fix: update ad extension for windows

_example/linux-vm/example.tf

@@ -87,6 +87,7 @@ module "security_group" {
 #-----------------------------------------------------------------------------
 module "key_vault" {
   source                      = "clouddrove/key-vault/azure"
+  version                     = "1.1.0"
   name                        = "app"
   environment                 = "test"
   label_order                 = ["name", "environment", ]
@@ -101,8 +102,6 @@ module "key_vault" {
   enable_private_endpoint = true
   ##RBAC
   enable_rbac_authorization = true
-  principal_id              = ["71xxxxxxxxxxxxxxxxxx1166d7c97"]
-  role_definition_name      = ["Key Vault Administrator"]
 }
 
 ##-----------------------------------------------------------------------------
@@ -124,7 +123,7 @@ module "virtual-machine" {
   user_object_id = {
     "user1" = {
       role_definition_name = "Virtual Machine Administrator Login"
-      principal_id         = "xxxxxxxxxxxxxxxxx"
+      principal_id         = "xxxxxxxxxxxxx"
     },
   }
   ## Network Interface
@@ -147,7 +146,7 @@ module "virtual-machine" {
   ip_version        = "IPv4"
   ## Virtual Machine
   vm_size        = "Standard_B1s"
-  public_key     = "vweGBuAqKX+xxxxxxxxxxx" # Enter valid public key here
+  public_key     = "ssh-rsa EqO/kArB4p4KeF+pc84rX5GkM4fn5SsMMpJTZmhhJYA2YW/E" # Enter valid p key here
   admin_username = "ubuntu"
   #  admin_password                  = "P@ssw0rd!123!" # It is compulsory when disable_password_authentication = false
   caching                         = "ReadWrite"
@@ -157,7 +156,7 @@ module "virtual-machine" {
   image_offer                     = "0001-com-ubuntu-server-jammy"
   image_sku                       = "22_04-lts-gen2"
   image_version                   = "latest"
-  enable_disk_encryption_set      = false
+  enable_disk_encryption_set      = true
   key_vault_id                    = module.key_vault.id
   addtional_capabilities_enabled  = true
   ultra_ssd_enabled               = false

_example/windows-vm/example.tf

@@ -112,6 +112,14 @@ module "virtual-machine" {
   create_option       = "Empty"
   disk_size_gb        = 128
   provision_vm_agent  = true
+  identity_enabled    = true
+  sa_type             = "SystemAssigned"
+  user_object_id = {
+    "user1" = {
+      role_definition_name = "Virtual Machine Administrator Login"
+      principal_id         = "3xxxxxxxxxxxxxxxxxxxe"
+    },
+  }
   ## Network Interface
   subnet_id                     = module.subnet.default_subnet_id
   private_ip_address_version    = "IPv4"
@@ -135,7 +143,7 @@ module "virtual-machine" {
   admin_password    = "Password@123"
   image_publisher   = "MicrosoftWindowsServer"
   image_offer       = "WindowsServer"
-  image_sku         = "2019-Datacenter"
+  image_sku         = "2019-datacenter"
   image_version     = "latest"
   caching           = "ReadWrite"
   data_disks = [
@@ -148,29 +156,12 @@ module "virtual-machine" {
 
   # Extension
   extensions = [{
-    extension_publisher            = "Microsoft.Azure.Security"
-    extension_name                 = "CustomExt"
-    extension_type                 = "IaaSAntimalware"
-    extension_type_handler_version = "1.3"
+    extension_publisher            = "Microsoft.Azure.ActiveDirectory"
+    extension_name                 = "AADLogin"
+    extension_type                 = "AADLoginForWindows"
+    extension_type_handler_version = "1.0"
     auto_upgrade_minor_version     = true
     automatic_upgrade_enabled      = false
-    settings                       = <<SETTINGS
-                                        {
-                                          "AntimalwareEnabled": true,
-                                          "RealtimeProtectionEnabled": "true",
-                                          "ScheduledScanSettings": {
-                                              "isEnabled": "false",
-                                              "day": "7",
-                                              "time": "120",
-                                              "scanType": "Quick"
-                                          },
-                                          "Exclusions": {
-                                              "Extensions": "",
-                                              "Paths": "",
-                                              "Processes": ""
-                                          }
-                                        }
-                                      SETTINGS
   }]
   #### enable diagnostic setting
   diagnostic_setting_enable  = false

