The azure-native:compute:GalleryImageVersion resource, part of the Pulumi Azure Native provider, defines a versioned snapshot of a gallery image, capturing OS and data disk state for distribution across regions. This guide focuses on three capabilities: creating versions from VMs and snapshots, multi-region replication with encryption, and shallow replication and UEFI secure boot.
Image versions belong to an Azure Compute Gallery and reference source VMs, snapshots, or VHDs. They may also reference DiskEncryptionSet resources for encryption and storage accounts for VHD access. The examples are intentionally small. Combine them with your own gallery infrastructure and encryption configuration.
Create a version from a running VM
Teams building golden images often capture a configured VM as a gallery image version, preserving its OS and data disk state for reuse across deployments.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const galleryImageVersion = new azure_native.compute.GalleryImageVersion("galleryImageVersion", {
galleryImageName: "myGalleryImageName",
galleryImageVersionName: "1.0.0",
galleryName: "myGalleryName",
location: "West US",
publishingProfile: {
targetRegions: [
{
encryption: {
dataDiskImages: [
{
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherWestUSDiskEncryptionSet",
lun: 0,
},
{
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
lun: 1,
},
],
osDiskImage: {
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
},
},
excludeFromLatest: false,
name: "West US",
regionalReplicaCount: 2,
},
{
encryption: {
dataDiskImages: [
{
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherEastUSDiskEncryptionSet",
lun: 0,
},
{
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
lun: 1,
},
],
osDiskImage: {
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
},
},
excludeFromLatest: false,
name: "East US",
regionalReplicaCount: 2,
storageAccountType: azure_native.compute.StorageAccountType.Standard_ZRS,
},
],
},
resourceGroupName: "myResourceGroup",
safetyProfile: {
allowDeletionOfReplicatedLocations: false,
blockDeletionBeforeEndOfLife: false,
},
storageProfile: {
source: {
virtualMachineId: "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}",
},
},
});
import pulumi
import pulumi_azure_native as azure_native
gallery_image_version = azure_native.compute.GalleryImageVersion("galleryImageVersion",
gallery_image_name="myGalleryImageName",
gallery_image_version_name="1.0.0",
gallery_name="myGalleryName",
location="West US",
publishing_profile={
"target_regions": [
{
"encryption": {
"data_disk_images": [
{
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherWestUSDiskEncryptionSet",
"lun": 0,
},
{
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
"lun": 1,
},
],
"os_disk_image": {
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
},
},
"exclude_from_latest": False,
"name": "West US",
"regional_replica_count": 2,
},
{
"encryption": {
"data_disk_images": [
{
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherEastUSDiskEncryptionSet",
"lun": 0,
},
{
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
"lun": 1,
},
],
"os_disk_image": {
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
},
},
"exclude_from_latest": False,
"name": "East US",
"regional_replica_count": 2,
"storage_account_type": azure_native.compute.StorageAccountType.STANDARD_ZRS,
},
],
},
resource_group_name="myResourceGroup",
safety_profile={
"allow_deletion_of_replicated_locations": False,
"block_deletion_before_end_of_life": False,
},
storage_profile={
"source": {
"virtual_machine_id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}",
},
})
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewGalleryImageVersion(ctx, "galleryImageVersion", &compute.GalleryImageVersionArgs{
GalleryImageName: pulumi.String("myGalleryImageName"),
GalleryImageVersionName: pulumi.String("1.0.0"),
GalleryName: pulumi.String("myGalleryName"),
Location: pulumi.String("West US"),
PublishingProfile: &compute.GalleryImageVersionPublishingProfileArgs{
TargetRegions: compute.TargetRegionArray{
&compute.TargetRegionArgs{
Encryption: &compute.EncryptionImagesArgs{
DataDiskImages: compute.DataDiskImageEncryptionArray{
&compute.DataDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherWestUSDiskEncryptionSet"),
Lun: pulumi.Int(0),
},
&compute.DataDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet"),
Lun: pulumi.Int(1),
},
},
OsDiskImage: &compute.OSDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet"),
},
},
ExcludeFromLatest: pulumi.Bool(false),
Name: pulumi.String("West US"),
RegionalReplicaCount: pulumi.Int(2),
},
&compute.TargetRegionArgs{
Encryption: &compute.EncryptionImagesArgs{
DataDiskImages: compute.DataDiskImageEncryptionArray{
&compute.DataDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherEastUSDiskEncryptionSet"),
Lun: pulumi.Int(0),
},
&compute.DataDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet"),
Lun: pulumi.Int(1),
},
},
OsDiskImage: &compute.OSDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet"),
},
},
ExcludeFromLatest: pulumi.Bool(false),
Name: pulumi.String("East US"),
RegionalReplicaCount: pulumi.Int(2),
StorageAccountType: pulumi.String(compute.StorageAccountType_Standard_ZRS),
},
},
},
ResourceGroupName: pulumi.String("myResourceGroup"),
SafetyProfile: &compute.GalleryImageVersionSafetyProfileArgs{
AllowDeletionOfReplicatedLocations: pulumi.Bool(false),
BlockDeletionBeforeEndOfLife: pulumi.Bool(false),
},
StorageProfile: &compute.GalleryImageVersionStorageProfileArgs{
Source: &compute.GalleryArtifactVersionFullSourceArgs{
