IaC Bazaar
Azure · Live-tested

Azure Linux Virtual Machine (self-contained)

A fully self-contained general-purpose Linux VM on Azure — one apply creates the resource group, VNet, subnet, NSG, NIC, optional public IP and an SSH-key-only VM with a system-assigned identity.

terraform · Azure · #azure
azure-virtual-machine · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

azure-virtual-machine

Status: static-validated, live-test pending. Ships under live-test quarantine until promoted by the Azure live lane. Schema is validated against the azurerm v4 provider docs.

A fully self-contained general-purpose Linux VM on Azure. One tofu apply creates everything — resource group, virtual network, subnet, NSG, NIC, an optional public IP and the VM — and tofu destroy removes all of it (including the resource group). Bring your own bootstrap via custom_data, or deploy a plain VM and configure it later. Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.

What it provisions

  • azurerm_resource_group (created and destroyed by this module)
  • azurerm_virtual_network + azurerm_subnet
  • azurerm_network_security_group — SSH (ssh_port) allowed only from allowed_source_cidr, plus an explicit DenyAllInbound
  • azurerm_network_interface (+ NSG association)
  • optional azurerm_public_ip (Standard, static; create_public_ip)
  • azurerm_linux_virtual_machine (SSH-key-only, system-assigned identity, optional cloud-init bootstrap)

Secure defaults

  • SSH-key auth only: disable_password_authentication = true; a valid admin_ssh_public_key is required.
  • No open ingress by default: allowed_source_cidr is required (no default) and gates SSH; a catch-all rule denies everything else inbound.
  • System-assigned managed identity for least-privilege role grants, consumed by workloads on the VM via the Azure Instance Metadata Service (IMDS) at 169.254.169.254 (which requires the Metadata: true request header).
  • OS disk encrypted at rest with platform-managed keys (always on in Azure); optional host-based encryption via encryption_at_host_enabled.
  • Optional Trusted Launch (Secure Boot + vTPM) for capable VM sizes (secure_boot_enabled / vtpm_enabled, off by default so the cheapest B1s size always applies).
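
A check of these defaults against a rendered plan, as an added example (not part of the module or its documentation): it reads the JSON shape produced by tofu show -json and reports any departure from the SSH-key-only, restricted-ingress, deny-all and system-assigned-identity defaults listed above. The plan is a constructed, trimmed sample; the resource addresses and the AllowSSH rule name are assumptions.

```python
# Constructed sample: a trimmed `tofu show -json <planfile>` document.
# Resource addresses and the "AllowSSH" rule name are hypothetical.
def sample_plan(ssh_source, with_deny=True, password_off=True):
    rules = [{"name": "AllowSSH", "priority": 100, "direction": "Inbound", "access": "Allow",
              "source_address_prefix": ssh_source, "destination_port_range": "22"}]
    if with_deny:
        rules.append({"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound",
                      "access": "Deny", "source_address_prefix": "*",
                      "destination_port_range": "*"})
    return {"planned_values": {"root_module": {"resources": [
        {"type": "azurerm_network_security_group",
         "address": "azurerm_network_security_group.this",
         "values": {"security_rule": rules}},
        {"type": "azurerm_linux_virtual_machine",
         "address": "azurerm_linux_virtual_machine.this",
         "values": {"disable_password_authentication": password_off,
                    "identity": [{"type": "SystemAssigned"}]}}]}}}

# Source prefixes that mean "anywhere" in an NSG rule.
OPEN_SOURCES = {"*", "0.0.0.0/0", "Internet"}

def walk(module):
    """Yield resources from a module and all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def check_plan(plan):
    """Return a list of findings; an empty list means the defaults hold."""
    findings = []
    for res in walk(plan["planned_values"]["root_module"]):
        vals, addr = res["values"], res["address"]
        if res["type"] == "azurerm_network_security_group":
            inbound = [r for r in vals.get("security_rule", []) if r["direction"] == "Inbound"]
            for r in inbound:
                if r["access"] == "Allow" and r.get("source_address_prefix") in OPEN_SOURCES:
                    findings.append(f"{addr}: rule {r['name']} allows inbound from any source")
            if not any(r["access"] == "Deny" and r.get("source_address_prefix") == "*"
                       and r.get("destination_port_range") == "*" for r in inbound):
                findings.append(f"{addr}: no explicit deny-all inbound rule")
        elif res["type"] == "azurerm_linux_virtual_machine":
            if vals.get("disable_password_authentication") is not True:
                findings.append(f"{addr}: password authentication is enabled")
            identities = vals.get("identity") or []
            if not any(i.get("type", "").startswith("SystemAssigned") for i in identities):
                findings.append(f"{addr}: no system-assigned identity")
    return findings
```

Run it in CI against the plan of the calling configuration, so a later override of the module's inputs that loosens these defaults fails before apply.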

Verification

Static-validated (tofu fmt, tofu validate, tflint, checkov). Live apply/verify/destroy testing pending an Azure sandbox subscription — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.

  • Usage
  • Inputs
  • Outputs
  • Requirements & notes