace.LAW.id
workspace_name = azurerm_log_analytics_workspace.LAW.name
plan {
publisher = "Microsoft"
product = "OMSGallery/ContainerInsights"
}
}
# Agent for Linux
resource "azurerm_virtual_machine_extension" "OMS" {
name = "test-OMSExtension"
virtual_machine_id = data.azurerm_virtual_machine.example.id
publisher = "Microsoft.EnterpriseCloud.Monitoring"
type = "OmsAgentForLinux"
type_handler_version = "1.13"
auto_upgrade_minor_version = true
settings = <<SETTINGS
{
"workspaceId" : "${azurerm_log_analytics_workspace.LAW.workspace_id}"
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey" : "${azurerm_log_analytics_workspace.LAW.primary_shared_key}"
}
PROTECTED_SETTINGS
}
# Dependency Agent for Linux
resource "azurerm_virtual_machine_extension" "da" {
name = "DAExtension"
virtual_machine_id = data.azurerm_virtual_machine.example.id
publisher = "Microsoft.Azure.Monitoring.DependencyAgent"
type = "DependencyAgentLinux"
type_handler_version = "9.5"
auto_upgrade_minor_version = true
}
#Agent for Windows
resource "azurerm_virtual_machine_extension" "MMA" {
name = "test-MMAextension"
virtual_machine_id = data.azurerm_virtual_machine.example.id
publisher = "Microsoft.EnterpriseCloud.Monitoring"
type = "MicrosoftMonitoringAgent"
type_handler_version = "1.0"
auto_upgrade_minor_version = true
settings = <<SETTINGS
{
"workspaceId" : "${azurerm_log_analytics_workspace.LAW.workspace_id}"
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey" : "${azurerm_log_analytics_workspace.LAW.primary_shared_key}"
}
PROTECTED_SETTINGS
}
# Dependency Agent for Windows
resource "azurerm_virtual_machine_extension" "da" {
name = "DAExtension"
virtual_machine_id = data.azurerm_virtual_machine.example.id
publisher = "Microsoft.Azure.Monitoring.DependencyAgent"
type = "DependencyAgentWindows"
type_handler_version = "9.5"
auto_upgrade_minor_version = true
}
Note: Add Monitoring Agent and dependency agent as per your OS requirement.
The above code I have tested in my lab for a Windows VM that I had created.

Related

Provisioning Azure Data Factory with Managed private endpoints using Terraform?

I am developing a Terraform Script to provision the Azure Data Factory that reads the data from the storage account and updates the Azure SQL Server. It works.
I have created the Private Endpoints for both the Storage account and Azure SQL Server
Storage Account Private Endpoint
SQL Server Private Endpoint
Now, I want to update the Azure Data factory to use these private endpoints. I do understand that I need to setup the IR & managed private endpoints in the Azure Data Factory.
How do I achieve this using Terraform? Below is my script so far
# Create a Data Factory
resource "azurerm_data_factory" "terraform-demo-factory" {
name = "tf-demo-factory"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
github_configuration {
account_name = "kavija"
branch_name = "main"
git_url = "https://github.com/kavija/azure-data-factory-etl-demo"
repository_name = "azure-data-factory-etl-demo"
root_folder = "/"
}
tags = {
creator = "Terraform"
project = "terraform-demo"
}
identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.uai_adf.id]
}
}
# Assign role to ADF Service Principal
resource "azurerm_role_assignment" "uai_adf_storage_access_reader" {
scope = module.storage_account.storage_account_id
role_definition_name = "Storage Account Reader"
principal_id = azurerm_user_assigned_identity.uai_adf.principal_id
}
resource "azurerm_role_assignment" "uai_adf_storage_access_blob_contributor" {
scope = module.storage_account.storage_account_id
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_user_assigned_identity.uai_adf.principal_id
}
Also, Is there a way to create a Private Endpoint for Azure Data Factory itself? so that it will be with in my VNET.