VirtualMachineId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var galleryImageVersion = new AzureNative.Compute.GalleryImageVersion("galleryImageVersion", new()
{
GalleryImageName = "myGalleryImageName",
GalleryImageVersionName = "1.0.0",
GalleryName = "myGalleryName",
Location = "West US",
PublishingProfile = new AzureNative.Compute.Inputs.GalleryImageVersionPublishingProfileArgs
{
TargetRegions = new[]
{
new AzureNative.Compute.Inputs.TargetRegionArgs
{
Encryption = new AzureNative.Compute.Inputs.EncryptionImagesArgs
{
DataDiskImages = new[]
{
new AzureNative.Compute.Inputs.DataDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherWestUSDiskEncryptionSet",
Lun = 0,
},
new AzureNative.Compute.Inputs.DataDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
Lun = 1,
},
},
OsDiskImage = new AzureNative.Compute.Inputs.OSDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
},
},
ExcludeFromLatest = false,
Name = "West US",
RegionalReplicaCount = 2,
},
new AzureNative.Compute.Inputs.TargetRegionArgs
{
Encryption = new AzureNative.Compute.Inputs.EncryptionImagesArgs
{
DataDiskImages = new[]
{
new AzureNative.Compute.Inputs.DataDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherEastUSDiskEncryptionSet",
Lun = 0,
},
new AzureNative.Compute.Inputs.DataDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
Lun = 1,
},
},
OsDiskImage = new AzureNative.Compute.Inputs.OSDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
},
},
ExcludeFromLatest = false,
Name = "East US",
RegionalReplicaCount = 2,
StorageAccountType = AzureNative.Compute.StorageAccountType.Standard_ZRS,
},
},
},
ResourceGroupName = "myResourceGroup",
SafetyProfile = new AzureNative.Compute.Inputs.GalleryImageVersionSafetyProfileArgs
{
AllowDeletionOfReplicatedLocations = false,
BlockDeletionBeforeEndOfLife = false,
},
StorageProfile = new AzureNative.Compute.Inputs.GalleryImageVersionStorageProfileArgs
{
Source = new AzureNative.Compute.Inputs.GalleryArtifactVersionFullSourceArgs
{
VirtualMachineId = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.GalleryImageVersion;
import com.pulumi.azurenative.compute.GalleryImageVersionArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionPublishingProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionSafetyProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionStorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryArtifactVersionFullSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var galleryImageVersion = new GalleryImageVersion("galleryImageVersion", GalleryImageVersionArgs.builder()
.galleryImageName("myGalleryImageName")
.galleryImageVersionName("1.0.0")
.galleryName("myGalleryName")
.location("West US")
.publishingProfile(GalleryImageVersionPublishingProfileArgs.builder()
.targetRegions(
TargetRegionArgs.builder()
.encryption(EncryptionImagesArgs.builder()
.dataDiskImages(
DataDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherWestUSDiskEncryptionSet")
.lun(0)
.build(),
DataDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet")
.lun(1)
.build())
.osDiskImage(OSDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet")
.build())
.build())
.excludeFromLatest(false)
.name("West US")
.regionalReplicaCount(2)
.build(),
TargetRegionArgs.builder()
.encryption(EncryptionImagesArgs.builder()
.dataDiskImages(
DataDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherEastUSDiskEncryptionSet")
.lun(0)
.build(),
DataDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet")
.lun(1)
.build())
.osDiskImage(OSDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet")
.build())
.build())
.excludeFromLatest(false)
.name("East US")
.regionalReplicaCount(2)
.storageAccountType("Standard_ZRS")
.build())
.build())
.resourceGroupName("myResourceGroup")
.safetyProfile(GalleryImageVersionSafetyProfileArgs.builder()
.allowDeletionOfReplicatedLocations(false)
.blockDeletionBeforeEndOfLife(false)
.build())
.storageProfile(GalleryImageVersionStorageProfileArgs.builder()
.source(GalleryArtifactVersionFullSourceArgs.builder()
.virtualMachineId("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}")
.build())
.build())
.build());
}
}
resources:
galleryImageVersion:
type: azure-native:compute:GalleryImageVersion
properties:
galleryImageName: myGalleryImageName
galleryImageVersionName: 1.0.0
galleryName: myGalleryName
location: West US
publishingProfile:
targetRegions:
- encryption:
dataDiskImages:
- diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherWestUSDiskEncryptionSet
lun: 0
- diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet
lun: 1
osDiskImage:
diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet
excludeFromLatest: false
name: West US
regionalReplicaCount: 2
- encryption:
dataDiskImages:
- diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherEastUSDiskEncryptionSet
lun: 0
- diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet
lun: 1
osDiskImage:
diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet
excludeFromLatest: false
name: East US
regionalReplicaCount: 2
storageAccountType: Standard_ZRS
resourceGroupName: myResourceGroup
safetyProfile:
allowDeletionOfReplicatedLocations: false
blockDeletionBeforeEndOfLife: false
storageProfile:
source:
virtualMachineId: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/virtualMachines/{vmName}
The storageProfile.source.virtualMachineId points to the VM you want to capture. Azure snapshots the VM’s disks and stores them in the gallery. The publishingProfile.targetRegions array controls where replicas are stored, with regionalReplicaCount setting how many copies exist per region. The encryption block specifies DiskEncryptionSet resources for OS and data disks, identified by LUN (logical unit number).
