Skip to content

azurermLinuxVirtualMachineScaleSet

Manages a Linux Virtual Machine Scale Set.

Disclaimers

-> NOTE: As of the v2.86.0 (November 19, 2021) release of the provider this resource will only create Virtual Machine Scale Sets with the Uniform Orchestration Mode.

-> NOTE: All arguments including the administrator login and password will be stored in the raw state as plain-text. Read more about sensitive data in state.

-> NOTE: Terraform will automatically update & reimage the nodes in the Scale Set (if Required) during an Update - this behaviour can be configured using the features setting within the Provider block.

Example Usage

This example provisions a basic Linux Virtual Machine Scale Set on an internal network. Additional examples of how to use the azurermLinuxVirtualMachineScaleSet resource can be found in the ./examples/vm-scale-set/linux` directory within the GitHub Repository.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
const firstPublicKey =
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+wWK73dCr+jgQOAxNsHAnNNNMEMWOHYEccp6wJm2gotpr9katuF/ZAdou5AaW1C61slRkHRkpRRX9FA9CYBiitZgvCCz+3nWNN7l/Up54Zps/pHWGZLHNJZRYyAB6j5yVLMVHIHriY49d/GZTZVNB8GoJv9Gakwc/fuEZYYl4YDFiGMBP///TzlI4jhiJzjKnEvqPFki5p2ZRJqcbCiF4pJrxUQR/RXqVFQdbRLZgYfJ8xGB878RENq3yQ39d8dVOkq4edbkzwcUmwwwkYVPIoDGsYLaRHnG+To7FvMeyO7xDVQkMKzopTQV8AuKpyvpqu0a9pWOMaiCyDytO7GGN you@me.com";
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_2",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "example-network",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermSubnetInternal = new azurerm.subnet.Subnet(this, "internal", {
  address_prefixes: ["10.0.2.0/24"],
  name: "internal",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
const azurermLinuxVirtualMachineScaleSetExample =
  new azurerm.linuxVirtualMachineScaleSet.LinuxVirtualMachineScaleSet(
    this,
    "example_4",
    {
      admin_ssh_key: [
        {
          public_key: firstPublicKey,
          username: "adminuser",
        },
      ],
      admin_username: "adminuser",
      instances: 1,
      location: azurermResourceGroupExample.location,
      name: "example-vmss",
      network_interface: [
        {
          ip_configuration: [
            {
              name: "internal",
              primary: true,
              subnet_id: azurermSubnetInternal.id,
            },
          ],
          name: "example",
          primary: true,
        },
      ],
      os_disk: [
        {
          caching: "ReadWrite",
          storage_account_type: "Standard_LRS",
        },
      ],
      resource_group_name: azurermResourceGroupExample.name,
      sku: "Standard_F2",
      source_image_reference: [
        {
          offer: "UbuntuServer",
          publisher: "Canonical",
          sku: "16.04-LTS",
          version: "latest",
        },
      ],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLinuxVirtualMachineScaleSetExample.overrideLogicalId("example");

Argument Reference

  • name - (Required) The name of the Linux Virtual Machine Scale Set. Changing this forces a new resource to be created.

  • location - (Required) The Azure location where the Linux Virtual Machine Scale Set should exist. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the Resource Group in which the Linux Virtual Machine Scale Set should be exist. Changing this forces a new resource to be created.

  • adminUsername - (Required) The username of the local administrator on each Virtual Machine Scale Set instance. Changing this forces a new resource to be created.

  • instances - (Optional) The number of Virtual Machines in the Scale Set. Defaults to 0.

-> NOTE: If you are using AutoScaling, you may wish to use Terraform's ignoreChanges functionality to ignore changes to this field.

  • sku - (Required) The Virtual Machine SKU for the Scale Set, such as standardF2.

  • networkInterface - (Required) One or more networkInterface blocks as defined below.

