Thursday, September 7, 2023

Version 2 of the Packer Azure plugin is now available

We're excited to announce the version 2.0.0 release of the Packer Azure plugin, which enables users to build Azure virtual hard disks, managed images, and Compute Gallery (shared image gallery) images. The plugin is one of the most popular ways to build Azure Virtual Machine images and is used by Microsoft Azure via the Azure Image Builder

For the past year, we have been tracking the changes to the Azure SDKs and keeping our eyes on the upcoming deprecations, which were sure to disrupt how Packer interacts with Azure. When we found that the version of the Azure SDK the Packer plugin was using would soon be deprecated we began work to migrate to the Terraform tested HashiCorp Go Azure SDK. The HashiCorp Go Azure SDK is generated from and based on the Azure API definitions to provide parity with the official Azure SDK — making it a near drop-in replacement for the Azure SDK, with the ability to resolve issues around auto-rest, polling, and API versioning. Version 2.0.0 of the Packer Azure plugin addresses the known deprecations with minimal disruption to the user, introduces new highly requested features, and combines the stability of the Packer Azure plugin with the Terraform Azure provider

OIDC support

Many users want to bring their own authentication provider when connecting to Azure, and some organizations have policies requiring this. Version 2 of the Packer Azure plugin supports using an OIDC provider to authenticate to Azure using the client_jwt field in the builder configuration. You can follow this guide to setting up GitHub as your OIDC Provider and adding its federated credentials to Azure. For example, configuring a GitHub action like this:

name: OIDC Example

  contents: read
  id-token: write

        runs-on: ubuntu-latest
        available: "$"
        # we check for the ACTIONS_ID_TOKEN_REQUEST_URL variable as a proxy for other secrets
        # it will be unset when running for a PR from a fork
        - id: check-secrets
        run: |
        if [[ "${ACTIONS_ID_TOKEN_REQUEST_URL}" == "" ]]; then
                echo "available=false" | tee ${GITHUB_OUTPUT}
                echo "available=true" | tee ${GITHUB_OUTPUT}

        runs-on: ubuntu-latest
        needs: [secrets-check]
        if: needs.secrets-check.outputs.available == 'true'
        - name: Set OIDC Token
        run: |
        echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')"  >>${GITHUB_ENV}

        - name: Install Go
        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
        go-version: '1.19.5'

        - name: Checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        - name: Setup `packer`
        uses: hashicorp/setup-packer@main
        id: setup

        - name: Build the plugin
        run:  make
        - name: Try to run an AzureARM build with our OIDC token
        run:  packer build -force ./example/oidc-example.pkr.hcl
        ARM_CLIENT_ID: $

And using this example Packer template with the client_jwt set as our GitHub provided OIDC token:

variable "arm_client_id" {
  type    = string
  default = "${env("ARM_CLIENT_ID")}"

variable "arm_oidc_token" {
  type    = string
  default = "${env("ARM_OIDC_TOKEN")}"

variable "subscription_id" {
  type    = string
  default = "${env("ARM_SUBSCRIPTION_ID")}"

variable "group_name" {
  type    = string
  default = "${env("ARM_GROUP_NAME")}"

source "azure-arm" "oidc" {
  client_id                         = "${var.arm_client_id}"
  client_jwt                        = "${var.arm_oidc_token}"
  communicator                      = "winrm"
  image_offer                       = "WindowsServer"
  image_publisher                   = "MicrosoftWindowsServer"
  image_sku                         = "2012-R2-Datacenter"
  location                          = "westus"
  managed_image_name                = "oidc-example"
  managed_image_resource_group_name = "${var.group_name}"
  os_type                           = "Windows"
  subscription_id                   = "${var.subscription_id}"
  vm_size                           = "Standard_DS2_v2"
  winrm_insecure                    = "true"
  winrm_timeout                     = "3m"
  winrm_use_ssl                     = "true"
  winrm_username                    = "packer"

build {
  sources = [""]

Client certificate authentication

Beginning with version 2, the Packer Azure plugin now supports only PKCS#12 bundle (.pfx file) for client certificate authentication. For more information on generating a pfx cert and adding it to Azure, check out the Terraform Azure provider documentation. Certificates encoded in the .pem format, which previously worked in the Azure plugin, will no longer be recognized by the plugin.

Clarification on VHD deprecation

Historically, the Packer Azure plugin notified users that Azure VHD (virtual hard disk) builds were deprecated and would be removed at a later date. This has led to confusion on whether users can rely on VHD functionality remaining in the plugin, and when or if they will be forced to migrate. We found that many users continue to build VHD images using the Packer Azure plugin, so we decided to remove the deprecation warning. VHD builds will continue to work on v2.0.0 of Azure, and we have no plans to deprecate it again in the immediate future.

Other updates in the Packer Azure plugin

We also made changes to let the plugin fail faster when users are creating an image build that won't succeed based on invalid shared image gallery version values. We also added support for setting a WinRM expiration time for Azure tenants/subscriptions that have that policy requirement. You can find a full list of changes in the Packer Azure plugin release notes.

Please report any issues with and share your feedback on Version 2.0.0 in the Packer Azure plugin GitHub issue tracker.

from HashiCorp Blog

No comments:

Post a Comment