I was able to setup using the below terraform code
resource "azurerm_virtual_machine" "selfhostvm" {
name = "${var.prefix}-VM"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
network_interface_ids = [azurerm_network_interface.example.id]
vm_size = "Standard_B1s"
storage_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}
storage_os_disk {
name = "myosdisk1"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
}
os_profile {
computer_name = "${var.prefix}-VM"
admin_username = "testadmin"
admin_password = "Password1234!"
}
os_profile_windows_config {
timezone = "Pacific Standard Time"
provision_vm_agent = true
}
}
resource "azurerm_data_factory_integration_runtime_self_hosted" "host" {
name = "${var.prefix}IntegrationRuntimeHOST"
data_factory_id = azurerm_data_factory.host.id
}
resource "azurerm_virtual_machine_extension" "test" {
name = "${var.prefix}-EXT"
virtual_machine_id = azurerm_virtual_machine.selfhostvm.id
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
type_handler_version = "1.10"
settings = jsonencode({
"fileUris" = ["https://raw.githubusercontent.com/kvija85/install-df-agent/main/gatewayInstall.ps1"],
"commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File gatewayInstall.ps1 ${azurerm_data_factory_integration_runtime_self_hosted.host.primary_authorization_key} && timeout /t 120"
})
}

Terraform issue setting up VM logging 'Microsoft.EnterpriseCloud.Monitoring' and type 'MicrosoftMonitoringAgent'

I'm trying to provision a windows VM with logging with Terraform, But I had several different errors trying to add the required components. The current error is
No version found in the artifact repository that satisfies the requested version '1.0' for VM extension with publisher 'Microsoft.EnterpriseCloud.Monitoring' and type 'MicrosoftMonitoringAgent'
resource "azurerm_log_analytics_workspace" "law" {
name = "${local.vm_name}-law"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku = "PerGB2018"
retention_in_days = "30"
internet_ingestion_enabled= true
internet_query_enabled = false
tags = local.common_tags
}
resource "azurerm_log_analytics_solution" "vminsights" {
solution_name = "VMInsights"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
workspace_resource_id = azurerm_log_analytics_workspace.law.id
workspace_name = azurerm_log_analytics_workspace.law.name
tags = local.common_tags
plan {
publisher = "Microsoft"
product = "OMSGallery/VMInsights"
}
}
resource "azurerm_virtual_machine_extension" "omsext" {
name = "OMSExtension"
virtual_machine_id = azurerm_virtual_machine.iis-vm.id
publisher = "Microsoft.EnterpriseCloud.Monitoring"
type = "MicrosoftMonitoringAgent"
type_handler_version = "1.0"
auto_upgrade_minor_version = true
settings = <<SETTINGS
{
"workspaceId": "${azurerm_log_analytics_workspace.law.workspace_id}"
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey": "${azurerm_log_analytics_workspace.law.primary_shared_key}"
}
PROTECTED_SETTINGS
tags = local.common_tags
}
resource "azurerm_virtual_machine_extension" "DAAgent" {
name = "${local.vm_name}-daa"
virtual_machine_id = azurerm_virtual_machine.iis-vm.id
publisher = "Microsoft.Azure.Monitoring.DependencyAgent"
type = "DependencyAgentWindows"
type_handler_version = "9.10"
auto_upgrade_minor_version = true
tags = local.common_tags
}
variable "iis_vm_image" {
type = map(string)
description = "Virtual machine source image information"
default = {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2022-datacenter-azure-edition"
version = "latest"
}
}
I have tried the 1.0.x.x version, but then get an invalid version message

I see that you put type_handler_version = "1.0" however the extension type MicrosoftMonitoringAgent has version format 1.0.X.X
The Publisher, Type of Virtual Machine Extensions and version of the extension to use can be found using the Azure CLI, via:
az vm extension image list --location mylocation -o table
Here is an output of the above command:

