Skip to content

v2.0.0
Compare
Choose a tag to compare
@github-actions github-actions released this 14 Aug 16:43
· 131 commits to main since this release
v2.0.0
2e2bab5
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Version 2.0.0 of the Packer Azure Plugin switches from using the now deprecated version of the Azure SDK for Go, to an SDK maintained by HashiCorp go-azure-sdk

Packer Azure Plugin v2.0.0 breaking change upgrade guide

Certificate Authentication

Azure Packer plugin versions before v2.0.0 supported PEM encoded certificates without passwords, the new SDK used by v2.0.0 only supports PKCS#12 bundles (pfx files), this is the same functionality that the AzureRM Terraform Provider uses.

Steps to Generate a PFX bundle and register it in Azure from a POSIX-compatible shell are listed below. For PowerShell the commands will be different:

1.) Generate the certificate (for example with OpenSSL)
$ openssl req -subj '/CN=myclientcertificate/O=MyCompany, Inc./ST=CA/C=US' -new -newkey rsa:4096 -sha256 -days 730 -nodes -x509 -keyout client.key -out client.crt

2.) Create PKCS#12 bundle from certificate note: the password is intentionally quoted for shell compatibility, the value does not include the quotes $ openssl pkcs12 -export -password pass:"Pa55w0rd123" -out client.pfx -inkey client.key -in client.crt

3.) Create a new application registration and then inside the Certificates & secrets section of that app registration, go to Certificates and then click Upload certificate select the public key of the cerificate (client.crt)

4.) Then on the Azure Subscriptions page, choose the subscription you created the app registry for and open Access Control (IAM) and then using the Add > Add role assignment button grant that registered application the roles required for your build (e.g. Contributor)

5.) Use the generated pfx file client.pfx in the field client_cert_path and set your certificate password in client_cert_password of your Packer Azure build. (in this example we've set that to Pa55w0rd123)

Managed Authentication For Storage Accounts

During VHD builds this plugin previously would use an account key to authorize deleting from storage accounts, this is not recommended by Microsoft due to security risks so we now as requested in #250 use managed authentication to connect to Storage Accounts, for VHD builds this means your user principal will need delete storage account access to the account where VHD builds are occurring, this level of access was previously not required, and without it Packer will fail to cleanup VHD artifacts at the end of a build

Interactive (Device Code) Authentication

In Azure Packer plugin Packer v2.0.0 we have removed support for the authentication option use_interactive_auth aka Device Code login, users can still use device code login through the Azure CLI az login –use-device-code and then using the use_azure_cli_auth authentication option.

SAS URIs

In Azure Packer plugin versions before v2.0.0 we previously displayed a ReadOnly SAS URI in Packer builds for VHDs, and managed images which kept their OS disks. In v2 the plugin no longer generate these SAS URIs, Microsoft recommends not using these keys and sticking to Azure AD authentication, you can read more here about SAS URIs.

OIDC Support

The Packer Azure Plugin now supports OIDC auth using the client_jwt field as your OIDC token, an example is available here

Full Change List

Breaking Changes 🛠

Other Changes

Full Changelog: v1.4.5...v2.0.0

Contributors

JenGoldstrich, dependabot, and lbajolet-hashicorp
Assets 23
Loading