  • osDisk - (Required) An osDisk block as defined below.

  • additionalCapabilities - (Optional) An additionalCapabilities block as defined below.

  • adminPassword - (Optional) The Password which should be used for the local-administrator on this Virtual Machine. Changing this forces a new resource to be created.

-> NOTE: When an adminPassword is specified disablePasswordAuthentication must be set to false.

-> NOTE: One of either adminPassword or adminSshKey must be specified.

  • adminSshKey - (Optional) One or more adminSshKey blocks as defined below.

-> NOTE: One of either adminPassword or adminSshKey must be specified.

  • automaticOsUpgradePolicy - (Optional) An automaticOsUpgradePolicy block as defined below. This can only be specified when upgradeMode is set to either automatic or rolling.

  • automaticInstanceRepair - (Optional) An automaticInstanceRepair block as defined below. To enable the automatic instance repair, this Virtual Machine Scale Set must have a valid healthProbeId or an Application Health Extension.

-> NOTE: For more information about Automatic Instance Repair, please refer to this doc.

  • bootDiagnostics - (Optional) A bootDiagnostics block as defined below.

  • capacityReservationGroupId - (Optional) Specifies the ID of the Capacity Reservation Group which the Virtual Machine Scale Set should be allocated to. Changing this forces a new resource to be created.

-> NOTE: capacityReservationGroupId cannot be used with proximityPlacementGroupId

\~> NOTE: singlePlacementGroup must be set to false when capacityReservationGroupId is specified.

  • computerNamePrefix - (Optional) The prefix which should be used for the name of the Virtual Machines in this Scale Set. If unspecified this defaults to the value for the name field. If the value of the name field is not a valid computerNamePrefix, then you must specify computerNamePrefix. Changing this forces a new resource to be created.

  • customData - (Optional) The Base64-Encoded Custom Data which should be used for this Virtual Machine Scale Set.

-> NOTE: When Custom Data has been configured, it's not possible to remove it without tainting the Virtual Machine Scale Set, due to a limitation of the Azure API.

  • dataDisk - (Optional) One or more dataDisk blocks as defined below.

  • disablePasswordAuthentication - (Optional) Should Password Authentication be disabled on this Virtual Machine Scale Set? Defaults to true.

-> In general we'd recommend using SSH Keys for authentication rather than Passwords - but there's tradeoff's to each - please see this thread for more information.

-> NOTE: When a adminPassword is specified disablePasswordAuthentication must be set to false.

  • doNotRunExtensionsOnOverprovisionedMachines - (Optional) Should Virtual Machine Extensions be run on Overprovisioned Virtual Machines in the Scale Set? Defaults to false.

  • edgeZone - (Optional) Specifies the Edge Zone within the Azure Region where this Linux Virtual Machine Scale Set should exist. Changing this forces a new Linux Virtual Machine Scale Set to be created.

  • encryptionAtHostEnabled - (Optional) Should all of the disks (including the temp disk) attached to this Virtual Machine be encrypted by enabling Encryption at Host?

  • extension - (Optional) One or more extension blocks as defined below

  • extensionOperationsEnabled - (Optional) Should extension operations be allowed on the Virtual Machine Scale Set? Possible values are true or false. Defaults to true. Changing this forces a new Linux Virtual Machine Scale Set to be created.

-> NOTE: extensionOperationsEnabled may only be set to false if there are no extensions defined in the extension field.

  • extensionsTimeBudget - (Optional) Specifies the duration allocated for all extensions to start. The time duration should be between 15 minutes and 120 minutes (inclusive) and should be specified in ISO 8601 format. Defaults to 90 minutes (pt1H30M).

  • evictionPolicy - (Optional) Specifies the eviction policy for Virtual Machines in this Scale Set. Possible values are deallocate and delete. Changing this forces a new resource to be created.

-> NOTE: This can only be configured when priority is set to spot.

  • galleryApplication - (Optional) A galleryApplication block as defined below.