Create a version from disk snapshots
Organizations managing infrastructure as code often build images from snapshots of OS and data disks, allowing precise control over disk contents without running VMs.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const galleryImageVersion = new azure_native.compute.GalleryImageVersion("galleryImageVersion", {
galleryImageName: "myGalleryImageName",
galleryImageVersionName: "1.0.0",
galleryName: "myGalleryName",
location: "West US",
publishingProfile: {
targetRegions: [
{
encryption: {
dataDiskImages: [{
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
lun: 1,
}],
osDiskImage: {
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
},
},
excludeFromLatest: false,
name: "West US",
regionalReplicaCount: 1,
},
{
encryption: {
dataDiskImages: [{
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
lun: 1,
}],
osDiskImage: {
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
},
},
excludeFromLatest: false,
name: "East US",
regionalReplicaCount: 2,
storageAccountType: azure_native.compute.StorageAccountType.Standard_ZRS,
},
],
},
resourceGroupName: "myResourceGroup",
safetyProfile: {
allowDeletionOfReplicatedLocations: false,
blockDeletionBeforeEndOfLife: false,
},
storageProfile: {
dataDiskImages: [{
hostCaching: azure_native.compute.HostCaching.None,
lun: 1,
source: {
id: "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/disks/{dataDiskName}",
},
}],
osDiskImage: {
hostCaching: azure_native.compute.HostCaching.ReadOnly,
source: {
id: "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/snapshots/{osSnapshotName}",
},
},
},
});
import pulumi
import pulumi_azure_native as azure_native
gallery_image_version = azure_native.compute.GalleryImageVersion("galleryImageVersion",
gallery_image_name="myGalleryImageName",
gallery_image_version_name="1.0.0",
gallery_name="myGalleryName",
location="West US",
publishing_profile={
"target_regions": [
{
"encryption": {
"data_disk_images": [{
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
"lun": 1,
}],
"os_disk_image": {
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
},
},
"exclude_from_latest": False,
"name": "West US",
"regional_replica_count": 1,
},
{
"encryption": {
"data_disk_images": [{
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
"lun": 1,
}],
"os_disk_image": {
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
},
},
"exclude_from_latest": False,
"name": "East US",
"regional_replica_count": 2,
"storage_account_type": azure_native.compute.StorageAccountType.STANDARD_ZRS,
},
],
},
resource_group_name="myResourceGroup",
safety_profile={
"allow_deletion_of_replicated_locations": False,
"block_deletion_before_end_of_life": False,
},
storage_profile={
"data_disk_images": [{
"host_caching": azure_native.compute.HostCaching.NONE,
"lun": 1,
"source": {
"id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/disks/{dataDiskName}",
},
}],
"os_disk_image": {
"host_caching": azure_native.compute.HostCaching.READ_ONLY,
"source": {
"id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/snapshots/{osSnapshotName}",
},
},
})
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewGalleryImageVersion(ctx, "galleryImageVersion", &compute.GalleryImageVersionArgs{
GalleryImageName: pulumi.String("myGalleryImageName"),
GalleryImageVersionName: pulumi.String("1.0.0"),
GalleryName: pulumi.String("myGalleryName"),
Location: pulumi.String("West US"),
PublishingProfile: &compute.GalleryImageVersionPublishingProfileArgs{
TargetRegions: compute.TargetRegionArray{
&compute.TargetRegionArgs{
Encryption: &compute.EncryptionImagesArgs{
DataDiskImages: compute.DataDiskImageEncryptionArray{
&compute.DataDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet"),
Lun: pulumi.Int(1),
},
},
OsDiskImage: &compute.OSDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet"),
},
},
ExcludeFromLatest: pulumi.Bool(false),
Name: pulumi.String("West US"),
RegionalReplicaCount: pulumi.Int(1),
},
&compute.TargetRegionArgs{
Encryption: &compute.EncryptionImagesArgs{
DataDiskImages: compute.DataDiskImageEncryptionArray{
&compute.DataDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet"),
Lun: pulumi.Int(1),
},
},
OsDiskImage: &compute.OSDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet"),
},
},
ExcludeFromLatest: pulumi.Bool(false),
Name: pulumi.String("East US"),
RegionalReplicaCount: pulumi.Int(2),
StorageAccountType: pulumi.String(compute.StorageAccountType_Standard_ZRS),
},
},
},
ResourceGroupName: pulumi.String("myResourceGroup"),
SafetyProfile: &compute.GalleryImageVersionSafetyProfileArgs{
AllowDeletionOfReplicatedLocations: pulumi.Bool(false),
BlockDeletionBeforeEndOfLife: pulumi.Bool(false),
},
StorageProfile: &compute.GalleryImageVersionStorageProfileArgs{
DataDiskImages: compute.GalleryDataDiskImageArray{
&compute.GalleryDataDiskImageArgs{
HostCaching: compute.HostCachingNone,
Lun: pulumi.Int(1),
Source: &compute.GalleryDiskImageSourceArgs{
Id: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/disks/{dataDiskName}"),
},
},
},
OsDiskImage: &compute.GalleryOSDiskImageArgs{
HostCaching: compute.HostCachingReadOnly,
Source: &compute.GalleryDiskImageSourceArgs{
Id: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/snapshots/{osSnapshotName}"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var galleryImageVersion = new AzureNative.Compute.GalleryImageVersion("galleryImageVersion", new()
{
GalleryImageName = "myGalleryImageName",
GalleryImageVersionName = "1.0.0",
GalleryName = "myGalleryName",
Location = "West US",
PublishingProfile = new AzureNative.Compute.Inputs.GalleryImageVersionPublishingProfileArgs
{
TargetRegions = new[]
