Bicep Module Documentation
← Back to Overview
Module virtual-machine
virtualMachine
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| identity | identity | |
| plan | plan | |
| additionalCapabilities | additionalCapabilities | |
| applicationProfile | applicationProfile | Specifies the gallery applications that should be made available to the VM/VMSS |
| availabilitySetId | string | Specifies information about the availability set that the virtual machine should be assigned to. Virtual machines specified in the same availability set are allocated to different nodes to maximize availability. Currently, a VM can only be added to availability set at creation time. The availability set to which the VM is being added should be under the same resource group as the availability set resource. An existing VM cannot be added to an availability set |
| billingProfile | billingProfile | Specifies the billing related details of a Azure Spot virtual machine |
| capacityReservationGroupId | string | Specifies information about the capacity reservation that is used to allocate virtual machine |
| diagnosticsProfile | diagnosticsProfile | Specifies the boot diagnostic settings state |
| evictionPolicy | 'Deallocate' 'Delete' |
Specifies the eviction policy for the Azure Spot virtual machine and Azure Spot scale set. For Azure Spot virtual machines, both "Deallocate" and "Delete" are supported |
| extensionsTimeBudget | string | Specifies the time alloted for all extensions to start. The time duration should be between 15 minutes and 120 minutes (inclusive) and should be specified in ISO 8601 format (default: 90 minutes or PT1H30M) |
| hardwareProfile (required) | hardwareProfile | Specifies the hardware settings for the virtual machine |
| hostId | string | Specifies information about the dedicated host that the virtual machine resides in |
| hostGroupId | string | Specifies information about the dedicated host group that the virtual machine resides in |
| licenseType | 'RHEL_BYOS' 'SLES_BYOS' 'Windows_Client' 'Windows_Server' |
Specifies that the image or disk that is being used was licensed on-premises (hybrid benefit) |
| networkProfile (required) | networkProfile | Specifies the network interfaces of the virtual machine |
| osProfile (required) | osProfile | Specifies the operating system settings used while creating the virtual machine. Some of the settings cannot be changed once VM is provisioned |
| platformFaultDomain | int | Specifies the scale set logical fault domain into which the Virtual Machine will be created. By default, the Virtual Machine will by automatically assigned to a fault domain that best maintains balance across available fault domains. This is applicable only if the "virtualMachineScaleSet" property of this Virtual Machine is set. The Virtual Machine Scale Set that is referenced, must have "platformFaultDomainCount" greater than 1. This property cannot be updated once the Virtual Machine is created |
| priority | 'Low' 'Regular' 'Spot' |
Specifies the priority for the virtual machine |
| proximityPlacementGroupId | string | Specifies information about the proximity placement group that the virtual machine should be assigned to |
| scheduledEventsProfile | scheduledEventsProfile | Specifies Scheduled Event related configurations |
| securityProfile | securityProfile | Specifies the Security related profile settings for the virtual machine |
| storageProfile (required) | virtualMachineStorageProfile | Specifies the storage settings for the virtual machine disks |
| userData | string | UserData for the VM, which must be base-64 encoded. Customer should not pass any secrets in here |
| virtualMachineScaleSetId | string | Specifies information about the virtual machine scale set that the virtual machine should be assigned to. Virtual machines specified in the same virtual machine scale set are allocated to different nodes to maximize availability. Currently, a VM can only be added to virtual machine scale set at creation time. An existing VM cannot be added to a virtual machine scale set |
| zones | string[] | Zones where the virtual machine should be deployed [Array of strings] |
| autoShutdown | autoShutdown | Auto-shutdown schedule for the virtual machine |
| sqlConfiguration | sqlConfiguration | SQL settings when deploying SQL on IaaS. |
identity
| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
The types of identities associated with this resource. (default: none) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |
plan
| Property | Value | Description |
|---|---|---|
| name (required) | string | The plan ID |
| product (required) | string | Specifies the product of the image from the marketplace. This is the same value as Offer under the imageReference element |