Terraform enable VM Insights

Did someone managed to enable via terraforms Insights for a VM?
i'm able to create a VM, enable logging, but not enable insights..
i've seen this question: but don't find a clear answer..
How to enable azure vm application insights monitoring agent using terraform
Here is my full terraform script that i'm using for tests, i'm running it directly on the cloud shell from azure.
# Configure the Azure provider
provider "azurerm" {
# The "feature" block is required for AzureRM provider 2.x.
features {}
}
variable "prefix" {
default = "tfvmex"
}
resource "azurerm_resource_group" "main" {
name = "${var.prefix}-resources"
location = "West Europe"
}
resource "azurerm_virtual_network" "main" {
name = "${var.prefix}-network"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
}
resource "azurerm_subnet" "internal" {
name = "internal"
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = azurerm_virtual_network.main.name
address_prefixes = ["10.0.2.0/24"]
}
resource "azurerm_network_interface" "main" {
name = "${var.prefix}-nic"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
ip_configuration {
name = "testconfiguration1"
subnet_id = azurerm_subnet.internal.id
private_ip_address_allocation = "Dynamic"
}
}
resource "azurerm_virtual_machine" "main" {
name = "${var.prefix}-vm"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
network_interface_ids = [azurerm_network_interface.main.id]
vm_size = "Standard_DS1_v2"
# Uncomment this line to delete the OS disk automatically when deleting the VM
# delete_os_disk_on_termination = true
# Uncomment this line to delete the data disks automatically when deleting the VM
# delete_data_disks_on_termination = true
storage_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "16.04-LTS"
version = "latest"
}
storage_os_disk {
name = "myosdisk1"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
}
os_profile {
computer_name = "hostname"
admin_username = "testadmin"
admin_password = "Password1234!"
}
os_profile_linux_config {
disable_password_authentication = false
}
tags = {
environment = "staging"
}
}
resource "azurerm_storage_account" "main" {
name = "omstesttest22"
resource_group_name = azurerm_resource_group.main.name
location = "westus"
account_tier = "Standard"
account_replication_type = "GRS"
tags = {
environment = "staging"
}
}
resource "azurerm_log_analytics_workspace" "law02" {
name = "${var.prefix}-logAnalytics"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
sku = "PerGB2018"
retention_in_days = 30
}
resource "azurerm_log_analytics_solution" "example" {
solution_name = "ContainerInsights"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
workspace_resource_id = azurerm_log_analytics_workspace.law02.id
workspace_name = azurerm_log_analytics_workspace.law02.name
plan {
publisher = "Microsoft"
product = "OMSGallery/ContainerInsights"
}
}
#===================================================================
# Set Monitoring and Log Analytics Workspace
#===================================================================
resource "azurerm_virtual_machine_extension" "oms_mma02" {
name = "test-OMSExtension"
virtual_machine_id = azurerm_virtual_machine.main.id
publisher = "Microsoft.EnterpriseCloud.Monitoring"
type = "OmsAgentForLinux"
type_handler_version = "1.12"
auto_upgrade_minor_version = true
settings = <<SETTINGS
{
"workspaceId" : "${azurerm_log_analytics_workspace.law02.workspace_id}"
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey" : "${azurerm_log_analytics_workspace.law02.primary_shared_key}"
}
PROTECTED_SETTINGS
}
Hope it was clear.
Thanks!

From the document, VM insights require the following two agents to be installed on each virtual machine to be monitored.
Log Analytics agent. Collects events and performance data from the virtual machine or virtual machine scale set and delivers it to the Log Analytics workspace. Deployment methods for the Log Analytics agent on Azure resources use the VM extension for Windows and Linux.
Dependency agent. Collects discovered data about processes running on the virtual machine and external process dependencies, which are used by the Map feature in VM insights. The Dependency agent relies on the Log Analytics agent to deliver its data to Azure Monitor. Deployment methods for the Dependency agent on Azure resources use the VM extension for Windows and Linux.
After my validation, you can add the DependencyAgent extension to your existing code.
resource "azurerm_virtual_machine_extension" "da" {
name = "DAExtension"
virtual_machine_id = azurerm_virtual_machine.main.id
publisher = "Microsoft.Azure.Monitoring.DependencyAgent"
type = "DependencyAgentLinux"
type_handler_version = "9.5"
auto_upgrade_minor_version = true
}
For more information, read Configure Log Analytics workspace for VM insights and Enable VM insights guest health (preview)

please use the product "OMSGallery/VMInsights" (instead of "OMSGallery/ContainerInsights")
resource "azurerm_log_analytics_solution" "..." {
solution_name = "..."
location = ...
resource_group_name = ...
workspace_resource_id = ...
workspace_name = ...
plan {
publisher = "Microsoft"
product = "OMSGallery/VMInsights"
}
}

