Disk Encryption Set for Data Disks not persisting in the image pushed to Azure Compute Gallery / Shared Image Gallery #13256

Open
paul8989 opened this issue Jan 8, 2025 · 0 comments
paul8989 commented Jan 8, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment


Overview of the Issue

We are trying to add a data disk along with the Packer build using the disk_additional_size parameter. It creates the additional data disk attached to the VM, and the disk is pushed to the shared image gallery version as well. But it never persists the Disk Encryption Set (DES) associated with it. I can see that the Packer VM created under the hood was attached to a disk with a DES ID (SSE with CMK). But once the image is created and pushed to the shared image gallery and a new VM/VMSS is created from it, the data disk is always encrypted with SSE with PMK, which is disallowed by my subscription policy. There is no option to change the data disk settings, as Azure doesn't allow it, stating it is baked into the image.

I tried creating the same image using the az CLI and pushing it to the shared image gallery, where it did persist the disk encryption on the data disk, and the VM created from it had SSE with CMK.

Reproduction Steps

Create a Windows image from the Marketplace
Add a data disk
Add a DES to the OS and data disk
Install dependencies on the data disk
Push to the Shared Image Gallery

Packer version

Packer v1.11.0

Simplified Packer Template

# #-----------------------------------------------------------------------------------------------#
# #                                   WINDOWS IMAGE BUILD                                         #
# #-----------------------------------------------------------------------------------------------#
source "azure-arm" "windows_image" {
  client_id                           = "xxxx"
  client_secret                       = "xxxx"
  tenant_id                           = "xxx"
  subscription_id                     = "xxx"
  os_type                             = "windows"
  vm_size                             = "Standard_F8s_v2"
  build_resource_group_name           = "xxx"
  build_key_vault_name                = "xxx"
  disk_additional_size                = [256]
  public_ip_sku                       = "Standard"
  disk_encryption_set_id              = "/subscriptions/xxx/resourceGroups/rg-packer-test/providers/Microsoft.Compute/diskEncryptionSets/desxxx"

  # Base image details from Microsoft galleries
  image_publisher             = "MicrosoftWindowsServer"
  image_offer                 = "WindowsServer"
  image_sku                   = "2019-datacenter-gensecond"
  image_version               = "latest"

  shared_image_gallery_destination {
    subscription   = "xxx"
    resource_group = "xxx"
    gallery_name   = "xx"
    image_name     = "win-vm-def"
    image_version  = "1.0.10"
    storage_account_type = "Standard_LRS"

    target_region {
      name                   =   "uksouth"
      disk_encryption_set_id = "/subscriptions/xxx/resourceGroups/rg-packer-test/providers/Microsoft.Compute/diskEncryptionSets/desxxx"
    }
  }

  # WinRM settings
  communicator   = "winrm"
  winrm_use_ssl  = true
  winrm_insecure = true
  winrm_timeout  = "3m"
  winrm_username = "packer"

  # Security settings (only when using shared image gallery)
  security_type        = "TrustedLaunch"
  secure_boot_enabled  = true
  vtpm_enabled         = true
}

build {
  name    = "application-name"
  sources = ["source.azure-arm.windows_image"]

  provisioner "powershell" {
    inline = [
      # Ensure the D drive is available
      "if (-not (Test-Path D:\\)) { Write-Host 'D drive is not available. Exiting.'; exit 1 }",

      # Create a directory for Notepad++ installation (if it doesn't already exist)
      "if (-not (Test-Path D:\\Apps\\Notepad++)) { New-Item -ItemType Directory -Path D:\\Apps\\Notepad++ }",

      # Download Notepad++ installer
      "Invoke-WebRequest -Uri https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.5.6/npp.8.5.6.Installer.x64.exe -OutFile D:\\npp-installer.exe",

      # Install Notepad++ silently to the specified directory
      "Start-Process -FilePath D:\\npp-installer.exe -ArgumentList '/S', '/D=D:\\Apps\\Notepad++' -Wait",

      # Clean up installer
      "Remove-Item -Path D:\\npp-installer.exe -Force",

      # Verify installation
      "if (Test-Path D:\\Apps\\Notepad++\\notepad++.exe) { Write-Host 'Notepad++ Installed Successfully' } else { Write-Host 'Notepad++ Installation Failed'; exit 1 }"
    ]
  }

  # The PowerShell below must not be removed and must run after all other provisioners
  # to deprovision/sysprep and generalise the VM.
  provisioner "powershell" {
    inline = [
      "# If Guest Agent services are installed, make sure that they have started.",
      "foreach ($service in Get-Service -Name RdAgent, WindowsAzureTelemetryService, WindowsAzureGuestAgent -ErrorAction SilentlyContinue) { while ((Get-Service $service.Name).Status -ne 'Running') { Start-Sleep -s 5 } }",

      "& $env:SystemRoot\\System32\\Sysprep\\Sysprep.exe /oobe /generalize /quiet /quit /mode:vm",
      "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10  } else { break } }"
    ]
  }

  post-processor "manifest" {
    output     = "packer-manifest.json"
    strip_path = true
  }
}
# #------------------------------------- END WINDOWS BUILD ---------------------------------------#

@paul8989 paul8989 added the bug label Jan 8, 2025
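A post-build check for the problem described in this issue, added here as an example and not code from the issue or from Packer: it walks the `publishingProfile.targetRegions[].encryption` block of a gallery image version (the shape returned by `az sig image-version show`) and reports every OS or data disk image that has no customer-managed disk encryption set, i.e. every disk that a VM created from the image will get with SSE with PMK. The JSON below is a constructed sample that mirrors the template above (one data disk, DES set on the OS disk only); the resource IDs are placeholders.

```python
import json
import re

# Constructed sample in the shape of `az sig image-version show` output
# (publishingProfile.targetRegions only). IDs are placeholders, not real resources.
SAMPLE_IMAGE_VERSION = json.loads("""
{
  "name": "1.0.10",
  "publishingProfile": {
    "targetRegions": [
      {
        "name": "uksouth",
        "encryption": {
          "osDiskImage": {
            "diskEncryptionSetId": "/subscriptions/xxx/resourceGroups/rg-packer-test/providers/Microsoft.Compute/diskEncryptionSets/desxxx"
          },
          "dataDiskImages": [
            {"lun": 0, "diskEncryptionSetId": null}
          ]
        }
      }
    ]
  }
}
""")

# A DES reference must be a full ARM resource ID of a diskEncryptionSets resource.
DES_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Compute/diskEncryptionSets/[^/]+$",
    re.IGNORECASE,
)


def find_pmk_disks(image_version):
    """Return (region, disk) labels for every disk image without a valid DES ID,
    i.e. every disk that falls back to platform-managed keys (SSE with PMK).
    A region with no encryption block at all is reported for its OS disk."""
    findings = []
    regions = image_version.get("publishingProfile", {}).get("targetRegions", [])
    for region in regions:
        enc = region.get("encryption") or {}
        os_des = (enc.get("osDiskImage") or {}).get("diskEncryptionSetId")
        if not (os_des and DES_ID_RE.match(os_des)):
            findings.append((region["name"], "osDisk"))
        for disk in enc.get("dataDiskImages") or []:
            des = disk.get("diskEncryptionSetId")
            if not (des and DES_ID_RE.match(des)):
                findings.append((region["name"], f"dataDisk lun {disk.get('lun')}"))
    return findings


if __name__ == "__main__":
    for region, disk in find_pmk_disks(SAMPLE_IMAGE_VERSION):
        print(f"{region}: {disk} has no customer-managed DES (will use SSE with PMK)")
```

In practice the input is the JSON printed by `az sig image-version show` for the version Packer just published; a non-empty result means the image would violate a subscription policy that requires CMK before any VM or VMSS is created from it.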