  • healthProbeId - (Optional) The ID of a Load Balancer Probe which should be used to determine the health of an instance. This is Required and can only be specified when upgradeMode is set to automatic or rolling.

  • hostGroupId - (Optional) Specifies the ID of the dedicated host group that the virtual machine scale set resides in. Changing this forces a new resource to be created.

  • identity - (Optional) An identity block as defined below.

  • maxBidPrice - (Optional) The maximum price you're willing to pay for each Virtual Machine in this Scale Set, in US Dollars; which must be greater than the current spot price. If this bid price falls below the current spot price the Virtual Machines in the Scale Set will be evicted using the evictionPolicy. Defaults to 1, which means that each Virtual Machine in this Scale Set should not be evicted for price reasons.

-> NOTE: This can only be configured when priority is set to spot.

  • overprovision - (Optional) Should Azure over-provision Virtual Machines in this Scale Set? This means that multiple Virtual Machines will be provisioned and Azure will keep the instances which become available first - which improves provisioning success rates and improves deployment time. You're not billed for these over-provisioned VM's and they don't count towards the Subscription Quota. Defaults to true.

  • plan - (Optional) A plan block as defined below. Changing this forces a new resource to be created.

-> NOTE: When using an image from Azure Marketplace a plan must be specified.

  • platformFaultDomainCount - (Optional) Specifies the number of fault domains that are used by this Linux Virtual Machine Scale Set. Changing this forces a new resource to be created.

  • priority - (Optional) The Priority of this Virtual Machine Scale Set. Possible values are regular and spot. Defaults to regular. Changing this value forces a new resource.

-> NOTE: When priority is set to spot an evictionPolicy must be specified.

  • provisionVmAgent - (Optional) Should the Azure VM Agent be provisioned on each Virtual Machine in the Scale Set? Defaults to true. Changing this value forces a new resource to be created.

  • proximityPlacementGroupId - (Optional) The ID of the Proximity Placement Group in which the Virtual Machine Scale Set should be assigned to. Changing this forces a new resource to be created.

  • rollingUpgradePolicy - (Optional) A rollingUpgradePolicy block as defined below. This is Required and can only be specified when upgradeMode is set to automatic or rolling. Changing this forces a new resource to be created.

  • scaleIn - (Optional) A scaleIn block as defined below.

  • secret - (Optional) One or more secret blocks as defined below.

  • secureBootEnabled - (Optional) Specifies whether secure boot should be enabled on the virtual machine. Changing this forces a new resource to be created.

  • singlePlacementGroup - (Optional) Should this Virtual Machine Scale Set be limited to a Single Placement Group, which means the number of instances will be capped at 100 Virtual Machines. Defaults to true.

  • sourceImageId - (Optional) The ID of an Image which each Virtual Machine in this Scale Set should be based on. Possible Image ID types include imageIds, sharedImageIds, sharedImageVersionIds, communityGalleryImageIds, communityGalleryImageVersionIds, sharedGalleryImageIds and sharedGalleryImageVersionIds.

-> NOTE: One of either sourceImageId or sourceImageReference must be set.

  • sourceImageReference - (Optional) A sourceImageReference block as defined below.

-> NOTE: One of either sourceImageId or sourceImageReference must be set.

  • spotRestore - (Optional) A spotRestore block as defined below.

  • tags - (Optional) A mapping of tags which should be assigned to this Virtual Machine Scale Set.

  • terminateNotification - (Optional) A terminateNotification block as defined below.

-> Note: This property has been deprecated in favour of the terminationNotification property and will be removed in version 4.0 of the provider.

  • terminationNotification - (Optional) A terminationNotification block as defined below.

  • upgradeMode - (Optional) Specifies how Upgrades (e.g. changing the Image/SKU) should be performed to Virtual Machine Instances. Possible values are automatic, manual and rolling. Defaults to manual. Changing this forces a new resource to be created.

