IaC Bazaar
Azure · Live-tested

Azure Linux VM Scale Set (Uniform)

A self-contained Linux VM Scale Set (Uniform orchestration) on Azure — one apply creates the resource group, VNet, subnet, NSG and an SSH-key-only scale set with deny-all-inbound and no public IPs.

terraform · Azure · #azure
azure-vmss · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

azure-vmss

Status: static-validated, live-test pending. Ships under live-test quarantine until promoted by the Azure live lane. Schema is validated against the azurerm v4 provider docs.

A Linux Virtual Machine Scale Set (Uniform orchestration) on Azure, fully self-contained by default. One tofu apply creates everything — resource group, virtual network, subnet, NSG and the scale set — and tofu destroy removes all of it (including the resource group). Point subnet_id at an existing subnet to instead consume your own network. Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.

What it provisions

  • azurerm_resource_group (created and destroyed by this module)
  • azurerm_virtual_network + azurerm_subnet (self-contained mode only)
  • azurerm_network_security_group + subnet association — deny-all inbound by default; SSH (22) opened only from allowed_ssh_cidr when set (self-contained mode only)
  • azurerm_linux_virtual_machine_scale_set — SSH-key-only, system-assigned managed identity, no public IPs, overprovision = false, managed boot diagnostics

Secure defaults

  • SSH-key auth only: disable_password_authentication = true; a valid admin_ssh_public_key is required.
  • No public IPs on instances — they are private behind the VNet (reach them via a bastion, VPN or peering).
  • Deny-all inbound NSG by default — SSH is opened only when you set allowed_ssh_cidr, and only from that CIDR.
  • System-assigned managed identity for least-privilege role grants.
  • OS disks encrypted at rest with platform-managed keys (always on in Azure); optional encryption-at-host and Trusted Launch (Secure Boot + vTPM).
  • overprovision = false — the running instance count stays exactly equal to instances (predictable cost and quota; no transient extra VMs).
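
The defaults listed above can be checked against a plan before anything is applied. The following is an added example, not code from the module or its vendor: it walks the JSON produced by `tofu show -json` and reports any scale set or NSG that departs from those defaults. The resource addresses and the sample plan are constructed for illustration, and the check assumes the NSG rules are declared inline as `security_rule` blocks.

```python
import ipaddress

VMSS, NSG = "azurerm_linux_virtual_machine_scale_set", "azurerm_network_security_group"

def resources(module):
    """Yield every planned resource, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from resources(child)

def cidr_only(prefix):
    """True for a real CIDR narrower than /0; False for '*', 'Internet', service tags."""
    try:
        return ipaddress.ip_network(prefix or "", strict=False).prefixlen > 0
    except ValueError:
        return False

def check_plan(plan):
    """Return findings; an empty list means the page's secure defaults hold."""
    out = []
    for r in resources(plan["planned_values"]["root_module"]):
        v, addr = r["values"], r["address"]
        if r["type"] == VMSS:
            if v.get("disable_password_authentication") is not True:
                out.append(f"{addr}: password authentication is enabled")
            if v.get("overprovision") is not False:
                out.append(f"{addr}: overprovision is not false")
            if not any(i.get("type") == "SystemAssigned" for i in v.get("identity") or []):
                out.append(f"{addr}: no system-assigned managed identity")
            for nic in v.get("network_interface") or []:
                if any(c.get("public_ip_address") for c in nic.get("ip_configuration") or []):
                    out.append(f"{addr}: public IP configured on {nic.get('name')}")
        elif r["type"] == NSG:
            for rule in v.get("security_rule") or []:
                ok = rule.get("destination_port_range") == "22" and cidr_only(rule.get("source_address_prefix"))
                if rule.get("direction") == "Inbound" and rule.get("access") == "Allow" and not ok:
                    out.append(f"{addr}: inbound rule {rule.get('name')} is broader than SSH from one CIDR")
    return out

def sample_plan(password_off=True, public_ip=False, ssh_source="203.0.113.0/24"):
    """Constructed plan fragment for demonstration, not real module output."""
    ipc = {"name": "internal", "public_ip_address": [{"name": "pip"}] if public_ip else []}
    vmss = {"disable_password_authentication": password_off, "overprovision": False,
            "identity": [{"type": "SystemAssigned"}], "network_interface": [{"name": "nic0", "ip_configuration": [ipc]}]}
    rule = {"name": "allow-ssh", "direction": "Inbound", "access": "Allow",
            "destination_port_range": "22", "source_address_prefix": ssh_source}
    res = [{"address": f"module.vmss.{t}.this", "type": t, "values": v}  # hypothetical addresses
           for t, v in ((VMSS, vmss), (NSG, {"security_rule": [rule]}))]
    return {"planned_values": {"root_module": {"child_modules": [{"resources": res}]}}}
```

Against a real plan, load the output of `tofu show -json <planfile>` with `json.load` and pass the result to `check_plan`.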

Verification

Static-validated (tofu fmt, tofu validate, tflint, checkov). Live apply/verify/destroy testing pending an Azure sandbox subscription — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