| promotionCode | string | The promotion code |
| publisher (required) | string | The publisher ID |
additionalCapabilities
| Property | Value | Description |
|---|---|---|
| hibernationEnabled | bool | The flag that enables or disables hibernation capability on the VM |
applicationProfile
| Property | Value | Description |
|---|---|---|
| galleryApplications | virtualMachineGalleryApplication[] | Specifies the gallery applications that should be made available to the VM/VMSS |
billingProfile
| Property | Value | Description |
|---|---|---|
| maxPrice | string |
diagnosticsProfile
| Property | Value | Description |
|---|---|---|
| enableBootDiagnostics | bool | Whether boot diagnostics should be enabled on the Virtual Machine (default: true) |
| bootDiagnosticsStorageAccountUri | string | Uri of the storage account to use for placing the console output and screenshot. If storageUri is not specified while enabling boot diagnostics, managed storage will be used |
vmSizeProperties
| Property | Value | Description |
|---|---|---|
| vCPUsAvailable (required) | int | Specifies the number of vCPUs available for the VM |
| vCPUsPerCore (required) | int | Specifies the vCPU to physical core ratio, setting this property to 1 also means that hyper-threading is disabled |
hardwareProfile
| Property | Value | Description |
|---|---|---|
| vmSize (required) | string | Specifies the size of the virtual machine |
| vmSizeProperties | vmSizeProperties | Specifies the properties for customizing the size of the virtual machine, this feature is still in preview mode and is not supported for VirtualMachineScaleSet |
networkProfile
| Property | Value | Description |
|---|---|---|
| networkInterfaces | virtualMachineNetworkInterface[] | Specifies the list of resource Ids for the network interfaces associated with the virtual machine |
osProfile
| Property | Value | Description |
|---|---|---|
| adminUsername | string | Specifies the name of the administrator account, This property cannot be updated after the VM is created. Windows-only restriction: Cannot end in "." Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5" (default: arxus) |
| allowExtensionOperations | bool | Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine |
| keyVaultId (required) | string | Key vault id where to get the password |
| keyVaultSecretName (required) | string | Name of the key vault secret in the key vault |
| computerName | string | Specifies the host OS name of the virtual machine. This name cannot be updated after the VM is created, max 15 characters for Windows (default: same as virtual machine name) |
| customData | string | Specifies a base-64 encoded string of custom data. The base-64 encoded string is decoded to a binary array that is saved as a file on the Virtual Machine. The maximum length of the binary array is 65535 bytes. Note: Do not pass any secrets or passwords in customData property |
| linuxConfiguration | virtualMachineLinuxConfiguration | Specifies the Linux operating system settings on the virtual machine |
| requireGuestProvisionSignal | bool | Optional property which must either be set to True or omitted |
| secrets | virtualMachineOSSecrets[] | Specifies set of certificates that should be installed onto the virtual machine |
| windowsConfiguration | virtualMachineWindowsConfiguration | Specifies Windows operating system settings on the virtual machine |
osImageNotificationProfile
| Property | Value | Description |
|---|---|---|
| enable | bool | Specifies whether the OS Image Scheduled event is enabled or disabled |
| notBeforeTimeout | string | Length of time a Virtual Machine being reimaged or having its OS upgraded will have to potentially approve the OS Image Scheduled Event before the event is auto approved (timed out). The configuration is specified in ISO 8601 format, and the value must be 15 minutes (PT15M) |
scheduledEventsProfile
| Property | Value | Description |
|---|---|---|
| osImageNotificationProfile | osImageNotificationProfile |
uefiSettings
| Property | Value | Description |
|---|---|---|
| secureBootEnabled | bool | Specifies whether secure boot should be enabled on the virtual machine |
| vTpmEnabled | bool | Specifies whether vTPM should be enabled on the virtual machine |
securityProfile
| Property | Value | Description |
|---|---|---|
| secureVMDiskEncryptionSetId (required) | string | ResourceId of the disk encryption set associated to Confidential VM supported disk encrypted with customer managed key |
| securityType (required) | 'ConfidentialVM_DiskEncryptedWithCustomerKey' 'ConfidentialVM_DiskEncryptedWithPlatformKey' 'ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey' 'TrustedLaunch' |
