packer-plugin-azure
Error publishing an encrypted (SSE+CMK) image into an Azure Compute Gallery (fka. SIG) with TrustedLaunch enabled
Overview of the Issue
Seemingly, this isn't the first time the error/bug has been reported. Almost a year ago, in issue #304, @oliverlabs shared an image that encapsulates and illustrates it perfectly, as follows:
Specifically, my Temp Packer VM represents the 2nd scenario. i.e. CMK using a Disk Encryption Set with Trusted Launch Security Type.
Reproduction Steps
Use of `disk_encryption_set_id` and `security_type = "TrustedLaunch"` together, as demonstrated in the build file below:
Plugin and Packer version
Packer version: 1.10.3
Plugin version: 2.1.4
Simplified Packer Buildfile
```hcl
# Simplified build file as posted; the var.* references assume matching
# `variable` blocks (credentials, DES/VNet/gallery IDs) in the same build.
source "azure-arm" "windows-vm" {
  client_id       = var.client_id
  client_secret   = var.client_secret
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id

  build_resource_group_name = "packerbuildenvironment"

  # Customer-managed key: the temp VM's disks are encrypted with this DES.
  disk_encryption_set_id    = var.des_resource_id
  boot_diag_storage_account = var.boot_diag_sa

  os_type = "Windows"
  vm_size = var.vm_size

  communicator   = "winrm"
  winrm_username = "packer"
  winrm_timeout  = "10m"
  winrm_use_ssl  = true
  winrm_insecure = true   # skips WinRM certificate validation on the temp VM
  winrm_no_proxy = true
  winrm_use_ntlm = true

  # Security Type: Trusted Launch
  secure_boot_enabled = true
  vtpm_enabled        = true
  security_type       = "TrustedLaunch"

  virtual_network_resource_group_name = var.vnet_resource_group
  virtual_network_name                = var.vnet_name
  virtual_network_subnet_name         = var.vnet_subnet_name

  managed_image_storage_account_type = "Premium_LRS"

  # Source image definition in the gallery
  shared_image_gallery {
    subscription   = var.subscription_id
    resource_group = var.sig_resource_group
    gallery_name   = var.sig_gallery_name
    image_name     = var.sig_base_image_definition
  }

  # Destination image version (specialized) in the same gallery
  shared_image_gallery_destination {
    subscription   = var.subscription_id
    resource_group = var.sig_resource_group
    gallery_name   = var.sig_gallery_name
    image_name     = var.sig_image_definition
    image_version  = var.sig_image_version
    specialized    = true
  }

  user_assigned_managed_identities = [var.uami_resource_id]
}
```
Operating system and Environment details
RHEL X64 ADOP SHA
Log Fragments and crash.log files
```text
==> azure-arm.windows-apps-vm: Publishing to Shared Image Gallery ...
==> azure-arm.windows-apps-vm: -> Source ID used for SIG publish : '/subscriptions/{subscriptionId}/resourceGroups/packerbuildenvironment/providers/Microsoft.Compute/virtualMachines/pkrvm78tjysw78q'
==> azure-arm.windows-apps-vm: -> SIG publish resource group : '{resourceGroup}'
==> azure-arm.windows-apps-vm: -> SIG gallery name : '{sigGalleryName}'
==> azure-arm.windows-apps-vm: -> SIG image name : '{sigImageName}'
==> azure-arm.windows-apps-vm: -> SIG image version : '1.0.0'
==> azure-arm.windows-apps-vm: -> SIG target regions : '[{location}]'
==> azure-arm.windows-apps-vm: -> Region 1 DES Id : '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/diskEncryptionSets/{diskEncryptionSet}'
==> azure-arm.windows-apps-vm: -> SIG storage account type : ''
==> azure-arm.windows-apps-vm: -> SIG image version endoflife date : ''
==> azure-arm.windows-apps-vm: -> SIG image version exclude from latest : 'false'
==> azure-arm.windows-apps-vm: Call stack:
==> azure-arm.windows-apps-vm: at Microsoft.Windows.Azure.GCM.Contract.Assert(Boolean condition, String userMessage) in X:\bt\1257000\repo\src\Shared\Lib\Common\Contracts.cs:line 82
==> azure-arm.windows-apps-vm: at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.ReplicationBlockBase`3.ValidateDiskRPEncryptionResult(Encryption dmEncryption, Encryption resultEncryption) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\ReplicationBlockBase.cs:line 357
==> azure-arm.windows-apps-vm: at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.AllocateSnapshotsBlock.ProcessSingleAllocateSnapshotResult(ReplicatedArtifact replicatedArtifact, VMImageSnapshotResult snapshotResult, Int32 maximumSourceDiskSizeInGb) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\AllocateSnapshotsBlock.cs:line 722
==> azure-arm.windows-apps-vm: at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.AllocateSnapshotsBlock.ProcessAllocateSnapshotResults(ReplicatedArtifact replicatedArtifact, VMImageAllocateSnapshotResults allocateSnapshotsResult, Int32 maximumSourceDiskSizeInGb) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\AllocateSnapshotsBlock.cs:line 639
==> azure-arm.windows-apps-vm: at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.AllocateSnapshotsBlock.<AllocateSnapshots>d__18.MoveNext() in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\AllocateSnapshotsBlock.cs:line 618
==> azure-arm.windows-apps-vm: at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
==> azure-arm.windows-apps-vm: at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
==> azure-arm.windows-apps-vm: at System.Runtime.CompilerServices.AsyncMethodBuilderCore.MoveNextRunner.Run()
==> azure-arm.windows-apps-vm: at System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction(Action action, Boolean allowInlining, Task& currentTask)
==> azure-arm.windows-apps-vm: at System.Threading.Tasks.Task.FinishContinuations()
==> azure-arm.windows-apps-vm: ERROR: -> InternalOperationError : Replication failed in this region due to 'Contract.Assert failed: Data model DiskEncryptionSetId '' does not match DiskRP returned DiskEncryptionSetId '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/diskEncryptionSets/{diskEncryptionSet}'
==> azure-arm.windows-apps-vm: Status: "InternalOperationError"
==> azure-arm.windows-apps-vm: Code: ""
==> azure-arm.windows-apps-vm: Message: "Replication failed in this region due to 'Contract.Assert failed: Data model DiskEncryptionSetId '' does not match DiskRP returned DiskEncryptionSetId '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/diskEncryptionSets/{diskEncryptionSet}' … "
==> azure-arm.windows-apps-vm: Activity Id: ""
```
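A pre-flight consistency check for this scenario, added here as an example and not part of packer-plugin-azure or the reporter's build. The failing assertion compares the DES recorded in the gallery's data model (empty, `''`) with the DES DiskRP reports on the snapshotted disk, so the check below reads the same three objects a practitioner would pull with `az disk show`, `az sig image-definition show` and `az sig image-version show` (field names as the author understands them, assumed), plus a DES-to-region lookup from `az disk-encryption-set show`, and flags an empty per-region DES, a DES outside its target region (a DES is a regional resource), a same-region DES that differs from the source disk's, and a TrustedLaunch source published into an image definition without the `SecurityType=TrustedLaunch` feature. All JSON documents are constructed samples; the helper names and the `image_version_request` builder are hypothetical.

```python
"""Offline pre-flight check for publishing a CMK (DES) + TrustedLaunch build VM
into an Azure Compute Gallery. Hypothetical helper; the JSON shapes mirror the
az CLI output as the author understands them and the samples are constructed."""
import json

# Constructed sample: OS disk of the temporary Packer VM (shape of `az disk show`).
SOURCE_DISK = json.loads("""{
  "location": "westeurope",
  "encryption": {
    "type": "EncryptionAtRestWithCustomerKey",
    "diskEncryptionSetId": "/subscriptions/0000/resourceGroups/rg-keys/providers/Microsoft.Compute/diskEncryptionSets/des-weu"
  },
  "securityProfile": {"securityType": "TrustedLaunch"}
}""")

# Constructed sample: DES resource ID (lower-cased) -> region, from `az disk-encryption-set show`.
DES_LOCATIONS = {
    "/subscriptions/0000/resourcegroups/rg-keys/providers/microsoft.compute/diskencryptionsets/des-weu": "westeurope",
    "/subscriptions/0000/resourcegroups/rg-keys/providers/microsoft.compute/diskencryptionsets/des-neu": "northeurope",
}

# Constructed sample: destination image definition (shape of `az sig image-definition show`).
IMAGE_DEFINITION = {
    "osType": "Windows",
    "osState": "Specialized",
    "features": [{"name": "SecurityType", "value": "TrustedLaunch"}],
}

DES_WEU = "/subscriptions/0000/resourceGroups/rg-keys/providers/Microsoft.Compute/diskEncryptionSets/des-weu"


def image_version_request(target_regions):
    """Build the publishingProfile fragment for [(region, des_id), ...] pairs,
    in the shape of `az sig image-version show`. Hypothetical builder."""
    return {
        "publishingProfile": {
            "targetRegions": [
                {"name": region,
                 "encryption": {"osDiskImage": {"diskEncryptionSetId": des_id}}}
                for region, des_id in target_regions
            ]
        }
    }


def check_publish(source_disk, image_definition, image_version, des_locations):
    """Return a list of human-readable findings; an empty list means no mismatch found."""
    findings = []
    enc = source_disk.get("encryption", {})
    source_des = (enc.get("diskEncryptionSetId") or "").lower()
    if enc.get("type") != "EncryptionAtRestWithCustomerKey" or not source_des:
        findings.append("source OS disk is not CMK-encrypted with a DES")

    # A TrustedLaunch source needs an image definition carrying the matching feature.
    sec_type = source_disk.get("securityProfile", {}).get("securityType")
    features = {f["name"]: f["value"] for f in image_definition.get("features", [])}
    if sec_type == "TrustedLaunch" and features.get("SecurityType") != "TrustedLaunch":
        findings.append("image definition lacks SecurityType=TrustedLaunch feature")

    for region in image_version["publishingProfile"]["targetRegions"]:
        name = region["name"].lower()
        des_id = (region.get("encryption", {}).get("osDiskImage", {})
                  .get("diskEncryptionSetId") or "").lower()
        if not des_id:
            # This is the '' the DiskRP contract assertion in the log complains about.
            findings.append(f"{name}: no DES on osDiskImage while source disk uses {source_des}")
            continue
        des_region = des_locations.get(des_id)
        if des_region is None:
            findings.append(f"{name}: DES {des_id} not found")
        elif des_region.lower() != name:
            # A DES is regional: the target region must use a DES that lives there.
            findings.append(f"{name}: DES lives in {des_region}, not in the target region")
        if name == source_disk["location"].lower() and des_id != source_des:
            findings.append(f"{name}: DES differs from the source disk's DES")
    return findings


if __name__ == "__main__":
    for finding in check_publish(SOURCE_DISK, IMAGE_DEFINITION,
                                 image_version_request([("westeurope", "")]),
                                 DES_LOCATIONS):
        print("FINDING:", finding)
```

Run it against the real objects by replacing the constructed samples with the `az ... -o json` output; anything it reports is worth fixing before the build, because the gallery replication step only surfaces the mismatch after the temporary VM has already been captured.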