  • userData - (Optional) The Base64-Encoded User Data which should be used for this Virtual Machine Scale Set.

  • vtpmEnabled - (Optional) Specifies whether vTPM should be enabled on the virtual machine. Changing this forces a new resource to be created.

  • zoneBalance - (Optional) Should the Virtual Machines in this Scale Set be strictly evenly distributed across Availability Zones? Defaults to false. Changing this forces a new resource to be created.

-> NOTE: This can only be set to true when one or more zones are configured.

  • zones - (Optional) Specifies a list of Availability Zones in which this Linux Virtual Machine Scale Set should be located. Changing this forces a new Linux Virtual Machine Scale Set to be created.

An additionalCapabilities block supports the following:

  • ultraSsdEnabled - (Optional) Should the capacity to enable Data Disks of the ultraSsdLrs storage account type be supported on this Virtual Machine Scale Set? Possible values are true or false. Defaults to false. Changing this forces a new resource to be created.

An adminSshKey block supports the following:

  • publicKey - (Required) The Public Key which should be used for authentication, which needs to be at least 2048-bit and in sshRsa format.

  • username - (Required) The Username for which this Public SSH Key should be configured.

-> NOTE: The Azure VM Agent only allows creating SSH Keys at the path /home/{username}/Ssh/authorizedKeys - as such this public key will be added/appended to the authorized keys file.

An automaticOsUpgradePolicy block supports the following:

  • disableAutomaticRollback - (Required) Should automatic rollbacks be disabled?

  • enableAutomaticOsUpgrade - (Required) Should OS Upgrades automatically be applied to Scale Set instances in a rolling fashion when a newer version of the OS Image becomes available?

An automaticInstanceRepair block supports the following:

  • enabled - (Required) Should the automatic instance repair be enabled on this Virtual Machine Scale Set?

  • gracePeriod - (Optional) Amount of time (in minutes, between 30 and 90, defaults to 30 minutes) for which automatic repairs will be delayed. The grace period starts right after the VM is found unhealthy. The time duration should be specified in ISO 8601 format. Defaults to pt30M.

A bootDiagnostics block supports the following:

  • storageAccountUri - (Optional) The Primary/Secondary Endpoint for the Azure Storage Account which should be used to store Boot Diagnostics, including Console Output and Screenshots from the Hypervisor.

-> NOTE: Passing a null value will utilize a Managed Storage Account to store Boot Diagnostics.

A certificate block supports the following:

  • url - (Required) The Secret URL of a Key Vault Certificate.

-> NOTE: This can be sourced from the secretId field within the azurermKeyVaultCertificate Resource.

-> NOTE: The certificate must have been uploaded/created in PFX format, PEM certificates are not currently supported by Azure.

A dataDisk block supports the following:

  • name - (Optional) The name of the Data Disk.

  • caching - (Required) The type of Caching which should be used for this Data Disk. Possible values are none, readOnly and readWrite.

  • createOption - (Optional) The create option which should be used for this Data Disk. Possible values are empty and fromImage. Defaults to empty. (fromImage should only be used if the source image includes data disks).

  • diskSizeGb - (Required) The size of the Data Disk which should be created.

  • lun - (Required) The Logical Unit Number of the Data Disk, which must be unique within the Virtual Machine.

  • storageAccountType - (Required) The Type of Storage Account which should back this Data Disk. Possible values include standardLrs, standardSsdLrs, standardSsdZrs, premiumLrs, premiumV2Lrs, premiumZrs and ultraSsdLrs.

-> NOTE: ultraSsdLrs is only supported when ultraSsdEnabled within the additionalCapabilities block is enabled.

  • diskEncryptionSetId - (Optional) The ID of the Disk Encryption Set which should be used to encrypt this Data Disk. Changing this forces a new resource to be created.