Specifies the SecurityType of the VM. Applicable for OS disks only |
notificationSettings
| Property | Value | Description |
|---|---|---|
| emailRecipient | string | The email recipient to send notifications to (can be a list of semi-colon separated email addresses). |
| status | 'Disabled' 'Enabled' |
If notifications are enabled for this schedule (i.e. Enabled, Disabled). |
| webhookUrl | string | The webhook URL to which the notification will be sent. |
autoShutdown
| Property | Value | Description |
|---|---|---|
| dailyRecurrenceTime (required) | string | If the schedule will occur once each day of the week, specify the daily recurrence. (example: 7:00 PM = 1900) |
| status (required) | 'Disabled' 'Enabled' |
The status of the schedule (i.e. Enabled, Disabled) |
| notificationSettings | notificationSettings | Notification settings |
| timeZoneId | string | The time zone ID (e.g. China Standard Time, Greenland Standard Time, Pacific Standard time, etc.). The possible values for this property can be found in IReadOnlyCollection<string> TimeZoneConverter.TZConvert.KnownWindowsTimeZoneIds (default: Central Europe Standard Time) |
virtualMachineStorageProfile
| Property | Value | Description |
|---|---|---|
| dataDisks | virtualMachineDisk[] | Specifies the parameters that are used to add a data disk to a virtual machine |
| diskControllerType | 'NVMe' 'SCSI' |
Specifies the disk controller type configured for the VM. Note: This property will be set to the default disk controller type if not specified provided virtual machine is being created with "hyperVGeneration" set to V2 based on the capabilities of the operating system disk and VM size from the the specified minimum api version. You need to deallocate the VM before updating its disk controller type unless you are updating the VM size in the VM configuration which implicitly deallocates and reallocates the VM |
| imageReference | virtualMachineImageReference | Specifies information about the image to use. You can specify information about platform images, marketplace images, or virtual machine images. This element is required when you want to use a platform image, marketplace image, or virtual machine image, but is not used in other creation operations |
| osDisk (required) | virtualMachineDisk | Specifies information about the operating system disk used by the virtual machine |
virtualMachineImageReference
| Property | Value | Description |
|---|---|---|
| communityGalleryImageId | string | Specified the community gallery image unique id for vm deployment. This can be fetched from community gallery image GET call |
| id | string | The resource id of the image |
| offer | string | Specifies the offer of the platform image or marketplace image used to create the virtual machine |
| publisher | string | The image publisher |
| sharedGalleryImageId | string | Specified the shared gallery image unique id for vm deployment |
| sku | string | The image SKU |
| version | string | Specifies the version of the platform image or marketplace image used to create the virtual machine. The allowed formats are Major.Minor.Build or "latest". Major, Minor, and Build are decimal numbers. Specify "latest" to use the latest version of an image available at deploy time. Even if you use "latest", the VM image will not automatically update after deploy time even if a new version becomes available. Please do not use field "version" for gallery image deployment, gallery image should always use "id" field for deployment, to use "latest" version of gallery image, just set "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/images/{imageName}" in the "id" field without version input. |
virtualMachineDisk
| Property | Value | Description |
|---|---|---|
| naming | naming | |
| copyExistingManagedDiskId | string | Resource id of the managed disk to copy as the boot drive for this virtual machine |
| diffDiskSettings | diffDiskSettings | Specifies the ephemeral Disk Settings for the operating system disk used by the virtual machine |
| managedDisk | managedDisk | The managed disk parameters |
| caching | 'None' 'ReadOnly' 'ReadWrite' |
Specifies the caching requirements (default: None for standard & ReadOnly for premium) |
| createOption | 'Attach' 'Empty' 'FromImage' |
Specifies how the virtual machine should be created. Possible values are: Attach. This value is used when you are using a specialized disk to create the virtual machine. FromImage. This value is used when you are using an image to create the virtual machine. If you are using a platform image, you should also use the imageReference element described above. If you are using a marketplace image, you should also use the plan element previously described (default: empty) |