{
new AzureNative.Compute.Inputs.TargetRegionArgs
{
Encryption = new AzureNative.Compute.Inputs.EncryptionImagesArgs
{
DataDiskImages = new[]
{
new AzureNative.Compute.Inputs.DataDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
Lun = 1,
},
},
OsDiskImage = new AzureNative.Compute.Inputs.OSDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet",
},
},
ExcludeFromLatest = false,
Name = "West US",
RegionalReplicaCount = 1,
},
new AzureNative.Compute.Inputs.TargetRegionArgs
{
Encryption = new AzureNative.Compute.Inputs.EncryptionImagesArgs
{
DataDiskImages = new[]
{
new AzureNative.Compute.Inputs.DataDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
Lun = 1,
},
},
OsDiskImage = new AzureNative.Compute.Inputs.OSDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet",
},
},
ExcludeFromLatest = false,
Name = "East US",
RegionalReplicaCount = 2,
StorageAccountType = AzureNative.Compute.StorageAccountType.Standard_ZRS,
},
},
},
ResourceGroupName = "myResourceGroup",
SafetyProfile = new AzureNative.Compute.Inputs.GalleryImageVersionSafetyProfileArgs
{
AllowDeletionOfReplicatedLocations = false,
BlockDeletionBeforeEndOfLife = false,
},
StorageProfile = new AzureNative.Compute.Inputs.GalleryImageVersionStorageProfileArgs
{
DataDiskImages = new[]
{
new AzureNative.Compute.Inputs.GalleryDataDiskImageArgs
{
HostCaching = AzureNative.Compute.HostCaching.None,
Lun = 1,
Source = new AzureNative.Compute.Inputs.GalleryDiskImageSourceArgs
{
Id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/disks/{dataDiskName}",
},
},
},
OsDiskImage = new AzureNative.Compute.Inputs.GalleryOSDiskImageArgs
{
HostCaching = AzureNative.Compute.HostCaching.ReadOnly,
Source = new AzureNative.Compute.Inputs.GalleryDiskImageSourceArgs
{
Id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/snapshots/{osSnapshotName}",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.GalleryImageVersion;
import com.pulumi.azurenative.compute.GalleryImageVersionArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionPublishingProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionSafetyProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionStorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryOSDiskImageArgs;
import com.pulumi.azurenative.compute.inputs.GalleryDiskImageSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var galleryImageVersion = new GalleryImageVersion("galleryImageVersion", GalleryImageVersionArgs.builder()
.galleryImageName("myGalleryImageName")
.galleryImageVersionName("1.0.0")
.galleryName("myGalleryName")
.location("West US")
.publishingProfile(GalleryImageVersionPublishingProfileArgs.builder()
.targetRegions(
TargetRegionArgs.builder()
.encryption(EncryptionImagesArgs.builder()
.dataDiskImages(DataDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet")
.lun(1)
.build())
.osDiskImage(OSDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet")
.build())
.build())
.excludeFromLatest(false)
.name("West US")
.regionalReplicaCount(1)
.build(),
TargetRegionArgs.builder()
.encryption(EncryptionImagesArgs.builder()
.dataDiskImages(DataDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet")
.lun(1)
.build())
.osDiskImage(OSDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet")
.build())
.build())
.excludeFromLatest(false)
.name("East US")
.regionalReplicaCount(2)
.storageAccountType("Standard_ZRS")
.build())
.build())
.resourceGroupName("myResourceGroup")
.safetyProfile(GalleryImageVersionSafetyProfileArgs.builder()
.allowDeletionOfReplicatedLocations(false)
.blockDeletionBeforeEndOfLife(false)
.build())
.storageProfile(GalleryImageVersionStorageProfileArgs.builder()
.dataDiskImages(GalleryDataDiskImageArgs.builder()
.hostCaching("None")
.lun(1)
.source(GalleryDiskImageSourceArgs.builder()
.id("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/disks/{dataDiskName}")
.build())
.build())
.osDiskImage(GalleryOSDiskImageArgs.builder()
.hostCaching("ReadOnly")
.source(GalleryDiskImageSourceArgs.builder()
.id("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/snapshots/{osSnapshotName}")
.build())
.build())
.build())
.build());
}
}
resources:
galleryImageVersion:
type: azure-native:compute:GalleryImageVersion
properties:
galleryImageName: myGalleryImageName
galleryImageVersionName: 1.0.0
galleryName: myGalleryName
location: West US
publishingProfile:
targetRegions:
- encryption:
dataDiskImages:
- diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet
lun: 1
osDiskImage:
diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myWestUSDiskEncryptionSet
excludeFromLatest: false
name: West US
regionalReplicaCount: 1
- encryption:
dataDiskImages:
- diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet
lun: 1
osDiskImage:
diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myEastUSDiskEncryptionSet
excludeFromLatest: false
name: East US
regionalReplicaCount: 2
storageAccountType: Standard_ZRS
resourceGroupName: myResourceGroup
safetyProfile:
allowDeletionOfReplicatedLocations: false
blockDeletionBeforeEndOfLife: false
storageProfile:
dataDiskImages:
- hostCaching: None
lun: 1
source:
id: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/disks/{dataDiskName}
osDiskImage:
hostCaching: ReadOnly
source:
id: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/snapshots/{osSnapshotName}
The storageProfile.osDiskImage and dataDiskImages arrays reference snapshot or disk IDs directly. Each data disk requires a lun property to match the disk’s attachment point. The hostCaching property controls read/write caching behavior (ReadOnly, ReadWrite, or None). This approach lets you version images without maintaining running VMs.
