Terraform module for deploying Azure Virtual Desktop. Deploys a single personal or shared host pool.
Here are some short examples with referenced resources cut out. See examples-directory for full examples.
This method is useful if you want each user to have their own assignment and you want to maintain access with Terraform. Full example here.
module "avd" {
source = "decensas/azure-virtual-desktop/azurerm"
version = "0.1.2"
system_name = "avd"
resource_group_name = azurerm_resource_group.main.name
data_location = azurerm_resource_group.main.location
host_location = azurerm_resource_group.main.location
vm_size = "Standard_D2s_v3"
number_of_hosts = 3
host_pool_type = "Pooled"
host_pool_load_balancer_type = "BreadthFirst"
avd_users_upns = ["user1@domain.com", "user2@domain.com"]
avd_admins_upns = ["admin@domain.com"]
workspace_friendly_name = "User assigned shared hosts"
subnet_id = azurerm_subnet.main.id
}
This method is useful if you have Azure AD groups that you want to assign as users and admins, giving you the possibility to add assignments manually. Full example here.
A variation of this can also be used where you enter object ids directly into avd_users_object_ids
and avd_admins_object_ids
. This is useful if Terraform doesn't have Directory.Read-access to Azure AD.
Note that the values of
avd_users_object_ids
andavd_admins_object_ids
must already be known to Terraform at apply, meaning they can't depend on resources being deployed in the same step.
module "avd" {
source = "decensas/azure-virtual-desktop/azurerm"
version = "0.1.2"
system_name = "avd"
resource_group_name = azurerm_resource_group.main.name
data_location = azurerm_resource_group.main.location
host_location = azurerm_resource_group.main.location
vm_size = "Standard_D2s_v3"
number_of_hosts = 3
host_pool_type = "Pooled"
host_pool_load_balancer_type = "BreadthFirst"
avd_admins_object_ids = [data.azuread_group.admins.object_id]
avd_users_object_ids = [data.azuread_group.users.object_id]
workspace_friendly_name = "Groups assigned shared hosts"
subnet_id = azurerm_subnet.main.id
}
This is an example on how to deploy personal hosts. The hosts will be assigned when a user first logs in and the assignments will last unitl manually unassigned. Keep in mind that the users will still have access to other hosts through RDP if the network permits it. Full example here.
module "avd" {
source = "decensas/azure-virtual-desktop/azurerm"
version = "0.1.2"
system_name = "avd"
resource_group_name = azurerm_resource_group.main.name
data_location = azurerm_resource_group.main.location
host_location = azurerm_resource_group.main.location
vm_size = "Standard_D2s_v3"
number_of_hosts = 3
host_pool_type = "Personal"
start_vm_on_connect = true
avd_users_upns = ["user1@domain.com", "user2@domain.com"]
avd_admins_upns = ["admin@domain.com"]
workspace_friendly_name = "User assigned personal hosts"
subnet_id = azurerm_subnet.main.id
}
This example shows how to make the module deploy an availability set for the VMs. Full example here.
module "avd" {
source = "decensas/azure-virtual-desktop/azurerm"
version = "0.1.2"
system_name = "avd"
resource_group_name = azurerm_resource_group.main.name
data_location = azurerm_resource_group.main.location
host_location = azurerm_resource_group.main.location
use_availability_set = true
availability_number_of_fault_domains = 3
availability_number_of_update_domains = 20
vm_size = "Standard_D2s_v3"
number_of_hosts = 3
host_pool_type = "Personal"
avd_users_upns = ["user1@domain.com", "user2@domain.com"]
avd_admins_upns = ["admin@domain.com"]
workspace_friendly_name = "Availability set"
subnet_id = azurerm_subnet.main.id
}
Name | Version |
---|---|
terraform | >= 1.2.8 |
azuread | ~> 2.0 |
azurerm | ~> 3.0 |
random | ~> 3.0 |
time | ~> 0.8.0 |
Name | Version |
---|---|
azuread | ~> 2.0 |
azurerm | ~> 3.0 |
random | ~> 3.0 |
time | ~> 0.8.0 |
No modules.