| deleteOption | 'Delete' 'Detach' |
Specifies whether data disk should be deleted or detached upon VM deletion. Possible values are: Delete. If this value is used, the data disk is deleted when VM is deleted. Detach. If this value is used, the data disk is retained after VM is deleted. The default value is set to Detach |
| detachOption | 'ForceDetach' | Specifies the detach behavior to be used while detaching a disk or which is already in the process of detachment from the virtual machine. Supported values: ForceDetach. detachOption: ForceDetach is applicable only for managed data disks. If a previous detachment attempt of the data disk did not complete due to an unexpected failure from the virtual machine and the disk is still not released then use force-detach as a last resort option to detach the disk forcibly from the VM. All writes might not have been flushed when using this detach behavior. This feature is still in preview mode and is not supported for VirtualMachineScaleSet. To force-detach a data disk update toBeDetached to "true" along with setting detachOption: "ForceDetach" |
| diskSizeGB | int | Specifies the size of an empty data disk in gigabytes. This element can be used to overwrite the size of the disk in a virtual machine image |
| imageURI | string | The source user image virtual hard disk. The virtual hard disk will be copied before being attached to the virtual machine. If SourceImage is provided, the destination virtual hard drive must not exist |
| toBeDetached | bool | Specifies whether the data disk is in process of detachment from the VirtualMachine/VirtualMachineScaleset |
| vhdURI | string | The virtual hard disk |
| writeAcceleratorEnabled | bool | Specifies whether writeAccelerator should be enabled or disabled on the disk |
| sku | 'PremiumV2_LRS' 'Premium_LRS' 'Premium_ZRS' 'StandardSSD_LRS' 'StandardSSD_ZRS' 'Standard_LRS' 'UltraSSD_LRS' |
The disks sku name |
| zones | string[] | The Logical zone list for Disk |
| burstingEnabled | bool | Set to true to enable bursting beyond the provisioned performance target of the disk. Bursting is disabled by default. Does not apply to Ultra disks |
| creationData | creationData | Disk source information. CreationData information cannot be changed after the disk has been created |
| dataAccessAuthMode | 'AzureActiveDirectory' 'None' |
Additional authentication requirements when exporting or uploading to a disk or snapshot |
| diskAccessId | string | ARM id of the DiskAccess resource for using private endpoints on disks |
| diskIOPSReadWrite | int | The number of IOPS allowed for this disk; only settable for UltraSSD disks. One operation can transfer between 4k and 256k bytes |
| diskMBpsReadWrite | int | The bandwidth allowed for this disk; only settable for UltraSSD disks. MBps means millions of bytes per second - MB here uses the ISO notation, of powers of 10 |
| hyperVGeneration | 'V1' 'V2' |
The hypervisor generation of the Virtual Machine. Applicable to OS disks only |
| maxShares | int | The maximum number of VMs that can attach to the disk at the same time. Value greater than one indicates a disk that can be mounted on multiple VMs at the same time |
| networkAccessPolicy | 'AllowAll' 'AllowPrivate' 'DenyAll' |
Policy for accessing the disk via network |
| optimizedForFrequentAttach | bool | Setting this property to true improves reliability and performance of data disks that are frequently (more than 5 times a day) by detached from one virtual machine and attached to another. This property should not be set for disks that are not detached and attached frequently as it causes the disks to not align with the fault domain of the virtual machine |
| osType | 'Linux' 'Windows' |
The Operating System type |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Policy for controlling export on the disk |
| purchasePlan | virtualMachinePurchasePlan | Purchase plan information for the the image from which the OS disk was created |
| securityProfile | securityProfile | Contains the security related information for the resource |
| supportedCapabilities | virtualMachineDiskCapabilities | List of supported capabilities for the image from which the OS disk was created |
| supportsHibernation | bool | Indicates the OS on a disk supports hibernation |
| tier | string | Performance tier of the disk, does not apply to premium v2 and ultra disks |
diffDiskSettings
| Property | Value | Description |
|---|---|---|
| option | 'Local' | Specifies the ephemeral disk settings for operating system disk |
| placement (required) | 'CacheDisk' 'ResourceDisk' |
