Terraform-provider-azurerm: Intended method of configuring an Azure VM for WinRM?
_This issue was originally opened by @DavidR91 as hashicorp/terraform#9961. It was migrated here as part of the provider split. The original body of the issue is below._
Terraform Version
0.7.8
Affected Resource(s)
- azurerm_virtual_machine
- azurerm_key_vault
- chef
Terraform Configuration Files
N/A
Expected Behavior
It should be possible to provision an Azure VM using azurerm_virtual_machine and have it use a WinRM listener which is in a state for future provisional to use (e.g. chef)
Actual Behavior
- WinRM on most stock images is disabled by default
- Even enabling it yields Basic + unecrypted by default
- It is possible to enable HTTPS using
winrmin the virtual machine resource. But, the URL is supposed to be a KeyVault URL (certificate_url) - Terraform can provision a keyvault (
azurerm_key_vault) but it (from what I can tell) cannot add or modify this vault in any way (so even if you could dynamically dotls_self_signed_certeach time as the WinRM cert you cannot do anything with it) - WinRM certificates could be created ahead of time, but ideally the certificates are bound to the machine's name/hostname, which kind of prevents us from doing this
Overall
What is the intended method/use case for an HTTPS WinRM listener on Azure?
- Are there add-to-keyvault methods I have missed (?)
- Should there just be a single fixed certificate in a KeyVault (manually added ahead of time) and
insecurespecified on each connection? - Is there an obvious way to exploit
additionalUnattendContentto do WinRM config steps without requiring a first logon? - Should I be dropping back to
local-execto create and upload a certificate specific to the host being provisioned? (Ideally no)
hashibot
All 12 comments
It isn't documented anywhere but basically you need to:
- Add custom_data field under os_profile, to copy a base64 converted powershell script (the script will create self signed certificate and register it in store including enabling winrm)
- Add additional_unattend_config under os_profile_windows_config with setting_name autologon, that will logon to the vm
- Add additional_unattend_config under os_profile_windows_config with setting_name firstlogoncommands that will include an xml that will run that powershell
then you can use the provisioners..
why isn't it documented anywhere? no idea
pixelicous
on 31 Dec 2017
This issue was originally filed before the Azure provider supported extensions
My approach to doing this with recent versions of Terraform has been to add an extension which executes Powershell. The powershell downloads a 'kit' of tools for enabling WinRM and then proceeds to do so
(typically a bundle with makecert + .ps1 for setting the listener up)
The kit files are here, minus makecert.exe
The scripts are not my own, and were derived from an Azure example hosted by Microsoft on github (that has since disappeared?)
applied as follows:
# Process the JSON to pass a DNS name for enabling WinRM
data "template_file" "winrm_arm_settings" {
template = "${file("${path.module}/winrm-arm-settings.template.json")}"
vars {
dns_name = "${var.name}"
}
}
..............
# Enable WinRM
resource "azurerm_virtual_machine_extension" "powershell_winrm" {
name = "EnableWinRM"
location = "${azurerm_virtual_machine.primary.location}"
resource_group_name = "${azurerm_virtual_machine.primary.resource_group_name}"
virtual_machine_name = "${azurerm_virtual_machine.primary.name}"
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
type_handler_version = "1.7"
settings = "${data.template_file.winrm_arm_settings.rendered}" <--- The JSON file from the kit
}
DavidR91
on 4 Jan 2018
@DavidR91 the problem with this approach is that the provisioners run as part of the vm resource provisioning, if you finish provision, go out to put cse on vm.. You fant go back to provisioners on the vm resource.. And you cant add a dependency only for the provisioners of the vm
pixelicous
on 4 Jan 2018
@pixelicous not really hit this issue I don't think? We had Chef provision each machine after WinRM was set up, without any problems
I imagine I just added a null_resource which depends on the machine being done, and then put the provisioner inside of it?
It's misuse of the intended structure, but it works
DavidR91
on 4 Jan 2018
@DavidR91 is there anything you still need addressed in this? A missing wait that would be helpful?
paultyng
on 16 Mar 2018
@DavidR91 i think using the null_resource isn't a misuse, it was provided especially for using provisioners after the resource creation, but at some more complex deployments its not the cleanest method.. besides that doesn't solve how to enable winrm on the machine so provisioners can be executed, you still need to use azure's cse but if you already have a cse on that same vm you need to remove it first, i still have no clue how to do that..
pixelicous
on 17 Mar 2018
hi @DavidR91
Thanks for opening this issue - apologies for the delayed response here!
What is the intended method/use case for an HTTPS WinRM listener on Azure?
The recommended way of configuring a WinRM Connection within Azure is to make use of the certificate_url in the winrm block to load a certificate that's been generated via the azurerm_key_vault_certificate resource. There's an example for this from our test suite here:
Here's another example (purely for demonstration purposes / not recommended) of using the additional_unattended_config block within the azurerm_virtual_machine resource to enable Basic Auth in WinRM:
It's worth noting that the azurerm_key_vault_certificate resource was added fairly recently - as such you'd have needed to make use of the azurerm_template_deployment resource to achieve this using older versions of the AzureRM Provider.
Once the connections provisioned - we'd probably recommend using the provisioner within a null_resource (because the IP Address used to connect to a Virtual Machine isn't necessarily available until it's booted, for a Dynamic IP Address); and pulling that information via the azurerm_network_interface or azurerm_public_ip Data Sources.
Thanks!
tombuildsstuff
on 17 Apr 2018
Hi! Today I already wasted about 4h of my time trying to setup a VM with WinRM enabled. I would really appreciate if azurerm provider would include example how to do this. There are many samples on GitHub but none was clear and easy to follow. The documentation is also very sparse and lacking.
marcin-chwedczuk-meow
on 25 Jul 2018
@marcin-chwedczuk-meow I think its just a matter of adding winrm block like this in the azurerm_virtual_machine resource (initial configuration with http)
os_profile_windows_config {
provision_vm_agent = "true"
enable_automatic_upgrades = "true"
winrm {
protocol = "HTTP"
}
}
erikanderson
on 3 Aug 2018
hey @marcin-chwedczuk-meow
With the release of v1.12 of the AzureRM Provider we now set the connection information for a Virtual Machine automatically and have examples of how to use Provisioners with both WinRM and SSH here: https://github.com/terraform-providers/terraform-provider-azurerm/tree/master/examples/virtual-machines/provisioners
Thanks!
tombuildsstuff
on 4 Aug 2018
The link you provided was not found.
sherylhanfis
on 22 Mar 2020
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 22 Mar 2020
Related issues
pdeva
·
3Comments
JayDoubleu
·
3Comments
MMollyy
·
3Comments
Kanikamiglani31
·
3Comments
whytoe
·
3Comments
Most helpful comment
Hi! Today I already wasted about 4h of my time trying to setup a VM with WinRM enabled. I would really appreciate if azurerm provider would include example how to do this. There are many samples on GitHub but none was clear and easy to follow. The documentation is also very sparse and lacking.