main.tf

@@ -282,7 +282,7 @@ resource "azurerm_network_interface_security_group_association" "default" {
 ## Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.
 ##-----------------------------------------------------------------------------
 resource "azurerm_disk_encryption_set" "example" {
-  count               = var.enable_disk_encryption_set ? var.machine_count : 0
+  count               = var.enabled && var.enable_disk_encryption_set ? var.machine_count : 0
   name                = var.vm_addon_name == null ? format("vm-%s-dsk-encrpt-%s", module.labels.id, count.index + 1) : format("vm-%s-dsk-encrpt-%s", module.labels.id, var.vm_addon_name)
   resource_group_name = var.resource_group_name
   location            = var.location
@@ -297,15 +297,15 @@ resource "azurerm_disk_encryption_set" "example" {
 ## The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
 ##-----------------------------------------------------------------------------
 resource "azurerm_role_assignment" "azurerm_disk_encryption_set_key_vault_access" {
-  count                = var.enable_disk_encryption_set ? var.machine_count : 0
+  count                = var.enabled && var.enable_disk_encryption_set ? var.machine_count : 0
   scope                = var.key_vault_id
   role_definition_name = var.role_definition_name
   principal_id         = azurerm_disk_encryption_set.example[0].identity[0].principal_id
 }
 
 resource "azurerm_role_assignment" "ad_role_assignment" {
-  for_each             = var.user_object_id
-  scope                = azurerm_linux_virtual_machine.default[0].id
+  for_each             = var.enabled ? var.user_object_id : {}
+  scope                = var.is_vm_windows ? azurerm_windows_virtual_machine.win_vm[0].id : azurerm_linux_virtual_machine.default[0].id
   role_definition_name = lookup(each.value, "role_definition_name", "")
   principal_id         = lookup(each.value, "principal_id", "")
 }
@@ -357,11 +357,11 @@ resource "azurerm_key_vault_access_policy" "main" {
 ##  This is where you are creating the managed disk. The name argument specifies the name of the disk.
 ##-----------------------------------------------------------------------------
 resource "azurerm_managed_disk" "data_disk" {
-  for_each = { for it, data_disk in var.data_disks : data_disk.name => {
+  for_each = var.enabled ? { for it, data_disk in var.data_disks : data_disk.name => {
     it : it,
     data_disk : data_disk,
     }
-  }
+  } : {}
   name                   = format("%s-%s-managed-disk", module.labels.id, each.value.data_disk.name)
   resource_group_name    = var.resource_group_name
   location               = var.location
@@ -378,11 +378,11 @@ resource "azurerm_managed_disk" "data_disk" {
 ## Manages attaching a Disk to a Virtual Machine.
 ##-----------------------------------------------------------------------------
 resource "azurerm_virtual_machine_data_disk_attachment" "data_disk" {
-  for_each = { for it, data_disk in var.data_disks : data_disk.name => {
+  for_each = var.enabled ? { for it, data_disk in var.data_disks : data_disk.name => {
     it : it,
     data_disk : data_disk,
     }
-  }
+  } : {}
   managed_disk_id    = azurerm_managed_disk.data_disk[each.key].id
   virtual_machine_id = var.is_vm_windows ? azurerm_windows_virtual_machine.win_vm[0].id : azurerm_linux_virtual_machine.default[0].id
   lun                = each.value.it
@@ -393,9 +393,9 @@ resource "azurerm_virtual_machine_data_disk_attachment" "data_disk" {
 ## azurerm_virtual_machine_extension. Manages a Virtual Machine Extension to provide post deployment configuration and run automated tasks.
 ##-----------------------------------------------------------------------------
 resource "azurerm_virtual_machine_extension" "vm_insight_monitor_agent" {
-  for_each                   = { for extension in var.extensions : extension.extension_name => extension }
+  for_each                   = var.enabled ? { for extension in var.extensions : extension.extension_name => extension } : {}
   name                       = each.value.extension_name
-  virtual_machine_id         = var.is_vm_linux != true ? azurerm_windows_virtual_machine.win_vm[0].id : azurerm_linux_virtual_machine.default[0].id
+  virtual_machine_id         = var.is_vm_windows ? azurerm_windows_virtual_machine.win_vm[0].id : azurerm_linux_virtual_machine.default[0].id
   publisher                  = each.value.extension_publisher
   type                       = each.value.extension_type
   type_handler_version       = each.value.extension_type_handler_version
@@ -410,7 +410,7 @@ resource "azurerm_virtual_machine_extension" "vm_insight_monitor_agent" {
 ## This resource allows you to manage a Diagnostic Setting for an Azure resource.
 ##-----------------------------------------------------------------------------
 resource "azurerm_monitor_diagnostic_setting" "pip_gw" {
-  count                          = var.diagnostic_setting_enable && var.public_ip_enabled ? var.machine_count : 0
+  count                          = var.enabled && var.diagnostic_setting_enable && var.public_ip_enabled ? var.machine_count : 0
   name                           = var.vm_addon_name == null ? format("%s-vm-pip-%s-diagnostic-log", module.labels.id, count.index + 1) : format("%s-vm-pip-%s-diagnostic-log", module.labels.id, var.vm_addon_name)
   target_resource_id             = join("", azurerm_public_ip.default[0].id)
   storage_account_id             = var.storage_account_id
@@ -451,10 +451,10 @@ resource "azurerm_monitor_diagnostic_setting" "pip_gw" {
 }
 