Specifies the ephemeral disk placement for operating system disk. Possible values are: CacheDisk, ResourceDisk. The defaulting behavior is: CacheDisk if one is configured for the VM size otherwise ResourceDisk is used. Refer to the VM size documentation for Windows VM at /azure/virtual-machines/windows/sizes and Linux VM at /azure/virtual-machines/linux/sizes to check which VM sizes exposes a cache disk |
managedDisk
| Property | Value | Description |
|---|---|---|
| id | string | Resource id of the disk |
| securityProfile | securityProfile |
creationData
| Property | Value | Description |
|---|---|---|
| createOption | 'Attach' 'Copy' 'CopyStart' 'Empty' 'FromImage' 'Import' 'ImportSecure' 'Restore' 'Upload' 'UploadPreparedSecure' |
This enumerates the possible sources of a disk creation |
| galleryImageReference | virtualMachineDiskImageReference | Required if creating from a Gallery Image. The id/sharedGalleryImageId/communityGalleryImageId of the ImageDiskReference will be the ARM id of the shared galley image version from which to create a disk |
| imageReference | virtualMachineDiskImageReference | Disk source information for PIR or user images |
| logicalSectorSize | int | Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. 4096 is the default |
| performancePlus | bool | Set this flag to true to get a boost on the performance target of the disk deployed, see here on the respective performance target. This flag can only be set on disk creation time and cannot be disabled after enabled |
| securityDataUri | string | If createOption is ImportSecure, this is the URI of a blob to be imported into VM guest state |
| sourceResourceId | string | If createOption is Copy, this is the ARM id of the source snapshot or disk |
| sourceUri | string | If createOption is Import, this is the URI of a blob to be imported into a managed disk |
| storageAccountId | string | Required if createOption is Import. The Azure Resource Manager identifier of the storage account containing the blob to import as a disk |
| uploadSizeBytes | int | If createOption is Upload, this is the size of the contents of the upload including the VHD footer. This value should be between 20972032 (20 MiB + 512 bytes for the VHD footer) and 35183298347520 bytes (32 TiB + 512 bytes for the VHD footer) |
virtualMachineDiskImageReference
| Property | Value | Description |
|---|---|---|
| communityGalleryImageId | string | A relative uri containing a community Azure Compute Gallery image reference |
| id | string | A relative uri containing either a Platform Image Repository, user image, or Azure Compute Gallery image reference |
| sharedGalleryImageId | string | A relative uri containing a direct shared Azure Compute Gallery image reference |
virtualMachineDiskCapabilities
| Property | Value | Description |
|---|---|---|
| acceleratedNetwork | bool | True if the image from which the OS disk is created supports accelerated networking |
| architecture | 'Arm64' 'x64' |
CPU architecture supported by an OS disk |
| diskControllerTypes | 'NVME, SCSI' 'SCSI' 'SCSI, NVME' |
The disk controllers that an OS disk supports |
virtualMachinePurchasePlan
| Property | Value | Description |
|---|---|---|
| name (required) | string | The plan ID |
| product (required) | string | Specifies the product of the image from the marketplace. This is the same value as Offer under the imageReference element |
| promotionCode | string | The promotion code |
| publisher (required) | string | The publisher ID |
virtualMachineDiskEncryptionSetting
| Property | Value | Description |
|---|---|---|
| diskEncryptionKey (required) | diskEncryptionKey | Key Vault Secret Url and vault id of the disk encryption key |
| keyEncryptionKey | keyEncryptionKey | Key Vault Key Url and vault id of the key encryption key. KeyEncryptionKey is optional and when provided is used to unwrap the disk encryption key |
diskEncryptionKey
| Property | Value | Description |
|---|---|---|
| secretUrl (required) | string | Url pointing to a key or secret in KeyVault |
| sourceVaultId (required) | string | Resource id of the KeyVault containing the key or secret |
keyEncryptionKey
| Property | Value | Description |
|---|---|---|
| keyUrl (required) | string | Url pointing to a key or secret in KeyVault |
| sourceVaultId (required) | string | Resource id of the KeyVault containing the key or secret |
virtualMachineOSSecrets
| Property | Value | Description |
|---|---|---|
| sourceVault (required) | sourceVault | The relative URL of the Key Vault containing all of the certificates in VaultCertificates |
| vaultCertificates (required) | virtualMachineOSSecretsVaultCertificate[] | The list of key vault references in SourceVault which contain certificates |