-> NOTE: The Disk Encryption Set must have the reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault

-> NOTE: Disk Encryption Sets are in Public Preview in a limited set of regions

  • ultraSsdDiskIopsReadWrite - (Optional) Specifies the Read-Write IOPS for this Data Disk. Only settable for UltraSSD disks.

  • ultraSsdDiskMbpsReadWrite - (Optional) Specifies the bandwidth in MB per second for this Data Disk. Only settable for UltraSSD disks.

  • writeAcceleratorEnabled - (Optional) Should Write Accelerator be enabled for this Data Disk? Defaults to false.

-> NOTE: This requires that the storageAccountType is set to premiumLrs and that caching is set to none.

A diffDiskSettings block supports the following:

  • option - (Required) Specifies the Ephemeral Disk Settings for the OS Disk. At this time the only possible value is local. Changing this forces a new resource to be created.

  • placement - (Optional) Specifies where to store the Ephemeral Disk. Possible values are cacheDisk and resourceDisk. Defaults to cacheDisk. Changing this forces a new resource to be created.

An extension block supports the following:

  • name - (Required) The name for the Virtual Machine Scale Set Extension.

  • publisher - (Required) Specifies the Publisher of the Extension.

  • type - (Required) Specifies the Type of the Extension.

  • typeHandlerVersion - (Required) Specifies the version of the extension to use, available versions can be found using the Azure CLI.

  • autoUpgradeMinorVersion - (Optional) Should the latest version of the Extension be used at Deployment Time, if one is available? This won't auto-update the extension on existing installation. Defaults to true.

  • automaticUpgradeEnabled - (Optional) Should the Extension be automatically updated whenever the Publisher releases a new version of this VM Extension?

  • forceUpdateTag - (Optional) A value which, when different to the previous value can be used to force-run the Extension even if the Extension Configuration hasn't changed.

  • protectedSettings - (Optional) A JSON String which specifies Sensitive Settings (such as Passwords) for the Extension.

-> NOTE: Keys within the protectedSettings block are notoriously case-sensitive, where the casing required (e.g. TitleCase vs snakeCase) depends on the Extension being used. Please refer to the documentation for the specific Virtual Machine Extension you're looking to use for more information.

-> NOTE: Rather than defining JSON inline you can use the jsonencode interpolation function to define this in a cleaner way.

  • protectedSettingsFromKeyVault - (Optional) A protectedSettingsFromKeyVault block as defined below.

\~> Note: protectedSettingsFromKeyVault cannot be used with protectedSettings

  • provisionAfterExtensions - (Optional) An ordered list of Extension names which this should be provisioned after.

  • settings - (Optional) A JSON String which specifies Settings for the Extension.

-> NOTE: Keys within the settings block are notoriously case-sensitive, where the casing required (e.g. TitleCase vs snakeCase) depends on the Extension being used. Please refer to the documentation for the specific Virtual Machine Extension you're looking to use for more information.

-> NOTE: Rather than defining JSON inline you can use the jsonencode interpolation function to define this in a cleaner way.

A galleryApplication block supports the following:

  • versionId - (Required) Specifies the Gallery Application Version resource ID. Changing this forces a new resource to be created.

  • configurationBlobUri - (Optional) Specifies the URI to an Azure Blob that will replace the default configuration for the package if provided. Changing this forces a new resource to be created.

  • order - (Optional) Specifies the order in which the packages have to be installed. Possible values are between 0 and 2,147,483,647. Changing this forces a new resource to be created.

  • tag - (Optional) Specifies a passthrough value for more generic context. This field can be any valid string value. Changing this forces a new resource to be created.

An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Linux Virtual Machine Scale Set. Possible values are systemAssigned, userAssigned, systemAssigned,UserAssigned (to enable both).

  • identityIds - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Linux Virtual Machine Scale Set.

-> NOTE: This is required when type is set to userAssigned or systemAssigned,UserAssigned.