 ##-----------------------------------------------------------------------------
-## This resource allows you to manage a Diagnostic Setting for an Azure resource.
+## This resource allows you to manage a Diaresourcegnostic Setting for an Azure resource.
 ##-----------------------------------------------------------------------------
 resource "azurerm_monitor_diagnostic_setting" "nic_diagnostic" {
-  count                          = var.diagnostic_setting_enable ? var.machine_count : 0
+  count                          = var.enabled && var.diagnostic_setting_enable ? var.machine_count : 0
   name                           = var.vm_addon_name == null ? format("%s-network-interface-%s-diagnostic-log", module.labels.id, count.index + 1) : format("%s-network-interface-%s-diagnostic-log", module.labels.id, var.vm_addon_name)
   target_resource_id             = azurerm_network_interface.default[0].id
   storage_account_id             = var.storage_account_id

outputs.tf

@@ -1,15 +1,15 @@
 output "network_interface_id" {
-  value       = azurerm_network_interface.default[0].id
+  value       = azurerm_network_interface.default[*].id
   description = "The ID of the Network Interface."
 }
 
 output "network_interface_private_ip_addresses" {
-  value       = azurerm_network_interface.default[0].private_ip_addresses
+  value       = azurerm_network_interface.default[*].private_ip_addresses
   description = "The private IP addresses of the network interface."
 }
 
 output "availability_set_id" {
-  value       = azurerm_availability_set.default[0].id
+  value       = azurerm_availability_set.default[*].id
   description = "The ID of the Availability Set."
 }
 
@@ -33,9 +33,8 @@ output "windows_virtual_machine_id" {
   description = "The ID of the Windows Virtual Machine."
 }
 
-
 output "network_interface_sg_association_id" {
-  value       = azurerm_network_interface_security_group_association.default[0].id
+  value       = azurerm_network_interface_security_group_association.default[*].id
   description = "The (Terraform specific) ID of the Association between the Network Interface and the Network Interface."
 }
 

variables.tf

@@ -236,7 +236,7 @@ variable "identity_enabled" {
 
 variable "sa_type" {
   type        = string
-  default     = "SystemAssigned"
+  default     = ""
   description = "Specifies the identity type of the Storage Account. At this time the only allowed value is SystemAssigned."
 }
 
@@ -581,7 +581,7 @@ variable "enable_automatic_updates" {
 
 variable "windows_patch_mode" {
   type        = string
-  default     = "AutomaticByOS"
+  default     = "AutomaticByPlatform"
   description = "Optional) Specifies the mode of in-guest patching to this Windows Virtual Machine. Possible values are Manual, AutomaticByOS and AutomaticByPlatform. Defaults to AutomaticByOS. "
 }