Azure / bicep-registry-modules

Bicep registry modules
MIT License
408 stars 271 forks

[Bug Report]: VMSS #2408

Open Jackmt9 opened 2 months ago

Jackmt9 commented 2 months ago

Describe the bug

When configuring a custom script on a VMSS, it is explicitly using a SAS token for the storage account. This SAS code seems to expire after about a day. On top of that, when using this module for a self-hosted agent I am facing many issues, especially with the custom script. This needs to be addressed. Also there should be a way to add the devops extension via code as well (see below). While it isn't necessary since devops automatically configures it - it would be nice.

```bicep
resource resDevOpsAgent 'Microsoft.Compute/virtualMachineScaleSets/extensions@2021-07-01' = {
  name: 'Microsoft.Azure.DevOps.Pipelines.Agent'
  parent: resVirtualMachineScaleSet
  properties: {
    publisher: 'Microsoft.VisualStudio.Services'
    type: 'TeamServicesAgent'
    typeHandlerVersion: '1.31'
    autoUpgradeMinorVersion: false
  }
}
```

To reproduce

Run code below and add a document to the storage account. Configure a devops agent using this vmss.

Code snippet

```bicep
// This should be configured as a self-hosted agent in Azure DevOps. For more information, see here: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/scale-set-agents?view=azure-devops
module modVirtualMachineScaleSet 'br/reference:carml/res/compute/virtual-machine-scale-set/main:1.0' = {
  name: 'Vmss-${uniqueString(deployment().name)}'
  params: {
    name: virtualMachineScaleSet.name
    tags: general.tags
    adminUsername: 'vmssadmin'
    adminPassword: '' // secret value
    imageReference: {
      publisher: 'MicrosoftWindowsServer'
      offer: 'WindowsServer'
      sku: '2022-datacenter-azure-edition'
      version: 'latest'
    }
    encryptionAtHost: false
    osDisk: {
      createOption: 'FromImage'
      diskSizeGB: 127
      managedDisk: {
        storageAccountType: 'StandardSSD_LRS'
      }
    }
    extensionCustomScriptConfig: {
      enabled: true
      fileData: [
        {
          storageAccountId: modStorageAccount.outputs.resourceId
          uri: 'https://${virtualMachineScaleSet.storageAccount.name}.blob.${environment().suffixes.storage}/scripts/customScript.ps1'
        }
      ]
      protectedSettings: {
        commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./customScript.ps1"'
      }
    }
    osType: 'Windows'
    skuName: 'Standard_D2s_v3'
    skuCapacity: 1
    singlePlacementGroup: false
    scaleSetFaultDomain: 1
    nicConfigurations: [
      {
        nicSuffix: '.nic'
        ipConfigurations: [
          {
            name: '${virtualMachineScaleSet.name}-defaultIpConfiguration'
            properties: {
              primary: true
              subnet: {
                id: virtualMachineSubnetId
              }
              privateIPAddressVersion: 'IPv4'
            }
          }
        ]
      }
    ]
    // diagnosticSettings: [
    //   {
    //     workspaceResourceId: resourceId(
    //       logAnalytics.resourceGroup,
    //       'Microsoft.OperationalInsights/workspaces',
    //       logAnalytics.name
    //     )
    //   }
    // ]
  }
  dependsOn: [resStorageUpload]
}
```

Relevant log output

No response
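The script download in the snippet above does not have to rely on a SAS token at all. The following is an added example, not code from bicep-registry-modules or from the issue author: a Custom Script Extension attached to an existing Windows scale set that fetches customScript.ps1 with the scale set's system-assigned managed identity, which the Windows extension supports from handler version 1.10. Because the identity is part of the scale set model, instances created by a later scale-out authenticate the same way and nothing ever expires. The parameter names, the scripts/customScript.ps1 path, the API versions and the assumption that the scale set already has a system-assigned identity are this example's own.

```bicep
// Added example, not code from bicep-registry-modules or from the issue.
// Custom Script Extension on an existing Windows scale set that downloads the
// script with the scale set's system-assigned managed identity instead of a
// SAS token minted at deployment time.
// Assumptions: the scale set exists and has a system-assigned identity, the
// storage account exists, the script is at scripts/customScript.ps1.

@description('Existing scale set with a system-assigned identity (assumed).')
param vmssName string

@description('Existing storage account holding the script (assumed).')
param storageAccountName string

@description('Blob path of the script inside the storage account (assumed).')
param scriptBlobPath string = 'scripts/customScript.ps1'

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' existing = {
  name: vmssName
}

// Built-in role "Storage Blob Data Reader": read-only data-plane access to blobs.
var storageBlobDataReaderId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')

// Least privilege: the identity may only read blobs, and only in this account.
resource scriptReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storageAccount.id, vmss.id, storageBlobDataReaderId)
  scope: storageAccount
  properties: {
    roleDefinitionId: storageBlobDataReaderId
    principalId: vmss.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// Plain HTTPS URI, no query string: there is no token to leak or to expire.
var scriptUri = 'https://${storageAccount.name}.blob.${environment().suffixes.storage}/${scriptBlobPath}'

resource customScript 'Microsoft.Compute/virtualMachineScaleSets/extensions@2023-09-01' = {
  name: 'CustomScriptExtension'
  parent: vmss
  properties: {
    publisher: 'Microsoft.Compute'
    type: 'CustomScriptExtension'
    typeHandlerVersion: '1.10' // managed-identity download needs 1.10 or later
    autoUpgradeMinorVersion: true
    // protectedSettings are encrypted and not returned by the instance view;
    // keep both the URI and the command here rather than in settings.
    protectedSettings: {
      fileUris: [scriptUri]
      managedIdentity: {} // empty object selects the system-assigned identity
      commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./customScript.ps1"'
    }
  }
  // The download runs under the identity, so the grant must exist first.
  dependsOn: [scriptReader]
}
```

Two practical points: a freshly created role assignment can take a few minutes to propagate, so a first deployment that creates the grant and the extension in one pass may need a retry, and the equivalent with the CARML module would be to pass the uri without a storageAccountId (so the module does not append a SAS) and add managedIdentity: {} to protectedSettings, which assumes the module passes protectedSettings through unchanged; verify that against the module version you reference.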

microsoft-github-policy-service[bot] commented 2 weeks ago

[!IMPORTANT] The "Needs: Triage :mag:" label must be removed once the triage process is complete!

[!TIP] For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

AlexanderSehr commented 2 weeks ago

Hey @rahalan, I just migrated this issue over from CARML. Please take a look and triage if still relevant :)

rahalan commented 6 days ago

@Jackmt9 you can set the SAS token validityPeriod. The default is 8h, see image

Could you please elaborate, which issues you are facing?
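To see why the default behaves the way Jackmt9 observed, here is the mechanism behind a deployment-time SAS written out as an added standalone example. It is not the module's code; the parameter names are this example's own, chosen to mirror the validity setting rahalan refers to, and the scale set and storage account are assumed to exist. The expiry is computed once, from the deployment's utcNow(), and the resulting signed URI is baked into the scale set model: every instance created later, including the on-demand scale-outs that Azure DevOps drives for a scale-set agent pool, reuses that same string, so once it has expired every new instance fails to provision.

```bicep
// Added example, not code from bicep-registry-modules. Shows how a SAS-based
// script download fixes its expiry at deployment time.
// Assumptions: existing Windows scale set and storage account; parameter
// names are this example's own.

@description('Existing scale set (assumed).')
param vmssName string

@description('Existing storage account holding the script (assumed).')
param storageAccountName string

@description('Deployment time, the anchor for the SAS expiry. Leave at the default.')
param baseTime string = utcNow('u')

@description('ISO 8601 duration the SAS stays valid, e.g. PT8H, P1D, P30D.')
param sasTokenValidityLength string = 'PT8H'

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' existing = {
  name: vmssName
}

var scriptUri = 'https://${storageAccount.name}.blob.${environment().suffixes.storage}/scripts/customScript.ps1'

// Absolute expiry, evaluated once per deployment, not per instance.
var sasExpiry = dateTimeAdd(baseTime, sasTokenValidityLength)

// Least-privilege account SAS: blob service only, object-level resources only,
// read permission only, HTTPS only. It is signed with an account key, so
// regenerating that key invalidates it as well.
var sasToken = listAccountSas(storageAccount.id, '2023-01-01', {
  signedServices: 'b'
  signedResourceTypes: 'o'
  signedPermission: 'r'
  signedProtocol: 'https'
  signedExpiry: sasExpiry
}).accountSasToken

resource customScript 'Microsoft.Compute/virtualMachineScaleSets/extensions@2023-09-01' = {
  name: 'CustomScriptExtension'
  parent: vmss
  properties: {
    publisher: 'Microsoft.Compute'
    type: 'CustomScriptExtension'
    typeHandlerVersion: '1.10'
    autoUpgradeMinorVersion: true
    // The SAS is a bearer secret. In protectedSettings it is encrypted; in
    // settings it would be readable by anyone with read access to the scale set.
    protectedSettings: {
      fileUris: ['${scriptUri}?${sasToken}']
      commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command "& ./customScript.ps1"'
    }
  }
}

// Expose the expiry for monitoring; the token itself is never output.
output sasExpiresAt string = sasExpiry
```

Raising the validity buys time but does not change the trade-off: a longer-lived SAS is a longer-lived bearer secret sitting in the scale set model, it dies with the account key it was signed with, and the model must be redeployed before the expiry or scale-outs start failing. For a scale-set agent pool that is expected to scale out at any time, a managed-identity download avoids all three problems.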

microsoft-github-policy-service[bot] commented 1 day ago

[!IMPORTANT] @Jackmt9, this issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

[!TIP] To prevent further actions to take effect, one of the following conditions must be met:

  • The author must respond in a comment within 3 days of this comment.
  • The "Status: No Recent Activity :zzz:" label must be removed.
  • If applicable, the "Status: Long Term :hourglass_flowing_sand:" or the "Needs: Module Owner :mega:" label must be added.