An ipConfiguration block supports the following:

  • name - (Required) The Name which should be used for this IP Configuration.

  • applicationGatewayBackendAddressPoolIds - (Optional) A list of Backend Address Pools ID's from a Application Gateway which this Virtual Machine Scale Set should be connected to.

  • applicationSecurityGroupIds - (Optional) A list of Application Security Group ID's which this Virtual Machine Scale Set should be connected to.

  • loadBalancerBackendAddressPoolIds - (Optional) A list of Backend Address Pools ID's from a Load Balancer which this Virtual Machine Scale Set should be connected to.

-> NOTE: When the Virtual Machine Scale Set is configured to have public IPs per instance are created with a load balancer, the SKU of the Virtual Machine instance IPs is determined by the SKU of the Virtual Machine Scale Sets Load Balancer (e.g. basic or standard). Alternatively, you may use the publicIpPrefixId field to generate instance-level IPs in a virtual machine scale set as well. The zonal properties of the prefix will be passed to the Virtual Machine instance IPs, though they will not be shown in the output. To view the public IP addresses assigned to the Virtual Machine Scale Sets Virtual Machine instances use the az vmss list-instance-public-ips --resource-group resourceGroupName --name virtualMachineScaleSetName CLI command.

-> NOTE: When using this field you'll also need to configure a Rule for the Load Balancer, and use a dependsOn between this resource and the Load Balancer Rule.

  • loadBalancerInboundNatRulesIds - (Optional) A list of NAT Rule ID's from a Load Balancer which this Virtual Machine Scale Set should be connected to.

-> NOTE: When using this field you'll also need to configure a Rule for the Load Balancer, and use a dependsOn between this resource and the Load Balancer Rule.

  • primary - (Optional) Is this the Primary IP Configuration for this Network Interface? Defaults to false.

-> NOTE: One ipConfiguration block must be marked as Primary for each Network Interface.

  • publicIpAddress - (Optional) A publicIpAddress block as defined below.

  • subnetId - (Optional) The ID of the Subnet which this IP Configuration should be connected to.

-> subnetId is required if version is set to iPv4.

  • version - (Optional) The Internet Protocol Version which should be used for this IP Configuration. Possible values are iPv4 and iPv6. Defaults to iPv4.

An ipTag block supports the following:

  • tag - (Required) The IP Tag associated with the Public IP, such as sql or storage. Changing this forces a new resource to be created.

  • type - (Required) The Type of IP Tag, such as firstPartyUsage. Changing this forces a new resource to be created.

A networkInterface block supports the following:

  • name - (Required) The Name which should be used for this Network Interface. Changing this forces a new resource to be created.

  • ipConfiguration - (Required) One or more ipConfiguration blocks as defined above.

  • dnsServers - (Optional) A list of IP Addresses of DNS Servers which should be assigned to the Network Interface.

  • enableAcceleratedNetworking - (Optional) Does this Network Interface support Accelerated Networking? Defaults to false.

  • enableIpForwarding - (Optional) Does this Network Interface support IP Forwarding? Defaults to false.

  • networkSecurityGroupId - (Optional) The ID of a Network Security Group which should be assigned to this Network Interface.

  • primary - (Optional) Is this the Primary IP Configuration?

-> NOTE: If multiple networkInterface blocks are specified, one must be set to primary.

An osDisk block supports the following:

  • caching - (Required) The Type of Caching which should be used for the Internal OS Disk. Possible values are none, readOnly and readWrite.

  • storageAccountType - (Required) The Type of Storage Account which should back this the Internal OS Disk. Possible values include standardLrs, standardSsdLrs, standardSsdZrs, premiumLrs and premiumZrs. Changing this forces a new resource to be created.

  • diffDiskSettings - (Optional) A diffDiskSettings block as defined above. Changing this forces a new resource to be created.

