/terraform-azurerm-azure-virtual-desktop

Terraform module for deploying Azure Virtual Desktop.

Primary LanguageHCLMIT LicenseMIT

azurerm-azure-virtual-desktop

Terraform module for deploying Azure Virtual Desktop. Deploys a single personal or shared host pool.

Examples

Here are some short examples with referenced resources cut out. See examples-directory for full examples.

Shared hosts with user-assignments

This method is useful if you want each user to have their own assignment and you want to maintain access with Terraform. Full example here.

module "avd" {
  source  = "decensas/azure-virtual-desktop/azurerm"
  version = "0.1.2"

  system_name         = "avd"
  resource_group_name = azurerm_resource_group.main.name
  data_location       = azurerm_resource_group.main.location
  host_location       = azurerm_resource_group.main.location

  vm_size                      = "Standard_D2s_v3"
  number_of_hosts              = 3
  host_pool_type               = "Pooled"
  host_pool_load_balancer_type = "BreadthFirst"

  avd_users_upns  = ["user1@domain.com", "user2@domain.com"]
  avd_admins_upns = ["admin@domain.com"]

  workspace_friendly_name = "User assigned shared hosts"

  subnet_id = azurerm_subnet.main.id
}

Shared hosts with group-assignments

This method is useful if you have Azure AD groups that you want to assign as users and admins, giving you the possibility to add assignments manually. Full example here.

A variation of this can also be used where you enter object ids directly into avd_users_object_ids and avd_admins_object_ids. This is useful if Terraform doesn't have Directory.Read-access to Azure AD.

Note that the values of avd_users_object_ids and avd_admins_object_ids must already be known to Terraform at apply, meaning they can't depend on resources being deployed in the same step.

module "avd" {
  source  = "decensas/azure-virtual-desktop/azurerm"
  version = "0.1.2"

  system_name         = "avd"
  resource_group_name = azurerm_resource_group.main.name
  data_location       = azurerm_resource_group.main.location
  host_location       = azurerm_resource_group.main.location

  vm_size                      = "Standard_D2s_v3"
  number_of_hosts              = 3
  host_pool_type               = "Pooled"
  host_pool_load_balancer_type = "BreadthFirst"

  avd_admins_object_ids = [data.azuread_group.admins.object_id]
  avd_users_object_ids  = [data.azuread_group.users.object_id]

  workspace_friendly_name = "Groups assigned shared hosts"

  subnet_id = azurerm_subnet.main.id
}

Personal hosts

This is an example on how to deploy personal hosts. The hosts will be assigned when a user first logs in and the assignments will last unitl manually unassigned. Keep in mind that the users will still have access to other hosts through RDP if the network permits it. Full example here.

module "avd" {
  source  = "decensas/azure-virtual-desktop/azurerm"
  version = "0.1.2"

  system_name         = "avd"
  resource_group_name = azurerm_resource_group.main.name
  data_location       = azurerm_resource_group.main.location
  host_location       = azurerm_resource_group.main.location

  vm_size             = "Standard_D2s_v3"
  number_of_hosts     = 3
  host_pool_type      = "Personal"
  start_vm_on_connect = true

  avd_users_upns  = ["user1@domain.com", "user2@domain.com"]
  avd_admins_upns = ["admin@domain.com"]

  workspace_friendly_name = "User assigned personal hosts"

  subnet_id = azurerm_subnet.main.id
}

Availability set

This example shows how to make the module deploy an availability set for the VMs. Full example here.

module "avd" {
  source  = "decensas/azure-virtual-desktop/azurerm"
  version = "0.1.2"

  system_name         = "avd"
  resource_group_name = azurerm_resource_group.main.name
  data_location       = azurerm_resource_group.main.location
  host_location       = azurerm_resource_group.main.location

  use_availability_set                  = true
  availability_number_of_fault_domains  = 3
  availability_number_of_update_domains = 20

  vm_size         = "Standard_D2s_v3"
  number_of_hosts = 3
  host_pool_type  = "Personal"

  avd_users_upns  = ["user1@domain.com", "user2@domain.com"]
  avd_admins_upns = ["admin@domain.com"]

  workspace_friendly_name = "Availability set"

  subnet_id = azurerm_subnet.main.id
}

Requirements

Name Version
terraform >= 1.2.8
azuread ~> 2.0
azurerm ~> 3.0
random ~> 3.0
time ~> 0.8.0

Providers

Name Version
azuread ~> 2.0
azurerm ~> 3.0
random ~> 3.0
time ~> 0.8.0

Modules

No modules.

Resources

Name Type
azurerm_availability_set.main resource
azurerm_network_interface.main resource
azurerm_role_assignment.admins resource
azurerm_role_assignment.appgroup resource
azurerm_role_assignment.start_on_connect resource
azurerm_role_assignment.users resource
azurerm_virtual_desktop_application_group.main resource
azurerm_virtual_desktop_host_pool.main resource
azurerm_virtual_desktop_host_pool_registration_info.main resource
azurerm_virtual_desktop_workspace.main resource
azurerm_virtual_desktop_workspace_application_group_association.main resource
azurerm_virtual_machine_extension.aad_join resource
azurerm_virtual_machine_extension.hostpool_join resource
azurerm_windows_virtual_machine.main resource
random_password.main resource
time_static.registration_token_expiration resource
azuread_service_principal.avd data source
azuread_users.admins data source
azuread_users.users data source
azurerm_subscription.main data source

