For a school project, we are currently trying to set up an AMD SEV confidential VM utilizing Terraform with Azure. However, we cannot find any documentation on how to create a confidential VM within this environment. Presumably, we should be able to achieve this by setting the security type to Confidential in the Terraform code. However, it is defaulting to a <NULL> value. Our goal is to find the argument responsible for setting this value.
Part of our ‘main.tf’ file looks like this:
# Create virtual machine
resource "azurerm_linux_virtual_machine" "my_terraform_vm" {
  name                  = "ccAmdVM"
  location              = azurerm_resource_group.rg.location
  resource_group_name   = azurerm_resource_group.rg.name
  network_interface_ids = [azurerm_network_interface.my_terraform_nic.id]
  # Confidential (AMD SEV-SNP) VM size
  size                  = "Standard_DC2as_v5"

  # No security-related arguments are set here, so the request is sent
  # without a security profile (the '<NULL>' security type in the error below)
  os_disk {
    name                 = "myOsDisk"
    caching              = "ReadWrite"
    storage_account_type = "StandardSSD_LRS"
  }

  # Confidential-VM image SKU from the Azure Marketplace
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-confidential-vm-focal"
    sku       = "20_04-lts-cvm"
    version   = "latest"
  }
}
However, when we tried to apply this code with Terraform, we got the following error:
│ Error: creating Linux Virtual Machine: (Name "ccAmdVM" / Resource Group "rg-gorgeous-lynx"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The VM size 'Standard_DC2as_v5' is not supported for creation of VMs and Virtual Machine Scale Set with '<NULL>' security type."
│
│ with azurerm_linux_virtual_machine.my_terraform_vm,
│ on main.tf line 111, in resource "azurerm_linux_virtual_machine" "my_terraform_vm":
│ 111: resource "azurerm_linux_virtual_machine" "my_terraform_vm" {
│
A few sources suggested using the security_encryption_type argument with the value VMGuestStateOnly inside the os_disk block, but this generated the following error:
╷
│ Error: Unsupported argument
│
│ on main.tf line 122, in resource "azurerm_linux_virtual_machine" "my_terraform_vm":
│ 122: security_encryption_type = "VMGuestStateOnly"
│
│ An argument named "security_encryption_type" is not expected here.
We tried to create a confidential VM using the Azure GUI, which was successful. Here it was possible to set security type to Standard, Trusted Launch Virtual Machines or Confidential Virtual Machines, of which the latter value was used. After successfully creating the VM we could see that it was set to Confidential in the Azure portal overview tab.
One would think the expected solution is fairly simple, e.g. by using the argument security_type with a value such as confidential. However, since confidential computing is a relatively new concept, there appears to be no answer or documentation on this anywhere.