Open jdub403 opened 1 year ago
Edited for update:
Update: For me, removing "temp_resource_group_name" and using "build_resource_group_name" seemed to allow the build to not error out.
The issue seems to exist on Packer versions 1.6.4 and 1.8.5.

```
2023-01-28T03:40:16Z: Build 'azure-arm' errored after 1 minute 24 seconds: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details." Details=[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"KeyVaultAccessForbidden\",\r\n \"message\": \"Key Vault https://<static_key_vault_name>.vault.azure.net/secrets/packerKeyVaultSecret/a0f1160b80cc4440a62186ee15a47594 either has not been enabled for deployment or the vault id provided, /subscriptions/<subscription_id>/resourceGroups/<temp_rg_name>/providers/Microsoft.KeyVault/vaults/<static_key_vault_name>, does not match the Key Vault's true resource id.\"\r\n }\r\n ]\r\n }\r\n}"}]
```
@SweetestSufferance I had the exact same error as you after removing temp_resource_group_name.
Going to the Key Vault --> Access configuration and enabling both solved the problem.
I had previously checked 'Azure Resource Manager for template deployment', so I think the first one did the trick, but in case of doubt, keep both activated.
@SweetestSufferance what about the latter error around the resource id not being found? Did you find a way around it? I've been told that the key vault must be in the same resource group as the build resource group, which is not possible in my case, as the key vault is in a different subscription.
I created a static key vault to manage the keys generated instead of it creating temporary key vaults. My key vault is in the same resource group, so probably why it worked for me. Once that change was made, I had to remove the temp_resource_group option, and use the build_resource_group_name.
Unfortunately, I had very little time to actually troubleshoot the problem fully, so I just stuck with my workaround and will have to just live with it. For me minimum viable product is the answer.
Community Note
When filing a bug, please include the following headings if possible. Any example text in this template can be deleted.
Overview of the Issue
Due to company policy on our Azure subscription, all key vaults must have purge protection and soft delete enabled. Since this is not an option when having Packer create a key vault, I've tried to use an existing key vault instead by passing its name to the Packer build with the "build_key_vault_name" parameter, as per the documentation. Even though I pass in an existing one, Packer is still trying to create a new key vault. It appears the parameter is not functioning as intended.
Reproduction Steps
Packer version (from `packer version`): 1.8.3
Simplified Packer Template
Cannot share this as it has private info
Operating system and Environment details
Trying to build a win 2019 machine
Log Fragments and crash.log files
```
Key Vault Name: XXXXXXXXXX
Build windows2019 VM
vhd: output will be in this color.

==> vhd: Running builder ...
==> vhd: Getting tokens using client secret
==> vhd: Getting tokens using client secret
    vhd: Creating Azure Resource Manager (ARM) client ...
==> vhd: Warning: You are using Azure Packer Builder to create VHDs which is being deprecated, consider using Managed Images. Learn more https://www.packer.io/docs/builders/azure/arm#azure-arm-builder-specific-options
==> vhd: Getting source image id for the deployment ...
==> vhd: Using existing resource group ...
==> vhd: Validating deployment template ...
==> vhd: Deploying deployment template ...
==> vhd: ERROR: -> InvalidTemplateDeployment : The template deployment failed because of policy violation. Please see details for more information.
==> vhd: ERROR: -> RequestDisallowedByPolicy : Resource 'pkrkva7b06watyj' was disallowed by policy. Reasons: 'As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled'. See error details for policy resource IDs.
==> vhd:
==> vhd: resources.DeploymentsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidTemplateDeployment" Message="The template deployment failed because of policy violation. Please see details for more information." Details=[{"additionalInfo":[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.KeyVault/vaults","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.KeyVault/vaults"},{"expression":"Microsoft.KeyVault/vaults/createMode","expressionKind":"Field","operator":"Equals","path":"properties.createMode","result":"False","targetValue":"recover"},{"expression":"Microsoft.KeyVault/vaults/enablePurgeProtection","expressionKind":"Field","operator":"Exists","path":"properties.enablePurgeProtection","result":"True","targetValue":"false"}],"reason":"As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled"},"policyAssignmentDisplayName":"Key vaults should have purge protection enabled","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/EnbRoot/providers/Microsoft.Authorization/policyAssignments/92a517dd3ae549dba170e966","policyAssignmentName":"92a517dd3ae549dba170e966","policyAssignmentParameters":{"effect":"Deny"},"policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/EnbRoot","policyDefinitionDisplayName":"Key vaults should have purge protection enabled","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionName":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},"type":"PolicyViolation"}],"code":"RequestDisallowedByPolicy","message":"Resource 'pkrkva7b06watyj' was disallowed by policy. Reasons: 'As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled'. See error details for policy resource IDs.","target":"pkrkva7b06watyj"}]
==> vhd:
==> vhd: Deleting individual resources ...
==> vhd: Error deleting resource. Please delete manually.
==> vhd:
==> vhd: Name: 59620_windows2019
==> vhd: Error: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: Error deleting resource. Please delete manually.
==> vhd:
==> vhd: Name: 59620_windows2019
==> vhd: Error: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: Failed to find temporary OS disk on VM. Please delete manually.
==> vhd:
==> vhd: VM Name: pkrvma7b06watyj
==> vhd: Error: resources.DeploymentOperationsClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="DeploymentNotFound" Message="Deployment 'kvpkrdpa7b06watyj' could not be found."
==> vhd: Removing the created Deployment object: 'kvpkrdpa7b06watyj'
==> vhd:
==> vhd: The resource group was not created by Packer, not deleting ...
Build 'vhd' errored after 1 second 444 milliseconds: resources.DeploymentsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidTemplateDeployment" Message="The template deployment failed because of policy violation. Please see details for more information." Details=[{"additionalInfo":[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.KeyVault/vaults","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.KeyVault/vaults"},{"expression":"Microsoft.KeyVault/vaults/createMode","expressionKind":"Field","operator":"Equals","path":"properties.createMode","result":"False","targetValue":"recover"},{"expression":"Microsoft.KeyVault/vaults/enablePurgeProtection","expressionKind":"Field","operator":"Exists","path":"properties.enablePurgeProtection","result":"True","targetValue":"false"}],"reason":"As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled"},"policyAssignmentDisplayName":"Key vaults should have purge protection enabled","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/EnbRoot/providers/Microsoft.Authorization/policyAssignments/92a517dd3ae549dba170e966","policyAssignmentName":"92a517dd3ae549dba170e966","policyAssignmentParameters":{"effect":"Deny"},"policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/EnbRoot","policyDefinitionDisplayName":"Key vaults should have purge protection enabled","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53","policyDefinitionName":"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"},"type":"PolicyViolation"}],"code":"RequestDisallowedByPolicy","message":"Resource 'pkrkva7b06watyj' was disallowed by policy. Reasons: 'As per XXXXX Security Policy, key vault soft delete and purge protection must be enabled'. See error details for policy resource IDs.","target":"pkrkva7b06watyj"}]
```
Set the env var `PACKER_LOG=1` for maximum log detail.
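The two failure modes in this thread (the org policy denying Packer's temporary vault, and the `KeyVaultAccessForbidden` / "does not match the Key Vault's true resource id" error once a static vault is used) can both be caught before running `packer build`. The script below is an added example, not code from Packer or from anyone in this thread. It reads the JSON that `az keyvault show -n <vault> -g <rg> -o json` prints for a pre-created vault and checks soft delete, purge protection, the two "enabled for deployment" flags, and whether the vault's real resource id matches the id the builder would use. The way that expected id is formed (the resource group Packer deploys into, with the vault name) is an assumption inferred from the error text quoted above, not taken from Packer's source; the vault name, subscription id and resource group names are placeholders; the embedded JSON is a constructed sample.

```python
"""Preflight check for a pre-created Key Vault used with build_key_vault_name.

Added example; not Packer code. Input is the JSON that
`az keyvault show -n <vault> -g <rg> -o json` returns.
"""
import json
import sys

# Constructed sample shaped like `az keyvault show` output. All ids are
# placeholders. Note enabledForDeployment is false: this is the vault state
# that produces KeyVaultAccessForbidden when the VM tries to pull the WinRM
# certificate out of the vault.
SAMPLE_VAULT_JSON = """
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-packer-build/providers/Microsoft.KeyVault/vaults/kv-packer-static",
  "name": "kv-packer-static",
  "location": "eastus",
  "resourceGroup": "rg-packer-build",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enabledForDeployment": false,
    "enabledForTemplateDeployment": true,
    "softDeleteRetentionInDays": 90
  }
}
"""


def packer_vault_id(subscription_id: str, build_resource_group: str, vault_name: str) -> str:
    """Resource id the builder appears to put in its deployment template.

    Assumption inferred from the error message in this thread: the id is
    formed from the resource group Packer deploys into (temp or build RG)
    plus the vault name, rather than looked up from the vault itself.
    """
    return (f"/subscriptions/{subscription_id}/resourceGroups/{build_resource_group}"
            f"/providers/Microsoft.KeyVault/vaults/{vault_name}")


def check_vault(vault: dict, build_resource_group: str) -> list[str]:
    """Return the problems found; an empty list means the vault should work."""
    problems = []
    props = vault.get("properties", {})

    # Org policy in the thread: both must be on, or a Deny policy rejects
    # the vault. A vault Packer creates itself has neither.
    if not props.get("enableSoftDelete"):
        problems.append("soft delete is disabled")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is disabled")

    # The VM deployment reads the WinRM certificate from the vault as a secret,
    # which needs "Azure Virtual Machines for deployment". The commenter above
    # kept "Azure Resource Manager for template deployment" on as well.
    if not props.get("enabledForDeployment"):
        problems.append("enabledForDeployment is false (KeyVaultAccessForbidden)")
    if not props.get("enabledForTemplateDeployment"):
        problems.append("enabledForTemplateDeployment is false")

    # Resource id check: ARM ids are case-insensitive, so compare lower-cased.
    true_id = vault["id"]
    subscription_id = true_id.split("/")[2]
    expected = packer_vault_id(subscription_id, build_resource_group, vault["name"])
    if expected.lower() != true_id.lower():
        problems.append(
            f"vault id mismatch: Packer would use {expected} but the vault is {true_id}; "
            f"set build_resource_group_name to the vault's resource group"
        )
    return problems


def check_vault_json(text: str, build_resource_group: str) -> list[str]:
    """Parse `az keyvault show` JSON and run the checks."""
    return check_vault(json.loads(text), build_resource_group)


if __name__ == "__main__":
    # Usage: az keyvault show -n <vault> -g <rg> -o json | python preflight.py <build_resource_group_name>
    # With no argument the constructed sample above is checked instead.
    if len(sys.argv) > 1:
        text, rg = sys.stdin.read(), sys.argv[1]
    else:
        text, rg = SAMPLE_VAULT_JSON, "rg-packer-build"
    found = check_vault_json(text, rg)
    for p in found:
        print("FAIL:", p)
    sys.exit(1 if found else 0)
```

Against the sample the only finding is the missing `enabledForDeployment` flag; pass a different resource group name (for example a `temp_resource_group_name` value) and the id-mismatch finding appears as well, which is the situation the update at the top of the thread worked around by switching to `build_resource_group_name`.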