sourceVault
| Property | Value | Description |
|---|---|---|
| id (required) | string |
virtualMachineOSSecretsVaultCertificate
| Property | Value | Description |
|---|---|---|
| certificateStore (required) | string | For Windows VMs, specifies the certificate store on the Virtual Machine to which the certificate should be added. The specified certificate store is implicitly in the LocalMachine account. For Linux VMs, the certificate file is placed under the /var/lib/waagent directory, with the file name |
| certificateUrl (required) | string | This is the URL of a certificate that has been uploaded to Key Vault as a secret. In this case, your certificate needs to be the Base64 encoding of the following JSON Object which is encoded in UTF-8: { "data":"{Base64-encoded-certificate}", "dataType":"pfx", "password":"{pfx-file-password}" } |
virtualMachineLinuxConfiguration
| Property | Value | Description |
|---|---|---|
| disablePasswordAuthentication | bool | Specifies whether password authentication should be disabled |
| enableVMAgentPlatformUpdates | bool | Indicates whether VMAgent Platform Updates is enabled for the Linux virtual machine (default: false) |
| patchSettings | patchSettings | [Preview Feature] Specifies settings related to VM Guest Patching on Linux |
| provisionVMAgent | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later |
| ssh | ssh | Specifies the ssh key configuration for a Linux OS |
automaticByPlatformSettings
| Property | Value | Description |
|---|---|---|
| bypassPlatformSafetyChecksOnUserSchedule (required) | bool | Enables customer to schedule patching without accidental upgrades |
| rebootSetting (required) | 'Always' 'IfRequired' 'Never' 'Unknown' |
patchSettings
| Property | Value | Description |
|---|---|---|
| assessmentMode (required) | 'AutomaticByPlatform' 'ImageDefault' |
Specifies the mode of VM Guest patch assessment for the IaaS virtual machine |
| automaticByPlatformSettings (required) | automaticByPlatformSettings | Specifies additional settings for patch mode AutomaticByPlatform in VM Guest Patching on Windows |
| enableHotpatching | bool | Enables customers to patch their Azure VMs without requiring a reboot. For enableHotpatching, the "provisionVMAgent" must be set to true and "patchMode" must be set to "AutomaticByPlatform" |
| patchMode (required) | 'AutomaticByPlatform' 'ImageDefault' 'Manual' |
Specifies the mode of VM Guest Patching to IaaS virtual machine or virtual machines associated to virtual machine scale set with OrchestrationMode as Flexible |
ssh
| Property | Value | Description |
|---|---|---|
| publicKeys (required) | virtualMachineSSHPublicKey[] |
virtualMachineSSHPublicKey
| Property | Value | Description |
|---|---|---|
| keyData (required) | string | SSH public key certificate used to authenticate with the VM through ssh. The key needs to be at least 2048-bit and in ssh-rsa format |
| path (required) | string | Specifies the full path on the created VM where ssh public key is stored. If the file already exists, the specified key is appended to the file. Example: /home/user/.ssh/authorized_keys |
virtualMachineWindowsConfiguration
| Property | Value | Description |
|---|---|---|
| additionalUnattendContent | virtualMachineAdditionalUnattendContent[] | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup |
| enableAutomaticUpdates | bool | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning |
| patchSettings | patchSettings | [Preview Feature] Specifies settings related to VM Guest Patching on Windows |
| provisionVMAgent | bool | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, it is set to true by default. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later |
| timeZone | string | Specifies the time zone of the virtual machine. e.g. "Romance Standard Time" |
| winRM | winRM | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell |
winRM
| Property | Value | Description |
|---|---|---|
| listeners (required) | virtualMachineWindowsConfigurationWinRMListener[] |
virtualMachineWindowsConfigurationWinRMListener
| Property | Value | Description |
|---|---|---|
| certificateUrl (required) | string | |
| protocol (required) | 'Http' 'Https' |
virtualMachineWinRMListener
| Property | Value | Description |
|---|---|---|
| certificateUrl (required) | string | This is the URL of a certificate that has been uploaded to Key Vault as a secret. In this case, your certificate needs to be the Base64 encoding of the following JSON Object which is encoded in UTF-8: { "data":"{Base64-encoded-certificate}", "dataType":"pfx", "password":"{pfx-file-password}" } |
| protocol (required) | 'Http' 'Https' |
Specifies the protocol of WinRM listener |