To deploy it using Terraform:
Deploy a log analytics workspace and a VMInsights solution associated with the workspace.
resource "azurerm_log_analytics_workspace" "law" {
name = "LogAnalyticsWorkspace"
location = "Your location"
resource_group_name = "Your resource group"
sku = "PerGB2018"
retention_in_days = "your retention in days"
internet_ingestion_enabled= true
internet_query_enabled = false
tags = "Your tags"
}
resource "azurerm_log_analytics_solution" "vminsights" {
solution_name = "VMInsights"
location = "Your location"
resource_group_name = "Your resource group"
workspace_resource_id = azurerm_log_analytics_workspace.law.id
workspace_name = azurerm_log_analytics_workspace.law.name
tags = "Your tags"
plan {
publisher = "Microsoft"
product = "OMSGallery/VMInsights"
}
}
Deploy VM with as usual with OMSAgent and DependencyAgentWindows extensions:
resource "azurerm_windows_virtual_machine" "vm" {
......
......
}
OMS for Windows:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/oms-windows
resource "azurerm_virtual_machine_extension" "omsext" {
name = "OMSExtension"
virtual_machine_id = azurerm_windows_virtual_machine.vm.id
publisher = "Microsoft.EnterpriseCloud.Monitoring"
type = "MicrosoftMonitoringAgent"
type_handler_version = "1.0"
auto_upgrade_minor_version = true
settings = <<SETTINGS
{
"workspaceId": "${azurerm_log_analytics_workspace.law.id}"
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey": "${azurerm_log_analytics_workspace.law.primary_shared_key}"
}
PROTECTED_SETTINGS
tags = "Your tags"
}
DA Agent for Windows:
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-dependency-windows
resource "azurerm_virtual_machine_extension" "DAAgent" {
name = "DAAgentExtension"
virtual_machine_id = azurerm_windows_virtual_machine.vm.id
publisher = "Microsoft.Azure.Monitoring.DependencyAgent"
type = "DependencyAgentWindows"
type_handler_version = "9.10"
auto_upgrade_minor_version = true
tags = "Your tags"
}

Microsoft have changed the settings needed in the MicrosoftMonitoringAgent extensions, and the terraform specified by #Bill no longer works as of June 2022. The Terraform that worked for me was:
# Import the subscription and resource groups
data "azurerm_subscription" "current" {
}
data "azurerm_resource_group" "rg" {
name = "rg-name"
provider = azurerm
}
resource "random_password" "windowsvm-password" {
length = 24
special = false
}
# Define the VM itself
resource "azurerm_windows_virtual_machine" "windowsvm-c" {
name = "mywindowsvm"
computer_name = "mywindowsvm"
resource_group_name = data.azurerm_resource_group.rg.name
location = data.azurerm_resource_group.rg.location
size = "Standard_B2s"
admin_username = "adminlogin"
admin_password = random_password.windowsvm-password.result
identity { type = "SystemAssigned" }
network_interface_ids = [
azurerm_network_interface.windowsvm-c-nic.id,
]
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2022-datacenter-azure-edition-core"
version = "latest"
}
patch_mode = "AutomaticByPlatform"
hotpatching_enabled = true
}
# Add logging and monitoring
resource "azurerm_log_analytics_workspace" "law" {
name = "vmloganalytics"
resource_group_name = data.azurerm_resource_group.rg-c.name
location = data.azurerm_resource_group.rg-c.location
sku = "PerGB2018"
retention_in_days = 365
internet_ingestion_enabled= true
internet_query_enabled = false
}
resource "azurerm_log_analytics_solution" "vminsights" {
solution_name = "vminsights"
resource_group_name = data.azurerm_resource_group.rg-c.name
location = data.azurerm_resource_group.rg-c.location
workspace_resource_id = azurerm_log_analytics_workspace.law.id
workspace_name = azurerm_log_analytics_workspace.law.name
plan {
publisher = "Microsoft"
product = "VMInsights"
}
}
# This extension is needed for other extensions
resource "azurerm_virtual_machine_extension" "daa-agent" {
name = "DependencyAgentWindows"
virtual_machine_id = azurerm_windows_virtual_machine.windowsvm-c.id
publisher = "Microsoft.Azure.Monitoring.DependencyAgent"
type = "DependencyAgentWindows"
type_handler_version = "9.10"
automatic_upgrade_enabled = true
auto_upgrade_minor_version = true
}
# Add logging and monitoring extensions
resource "azurerm_virtual_machine_extension" "monitor-agent" {
depends_on = [ azurerm_virtual_machine_extension.daa-agent ]
name = "AzureMonitorWindowsAgent"
virtual_machine_id = azurerm_windows_virtual_machine.windowsvm-c.id
publisher = "Microsoft.Azure.Monitor"
type = "AzureMonitorWindowsAgent"
type_handler_version = "1.5"
automatic_upgrade_enabled = true
auto_upgrade_minor_version = true
}
resource "azurerm_virtual_machine_extension" "msmonitor-agent" {
depends_on = [ azurerm_virtual_machine_extension.daa-agent ]
name = "MicrosoftMonitoringAgent" # Must be called this
virtual_machine_id = azurerm_windows_virtual_machine.windowsvm-c.id
publisher = "Microsoft.EnterpriseCloud.Monitoring"
type = "MicrosoftMonitoringAgent"
type_handler_version = "1.0"
# Not yet supported
# automatic_upgrade_enabled = true
# auto_upgrade_minor_version = true
settings = <<SETTINGS
{
"workspaceId": "${azurerm_log_analytics_workspace.law.id}",
"azureResourceId": "${azurerm_windows_virtual_machine.windowsvm-c.id}",
"stopOnMultipleConnections": "false"
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey": "${azurerm_log_analytics_workspace.law.primary_shared_key}"
}
PROTECTED_SETTINGS
}
Note the extended settings under "msmonitor-agent"

