Hello,

I need to have double-encryption (Customer-managed key + Platform key) 
supported for an Azure VM image I am creating with Packer. I have two 
challenges associated with it:

1)  When publishing into Azure Compute Gallery, is it possible to create 
disk snapshots before pushing a VM Image Version from a generalised VM? The 
reason for this is to allow the use of CMK-encrypted source and sharing 
across subscriptions. If you create a VM image version from a VHD or from a 
running VM, then all the encryption stuff must be in the same subscription, 
for both source and target. That's obviously not what I need to achieve.

So, at least in Az CLI, the process should look something like this:

[image: image (1).png]

However, I can't find any such option in the azure-arm runner. The snapshot 
option works *only* when pushing to a Managed Disk. Azure Compute Gallery 
block does not support it.

Here's the code I am using:

source "azure-arm" "imageBuild" {
  async_resourcegroup_delete = true
  azure_tags = {
    Env               = "Dev"
    "Image Offer"     = "${var.image_offer}"
    "Image Publisher" = "${var.image_publisher}"
    "Image SKU"       = "${var.image_sku}"
    Task              = "Packer"
  }
  build_key_vault_name                = "${var.build_key_vault_name}"
  build_resource_group_name           = "${var.rgName}"
  client_id                           = "${var.client_id}"
  client_secret                       = "${var.client_secret}"
  communicator                        = "winrm"
  disk_encryption_set_id              = "${var.disk_encryption_set_id}"
  image_offer                         = "${var.image_offer}"
  image_publisher                     = "${var.image_publisher}"
  image_sku                           = "${var.image_sku}"
  os_type                             = "Windows"
  secure_boot_enabled                 = true
  shared_image_gallery_destination {
    subscription        = "${var.subscription_id}"
    gallery_name        = "${var.acgName}"
    image_name          = "${var.image_name}"
    image_version       = "${var.image_version}"
    replication_regions = ["${var.location}"]
    resource_group      = "${var.rgName}"
  }
  shared_image_gallery_replica_count = 1
  subscription_id                    = "${var.subscription_id}"
  tenant_id                          = "${var.tenant_id}"
  vm_size                            = "${var.vmSize}"
  winrm_insecure                     = true
  winrm_timeout                      = "7m"
  winrm_use_ssl                      = true
  winrm_username                     = "packer"
}

build {
  sources = ["source.azure-arm.imageBuild"]

  provisioner "powershell" {
    inline = [
      "mkdir C:\\Windows\\Azure",
      "& $env:SystemRoot\\System32\\Sysprep\\Sysprep.exe /oobe /generalize /quiet /quit",
      "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10 } else { break } }"
    ]
  }

  post-processor "shell-local" {
    execute_command = ["powershell", "-NoProfile", "{{ .Script }}"]
    script          = "packer_pp2.ps1"
  }
}

2) I need to enable TrustedLaunch on the VM image.

Unfortunately, I can't do that. Here's the code that I am using for a VM 
Image Definition:

az sig image-definition create -g rg-acg-build `
    -r acg_trla `
    -i 'Trusted_Launch_Image' `
    --features SecurityType=TrustedLaunch `
    -p MicrosoftWindowsServer `
    -f WindowsServer `
    -s 2022-datacenter-g2 `
    --os-type Windows `
    --os-state Generalized `
    --hyper-v-generation V2

Here are the options I am using for the HCL Packer file:

secure_boot_enabled                 = true
vtpm_enabled                        = true

When I do that, the image compiles without problems, but during the Azure 
Compute Gallery push, I am getting the following error:

==> azure-arm.imageBuild: ERROR: -> InternalOperationError : Replication 
failed in this region due to 'Contract.Assert failed: Data model 
DiskEncryptionSetId '' does not match DiskRP returned DiskEncryptionSetId 
'/subscriptions/[redacted]/resourceGroups/RG-ACG-BUILD/providers/Microsoft.Compute/diskEncryptionSets/desPlatform'

Any help or ideas are appreciated!
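A check a practitioner would run after the gallery push, added here as an example (it is not code from the original post or from Packer): it walks the per-region encryption settings of a gallery image version's JSON, in the shape `az sig image-version show -o json` returns (`publishingProfile.targetRegions[].encryption.osDiskImage.diskEncryptionSetId`, structure assumed), and reports any region whose OS disk image is not bound to the expected disk encryption set. The sample JSON and the subscription GUID are constructed.

```python
import json

# Constructed sample of `az sig image-version show` output. The field layout
# is assumed from the Compute Gallery model; the subscription GUID is a dummy.
DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "RG-ACG-BUILD/providers/Microsoft.Compute/diskEncryptionSets/desPlatform")
SAMPLE_IMAGE_VERSION = json.loads(json.dumps({
    "name": "1.0.0",
    "publishingProfile": {
        "targetRegions": [
            # region where the CMK disk encryption set was applied
            {"name": "westeurope",
             "encryption": {"osDiskImage": {"diskEncryptionSetId": DES_ID}}},
            # region replicated with an empty DES id (the '' case in the error)
            {"name": "northeurope",
             "encryption": {"osDiskImage": {"diskEncryptionSetId": ""}}},
            # region with no encryption block at all (platform key only)
            {"name": "uksouth"},
        ]
    },
}))

# Expected DES written in a different case on purpose: ARM resource IDs are
# case-insensitive (RG-ACG-BUILD and rg-acg-build name the same group).
EXPECTED_DES = DES_ID.lower()


def _norm(resource_id):
    """Normalise an ARM resource id for comparison (None -> '')."""
    return (resource_id or "").strip().lower()


def check_os_disk_des(image_version, expected_des_id):
    """Map each target region to 'ok', 'missing' or 'mismatch'."""
    want = _norm(expected_des_id)
    result = {}
    for region in image_version.get("publishingProfile", {}).get("targetRegions", []):
        enc = region.get("encryption", {}).get("osDiskImage", {})
        got = _norm(enc.get("diskEncryptionSetId"))
        if not got:
            result[region["name"]] = "missing"
        elif got != want:
            result[region["name"]] = "mismatch"
        else:
            result[region["name"]] = "ok"
    return result


def regions_without_cmk(image_version, expected_des_id):
    """Sorted list of regions whose OS disk image is not on the expected DES."""
    status = check_os_disk_des(image_version, expected_des_id)
    return sorted(r for r, s in status.items() if s != "ok")


if __name__ == "__main__":
    for region, status in check_os_disk_des(SAMPLE_IMAGE_VERSION, EXPECTED_DES).items():
        print(f"{region}: {status}")
```

Feed it the real output of `az sig image-version show -o json` in place of the constructed sample; a non-empty result from `regions_without_cmk` means the version is not double-encrypted everywhere it was replicated.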

--- 
You received this message because you are subscribed to the Google Groups 
"Packer" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/packer-tool/7167a5a2-3446-4e6b-9483-b6e1f2cf2b61n%40googlegroups.com.