virtualMachineAdditionalUnattendContent
| Property | Value | Description |
|---|---|---|
| componentName | 'Microsoft-Windows-Shell-Setup' | The component name. Currently, the only allowable value is Microsoft-Windows-Shell-Setup |
| content (required) | string | Specifies the XML formatted content that is added to the unattend.xml file for the specified path and component. The XML must be less than 4KB and must include the root element for the setting or feature that is being inserted |
| passName | 'OobeSystem' | The pass name. Currently, the only allowable value is OobeSystem |
| settingName (required) | 'AutoLogon' 'FirstLogonCommands' |
Specifies the name of the setting to which the content applies. Possible values are: FirstLogonCommands and AutoLogon |
virtualMachineNetworkInterface
| Property | Value | Description |
|---|---|---|
| naming | naming | |
| enableNetworkSecurityGroup | bool | Deploy a network security group for this nic (default: false unless public IP) |
| networkSecurityGroupNaming | naming | Override the network security group name |
| networkSecurityGroupRules | securityRule[] | List of rules which should be applied to the network security group |
| enableAcceleratedNetworking | bool | Specifies whether the network interface is accelerated networking-enabled |
| enableFpga | bool | Specifies whether the network interface is FPGA networking-enabled |
| enableIPForwarding | bool | Whether IP forwarding enabled on this NIC |
| auxiliaryMode | 'AcceleratedConnections' 'Floating' 'MaxConnections' 'None' |
Auxiliary mode of Network Interface resource |
| auxiliarySku | 'A1' 'A2' 'A4' 'A8' 'None' |
Auxiliary sku of Network Interface resource |
| migrationPhase | 'Abort' 'Commit' 'Committed' 'None' 'Prepare' |
Migration phase of Network Interface resource |
| nicType | 'Elastic' 'Standard' |
Type of Network Interface resource |
| ipConfigs | virtualMachineIPConfig[] | |
| deleteOption | 'Delete' 'Detach' |
Specify what happens to the network interface when the VM is deleted |
| primary | bool | Specifies the primary network interface in case the virtual machine has more than 1 network interface |
| forceDefaultNaming | bool | Force the naming for nic, ipconfig, nsg and pip just like other resources following the naming convention instead of {vmname}-nic-index |
| subnetId (required) | string | The subnet to which this ipconfig should be associated |
| dnsServers | string[] | List of DNS servers IP addresses. UseAzureProvidedDNS to switch to azure provided DNS resolution. AzureProvidedDNS value cannot be combined with other IPs, it must be the only value in dnsServers collection. |
virtualMachineIPConfig
| Property | Value | Description |
|---|---|---|
| name | string | Override the IP config name (default: ipconfig-#) |
| publicIPNaming | naming | Override the public IP address name |
| enablePublicIP | bool | Deploy a public IP for this ipconfig |
| ddosProtectionMode | 'Disabled' 'Enabled' 'VirtualNetworkInherited' |
DDoS Protection plan for public IP, Enabled = configure per IP (default = VirtualNetworkInherited) |
| privateIPAddress | string | PrivateIPAddress of the network interface IP Configuration |
| primary | bool | Force this ipconfig as the primary for this nic (default: first ipconfig) |
| loadBalancerBackendAddressPoolIds | string[] | List of ids of the load balancer backend address pools |
| loadBalancerInboundNatRulesIds | string[] | List of ids of load balancer inbound NAT rules to associate with |
| applicationGatewayBackendAddressPoolIds | string[] | List of ids of the application gateway backend address pools |
| applicationSecurityGroupIds | string[] | List of ids of the application security groups |
| gatewayLoadBalancerId | string | Id of the gateway load balancer |
virtualMachineGalleryApplication
| Property | Value | Description |
|---|---|---|
| configurationReference | string | Optional, Specifies the uri to an azure blob that will replace the default configuration for the package if provided |
| enableAutomaticUpgrade | bool | If set to true, when a new Gallery Application version is available in PIR/SIG, it will be automatically updated for the VM/VMSS |
| order | int | Optional, Specifies the order in which the packages have to be installed |
| packageReferenceId (required) | string | Specifies the GalleryApplicationVersion resource id on the form of /subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/applications/{application}/versions/{version} |
| tags | string | Optional, Specifies a passthrough value for more generic context |
| treatFailureAsDeploymentFailure | bool | Optional, If true, any failure for any operation in the VmApplication will fail the deployment |