Use shallow replication for faster distribution
When distributing images to many regions, shallow replication copies only metadata initially, deferring full data replication until VMs are deployed in each region.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const galleryImageVersion = new azure_native.compute.GalleryImageVersion("galleryImageVersion", {
galleryImageName: "myGalleryImageName",
galleryImageVersionName: "1.0.0",
galleryName: "myGalleryName",
location: "West US",
publishingProfile: {
replicationMode: azure_native.compute.ReplicationMode.Shallow,
targetRegions: [{
excludeFromLatest: false,
name: "West US",
regionalReplicaCount: 1,
}],
},
resourceGroupName: "myResourceGroup",
safetyProfile: {
allowDeletionOfReplicatedLocations: false,
blockDeletionBeforeEndOfLife: false,
},
storageProfile: {
source: {
id: "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/images/{imageName}",
},
},
});
import pulumi
import pulumi_azure_native as azure_native
gallery_image_version = azure_native.compute.GalleryImageVersion("galleryImageVersion",
gallery_image_name="myGalleryImageName",
gallery_image_version_name="1.0.0",
gallery_name="myGalleryName",
location="West US",
publishing_profile={
"replication_mode": azure_native.compute.ReplicationMode.SHALLOW,
"target_regions": [{
"exclude_from_latest": False,
"name": "West US",
"regional_replica_count": 1,
}],
},
resource_group_name="myResourceGroup",
safety_profile={
"allow_deletion_of_replicated_locations": False,
"block_deletion_before_end_of_life": False,
},
storage_profile={
"source": {
"id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/images/{imageName}",
},
})
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewGalleryImageVersion(ctx, "galleryImageVersion", &compute.GalleryImageVersionArgs{
GalleryImageName: pulumi.String("myGalleryImageName"),
GalleryImageVersionName: pulumi.String("1.0.0"),
GalleryName: pulumi.String("myGalleryName"),
Location: pulumi.String("West US"),
PublishingProfile: &compute.GalleryImageVersionPublishingProfileArgs{
ReplicationMode: pulumi.String(compute.ReplicationModeShallow),
TargetRegions: compute.TargetRegionArray{
&compute.TargetRegionArgs{
ExcludeFromLatest: pulumi.Bool(false),
Name: pulumi.String("West US"),
RegionalReplicaCount: pulumi.Int(1),
},
},
},
ResourceGroupName: pulumi.String("myResourceGroup"),
SafetyProfile: &compute.GalleryImageVersionSafetyProfileArgs{
AllowDeletionOfReplicatedLocations: pulumi.Bool(false),
BlockDeletionBeforeEndOfLife: pulumi.Bool(false),
},
StorageProfile: &compute.GalleryImageVersionStorageProfileArgs{
Source: &compute.GalleryArtifactVersionFullSourceArgs{
Id: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/images/{imageName}"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var galleryImageVersion = new AzureNative.Compute.GalleryImageVersion("galleryImageVersion", new()
{
GalleryImageName = "myGalleryImageName",
GalleryImageVersionName = "1.0.0",
GalleryName = "myGalleryName",
Location = "West US",
PublishingProfile = new AzureNative.Compute.Inputs.GalleryImageVersionPublishingProfileArgs
{
ReplicationMode = AzureNative.Compute.ReplicationMode.Shallow,
TargetRegions = new[]
{
new AzureNative.Compute.Inputs.TargetRegionArgs
{
ExcludeFromLatest = false,
Name = "West US",
RegionalReplicaCount = 1,
},
},
},
ResourceGroupName = "myResourceGroup",
SafetyProfile = new AzureNative.Compute.Inputs.GalleryImageVersionSafetyProfileArgs
{
AllowDeletionOfReplicatedLocations = false,
BlockDeletionBeforeEndOfLife = false,
},
StorageProfile = new AzureNative.Compute.Inputs.GalleryImageVersionStorageProfileArgs
{
Source = new AzureNative.Compute.Inputs.GalleryArtifactVersionFullSourceArgs
{
Id = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/images/{imageName}",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.GalleryImageVersion;
import com.pulumi.azurenative.compute.GalleryImageVersionArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionPublishingProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionSafetyProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionStorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryArtifactVersionFullSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var galleryImageVersion = new GalleryImageVersion("galleryImageVersion", GalleryImageVersionArgs.builder()
.galleryImageName("myGalleryImageName")
.galleryImageVersionName("1.0.0")
.galleryName("myGalleryName")
.location("West US")
.publishingProfile(GalleryImageVersionPublishingProfileArgs.builder()
.replicationMode("Shallow")
.targetRegions(TargetRegionArgs.builder()
.excludeFromLatest(false)
.name("West US")
.regionalReplicaCount(1)
.build())
.build())
.resourceGroupName("myResourceGroup")
.safetyProfile(GalleryImageVersionSafetyProfileArgs.builder()
.allowDeletionOfReplicatedLocations(false)
.blockDeletionBeforeEndOfLife(false)
.build())
.storageProfile(GalleryImageVersionStorageProfileArgs.builder()
.source(GalleryArtifactVersionFullSourceArgs.builder()
.id("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/images/{imageName}")
.build())
.build())
.build());
}
}
resources:
galleryImageVersion:
type: azure-native:compute:GalleryImageVersion
properties:
galleryImageName: myGalleryImageName
galleryImageVersionName: 1.0.0
galleryName: myGalleryName
location: West US
publishingProfile:
replicationMode: Shallow
targetRegions:
- excludeFromLatest: false
name: West US
regionalReplicaCount: 1
resourceGroupName: myResourceGroup
safetyProfile:
allowDeletionOfReplicatedLocations: false
blockDeletionBeforeEndOfLife: false
storageProfile:
source:
id: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/images/{imageName}
The publishingProfile.replicationMode property set to “Shallow” changes how Azure distributes the image. Instead of copying all disk data upfront, Azure replicates metadata and copies data on-demand when VMs are created. This reduces initial replication time but may increase VM creation latency in new regions.