Here are few articles for this topic, maybe you can reference to:
Azure Monitor for application monitoring with Terraform
Azure Insights: Terraform; Log Analytics Workspaces; Custom scripts with Arc-enabled servers; Virtual WAN resources

Terraform connect to aks cluster without running az login

My goal is to create an Ubuntu VM which will connect to aks without running az login.
The main idea behind that is that I want to let other people connect to that aks cluster only and not be able to read\write any other resources on Azure. Currently, I've tried to achieve that by creating a new role and assign this role to the VM, but, no luck so far.
My question is - is it possible to run az aks get-credentials ... without running az login?
Terraform template:
# Create AKS Cluster
resource "azurerm_kubernetes_cluster" "akscluster" {
count = var.cluster_count
name = "${var.cluster_name}-${count.index}"
location = var.location
resource_group_name = azurerm_resource_group.aksrg.name
dns_prefix = var.dns
default_node_pool {
name = var.node_pool_name
node_count = var.node_count
vm_size = var.vm_size
type = "VirtualMachineScaleSets"
}
service_principal {
client_id = var.kubernetes_client_id
client_secret = var.kubernetes_client_secret
}
tags = {
Environment = var.tags
}
}
# Create virtual machine
resource "azurerm_virtual_machine" "myterraformvm" {
count = var.cluster_count
name = "aks-${count.index}"
location = var.location
resource_group_name = azurerm_resource_group.aksrg.name
network_interface_ids = [azurerm_network_interface.myterraformnic.id]
vm_size = "Standard_DS1_v2"
storage_os_disk {
name = "myOsDisk"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Premium_LRS"
}
storage_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "18.04-LTS"
version = "latest"
}
os_profile {
computer_name = "hostname"
admin_username = "var.admin"
admin_password = "var.pass"
}
os_profile_linux_config {
disable_password_authentication = false
# ssh_keys {
# path = "/home/azureuser/.ssh/authorized_keys"
# key_data = "ssh-rsa AAAAB3Nz{snip}hwhqT9h"
# }
}
identity {
type = "SystemAssigned"
}
boot_diagnostics {
enabled = "true"
storage_uri = azurerm_storage_account.mystorageaccount.primary_blob_endpoint
}
tags = {
environment = var.tags
}
}
resource "azurerm_virtual_machine_extension" "example" {
count = var.cluster_count
name = "hostname"
virtual_machine_id = azurerm_virtual_machine.myterraformvm[count.index].id
publisher = "Microsoft.Azure.Extensions"
type = "CustomScript"
type_handler_version = "2.0"
settings = <<SETTINGS
{
"commandToExecute": "curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash"
}
SETTINGS
tags = {
environment = var.tags
}
}

You can create a remote file using the remote-exec provisioner, passing the azurerm_kubernetes_cluster.aks.kube_config_raw resource. I made an example for you here: https://github.com/ams0/terraform-templates/tree/master/aks-vm.
It creates a vnet with 2 subnets, an AKS in one and an ubuntu VM in the other one, and creates a local /home/ubuntu/.kube/config in the VM. You just need to download kubectl and you're good to go.

