From 7d55c1113e743188580363b7612618dd02e29792 Mon Sep 17 00:00:00 2001 From: Yuval Yaron Date: Wed, 8 Jan 2025 10:45:56 +0000 Subject: [PATCH] enable encryption at host for vms --- core/terraform/resource_processor/vmss_porter/main.tf | 2 +- core/terraform/servicebus.tf | 5 +++-- .../shared_services/admin-vm/terraform/admin-jumpbox.tf | 1 + templates/shared_services/sonatype-nexus-vm/terraform/vm.tf | 1 + .../guacamole-azure-export-reviewvm/terraform/windowsvm.tf | 1 + .../guacamole-azure-import-reviewvm/terraform/windowsvm.tf | 1 + .../guacamole-azure-linuxvm/terraform/linuxvm.tf | 1 + .../guacamole-azure-windowsvm/terraform/windowsvm.tf | 1 + 8 files changed, 10 insertions(+), 3 deletions(-) diff --git a/core/terraform/resource_processor/vmss_porter/main.tf b/core/terraform/resource_processor/vmss_porter/main.tf index 3adaae391b..5e6fb5a8f0 100644 --- a/core/terraform/resource_processor/vmss_porter/main.tf +++ b/core/terraform/resource_processor/vmss_porter/main.tf @@ -79,7 +79,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vm_linux" { disable_password_authentication = false admin_password = random_password.password.result custom_data = data.template_cloudinit_config.config.rendered - encryption_at_host_enabled = false + encryption_at_host_enabled = true upgrade_mode = "Automatic" tags = local.tre_core_tags diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf index faef9322d7..f686a8e08e 100644 --- a/core/terraform/servicebus.tf +++ b/core/terraform/servicebus.tf @@ -32,8 +32,9 @@ resource "azurerm_servicebus_namespace" "sb" { dynamic "customer_managed_key" { for_each = var.enable_cmk_encryption ? [1] : [] content { - key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id - identity_id = azurerm_user_assigned_identity.encryption[0].id + key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id + identity_id = azurerm_user_assigned_identity.encryption[0].id + infrastructure_encryption_enabled = true } } 
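Review bot: Flipping `encryption_at_host_enabled` to `true` on the `vm_linux` scale set makes the deployment depend on a subscription-level prerequisite that nothing in this hunk checks or documents: Azure rejects the request unless the `Microsoft.Compute/EncryptionAtHost` feature is registered for the subscription and the chosen VM size supports encryption at host. Since the core deployment is what bootstraps everything else, a failure here blocks the whole TRE rollout rather than one workspace. I would add a comment above the line, e.g. `# Requires the Microsoft.Compute/EncryptionAtHost feature to be registered on the subscription and an EAH-capable sku; see deployment docs.`, and ideally a pre-flight check in the deployment scripts. The `vm_linux` resource body starts and ends outside this hunk, so I cannot see whether the sku variable is constrained.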
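Review bot: `infrastructure_encryption_enabled = true` is placed inside the `dynamic "customer_managed_key"` block, so double encryption is only applied when `var.enable_cmk_encryption` is true; deployments that keep the default keys get no change from this commit, which the title "enable encryption at host for vms" does not make obvious. If that is intentional it deserves a one-line comment such as `# Double encryption is only available together with CMK; no-op when enable_cmk_encryption is false`. I also believe the provider treats changes to this block as requiring replacement of the namespace, which would recreate queues and subscriptions on an existing deployment — worth confirming against the provider docs before merging.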
diff --git a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf index e89ff05203..ca0d88b6ea 100644 --- a/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf +++ b/templates/shared_services/admin-vm/terraform/admin-jumpbox.tf @@ -36,6 +36,7 @@ resource "azurerm_windows_virtual_machine" "jumpbox" { admin_username = "adminuser" admin_password = random_password.password.result tags = local.tre_shared_service_tags + encryption_at_host_enabled = true source_image_reference { publisher = "MicrosoftWindowsDesktop" diff --git a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf index 7d3de07039..521d943f56 100644 --- a/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf +++ b/templates/shared_services/sonatype-nexus-vm/terraform/vm.tf @@ -103,6 +103,7 @@ resource "azurerm_linux_virtual_machine" "nexus" { admin_username = "adminuser" admin_password = random_password.nexus_vm_password.result tags = local.tre_shared_service_tags + encryption_at_host_enabled = true custom_data = data.template_cloudinit_config.nexus_config.rendered diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf index 318ff29761..a718a84a5b 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-export-reviewvm/terraform/windowsvm.tf 
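Review bot: Enabling `encryption_at_host_enabled` on an already-deployed jumpbox is not an in-place property change: the Azure API only accepts it on a deallocated VM, so the provider will stop, update and restart the VM during apply and the admin jumpbox will be unavailable for the duration. That operational impact should be stated in the commit message or the shared service's upgrade notes. As a style point, this file puts the new attribute after `tags` while the other templates in this patch put it with the other VM settings before `custom_data`; moving it up keeps the resource blocks consistent. The `jumpbox` resource continues beyond the hunk.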
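Review bot: The same deallocate/restart cycle applies to the `nexus` VM, and here it affects a shared service that every workspace relies on for package downloads, so the apply window should be planned for and documented. The diffstat shows no change to the template's `porter.yaml` alongside `vm.tf`; if this repository versions shared-service templates the way I expect, the template version needs bumping or existing deployments will not pick up the change — please confirm. A short comment such as `# Changing this on an existing VM forces a deallocate/restart` above the new line would save the next operator a surprise. The resource body continues past the hunk.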
@@ -124,6 +124,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { allow_extension_operations = true admin_username = random_string.username.result admin_password = random_password.password.result + encryption_at_host_enabled = true custom_data = base64encode(data.template_file.download_review_data_script.rendered) diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf index a4d250b7f4..003853fac8 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-import-reviewvm/terraform/windowsvm.tf @@ -45,6 +45,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { allow_extension_operations = true admin_username = random_string.username.result admin_password = random_password.password.result + encryption_at_host_enabled = true custom_data = base64encode(data.template_file.download_review_data_script.rendered) diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf index fb2b0b4ce8..ea1984dca1 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-linuxvm/terraform/linuxvm.tf @@ -44,6 +44,7 @@ resource "azurerm_linux_virtual_machine" "linuxvm" { disable_password_authentication = false admin_username = random_string.username.result admin_password = random_password.password.result + encryption_at_host_enabled = true custom_data = data.template_cloudinit_config.config.rendered 
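Review bot: For user-created review VMs the risk is not downtime but a hard provisioning failure: encryption at host is only available on certain VM sizes, and the size for this `windowsvm` resource is set outside the hunk, presumably from a user-selectable parameter. If a researcher picks a size without EAH support the deployment now fails with an Azure error instead of an unencrypted VM as before. I would document the constraint next to the new attribute, e.g. `# VM size must support encryption at host or creation fails`, and restrict the allowed size list accordingly if one exists. The resource block starts before and ends after this hunk.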
diff --git a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf index 336293814d..d00d47a1c0 100644 --- a/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf +++ b/templates/workspace_services/guacamole/user_resources/guacamole-azure-windowsvm/terraform/windowsvm.tf @@ -45,6 +45,7 @@ resource "azurerm_windows_virtual_machine" "windowsvm" { allow_extension_operations = true admin_username = random_string.username.result admin_password = random_password.password.result + encryption_at_host_enabled = true custom_data = base64encode(templatefile( "${path.module}/vm_config.ps1", {
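Review bot: As with the other user-resource templates, this `windowsvm` change silently introduces a VM-size and subscription-feature prerequisite that the template does not validate, and the diffstat shows no matching `porter.yaml` version bump for the template — if these templates are versioned that way, existing TREs will not receive the change until one is made. A comment on the new line, `# Requires an EAH-capable VM size and the Microsoft.Compute/EncryptionAtHost subscription feature`, plus a note in the template changelog would make the new requirement visible to operators. The resource body and the `templatefile` call continue beyond the hunk.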