The Azure Polaris Terraform Module provisions confidential computing containers in Azure Container Instances (ACI) with optional Azure Key Vault integration. It deploys three containers:
- Polaris Proxy: Exposes a secure service with configurable encryption, CORS, and logging.
- Client Workload: Runs your custom workload application.
- SKR Sidecar (when Key Vault is enabled): Handles the secure key release (SKR) protocol.
Optional integration with Azure Key Vault enables enhanced security through hardware attestation and secure key release policies.
For more detailed information about Polaris, please visit the Polaris documentation.
Requirement | Details |
---|---|
Terraform | >= 1.0.0 |
Azure Provider | >= 4.22.0 |
Azure API Provider | >= 2.3.0 |
Azure Subscription | Active with necessary permissions |
- Polaris: Basic container group with Docker containers.
- Polaris Pro: In addition to the standard setup, it enables Azure Key Vault integration, providing enhanced security via HSM-backed key vault and secure key release, which may incur additional costs.
Be aware that deploying with `enable_key_vault = true` may incur additional costs compared to the standard deployment. This mode leverages Azure Key Vault Premium tier and confidential computing features, which have their own pricing. Please refer to Azure pricing documentation for detailed cost estimates.
Name | Type | Description | Default |
---|---|---|---|
name | string | Base name for all resources | N/A |
location | string | Azure region for deployment | N/A |
subscription_id | string | Azure subscription ID | N/A |
Name | Type | Description | Default |
---|---|---|---|
container_cpu | number | CPU cores for main workload container | 1 |
container_memory | number | Memory size in GB for main workload container | 4 |
Name | Type | Description | Default |
---|---|---|---|
new_vnet_enabled | bool | Whether to create a new virtual network | true |
networking_type | string | Networking type (Public or Private) | Public |
dns_name_label | string | DNS name label for public IP | "" |
vnet_name | string | Name of existing virtual network | "" |
vnet_resource_group | string | Resource group of existing virtual network | "" |
vnet_address_space | list(string) | Address space for new virtual network | ["10.0.0.0/16"] |
subnet_name | string | Subnet name | "default" |
subnet_address_prefix | string | Subnet address prefix | "10.0.1.0/24" |
Name | Type | Description | Default |
---|---|---|---|
enable_key_vault | bool | Enable key vault integration | true |
polaris_proxy_source_ranges | list(string) | IP ranges allowed to access the Polaris proxy | ["0.0.0.0/0"] |
polaris_proxy_enable_input_encryption | bool | Enable input encryption | false |
polaris_proxy_enable_output_encryption | bool | Enable output encryption | false |
attestation_policy | object | Custom attestation policy for secure key release | Default policy (see below) |
Name | Type | Description | Default |
---|---|---|---|
polaris_proxy_image_version | string | Polaris proxy image version/tag | "latest" |
polaris_proxy_port | number | Port exposed by the Polaris proxy | 3000 |
polaris_proxy_enable_cors | bool | Enable CORS for API endpoints | false |
polaris_proxy_enable_logging | bool | Enable enhanced logging | true |
maa_endpoint | string | Microsoft Azure Attestation endpoint for SKR | "sharedweu.weu.attest.azure.net" |
Name | Type | Description | Default |
---|---|---|---|
workload_image | string | Container image for the workload | N/A |
workload_port | number | Port exposed by the workload | 8000 |
workload_env_vars | map(string) | Environment variables for the workload | {} |
workload_arguments | list(string) | Command arguments for the workload | [] |
Name | Type | Description | Default |
---|---|---|---|
registry_login_server | string | Custom registry login server | "" |
registry_username | string | Custom registry username | "" |
registry_password | string | Custom registry password | "" |
The module offers two modes depending on the value of `enable_key_vault`:
Feature | Polaris (enable_key_vault = false) | Polaris Pro (enable_key_vault = true) |
---|---|---|
Container Group | Standard container group | Confidential container group with SKR sidecar |
Authentication | Basic container identity | System-assigned managed identity |
Key Management | Ephemeral keys | Azure Key Vault integration with secure key release |
Security | Container isolation | Hardware attestation and secure key release |
Output Name | Description |
---|---|
resource_group_name | Name of the resource group |
container_group_name | Name of the container group |
container_group_ip | IP address of the container group (public networking) |
container_group_fqdn | FQDN of the container group (public networking) |
key_vault_name | Name of the key vault (when enabled) |
key_vault_uri | URI of the key vault (when enabled) |
key_name | Name of the key (when enabled) |
The module provisions these core resources:
- Resource Group
- Container Registry (ACR)
- Container Group with:
  - Polaris Proxy Container
  - Client Workload Container
  - SKR Sidecar Container (Polaris Pro only)
- Virtual Network & NSG (when using private networking)
- Key Vault with HSM-backed keys (Polaris Pro only)
- Azure Confidential Containers: When `enable_key_vault = true`, the module deploys Confidential Containers using Azure's Confidential Computing platform.
- Hardware Attestation: The system leverages Azure Attestation Service for hardware-level validation of container integrity.
- Secure Key Release: Uses Azure Key Vault's SKR protocol to release keys only to validated confidential environments.
- Polaris Proxy Container: Front-facing service that handles API requests, enforces security policies, and manages encryption.
- Client Workload Container: Your application code running in an isolated environment.
- SKR Sidecar Container: In Polaris Pro mode, facilitates communication with Azure Attestation and Key Vault for key management.
- Public vs Private Networking: Choose between public-facing deployments or private VNET integration.
- IP Restrictions: Configure `polaris_proxy_source_ranges` to limit access to specific IP addresses.
- Delegation Setup: For private networking, the module configures proper subnet delegation for ACI.
- HSM-Backed Keys: In Polaris Pro mode, keys are stored in Azure Key Vault's Hardware Security Modules.
- Attestation Policy: Customize the attestation requirements for key release with the `attestation_policy` variable.
- MAA Integration: Configure regional Microsoft Azure Attestation endpoints via the `maa_endpoint` variable.
This module requires:
- An authenticated Azure session (via CLI, service principal, or managed identity)
- The `subscription_id` parameter must match your authenticated session's subscription
- The authenticated identity must have the following permissions:
  - Contributor role on the subscription or resource group
  - User Access Administrator role (for managing identities)
  - Key Vault Administrator role (if using `enable_key_vault = true`)
Ensure these Azure resource providers are registered in your subscription:
```shell
az provider register --namespace Microsoft.ContainerInstance
az provider register --namespace Microsoft.ContainerRegistry
az provider register --namespace Microsoft.KeyVault
az provider register --namespace Microsoft.Network
az provider register --namespace Microsoft.ManagedIdentity
```
```hcl
module "polaris_azure_module" {
  source          = "Fr0ntierX/polaris/azure"
  subscription_id = "your-subscription-id"
  name            = "polaris-example"
  location        = "West Europe"

  # Security & Encryption
  enable_key_vault = true

  # Container Resources
  container_memory = 4
  container_cpu    = 2

  # Networking Configuration
  networking_type  = "Public"
  new_vnet_enabled = true
  dns_name_label   = "polaris-example-app"

  # Polaris Proxy Configuration
  polaris_proxy_enable_input_encryption  = true
  polaris_proxy_enable_output_encryption = true
  polaris_proxy_enable_cors              = true
  polaris_proxy_enable_logging           = true

  # Workload Configuration
  workload_image = "your-registry.azurecr.io/your-workload:latest"
  workload_port  = 8000
}
```
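The networking and security options described above combined into a private, Polaris Pro deployment. This is an added example, not configuration from the module's documentation; the VNet, subnet, CIDR, image tag and registry values are placeholders, and the module inputs are the ones listed in the variable tables.

```hcl
# Added example, not from the module's own documentation. Input names are the
# module variables documented above; VNet/subnet names, the CIDR, the image
# tags and the registry values are placeholders to replace with your own.

# Keep registry credentials out of the configuration file.
variable "registry_username" {
  type      = string
  sensitive = true
}

variable "registry_password" {
  type      = string
  sensitive = true
}

module "polaris_azure_private" {
  source          = "Fr0ntierX/polaris/azure"
  subscription_id = "your-subscription-id"
  name            = "polaris-private"
  location        = "West Europe"

  # Polaris Pro: confidential container group, SKR sidecar, HSM-backed keys
  enable_key_vault = true
  maa_endpoint     = "sharedweu.weu.attest.azure.net"

  # Attach to an existing VNet instead of creating one (private networking)
  networking_type     = "Private"
  new_vnet_enabled    = false
  vnet_name           = "corp-vnet"       # placeholder
  vnet_resource_group = "corp-network-rg" # placeholder
  subnet_name         = "polaris-aci"     # placeholder

  # Replace the permissive default ["0.0.0.0/0"] with the networks that need access
  polaris_proxy_source_ranges = ["10.20.0.0/16"] # placeholder internal range

  # Encrypt both directions through the proxy; CORS stays off for non-browser clients
  polaris_proxy_enable_input_encryption  = true
  polaris_proxy_enable_output_encryption = true
  polaris_proxy_enable_cors              = false
  polaris_proxy_enable_logging           = true
  polaris_proxy_image_version            = "1.2.3" # placeholder: pin a tag rather than "latest"

  # Workload pulled from a private registry using the sensitive variables above
  workload_image        = "your-registry.azurecr.io/your-workload:1.0.0"
  workload_port         = 8000
  registry_login_server = "your-registry.azurecr.io"
  registry_username     = var.registry_username
  registry_password     = var.registry_password
}
```

Supply the two sensitive variables through `TF_VAR_registry_username` / `TF_VAR_registry_password` or a `.tfvars` file kept out of version control.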