Enable encryption at host for vms

CHANGELOG.md

@@ -36,6 +36,7 @@ ENHANCEMENTS:
 * Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
 * Allow enablement of Secure Boot and vTPM for Guacamole VMs ([#4235](https://github.com/microsoft/AzureTRE/issues/4235))
 * Surface the server-layout parameter of Guacamole [server-layout](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#session-settings) ([#4234](https://github.com/microsoft/AzureTRE/issues/4234))
+* Add encryption at host for VMs ([#4263](https://github.com/microsoft/AzureTRE/pull/4263))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))

core/terraform/resource_processor/vmss_porter/main.tf

@@ -79,7 +79,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" {
   disable_password_authentication = false
   admin_password                  = random_password.password.result
   custom_data                     = data.template_cloudinit_config.config.rendered
-  encryption_at_host_enabled      = false
+  encryption_at_host_enabled      = true
   upgrade_mode                    = "Automatic"
   tags                            = local.tre_core_tags
   secure_boot_enabled             = true

core/terraform/servicebus.tf

@@ -32,8 +32,9 @@ resource "azurerm_servicebus_namespace" "sb" {
   dynamic "customer_managed_key" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
-      key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id
-      identity_id      = azurerm_user_assigned_identity.encryption[0].id
+      key_vault_key_id                  = azurerm_key_vault_key.tre_encryption[0].id
+      identity_id                       = azurerm_user_assigned_identity.encryption[0].id
+      infrastructure_encryption_enabled = true
     }
   }
 

core/version.txt

@@ -1 +1 @@
-__version__ = "0.11.18"
+__version__ = "0.11.19"

resource_processor/_version.py

@@ -1 +1 @@
-__version__ = "0.11.0"
+__version__ = "0.11.1"

templates/shared_services/admin-vm/terraform/admin-jumpbox.tf

@@ -36,6 +36,7 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
   admin_username             = "adminuser"
   admin_password             = random_password.password.result
   tags                       = local.tre_shared_service_tags
+  encryption_at_host_enabled = true
   secure_boot_enabled        = true
   vtpm_enabled               = true
 

templates/shared_services/sonatype-nexus-vm/terraform/vm.tf

@@ -103,6 +103,7 @@ resource "azurerm_linux_virtual_machine" "nexus" {
   admin_username                  = "adminuser"
   admin_password                  = random_password.nexus_vm_password.result
   tags                            = local.tre_shared_service_tags
+  encryption_at_host_enabled      = true
   secure_boot_enabled             = true
   vtpm_enabled                    = true
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf

@@ -124,6 +124,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  encryption_at_host_enabled = true
   secure_boot_enabled        = local.secure_boot_enabled
   vtpm_enabled               = local.vtpm_enabled
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf

@@ -45,6 +45,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  encryption_at_host_enabled = true
   secure_boot_enabled        = local.secure_boot_enabled
   vtpm_enabled               = local.vtpm_enabled
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf

@@ -44,6 +44,7 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
   disable_password_authentication = false
   admin_username                  = random_string.username.result
   admin_password                  = random_password.password.result
+  encryption_at_host_enabled      = true
   secure_boot_enabled             = local.secure_boot_enabled
   vtpm_enabled                    = local.vtpm_enabled
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf

@@ -45,6 +45,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  encryption_at_host_enabled = true
   secure_boot_enabled        = local.secure_boot_enabled
   vtpm_enabled               = local.vtpm_enabled