Inputs

Name Description Type Default Required
aad_joined_allow_access_from_nonjoined Only applicable if using Azure AD authentication: adds a custom RDP property that allows access to the hosts from non-joined clients. bool true no
availability_number_of_fault_domains The number of fault domains to configure for the availability set. The number of supported domains varies from region to region. See a list here. Requires var.use_availability_sets to be true. number 2 no
availability_number_of_update_domains The number of update domains to configure for the availability set. Must be between 1 and 20. Requires var.use_availability_set to be true. number 5 no
avd_admins_object_ids Set of object IDs of the identites (Azure AD users or groups) who will be authorized to log into the VMs as local administrator. Useful if the identity running Terraform doesn't have Directory.Read-access to Azure AD or if you wish to assign a group, otherwise use var.avd_admins_upns. set(string) [] no
avd_admins_upns Set of user principal names for the users who will be authorized to log into the VMs as local administrator. set(string) [] no
avd_users_object_ids Set of object IDs of the identites (Azure AD users or groups) who will be authorized to log into the VMs as regular users. Useful if the identity running Terraform doesn't have Directory.Read-access to Azure AD or if you wish to assign a group, otherwise use var.avd_users_upns. set(string) [] no
avd_users_upns Set of user principal names for the users who will be authorized to log into the VMs as regular users. set(string) [] no
custom_rdp_properties Set of strings that will be added as custom RDP properties. E.g.: ["audiocapturemode:i:1", "audiomode:i:0"] set(string) [] no
data_location The location to which metadata-resources will be deployed. This includes the host-pool, application group and workspace. Location of the virtual machines is defined by var.host_location. See Data locations for Azure Virtual Desktop. string n/a yes
desktop_application_group_name_override Overrides the default name for the deskop application group. Defaults to <var.system_name>-appgroup. string "" no
enable_accelerated_networking Should accelerated networking be enabled on the hosts? Only supported by certain vm sizes. bool false no
host_location The location to which the hosts (VMs) will be deployed. string n/a yes
host_pool_load_balancer_type Only applicable if var.host_pool_type is Pooled: Load balancing method used for new users sessions across the availiable hosts. Valid options are: BreadthFirst, DepthFirst. string "BreadthFirst" no
host_pool_name_override Overrides the default name for the host pool. Defaults to <var.system_name>-hostpool. string "" no
host_pool_type The type of the host pool. Valid options are Personal or Pooled string n/a yes
host_source_image_reference The reference to the operating system that will be used in the hosts. You can find this with az cli or PowerShell. This should most likely be a variant of Windows 10/11 enterprise multi session-edition or Windows Server.
object({
publisher = string
offer = string
sku = string
version = string
})
{
"offer": "windows-11",
"publisher": "microsoftwindowsdesktop",
"sku": "win11-21h2-avd",
"version": "latest"
}
no
license_type Specifies a type of on-premises license to be used with the session hosts. Sometimes referred to as Azure Hybrid Benefit. You must have a license with mutli-tenant hosting rights (Windows Server or Windows 10/11). Possible values are None, Windows_Client and Windows_Server. string "None" no
local_admin_password The password of the local admin account on the hosts. Defaults to generating a random password per host. This will be saved in state. string "" no
local_admin_username The username of the local admin account on the hosts. string "azureuser" no
network_interface_name_format The format of the NIC names. The string is var.system_name. The number is the NIC number. See format-function. string "%s-nic%02d" no
number_of_hosts The number of hosts that will be deployed. number n/a yes
resource_group_name The name of the resource group in which to deploy the AVD-resources. string n/a yes
start_vm_on_connect Will enable automatic start of hosts on connection when required. Separate automation is required to stop and deallocate hosts. bool false no
subnet_id The ID of the subnet to where the hosts will be deployed. Must be in the same region as var.host_location. string n/a yes
system_name The main name of the system. Will be used as a part of naming for multiple resources. string n/a yes
tags Tags that will be applied to all deployed resources. map(string) {} no
use_availability_set Should the VMs be deployed to an availability set? bool false no
virtual_machine_name_format The format of the VM names. The string is var.system_name. The number is the VM number. See format-function. string "%s-vm%02d" no
vm_size The size of the hosts. E.g. Standard_D2s_v3. See Microsoft Docs: VM sizes. string n/a yes
workspace_friendly_name Gives the ability to give a user-facing name to the AVD workspace. Will by default appear to the user as <var.system_name>-workspace. string "" no
workspace_name_override Overrides the default name for the workspace. Defaults to <var.system_name>-workspace. string "" no

Outputs

Name Description
network_interfaces An array of the NIC-objects created by this module.
virtual_machines An array of the VM-objects created by this module.

ℹ️ Users with MFA required

If you're assigning users with MFA required, do note that they need to connect from a client that is joined to the same Azure AD and using Windows 10 2004 or later using either the Windows Client or Microsoft Edge. If this isn't a possibility, you must exclude the Windows VM Login application from MFA using Azure AD Conditional Access. If set up correctly, MFA will still be required to use the Azure Virtual Desktop application.

⚠️ Security note

Be aware that the module sets role assignments on the resource group level. Meaning that admins and users defined in the input variables will be given the same access to other VMs in the same resource group.

Feature: Start VM on connect

You can enable the Start VM on Connect-feature by setting var.start_vm_on_connect. This will allocate deallocated VMs on user sign-in when required. It will not stop and/or deallocate running VMs. Separate automation can be set up for deallocation of unused hosts.

Roadmap