hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
http://www.packer.io

Packer build_key_vault_name value not taking #12180

Open jdub403 opened 1 year ago

jdub403 commented 1 year ago


Overview of the Issue

Due to company policy on our Azure subscription, all key vaults must have purge protection and soft delete enabled. Since this is not an option when trying to use Packer to have it create a key vault with this, I've tried to use an existing key vault instead by passing in a value to the Packer build with the "build_key_vault_name" parameter as per the documentation. Even though I pass in an existing one, Packer is still trying to create a new key vault. It appears the parameter is not functioning as intended.

Reproduction Steps

Packer version

From 1.8.3

Simplified Packer Template

Cannot share this as it has private info

Operating system and Environment details

Trying to build a win 2019 machine

Log Fragments and crash.log files

Key Vault Name: XXXXXXXXXX
Build windows2019 VM
vhd: output will be in this color.

==> vhd: Running builder ...
==> vhd: Getting tokens using client secret
==> vhd: Getting tokens using client secret
    vhd: Creating Azure Resource Manager (ARM) client ...
==> vhd: Warning: You are using Azure Packer Builder to create VHDs which is being deprecated, consider using Managed Images. Learn more https://www.packer.io/docs/builders/azure/arm#azure-arm-builder-specific-options
==> vhd: Getting source image id for the deployment ...
==> vhd: Using existing resource group ...
==> vhd: Validating deployment template ...
==> vhd: Deploying deployment template ...
==> vhd: ERROR: -> InvalidTemplateDeployment : The template deployment failed because of policy violation. Please see details for more information.
==> vhd: ERROR: -> RequestDisallowedByPolicy : Resource 'pkrkva7b06watyj' was disallowed by policy. Reasons: 'As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled'. See error details for policy resource IDs.
==> vhd:
==> vhd: resources.DeploymentsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidTemplateDeployment" Message="The template deployment failed because of policy violation. Please see details for more information." Details=[{"additionalInfo":[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.KeyVault/vaults","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.KeyVault/vaults"},{"expression":"Microsoft.KeyVault/vaults/createMode","expressionKind":"Field","operator":"Equals","path":"properties.createMode","result":"False","targetValue":"recover"},{"expression":"Microsoft.KeyVault/vaults/enablePurgeProtection","expressionKind":"Field","operator":"Exists","path":"properties.enablePurgeProtection","result":"True","targetValue":"false"}],"reason":"As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled"},"policyAssignmentDisplayName":"Key vaults should have purge protection enabled","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/EnbRoot/providers/Microsoft.Authorization/policyAssignments/92a517dd3ae549dba170e966","policyAssignmentName":"92a517dd3ae549dba170e966","policyAssignmentParameters":{"effect":"Deny"},"policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/EnbRoot","policyDefinitionDisplayName":"Key vaults should have purge protection enabled","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionName":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},"type":"PolicyViolation"}],"code":"RequestDisallowedByPolicy","message":"Resource 'pkrkva7b06watyj' was disallowed by policy. Reasons: 'As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled'. See error details for policy resource IDs.","target":"pkrkva7b06watyj"}]
==> vhd:
==> vhd: Deleting individual resources ...
==> vhd: Error deleting resource. Please delete manually.
==> vhd:
==> vhd: Name: 59620_windows2019
==> vhd: Error: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: Error deleting resource. Please delete manually.
==> vhd:
==> vhd: Name: 59620_windows2019
==> vhd: Error: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: Failed to find temporary OS disk on VM. Please delete manually.
==> vhd:
==> vhd: VM Name: pkrvma7b06watyj
==> vhd: Error: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: Removing the created Deployment object: 'kvpkrdpa7b06watyj'
==> vhd:
==> vhd: The resource group was not created by Packer, not deleting ...
Build 'vhd' errored after 1 second 444 milliseconds: resources.DeploymentsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidTemplateDeployment" Message="The template deployment failed because of policy violation. Please see details for more information." Details=[{"additionalInfo":[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.KeyVault/vaults","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.KeyVault/vaults"},{"expression":"Microsoft.KeyVault/vaults/createMode","expressionKind":"Field","operator":"Equals","path":"properties.createMode","result":"False","targetValue":"recover"},{"expression":"Microsoft.KeyVault/vaults/enablePurgeProtection","expressionKind":"Field","operator":"Exists","path":"properties.enablePurgeProtection","result":"True","targetValue":"false"}],"reason":"As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled"},"policyAssignmentDisplayName":"Key vaults should have purge protection enabled","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/EnbRoot/providers/Microsoft.Authorization/policyAssignments/92a517dd3ae549dba170e966","policyAssignmentName":"92a517dd3ae549dba170e966","policyAssignmentParameters":{"effect":"Deny"},"policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/EnbRoot","policyDefinitionDisplayName":"Key vaults should have purge protection enabled","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionName":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},"type":"PolicyViolation"}],"code":"RequestDisallowedByPolicy","message":"Resource 'pkrkva7b06watyj' was disallowed by policy. Reasons: 'As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled'. See error details for policy resource IDs.","target":"pkrkva7b06watyj"}]

Set the env var PACKER_LOG=1 for maximum log detail.

SweetestSufferance commented 1 year ago

Edited for Update:

Update: For me, removing the "temp_resource_group_name" and using the "build_resource_group_name" seemed to allow the build to not error out.

Issue seems to exist on Packer version 1.6.4 and 1.8.5.

2023-01-28T03:40:16Z: Build 'azure-arm' errored after 1 minute 24 seconds: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details." Details=[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"KeyVaultAccessForbidden\",\r\n \"message\": \"Key Vault https://<static_key_vault_name>.vault.azure.net/secrets/packerKeyVaultSecret/a0f1160b80cc4440a62186ee15a47594 either has not been enabled for deployment or the vault id provided, /subscriptions/<subscription_id>/resourceGroups/<temp_rg_name>/providers/Microsoft.KeyVault/vaults/<static_key_vault_name>, does not match the Key Vault's true resource id.\"\r\n }\r\n ]\r\n }\r\n}"}]

mnieto commented 1 year ago

@SweetestSufferance I had the exact same error as you after removing temp_resource_group_name.

Going to the KeyVault --> Access configuration, and enabling both

  1. Azure Virtual Machines for deployment
  2. Azure Resource Manager for template deployment

solved the problem

I previously had checked 'Azure Resource Manager for template deployment', so I think that the first one did the trick, but in case of doubt, keep both activated.

dsinghe commented 1 year ago

@SweetestSufferance what about the latter error around resource id not found? Did you find a way around it? I've been told that the key vault must be in the same resource group as the build resource group, which is not possible in my case as the key vault is in a different subscription.

SweetestSufferance commented 1 year ago

I created a static key vault to manage the keys generated instead of it creating temporary key vaults. My key vault is in the same resource group, so probably why it worked for me. Once that change was made, I had to remove the temp_resource_group option, and use the build_resource_group_name.

Unfortunately, I had very little time to actually troubleshoot the problem fully, so I just stuck with my workaround and will have to just live with it. For me minimum viable product is the answer.
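The thread above lists three preconditions for reusing an existing key vault with `build_key_vault_name`: the vault must be in the build's resource group (the `KeyVaultAccessForbidden` error in SweetestSufferance's log shows the deployment referencing a vault id built from `<temp_rg_name>`, and dsinghe was told the same), and the vault's Access configuration must have both "Azure Virtual Machines for deployment" and "Azure Resource Manager for template deployment" enabled (mnieto's fix). The following preflight check is an added example, not code from the Packer project or from anyone in the thread. It assumes the JSON shape that `az keyvault show` prints (the sample below is constructed) and assumes, from that error message, that the deployment references the vault by combining the build's resource group with `build_key_vault_name`; the source-block dicts, resource-group names and subscription id are all placeholders.

```python
"""Preflight check for a Packer azure-arm build that reuses an existing key vault.

Added example. Assumptions (not from the Packer docs or the thread verbatim):
  - the vault metadata is the JSON printed by `az keyvault show --name <vault>`
    (a constructed sample is used here so the script runs offline);
  - the deployment references the vault as
    /subscriptions/<sub>/resourceGroups/<build rg>/providers/Microsoft.KeyVault/vaults/<name>,
    i.e. with the temp or build resource group, as the KeyVaultAccessForbidden
    message in the thread shows.
"""
import json
from typing import Dict, List

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # constructed placeholder


def sample_vault(enabled_for_deployment: bool = True,
                 enabled_for_template_deployment: bool = True) -> str:
    """Constructed stand-in for `az keyvault show` output, trimmed to the fields read here."""
    return json.dumps({
        "id": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-shared-kv"
              "/providers/Microsoft.KeyVault/vaults/kv-packer-static",
        "name": "kv-packer-static",
        "resourceGroup": "rg-shared-kv",
        "properties": {
            "enabledForDeployment": enabled_for_deployment,            # "Azure Virtual Machines for deployment"
            "enabledForTemplateDeployment": enabled_for_template_deployment,  # "Azure Resource Manager for template deployment"
            "enableSoftDelete": True,
            "enablePurgeProtection": True,
        },
    })


# Constructed azure-arm source settings. FAILING_SOURCE is the combination the thread
# reports as broken (temp resource group + static vault); WORKING_SOURCE is the workaround.
FAILING_SOURCE: Dict[str, str] = {
    "subscription_id": SUBSCRIPTION,
    "temp_resource_group_name": "rg-packer-temp",
    "build_key_vault_name": "kv-packer-static",
}
WORKING_SOURCE: Dict[str, str] = {
    "subscription_id": SUBSCRIPTION,
    "build_resource_group_name": "rg-shared-kv",
    "build_key_vault_name": "kv-packer-static",
}


def expected_vault_id(source: Dict[str, str]) -> str:
    """Vault resource id the deployment will reference (assumed construction, see above)."""
    rg = source.get("build_resource_group_name") or source.get("temp_resource_group_name")
    return (f"/subscriptions/{source['subscription_id']}/resourceGroups/{rg}"
            f"/providers/Microsoft.KeyVault/vaults/{source['build_key_vault_name']}")


def preflight(vault_json: str, source: Dict[str, str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the vault is usable."""
    vault = json.loads(vault_json)
    props = vault.get("properties", {})
    problems: List[str] = []

    want, have = expected_vault_id(source), vault["id"]
    if want.lower() != have.lower():  # Azure resource ids compare case-insensitively
        problems.append(
            f"vault id mismatch: the deployment will reference {want} but the vault is {have}; "
            "build in the vault's resource group via build_resource_group_name")
    if not props.get("enabledForDeployment"):
        problems.append("vault is not enabled for 'Azure Virtual Machines for deployment'")
    if not props.get("enabledForTemplateDeployment"):
        problems.append("vault is not enabled for 'Azure Resource Manager for template deployment'")
    # The reporter's subscription policy denies vaults without these two settings.
    for flag in ("enableSoftDelete", "enablePurgeProtection"):
        if not props.get(flag):
            problems.append(f"{flag} is off; the reporter's subscription policy requires it")
    return problems


if __name__ == "__main__":
    for label, src in (("failing", FAILING_SOURCE), ("working", WORKING_SOURCE)):
        found = preflight(sample_vault(), src)
        print(f"{label}: {'OK' if not found else 'problems found'}")
        for problem in found:
            print("  -", problem)
```

To run it against a real vault, replace `sample_vault()` with the captured output of `az keyvault show --name <vault>` and fill the source dict from the `azure-arm` source block; the id comparison is the check that distinguishes the `temp_resource_group_name` case from the `build_resource_group_name` workaround described in the thread.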