
Config attribute to skip Keyvault deployment during Packer Windows build #357

Open
garimakhulbe02 opened this issue Dec 28, 2023 · 4 comments

Comments

@garimakhulbe02
Contributor

garimakhulbe02 commented Dec 28, 2023

Description

A new attribute/input, skip_build_key_vault_create, in the Packer config to skip the Keyvault deployment during the Packer build for Windows images. Packer does two ARM deployments during a build: the first deployment creates a Keyvault to save the WinRM certificate, and the second deploys the build VM. This attribute will give an option to skip this build Keyvault deployment.

Use Case(s)

The build Keyvault is used to store the certificate for the WinRM connection for Windows images. Many Azure customers are now having policy-related issues with this Keyvault. The most common ones are: the Keyvault should be behind a private link service, the account does not allow on-the-fly Keyvault creation during the build, and other settings like purge protection and soft delete. We cannot use build_key_vault_name because it hardens the requirement for our customers to have the Keyvault in the build resource group only, which is not the case for most of them.

To resolve these issues, we will skip the Keyvault creation and implement a solution using the custom_script and user_data_file attributes in the Packer config, similar to the AWS plugin. We have a working PoC with custom_script and user_data_file for the Azure plugin.

Please let us know if you have questions or this looks good. Thanks.

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.

garimakhulbe02 changed the title from "Config attribute to skip Keyvault deployment during Packer build" to "Config attribute to skip Keyvault deployment during Packer Windows build" on Dec 28, 2023
@JenGoldstrich
Contributor

Hey @garimakhulbe02 thanks for filing this issue,

I'm wondering if it would make more sense to enable users to set the key vault resource group name, allowing users to use any pre-existing key vault, even ones outside the build RG. That might be a bit simpler to implement in my mind; I'm not sure if the key vault necessarily needs to be in the same resource group as the build. What do you think?

@garimakhulbe02
Contributor Author

Hey @JenGoldstrich, thank you for responding here.

We thought of this as well, where the Keyvault could be in any resource group. However, there is a policy restriction where the Keyvault should be behind a virtual network. This Keyvault is used to store the WinRM certificate. With BYO-KV, we need to figure out a way for Packer to write and read the certificate in the customer Keyvault. The other thing is that these policy restrictions are a running list and will have new add-ons in the future. It will work best for us if we get an option to remove this Keyvault altogether, because we might not be able to accommodate all restrictions in our service. We are planning to use custom_data and user_data instead.

@JenGoldstrich
Contributor

That makes sense to me, thanks for clarifying that point.

I think moving forward with this enhancement makes sense. If a PR gets submitted we will respond to that quickly. I would definitely appreciate it if you could include the working PoC with the userdata/custom_data example script in that PR!

@garimakhulbe02
Contributor Author

Thank you Jenna. We will open a PR soon with the userdata/custom_data example script.