Azure Terraform - Encrypt VM OS Disk

I am trying to encrypt the "storage_os_disk" on an Azure VM via Terraform.
I have set the managed disk type on the VM OS Disk, so it will be managed, since I know the disk must be managed to allow encryption.
I cannot seem to figure out how to encrypt the OS disk, in terraform
Here is my code i am trying:
resource "azurerm_network_interface" "nic" {
name = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
location = "${data.azurerm_resource_group.core-rg.location}"
resource_group_name = "${data.azurerm_resource_group.core-rg.name}"
depends_on = ["azurerm_virtual_machine.dns-vm"]
ip_configuration {
name = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
subnet_id ="${data.terraform_remote_state.network.sn1_id}"
private_ip_address_allocation = "static"
private_ip_address = "${cidrhost(data.terraform_remote_state.network.sn1_address_prefix, 6 )}"
}
}
resource "azurerm_virtual_machine" "admin-vm-encrpytest" {
name = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-encrpytest"
location = "${data.azurerm_resource_group.core-rg.location}"
resource_group_name = "${data.azurerm_resource_group.core-rg.name}"
network_interface_ids = ["${azurerm_network_interface.nic.id}"]
vm_size = "Standard_B2s"
depends_on = ["azurerm_virtual_machine.dns-vm"]
# Requires LRS Storage Account
boot_diagnostics {
enabled = "True"
storage_uri = "${data.terraform_remote_state.sa.sa_2_prim_blob_ep}"
#storage_uri = "${data.azurerm_storage_account.storage-account-2.primary_blob_endpoint}"
}
storage_os_disk {
name = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
encryption_settings {
enabled = "True"
key_encryption_key {
key_url = "${data.terraform_remote_state.kv.vault_key_1_id}"
source_vault_id = "${data.terraform_remote_state.kv.vault_id}"
}
disk_encryption_key {
secret_url = "${data.terraform_remote_state.kv.vault_key_2_id}"
source_vault_id = "${data.terraform_remote_state.kv.vault_id}"
}
}
}
os_profile {
computer_name = "encrpytest"
admin_username = "cactusadmin"
admin_password = "${var.admin_vm_password}"
}
os_profile_windows_config {
provision_vm_agent = true
enable_automatic_upgrades = true
}
# Uncomment this line to delete the OS disk automatically when deleting the VM
delete_os_disk_on_termination = true
# Uncomment this line to delete the data disks automatically when deleting the VM
delete_data_disks_on_termination = true
storage_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}
}
Thank you

Firstly, the encryption_settings does not exist in the storage_os_disk block but azurerm_managed_disk. So you could create an individual azurerm_managed_disk resource then create VM from a managed disk with the platform image referring here.
Alternatively, you could try to use azurerm_virtual_machine_extension for disk-encryption, refer to this.
resource "azurerm_virtual_machine_extension" "disk-encryption" {
name = "DiskEncryption"
location = "${local.location}"
resource_group_name = "${azurerm_resource_group.environment-rg.name}"
virtual_machine_name = "${azurerm_virtual_machine.server.name}"
publisher = "Microsoft.Azure.Security"
type = "AzureDiskEncryption"
type_handler_version = "2.2"
settings = <<SETTINGS
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "https://${local.vaultname}.vault.azure.net",
"KeyVaultResourceId": "/subscriptions/${local.subscriptionid}/resourceGroups/${local.vaultresourcegroup}/providers/Microsoft.KeyVault/vaults/${local.vaultname}",
"KeyEncryptionKeyURL": "https://${local.vaultname}.vault.azure.net/keys/${local.keyname}/${local.keyversion}",
"KekVaultResourceId": "/subscriptions/${local.subscriptionid}/resourceGroups/${local.vaultresourcegroup}/providers/Microsoft.KeyVault/vaults/${local.vaultname}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
SETTINGS
}

I used the vm extension example, and it worked perfectly. The OS disk on my newly deployed Windows VM, was instantly encrypted

Resources