Configure custom UEFI secure boot keys
Secure boot scenarios require custom UEFI signature databases to validate OS loaders and drivers, particularly for specialized compliance or security requirements.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const galleryImageVersion = new azure_native.compute.GalleryImageVersion("galleryImageVersion", {
galleryImageName: "myGalleryImageName",
galleryImageVersionName: "1.0.0",
galleryName: "myGalleryName",
location: "West US",
publishingProfile: {
targetRegions: [
{
encryption: {
dataDiskImages: [{
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherDiskEncryptionSet",
lun: 1,
}],
osDiskImage: {
diskEncryptionSetId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myDiskEncryptionSet",
},
},
excludeFromLatest: false,
name: "West US",
regionalReplicaCount: 1,
},
{
excludeFromLatest: false,
name: "East US",
regionalReplicaCount: 2,
storageAccountType: azure_native.compute.StorageAccountType.Standard_ZRS,
},
],
},
resourceGroupName: "myResourceGroup",
safetyProfile: {
allowDeletionOfReplicatedLocations: false,
blockDeletionBeforeEndOfLife: false,
},
securityProfile: {
uefiSettings: {
additionalSignatures: {
db: [{
type: azure_native.compute.UefiKeyType.X509,
value: ["<x509 value>"],
}],
dbx: [{
type: azure_native.compute.UefiKeyType.X509,
value: ["<x509 value>"],
}],
kek: [{
type: azure_native.compute.UefiKeyType.Sha256,
value: ["<sha256 value>"],
}],
},
signatureTemplateNames: [azure_native.compute.UefiSignatureTemplateName.MicrosoftUefiCertificateAuthorityTemplate],
},
},
storageProfile: {
dataDiskImages: [{
hostCaching: azure_native.compute.HostCaching.None,
lun: 1,
source: {
storageAccountId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}",
uri: "https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd",
},
}],
osDiskImage: {
hostCaching: azure_native.compute.HostCaching.ReadOnly,
source: {
storageAccountId: "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}",
uri: "https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd",
},
},
},
});
import pulumi
import pulumi_azure_native as azure_native
gallery_image_version = azure_native.compute.GalleryImageVersion("galleryImageVersion",
gallery_image_name="myGalleryImageName",
gallery_image_version_name="1.0.0",
gallery_name="myGalleryName",
location="West US",
publishing_profile={
"target_regions": [
{
"encryption": {
"data_disk_images": [{
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherDiskEncryptionSet",
"lun": 1,
}],
"os_disk_image": {
"disk_encryption_set_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myDiskEncryptionSet",
},
},
"exclude_from_latest": False,
"name": "West US",
"regional_replica_count": 1,
},
{
"exclude_from_latest": False,
"name": "East US",
"regional_replica_count": 2,
"storage_account_type": azure_native.compute.StorageAccountType.STANDARD_ZRS,
},
],
},
resource_group_name="myResourceGroup",
safety_profile={
"allow_deletion_of_replicated_locations": False,
"block_deletion_before_end_of_life": False,
},
security_profile={
"uefi_settings": {
"additional_signatures": {
"db": [{
"type": azure_native.compute.UefiKeyType.X509,
"value": ["<x509 value>"],
}],
"dbx": [{
"type": azure_native.compute.UefiKeyType.X509,
"value": ["<x509 value>"],
}],
"kek": [{
"type": azure_native.compute.UefiKeyType.SHA256,
"value": ["<sha256 value>"],
}],
},
"signature_template_names": [azure_native.compute.UefiSignatureTemplateName.MICROSOFT_UEFI_CERTIFICATE_AUTHORITY_TEMPLATE],
},
},
storage_profile={
"data_disk_images": [{
"host_caching": azure_native.compute.HostCaching.NONE,
"lun": 1,
"source": {
"storage_account_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}",
"uri": "https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd",
},
}],
"os_disk_image": {
"host_caching": azure_native.compute.HostCaching.READ_ONLY,
"source": {
"storage_account_id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}",
"uri": "https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd",
},
},
})
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewGalleryImageVersion(ctx, "galleryImageVersion", &compute.GalleryImageVersionArgs{
GalleryImageName: pulumi.String("myGalleryImageName"),
GalleryImageVersionName: pulumi.String("1.0.0"),
GalleryName: pulumi.String("myGalleryName"),
Location: pulumi.String("West US"),
PublishingProfile: &compute.GalleryImageVersionPublishingProfileArgs{
TargetRegions: compute.TargetRegionArray{
&compute.TargetRegionArgs{
Encryption: &compute.EncryptionImagesArgs{
DataDiskImages: compute.DataDiskImageEncryptionArray{
&compute.DataDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherDiskEncryptionSet"),
Lun: pulumi.Int(1),
},
},
OsDiskImage: &compute.OSDiskImageEncryptionArgs{
DiskEncryptionSetId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myDiskEncryptionSet"),
},
},
ExcludeFromLatest: pulumi.Bool(false),
Name: pulumi.String("West US"),
RegionalReplicaCount: pulumi.Int(1),
},
&compute.TargetRegionArgs{
ExcludeFromLatest: pulumi.Bool(false),
Name: pulumi.String("East US"),
RegionalReplicaCount: pulumi.Int(2),
StorageAccountType: pulumi.String(compute.StorageAccountType_Standard_ZRS),
},
},
},
ResourceGroupName: pulumi.String("myResourceGroup"),
SafetyProfile: &compute.GalleryImageVersionSafetyProfileArgs{
AllowDeletionOfReplicatedLocations: pulumi.Bool(false),
BlockDeletionBeforeEndOfLife: pulumi.Bool(false),
},
SecurityProfile: &compute.ImageVersionSecurityProfileArgs{
UefiSettings: &compute.GalleryImageVersionUefiSettingsArgs{
AdditionalSignatures: &compute.UefiKeySignaturesArgs{
Db: compute.UefiKeyArray{
&compute.UefiKeyArgs{
Type: pulumi.String(compute.UefiKeyTypeX509),
Value: pulumi.StringArray{
pulumi.String("<x509 value>"),
},
},
},
Dbx: compute.UefiKeyArray{
&compute.UefiKeyArgs{
Type: pulumi.String(compute.UefiKeyTypeX509),
Value: pulumi.StringArray{
pulumi.String("<x509 value>"),
},
},
},
Kek: compute.UefiKeyArray{
&compute.UefiKeyArgs{
Type: pulumi.String(compute.UefiKeyTypeSha256),
Value: pulumi.StringArray{
pulumi.String("<sha256 value>"),
},
},
},
},
SignatureTemplateNames: pulumi.StringArray{
pulumi.String(compute.UefiSignatureTemplateNameMicrosoftUefiCertificateAuthorityTemplate),