sqlConfiguration
| Property | Value | Description |
|---|---|---|
| sqlServerLicenseType | 'AHUB' 'DR' 'PAYG' |
License type of the SQL server. This will impact your billing. Use AHUB if you have a SQL license you can bring to Azure. |
| storageConfigurationSettings (required) | storageConfigurationSettings | Storage specific configuration |
| leastPrivilegeMode | 'Enabled' 'NotSet' |
sqlDataSettings
| Property | Value | Description |
|---|---|---|
| defaultFilePath (required) | string | SQL Server default file path for data. |
| luns (required) | int[] | LUN numbers of the disks to be used for SQL data files. |
sqlLogSettings
| Property | Value | Description |
|---|---|---|
| defaultFilePath (required) | string | SQL Server default file path for logs. |
| luns (required) | int[] | LUN numbers of the disks to be used for SQL log files. |
sqlTempDbSettings
| Property | Value | Description |
|---|---|---|
| dataFileCount (required) | int | |
| dataFileSize (required) | int | |
| dataGrowth (required) | int | |
| defaultFilePath (required) | string | SQL Server default file path for tempdb. |
| logFileSize (required) | int | |
| logGrowth (required) | int | |
| luns | int[] | |
| persistFolder | bool | |
| persistFolderPath | string | |
| useStoragePool | bool | Use storage pool to build a drive if true (default: false). |
storageConfigurationSettings
| Property | Value | Description |
|---|---|---|
| storageWorkloadType | 'DW' 'GENERAL' 'OLTP' |
|
| diskConfigurationType | 'ADD' 'EXTEND' 'NEW' |
|
| sqlDataSettings (required) | sqlDataSettings | Settings related to SQL data files |
| sqlLogSettings (required) | sqlLogSettings | Settings related to SQL log files |
| sqlTempDbSettings | sqlTempDbSettings | Settings related to SQL tempdb files |
| sqlSystemDbOnDataDisk | bool |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
securityRule
| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| priority | int | The priority of the rule, the priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule (default: 1000+index of rule) [integer 100-4096] |
| direction (required) | 'Inbound' 'Outbound' |
The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic |
| access | 'Allow' 'Deny' |
The network traffic is allowed or denied (default: Allow) |
| protocol | '*' 'Ah' 'Esp' 'Icmp' 'Tcp' 'Udp' |
Network protocol this rule applies to (default: *) |
| sourceAddressPrefix | string | The source IP range (default: Any) [CIDR notation |
| sourceAddressPrefixes | string[] | The source IP ranges [Array of CIDR notations] |
| sourceApplicationSecurityGroups | string[] | The array of application security groups specified as source [Array of ResourceIds] |
| sourcePortRange | string | The source port range (default: Any) [string 0-65535] |
| sourcePortRanges | string[] | The source port ranges [array of strings 0-65535] |
| destinationAddressPrefix | string | The destination IP range (default: Any) [CIDR notation |
| destinationAddressPrefixes | string[] | The destination IP ranges [Array of CIDR notations or ServiceTags] |
| destinationApplicationSecurityGroups | string[] | The array of application security groups specified as destination [Array of ResourceIds] |
| destinationPortRange | string | The destination port range (default: Any) [string 0-65535] |
| destinationPortRanges | string[] | The destination port ranges [array of strings 0-65535] |
Changelog
10.0.0 (2025-10-08)
⚠ BREAKING CHANGES
- remove read-only param enableVMAgentPlatformUpdates in windowsConfiguration
Features
- remove read-only param enableVMAgentPlatformUpdates in windowsConfiguration
9.0.1 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
9.0.0 (2025-09-24)
⚠ BREAKING CHANGES
- remove deprecated outputs
Bug Fixes
- remove deprecated outputs
8.3.0 (2025-09-22)
Features
- add SQL VM resource configuration
8.2.6 (2025-08-12)
Bug Fixes
- make timeZone param optional in windowsConfiguration
8.2.5 (2025-07-09)
Bug Fixes
- remove unneeded parameter + formatting
8.2.4 (2025-06-19)
Bug Fixes
- securityProfile uefiSettings optional
8.2.3 (2025-05-05)
Bug Fixes
- return dataDisks value null if VM has no datadisks (eliminates issue with Marketplace offers that include a data disk)
8.2.2 (2025-04-29)
Bug Fixes
- add vm resource role assignments not applying
8.2.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
8.2.0 (2025-03-26)
Features
- add resourceName output
8.1.1 (2025-03-21)
Bug Fixes
- mitigate bug when creating a VM with existing data disks
8.1.0 (2025-02-24)
Features
- add auto-shutdown capability
8.0.0 (2025-01-03)
⚠ BREAKING CHANGES
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.
Features
- use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.