  • diskEncryptionSetId - (Optional) The ID of the Disk Encryption Set which should be used to encrypt this OS Disk. Conflicts with secureVmDiskEncryptionSetId. Changing this forces a new resource to be created.

-> NOTE: The Disk Encryption Set must have the reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault

-> NOTE: Disk Encryption Sets are in Public Preview in a limited set of regions

  • diskSizeGb - (Optional) The Size of the Internal OS Disk in GB, if you wish to vary from the size used in the image this Virtual Machine Scale Set is sourced from.

-> NOTE: If specified this must be equal to or larger than the size of the Image the VM Scale Set is based on. When creating a larger disk than exists in the image you'll need to repartition the disk to use the remaining space.

  • secureVmDiskEncryptionSetId - (Optional) The ID of the Disk Encryption Set which should be used to Encrypt the OS Disk when the Virtual Machine Scale Set is Confidential VMSS. Conflicts with diskEncryptionSetId. Changing this forces a new resource to be created.

-> NOTE: secureVmDiskEncryptionSetId can only be specified when securityEncryptionType is set to diskWithVmGuestState.

  • securityEncryptionType - (Optional) Encryption Type when the Virtual Machine Scale Set is Confidential VMSS. Possible values are vmGuestStateOnly and diskWithVmGuestState. Changing this forces a new resource to be created.

-> NOTE: vtpmEnabled must be set to true when securityEncryptionType is specified.

-> NOTE: encryptionAtHostEnabled cannot be set to true when securityEncryptionType is set to diskWithVmGuestState.

  • writeAcceleratorEnabled - (Optional) Should Write Accelerator be Enabled for this OS Disk? Defaults to false.

-> NOTE: This requires that the storageAccountType is set to premiumLrs and that caching is set to none.

A plan block supports the following:

  • name - (Required) Specifies the name of the image from the marketplace. Changing this forces a new resource to be created.

  • publisher - (Required) Specifies the publisher of the image. Changing this forces a new resource to be created.

  • product - (Required) Specifies the product of the image from the marketplace. Changing this forces a new resource to be created.

A protectedSettingsFromKeyVault block supports the following:

  • secretUrl - (Required) The URL to the Key Vault Secret which stores the protected settings.

  • sourceVaultId - (Required) The ID of the source Key Vault.

A scaleIn block supports the following:

  • rule - (Optional) The scale-in policy rule that decides which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled in. Possible values for the scale-in policy rules are default, newestVm and oldestVm, defaults to default. For more information about scale in policy, please refer to this doc.

  • forceDeletionEnabled - (Optional) Should the virtual machines chosen for removal be force deleted when the virtual machine scale set is being scaled-in? Possible values are true or false. Defaults to false.

A publicIpAddress block supports the following:

  • name - (Required) The Name of the Public IP Address Configuration.

  • domainNameLabel - (Optional) The Prefix which should be used for the Domain Name Label for each Virtual Machine Instance. Azure concatenates the Domain Name Label and Virtual Machine Index to create a unique Domain Name Label for each Virtual Machine.

  • idleTimeoutInMinutes - (Optional) The Idle Timeout in Minutes for the Public IP Address. Possible values are in the range 4 to 32.

  • ipTag - (Optional) One or more ipTag blocks as defined above. Changing this forces a new resource to be created.

  • publicIpPrefixId - (Optional) The ID of the Public IP Address Prefix from where Public IP Addresses should be allocated. Changing this forces a new resource to be created.

-> NOTE: This functionality is in Preview and must be opted into via azFeatureRegisterNamespaceMicrosoftNetworkNameAllowBringYourOwnPublicIpAddress and then azProviderRegisterNMicrosoftNetwork.

  • version - (Optional) The Internet Protocol Version which should be used for this public IP address. Possible values are iPv4 and iPv6. Defaults to iPv4. Changing this forces a new resource to be created.