},
},
},
StorageProfile: &compute.GalleryImageVersionStorageProfileArgs{
DataDiskImages: compute.GalleryDataDiskImageArray{
&compute.GalleryDataDiskImageArgs{
HostCaching: compute.HostCachingNone,
Lun: pulumi.Int(1),
Source: &compute.GalleryDiskImageSourceArgs{
StorageAccountId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}"),
Uri: pulumi.String("https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd"),
},
},
},
OsDiskImage: &compute.GalleryOSDiskImageArgs{
HostCaching: compute.HostCachingReadOnly,
Source: &compute.GalleryDiskImageSourceArgs{
StorageAccountId: pulumi.String("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}"),
Uri: pulumi.String("https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var galleryImageVersion = new AzureNative.Compute.GalleryImageVersion("galleryImageVersion", new()
{
GalleryImageName = "myGalleryImageName",
GalleryImageVersionName = "1.0.0",
GalleryName = "myGalleryName",
Location = "West US",
PublishingProfile = new AzureNative.Compute.Inputs.GalleryImageVersionPublishingProfileArgs
{
TargetRegions = new[]
{
new AzureNative.Compute.Inputs.TargetRegionArgs
{
Encryption = new AzureNative.Compute.Inputs.EncryptionImagesArgs
{
DataDiskImages = new[]
{
new AzureNative.Compute.Inputs.DataDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherDiskEncryptionSet",
Lun = 1,
},
},
OsDiskImage = new AzureNative.Compute.Inputs.OSDiskImageEncryptionArgs
{
DiskEncryptionSetId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myDiskEncryptionSet",
},
},
ExcludeFromLatest = false,
Name = "West US",
RegionalReplicaCount = 1,
},
new AzureNative.Compute.Inputs.TargetRegionArgs
{
ExcludeFromLatest = false,
Name = "East US",
RegionalReplicaCount = 2,
StorageAccountType = AzureNative.Compute.StorageAccountType.Standard_ZRS,
},
},
},
ResourceGroupName = "myResourceGroup",
SafetyProfile = new AzureNative.Compute.Inputs.GalleryImageVersionSafetyProfileArgs
{
AllowDeletionOfReplicatedLocations = false,
BlockDeletionBeforeEndOfLife = false,
},
SecurityProfile = new AzureNative.Compute.Inputs.ImageVersionSecurityProfileArgs
{
UefiSettings = new AzureNative.Compute.Inputs.GalleryImageVersionUefiSettingsArgs
{
AdditionalSignatures = new AzureNative.Compute.Inputs.UefiKeySignaturesArgs
{
Db = new[]
{
new AzureNative.Compute.Inputs.UefiKeyArgs
{
Type = AzureNative.Compute.UefiKeyType.X509,
Value = new[]
{
"<x509 value>",
},
},
},
Dbx = new[]
{
new AzureNative.Compute.Inputs.UefiKeyArgs
{
Type = AzureNative.Compute.UefiKeyType.X509,
Value = new[]
{
"<x509 value>",
},
},
},
Kek = new[]
{
new AzureNative.Compute.Inputs.UefiKeyArgs
{
Type = AzureNative.Compute.UefiKeyType.Sha256,
Value = new[]
{
"<sha256 value>",
},
},
},
},
SignatureTemplateNames = new[]
{
AzureNative.Compute.UefiSignatureTemplateName.MicrosoftUefiCertificateAuthorityTemplate,
},
},
},
StorageProfile = new AzureNative.Compute.Inputs.GalleryImageVersionStorageProfileArgs
{
DataDiskImages = new[]
{
new AzureNative.Compute.Inputs.GalleryDataDiskImageArgs
{
HostCaching = AzureNative.Compute.HostCaching.None,
Lun = 1,
Source = new AzureNative.Compute.Inputs.GalleryDiskImageSourceArgs
{
StorageAccountId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}",
Uri = "https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd",
},
},
},
OsDiskImage = new AzureNative.Compute.Inputs.GalleryOSDiskImageArgs
{
HostCaching = AzureNative.Compute.HostCaching.ReadOnly,
Source = new AzureNative.Compute.Inputs.GalleryDiskImageSourceArgs
{
StorageAccountId = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}",
Uri = "https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.GalleryImageVersion;
import com.pulumi.azurenative.compute.GalleryImageVersionArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionPublishingProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionSafetyProfileArgs;
import com.pulumi.azurenative.compute.inputs.ImageVersionSecurityProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionUefiSettingsArgs;
import com.pulumi.azurenative.compute.inputs.UefiKeySignaturesArgs;
import com.pulumi.azurenative.compute.inputs.GalleryImageVersionStorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.GalleryOSDiskImageArgs;
import com.pulumi.azurenative.compute.inputs.GalleryDiskImageSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var galleryImageVersion = new GalleryImageVersion("galleryImageVersion", GalleryImageVersionArgs.builder()
.galleryImageName("myGalleryImageName")
.galleryImageVersionName("1.0.0")
.galleryName("myGalleryName")
.location("West US")
.publishingProfile(GalleryImageVersionPublishingProfileArgs.builder()
.targetRegions(
TargetRegionArgs.builder()
.encryption(EncryptionImagesArgs.builder()
.dataDiskImages(DataDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherDiskEncryptionSet")
.lun(1)
.build())
.osDiskImage(OSDiskImageEncryptionArgs.builder()
.diskEncryptionSetId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myDiskEncryptionSet")
.build())
.build())
.excludeFromLatest(false)
.name("West US")
.regionalReplicaCount(1)
.build(),
TargetRegionArgs.builder()
.excludeFromLatest(false)
.name("East US")
.regionalReplicaCount(2)
.storageAccountType("Standard_ZRS")
.build())
.build())
.resourceGroupName("myResourceGroup")
.safetyProfile(GalleryImageVersionSafetyProfileArgs.builder()
.allowDeletionOfReplicatedLocations(false)
.blockDeletionBeforeEndOfLife(false)
.build())
.securityProfile(ImageVersionSecurityProfileArgs.builder()
.uefiSettings(GalleryImageVersionUefiSettingsArgs.builder()
.additionalSignatures(UefiKeySignaturesArgs.builder()
.db(UefiKeyArgs.builder()
.type("x509")
.value("<x509 value>")
.build())
.dbx(UefiKeyArgs.builder()
.type("x509")
.value("<x509 value>")
.build())
.kek(UefiKeyArgs.builder()
.type("sha256")
.value("<sha256 value>")
.build())
.build())
.signatureTemplateNames("MicrosoftUefiCertificateAuthorityTemplate")
.build())
.build())
.storageProfile(GalleryImageVersionStorageProfileArgs.builder()
.dataDiskImages(GalleryDataDiskImageArgs.builder()
.hostCaching("None")
.lun(1)
.source(GalleryDiskImageSourceArgs.builder()
