packer-plugin-azure
Azure chroot builder uses the current user's subscription to verify the image version existence
Overview of the Issue
The Azure chroot builder accepts a source attribute to use a specific shared image version. The subscription ID in the Azure resource ID is being overridden by the logged-in service principal's subscription ID, which means I cannot use shared images across subscriptions.
Reproduction Steps
Packer config
variable "az_client_creds" {
  type      = string
  sensitive = true
}

locals {
  az_client_creds = jsondecode(var.az_client_creds)
}

source "azure-chroot" "test-img" {
  client_id       = local.az_client_creds["client_id"]
  client_secret   = local.az_client_creds["client_secret"]
  subscription_id = local.az_client_creds["subscription_id"] // SUB_ID1
  // The source image version lives in a different subscription (SUB_ID2).
  source = "/subscriptions/<SUB_ID2>/resourceGroups/packer-images/providers/Microsoft.Compute/galleries/<GALLERY_NAME>/images/<IMAGE_NAME>/versions/1.0.0"

  shared_image_destination {
    resource_group = "<DEST_RES_GROUP_NAME>"
    gallery_name   = "<DEST_GALLERY_NAME>"
    image_name     = "chroot-test"
    image_version  = "1.0.0"
  }
}

build {
  sources = ["sources.azure-chroot.test-img"]

  provisioner "shell" {
    inline         = ["apt-get update"]
    inline_shebang = "/bin/sh -x"
  }
}
Packer build errors
==> azure-chroot.test-img: Error retrieving shared image version "/subscriptions/<SUB_ID2>/resourceGroups/<SOURCE_RESOURCE_GROUP>/providers/Microsoft.Compute/galleries/<SOURCE_GALLERY>/images/<IMAGE_NAME>/versions/1.0.0": unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'SOURCE_RESOURCE_GALLERY could not be found.
Build 'azure-chroot.test-img' errored after 507 milliseconds 600 microseconds: Error retrieving shared image version "/subscriptions/<SUB_ID2>/resourceGroups/<SOURCE_RESOURCE_GROUP>/providers/Microsoft.Compute/galleries/<SOURCE_GALLERY>/images/<IMAGE_NAME>/versions/1.0.0": unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group '<SOURCE_RESOURCE_GROUP>' could not be found.
Plugin and Packer version
packer version: v1.11
azure plugin: v2.3.0
The subscription ID present in the resource link is being overridden with the azcli subscription ID, which belongs to the logged-in user. This will restrict people to using shared images within the same subscription. If this is intended, then it must be documented; why not just use the subscription ID from the parsed Resource struct?
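
The suggestion above, taking the subscription from the parsed resource ID rather than from the logged-in identity, sketched in Go as an added example. This is not the plugin's code: the type and function names and the sample GUIDs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// GalleryImageVersionID is a hypothetical type for this example, not the plugin's Resource struct.
type GalleryImageVersionID struct {
	SubscriptionID, ResourceGroup, Gallery, Image, Version string
}

// ParseGalleryImageVersionID splits a shared image version resource ID into its
// parts. Segment names are compared case-insensitively; a missing "/" is rejected.
func ParseGalleryImageVersionID(id string) (GalleryImageVersionID, error) {
	var r GalleryImageVersionID
	seg := strings.Split(strings.Trim(id, "/"), "/")
	keys := []string{"subscriptions", "resourceGroups", "providers", "galleries", "images", "versions"}
	dst := []*string{&r.SubscriptionID, &r.ResourceGroup, nil, &r.Gallery, &r.Image, &r.Version}
	if len(seg) != 2*len(keys) {
		return r, fmt.Errorf("expected %d path segments, got %d", 2*len(keys), len(seg))
	}
	for i, key := range keys {
		k, v := seg[2*i], seg[2*i+1]
		if !strings.EqualFold(k, key) || v == "" {
			return r, fmt.Errorf("segment %d: want %q with a value, got %q", 2*i, key, k)
		}
		if key == "providers" && !strings.EqualFold(v, "Microsoft.Compute") {
			return r, fmt.Errorf("unexpected provider %q", v)
		}
		if dst[i] != nil {
			*dst[i] = v
		}
	}
	return r, nil
}

// LookupSubscription returns the subscription to query for the source image (the one
// in its resource ID) and whether that differs from the client's own subscription,
// so a cross-subscription read can be logged instead of silently rewritten.
func LookupSubscription(src GalleryImageVersionID, clientSub string) (string, bool) {
	return src.SubscriptionID, !strings.EqualFold(src.SubscriptionID, clientSub)
}

func main() {
	// Constructed sample values: the source image is in 2222..., the client logs in to 1111...
	src, err := ParseGalleryImageVersionID("/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/packer-images/providers/Microsoft.Compute/galleries/gal/images/img/versions/1.0.0")
	sub, cross := LookupSubscription(src, "11111111-1111-1111-1111-111111111111")
	fmt.Println(sub, cross, err)
}
```
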