Name | Type |
---|---|
azurerm_availability_set.main | resource |
azurerm_network_interface.main | resource |
azurerm_role_assignment.admins | resource |
azurerm_role_assignment.appgroup | resource |
azurerm_role_assignment.start_on_connect | resource |
azurerm_role_assignment.users | resource |
azurerm_virtual_desktop_application_group.main | resource |
azurerm_virtual_desktop_host_pool.main | resource |
azurerm_virtual_desktop_host_pool_registration_info.main | resource |
azurerm_virtual_desktop_workspace.main | resource |
azurerm_virtual_desktop_workspace_application_group_association.main | resource |
azurerm_virtual_machine_extension.aad_join | resource |
azurerm_virtual_machine_extension.hostpool_join | resource |
azurerm_windows_virtual_machine.main | resource |
random_password.main | resource |
time_static.registration_token_expiration | resource |
azuread_service_principal.avd | data source |
azuread_users.admins | data source |
azuread_users.users | data source |
azurerm_subscription.main | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
aad_joined_allow_access_from_nonjoined | Only applicable if using Azure AD authentication: adds a custom RDP property that allows access to the hosts from non-joined clients. | bool |
true |
no |
availability_number_of_fault_domains | The number of fault domains to configure for the availability set. The number of supported domains varies from region to region. See a list here. Requires var.use_availability_sets to be true. |
number |
2 |
no |
availability_number_of_update_domains | The number of update domains to configure for the availability set. Must be between 1 and 20. Requires var.use_availability_set to be true. |
number |
5 |
no |
avd_admins_object_ids | Set of object IDs of the identites (Azure AD users or groups) who will be authorized to log into the VMs as local administrator. Useful if the identity running Terraform doesn't have Directory.Read-access to Azure AD or if you wish to assign a group, otherwise use var.avd_admins_upns. | set(string) |
[] |
no |
avd_admins_upns | Set of user principal names for the users who will be authorized to log into the VMs as local administrator. | set(string) |
[] |
no |
avd_users_object_ids | Set of object IDs of the identites (Azure AD users or groups) who will be authorized to log into the VMs as regular users. Useful if the identity running Terraform doesn't have Directory.Read-access to Azure AD or if you wish to assign a group, otherwise use var.avd_users_upns. | set(string) |
[] |
no |
avd_users_upns | Set of user principal names for the users who will be authorized to log into the VMs as regular users. | set(string) |
[] |
no |
custom_rdp_properties | Set of strings that will be added as custom RDP properties. E.g.: ["audiocapturemode:i:1", "audiomode:i:0"] | set(string) |
[] |
no |
data_location | The location to which metadata-resources will be deployed. This includes the host-pool, application group and workspace. Location of the virtual machines is defined by var.host_location. See Data locations for Azure Virtual Desktop. | string |
n/a | yes |
desktop_application_group_name_override | Overrides the default name for the deskop application group. Defaults to <var.system_name>-appgroup . |
string |
"" |
no |
enable_accelerated_networking | Should accelerated networking be enabled on the hosts? Only supported by certain vm sizes. | bool |
false |
no |
host_location | The location to which the hosts (VMs) will be deployed. | string |
n/a | yes |
host_pool_load_balancer_type | Only applicable if var.host_pool_type is Pooled: Load balancing method used for new users sessions across the availiable hosts. Valid options are: BreadthFirst , DepthFirst . |
string |
"BreadthFirst" |
no |
host_pool_name_override | Overrides the default name for the host pool. Defaults to <var.system_name>-hostpool . |
string |
"" |
no |
host_pool_type | The type of the host pool. Valid options are Personal or Pooled |
string |
n/a | yes |
host_source_image_reference | The reference to the operating system that will be used in the hosts. You can find this with az cli or PowerShell. This should most likely be a variant of Windows 10/11 enterprise multi session-edition or Windows Server. | object({ |
{ |
no |
license_type | Specifies a type of on-premises license to be used with the session hosts. Sometimes referred to as Azure Hybrid Benefit. You must have a license with mutli-tenant hosting rights (Windows Server or Windows 10/11). Possible values are None , Windows_Client and Windows_Server . |
string |
"None" |
no |
local_admin_password | The password of the local admin account on the hosts. Defaults to generating a random password per host. This will be saved in state. | string |
"" |
no |
local_admin_username | The username of the local admin account on the hosts. | string |
"azureuser" |
no |
network_interface_name_format | The format of the NIC names. The string is var.system_name. The number is the NIC number. See format-function. | string |
"%s-nic%02d" |
no |
number_of_hosts | The number of hosts that will be deployed. | number |
n/a | yes |
resource_group_name | The name of the resource group in which to deploy the AVD-resources. | string |
n/a | yes |
start_vm_on_connect | Will enable automatic start of hosts on connection when required. Separate automation is required to stop and deallocate hosts. | bool |
false |
no |
subnet_id | The ID of the subnet to where the hosts will be deployed. Must be in the same region as var.host_location. | string |
n/a | yes |
system_name | The main name of the system. Will be used as a part of naming for multiple resources. | string |
n/a | yes |
tags | Tags that will be applied to all deployed resources. | map(string) |
{} |
no |
use_availability_set | Should the VMs be deployed to an availability set? | bool |
false |
no |
virtual_machine_name_format | The format of the VM names. The string is var.system_name. The number is the VM number. See format-function. | string |
"%s-vm%02d" |
no |
vm_size | The size of the hosts. E.g. Standard_D2s_v3 . See Microsoft Docs: VM sizes. |
string |
n/a | yes |
workspace_friendly_name | Gives the ability to give a user-facing name to the AVD workspace. Will by default appear to the user as <var.system_name>-workspace . |
string |
"" |
no |
workspace_name_override | Overrides the default name for the workspace. Defaults to <var.system_name>-workspace . |
string |
"" |
no |
Name | Description |
---|---|
network_interfaces | An array of the NIC-objects created by this module. |
virtual_machines | An array of the VM-objects created by this module. |
If you're assigning users with MFA required, do note that they need to connect from a client that is joined to the same Azure AD and using Windows 10 2004 or later using either the Windows Client or Microsoft Edge. If this isn't a possibility, you must exclude the Windows VM Login application from MFA using Azure AD Conditional Access. If set up correctly, MFA will still be required to use the Azure Virtual Desktop application.
Be aware that the module sets role assignments on the resource group level. Meaning that admins and users defined in the input variables will be given the same access to other VMs in the same resource group.
You can enable the Start VM on Connect-feature by setting
var.start_vm_on_connect
. This will allocate deallocated VMs on user sign-in when required. It will not stop and/or deallocate running VMs. Separate automation can be set up for deallocation of unused hosts.
- Azure AD authentication to hosts
- Autoscale plans
- Personal user profile roaming using fslogix
- Infrastructure redundancy
- Add flags for default RDP properties