A rollingUpgradePolicy block supports the following:

  • crossZoneUpgradesEnabled - (Optional) Should the Virtual Machine Scale Set ignore the Azure Zone boundaries when constructing upgrade batches? Possible values are true or false.

  • maxBatchInstancePercent - (Required) The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability.

  • maxUnhealthyInstancePercent - (Required) The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch.

  • maxUnhealthyUpgradedInstancePercent - (Required) The maximum percentage of upgraded virtual machine instances that can be found to be in an unhealthy state. This check will happen after each batch is upgraded. If this percentage is ever exceeded, the rolling update aborts.

  • pauseTimeBetweenBatches - (Required) The wait time between completing the update for all virtual machines in one batch and starting the next batch. The time duration should be specified in ISO 8601 format.

  • prioritizeUnhealthyInstancesEnabled - (Optional) Upgrade all unhealthy instances in a scale set before any healthy instances. Possible values are true or false.

A secret block supports the following:

  • certificate - (Required) One or more certificate blocks as defined above.

  • keyVaultId - (Required) The ID of the Key Vault from which all Secrets should be sourced.

A terminateNotification block supports the following:

  • enabled - (Required) Should the terminate notification be enabled on this Virtual Machine Scale Set?

  • timeout - (Optional) Length of time (in minutes, between 5 and 15) a notification to be sent to the VM on the instance metadata server till the VM gets deleted. The time duration should be specified in ISO 8601 format. Defaults to pt5M.

-> NOTE: For more information about the terminate notification, please refer to this doc.

A terminationNotification block supports the following:

  • enabled - (Required) Should the termination notification be enabled on this Virtual Machine Scale Set?

  • timeout - (Optional) Length of time (in minutes, between 5 and 15) a notification to be sent to the VM on the instance metadata server till the VM gets deleted. The time duration should be specified in ISO 8601 format. Defaults to pt5M.

-> NOTE: For more information about the termination notification, please refer to this doc.

A sourceImageReference block supports the following:

  • publisher - (Required) Specifies the publisher of the image used to create the virtual machines. Changing this forces a new resource to be created.

  • offer - (Required) Specifies the offer of the image used to create the virtual machines. Changing this forces a new resource to be created.

  • sku - (Required) Specifies the SKU of the image used to create the virtual machines.

  • version - (Required) Specifies the version of the image used to create the virtual machines.

A spotRestore block supports the following:

  • enabled - (Optional) Should the Spot-Try-Restore feature be enabled? The Spot-Try-Restore feature will attempt to automatically restore the evicted Spot Virtual Machine Scale Set VM instances opportunistically based on capacity availability and pricing constraints. Possible values are true or false. Defaults to false. Changing this forces a new resource to be created.

  • timeout - (Optional) The length of time that the Virtual Machine Scale Set should attempt to restore the Spot VM instances which have been evicted. The time duration should be between 15 minutes and 120 minutes (inclusive). The time duration should be specified in the ISO 8601 format. Defaults to 90 minutes (e.g. pt1H30M). Changing this forces a new resource to be created.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the Linux Virtual Machine Scale Set.

  • identity - A identity block as defined below.

  • uniqueId - The Unique ID for this Linux Virtual Machine Scale Set.

A identity block exports the following:

  • principalId - The Principal ID associated with this Managed Service Identity.

  • tenantId - The Tenant ID associated with this Managed Service Identity.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Linux Virtual Machine Scale Set.
  • read - (Defaults to 5 minutes) Used when reading the Linux Virtual Machine Scale Set.
  • update - (Defaults to 60 minutes) Used when updating (and rolling the instances of) the Linux Virtual Machine Scale Set (e.g. when changing SKU).
  • delete - (Defaults to 60 minutes) Used when deleting the Linux Virtual Machine Scale Set.

Import

Linux Virtual Machine Scale Sets can be imported using the resourceId, e.g.

terraform import azurerm_linux_virtual_machine_scale_set.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Compute/virtualMachineScaleSets/scaleset1