.storageAccountId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}")
.uri("https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd")
.build())
.build())
.osDiskImage(GalleryOSDiskImageArgs.builder()
.hostCaching("ReadOnly")
.source(GalleryDiskImageSourceArgs.builder()
.storageAccountId("/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}")
.uri("https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd")
.build())
.build())
.build())
.build());
}
}
resources:
galleryImageVersion:
type: azure-native:compute:GalleryImageVersion
properties:
galleryImageName: myGalleryImageName
galleryImageVersionName: 1.0.0
galleryName: myGalleryName
location: West US
publishingProfile:
targetRegions:
- encryption:
dataDiskImages:
- diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myOtherDiskEncryptionSet
lun: 1
osDiskImage:
diskEncryptionSetId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSet/myDiskEncryptionSet
excludeFromLatest: false
name: West US
regionalReplicaCount: 1
- excludeFromLatest: false
name: East US
regionalReplicaCount: 2
storageAccountType: Standard_ZRS
resourceGroupName: myResourceGroup
safetyProfile:
allowDeletionOfReplicatedLocations: false
blockDeletionBeforeEndOfLife: false
securityProfile:
uefiSettings:
additionalSignatures:
db:
- type: x509
value:
- <x509 value>
dbx:
- type: x509
value:
- <x509 value>
kek:
- type: sha256
value:
- <sha256 value>
signatureTemplateNames:
- MicrosoftUefiCertificateAuthorityTemplate
storageProfile:
dataDiskImages:
- hostCaching: None
lun: 1
source:
storageAccountId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}
uri: https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd
osDiskImage:
hostCaching: ReadOnly
source:
storageAccountId: /subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/{storageAccount}
uri: https://gallerysourcencus.blob.core.windows.net/myvhds/Windows-Server-2012-R2-20171216-en.us-128GB.vhd
The securityProfile.uefiSettings block defines custom UEFI keys for secure boot. The additionalSignatures property contains db (authorized signatures), dbx (forbidden signatures), and kek (key exchange keys). Each key specifies a type (x509 or sha256) and value array. The signatureTemplateNames property references predefined Microsoft templates. The storageProfile references VHDs in storage accounts via uri and storageAccountId.
Beyond these examples
These snippets focus on specific image version features: source types, multi-region replication and encryption, and shallow replication and UEFI secure boot. They’re intentionally minimal rather than full image management solutions.
The examples rely on pre-existing infrastructure such as Azure Compute Gallery and image definitions, source VMs, snapshots, managed images, or VHDs, DiskEncryptionSet resources for encryption, and storage accounts for VHD sources. They focus on configuring the image version rather than provisioning the surrounding infrastructure.
To keep things focused, common image version patterns are omitted, including:
- Version lifecycle (excludeFromLatest, end-of-life dates)
- Direct Drive replicas (additionalReplicaSets with PremiumV2_LRS)
- Extended location targeting for edge scenarios
- Validation profiles and policy enforcement
These omissions are intentional: the goal is to illustrate how each image version feature is wired, not provide drop-in image management modules. See the GalleryImageVersion resource reference for all available configuration options.
Let's manage Azure Compute Gallery Image Versions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Image Sources & Storage
What sources can I use to create a gallery image version?
You can create a gallery image version from multiple sources:
- Virtual Machine - Use
virtualMachineIdinstorageProfile.source - Community Gallery - Use
communityGalleryImageId - Managed Image - Use
idpointing to a managed image - Snapshot - Use
idpointing to OS/data disk snapshots - VHD - Use
storageProfile.osDiskImageanddataDiskImageswith storage account URIs - Shared Image - Use
idpointing to another gallery image version
How do I create an image version from snapshots or VHDs?
Configure
storageProfile.osDiskImage and dataDiskImages directly, specifying source.id (for snapshots) or source.uri with source.storageAccountId (for VHDs). Each data disk requires a lun number and hostCaching setting.Replication & Distribution
How do I replicate my image to multiple regions?
Configure
publishingProfile.targetRegions as an array, with each region specifying name, regionalReplicaCount, and optionally storageAccountType (such as Standard_ZRS). Each region can have different replica counts and encryption settings.What's the difference between shallow and full replication?
Set
publishingProfile.replicationMode to Shallow for faster replication that copies only metadata, or omit it for full replication (default) that copies the entire image.How do I configure Direct Drive replicas?
Add
additionalReplicaSets to a target region, specifying regionalReplicaCount and storageAccountType (like PreviumV2_LRS) for high-performance storage.Security & Encryption
How do I encrypt images differently per region?
Within each
targetRegion, configure the encryption property with diskEncryptionSetId for osDiskImage and each dataDiskImages entry (identified by lun number). Each region can use different disk encryption sets.Can I use custom UEFI keys for secure boot?
Yes, configure
securityProfile.uefiSettings with additionalSignatures containing db, dbx, and kek keys (type x509 or sha256), plus signatureTemplateNames like MicrosoftUefiCertificateAuthorityTemplate.Resource Configuration
What properties can't be changed after creation?
The
location, galleryImageName, galleryImageVersionName, galleryName, and resourceGroupName are all immutable and cannot be modified after the resource is created.What do the safety profile settings control?
safetyProfile.allowDeletionOfReplicatedLocations controls whether replicated locations can be deleted, and blockDeletionBeforeEndOfLife prevents deletion before the end-of-life date. Examples typically set both to false for protection.