Enable encryption at host for vms

core/terraform/resource_processor/vmss_porter/main.tf

@@ -79,7 +79,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" {
   disable_password_authentication = false
   admin_password                  = random_password.password.result
   custom_data                     = data.template_cloudinit_config.config.rendered
-  encryption_at_host_enabled      = false
+  encryption_at_host_enabled      = true
   upgrade_mode                    = "Automatic"
   tags                            = local.tre_core_tags
 

core/terraform/servicebus.tf

@@ -32,8 +32,9 @@ resource "azurerm_servicebus_namespace" "sb" {
   dynamic "customer_managed_key" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
-      key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id
-      identity_id      = azurerm_user_assigned_identity.encryption[0].id
+      key_vault_key_id                  = azurerm_key_vault_key.tre_encryption[0].id
+      identity_id                       = azurerm_user_assigned_identity.encryption[0].id
+      infrastructure_encryption_enabled = true
     }
   }
 

core/version.txt

@@ -1 +1 @@
-__version__ = "0.11.17"
+__version__ = "0.11.18"

resource_processor/_version.py

@@ -1 +1 @@
-__version__ = "0.11.0"
+__version__ = "0.11.1"

templates/shared_services/admin-vm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-admin-vm
-version: 0.5.1
+version: 0.5.2
 description: "An admin vm shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/admin-vm/terraform/admin-jumpbox.tf

@@ -36,6 +36,7 @@ resource "azurerm_windows_virtual_machine" "jumpbox" {
   admin_username             = "adminuser"
   admin_password             = random_password.password.result
   tags                       = local.tre_shared_service_tags
+  encryption_at_host_enabled = true
 
   source_image_reference {
     publisher = "MicrosoftWindowsDesktop"

templates/shared_services/sonatype-nexus-vm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-sonatype-nexus
-version: 3.3.1
+version: 3.3.2
 description: "A Sonatype Nexus shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/shared_services/sonatype-nexus-vm/terraform/vm.tf

@@ -103,6 +103,7 @@ resource "azurerm_linux_virtual_machine" "nexus" {
   admin_username                  = "adminuser"
   admin_password                  = random_password.nexus_vm_password.result
   tags                            = local.tre_shared_service_tags
+  encryption_at_host_enabled      = true
 
   custom_data = data.template_cloudinit_config.nexus_config.rendered
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-export-reviewvm
-version: 0.2.1
+version: 0.2.2
 description: "An Azure TRE User Resource Template for reviewing Airlock export requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf

@@ -124,6 +124,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  encryption_at_host_enabled = true
 
   custom_data = base64encode(data.template_file.download_review_data_script.rendered)
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-import-reviewvm
-version: 0.3.1
+version: 0.3.2
 description: "An Azure TRE User Resource Template for reviewing Airlock import requests"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf

@@ -45,6 +45,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  encryption_at_host_enabled = true
 
   custom_data = base64encode(data.template_file.download_review_data_script.rendered)
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-service-guacamole-linuxvm
-version: 1.2.3
+version: 1.2.4
 description: "An Azure TRE User Resource Template for Guacamole (Linux)"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf

@@ -44,6 +44,7 @@ resource "azurerm_linux_virtual_machine" "linuxvm" {
   disable_password_authentication = false
   admin_username                  = random_string.username.result
   admin_password                  = random_password.password.result
+  encryption_at_host_enabled      = true
 
   custom_data = data.template_cloudinit_config.config.rendered
 

templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf

@@ -45,6 +45,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" {
   allow_extension_operations = true
   admin_username             = random_string.username.result
   admin_password             = random_password.password.result
+  encryption_at_host_enabled = true
 
   custom_data = base64encode(templatefile(
     "${path.module}/vm_config.ps1", {