From f2565768aa6f640fd911e60ae544b123f0ba785b Mon Sep 17 00:00:00 2001 From: Jamie Phillips Date: Mon, 8 Oct 2018 21:28:43 -0400 Subject: [PATCH 1/2] Updated azure setup for new Azure CLI. --- .../source/docs/builders/azure-setup.html.md | 178 ++++-------------- 1 file changed, 33 insertions(+), 145 deletions(-) diff --git a/website/source/docs/builders/azure-setup.html.md b/website/source/docs/builders/azure-setup.html.md index 05d4ce7bb..cda79dc74 100644 --- a/website/source/docs/builders/azure-setup.html.md +++ b/website/source/docs/builders/azure-setup.html.md @@ -55,20 +55,12 @@ To get the credentials above, we will need to install the Azure CLI. Please refe -> The guides below also use a tool called [`jq`](https://stedolan.github.io/jq/) to simplify the output from the Azure CLI, though this is optional. If you use homebrew you can simply `brew install node jq`. -If you already have node.js installed you can use `npm` to install `azure-cli`: - -``` shell -$ npm install -g azure-cli --no-progress -``` - -You can also use the Python-based Azure CLI in Docker. It also comes with `jq` pre-installed: +You can also use the Azure CLI in Docker. It also comes with `jq` pre-installed: ```shell -$ docker run -it azuresdk/azure-cli-python +$ docker run -it microsoft/azure-cli ``` -As there are differences between the node.js client and the Python client, we've included commands for the Python client underneath each node.js command. - ## Guided Setup The Packer project includes a [setup script](https://github.com/hashicorp/packer/blob/master/contrib/azure-setup.sh) that can help you setup your account. It uses an interactive bash script to log you into Azure, name your resources, and export your Packer configuration. @@ -82,15 +74,8 @@ If you want more control or the script does not work for you, you can also use t Login using the Azure CLI ``` shell -$ azure config mode arm -$ azure login -u USERNAME -``` - -If you're using the Python client: - -```shell $ az login -# To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code CODE_PROVIDED to authenticate +# Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code" ``` Once you've completed logging in, you should get a JSON array like the one below: @@ -115,17 +100,12 @@ Once you've completed logging in, you should get a JSON array like the one below Get your account information ``` shell -$ azure account list --json | jq -r '.[].name' -$ azure account set ACCOUNTNAME -$ azure account show --json | jq -r ".[] | .id" +$ az account list --output json | jq -r '.[].name' +$ az account set --subscription ACCOUNTNAME +$ az account show --output json | jq -r '.id' ``` -Python: -``` shell -$ az account set "$(az account list | jq -r '.[].name')" -``` - --> Throughout this document when you see a command pipe to `jq` you may instead omit `--json` and everything after it, but the output will be more verbose. For example you can simply run `azure account list` instead. +-> Throughout this document when you see a command pipe to `jq` you may instead omit `--output json` and everything after it, but the output will be more verbose. For example you can simply run `az account list` instead. This will print out one line that look like this: @@ -138,18 +118,12 @@ This is your `subscription_id`. Note it for later. A [resource group](https://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/#resource-groups) is used to organize related resources. Resource groups and storage accounts are tied to a location. To see available locations, run: ``` shell -$ azure location list +$ az account list-locations $ LOCATION=xxx $ GROUPNAME=xxx # ... -$ azure group create -n $GROUPNAME -l $LOCATION -``` - -Python: - -```shell -$ az group create -n $GROUPNAME -l $LOCATION +$ az group create --name $GROUPNAME --location $LOCATION ``` Your storage account (below) will need to use the same `GROUPNAME` and `LOCATION`. @@ -159,17 +133,12 @@ Your storage account (below) will need to use the same `GROUPNAME` and `LOCATION We will need to create a storage account where your Packer artifacts will be stored. We will create a `LRS` storage account which is the least expensive price/GB at the time of writing. ``` shell -$ azure storage account create \ - -g $GROUPNAME \ - -l $LOCATION \ - --sku-name LRS \ - --kind storage STORAGENAME -``` - -Python: - -```shell -$ az storage account create -n STORAGENAME -g $GROUPNAME -l $LOCATION --sku Standard_LRS +$ az storage account create \ + --name STORAGENAME + --resource-group $GROUPNAME \ + --location $LOCATION \ + --sku Standard_LRS \ + --kind Storage ``` -> `LRS` and `Standard_LRS` are meant as literal "LRS" or "Standard_LRS" and not as variables. @@ -185,126 +154,45 @@ First pick APPNAME, APPURL and PASSWORD: ```shell APPNAME=packer.test APPURL=packer.test - PASSWORD=xxx +PASSWORD=xxx ``` Password is your `client_secret` and can be anything you like. I recommend using ```openssl rand -base64 24```. ``` shell -$ azure ad app create \ - -n $APPNAME \ - -i $APPURL \ +$ az ad app create \ + --display-name $APPNAME \ + --identifier-uris $APPURL \ --home-page $APPURL \ - -p $PASSWORD + --password $PASSWORD ``` -Python: - -```shell -$ az ad app create --display-name $APPNAME --identifier-uris $APPURL --homepage $APPURL --password $PASSWORD -``` - - ### Create a Service Principal -You cannot directly grant permissions to an application. Instead, you create a service principal associated with the application and assign permissions to the service principal. - -First, get the `APPID` for the application we just created. - -``` shell -$ azure ad app show --json --search $APPNAME | jq '.[0] | .appId' -$ APPID=$(!!) -# ... - -$ azure ad sp create --applicationId $APPID -``` - -Python: +You cannot directly grant permissions to an application. Instead, you create a service principal and assign permissions to the service principal. To create a service principal for use with Packer, run the below command sepifying the subscription. This will grant Packer the contributor role to the subscription. The output of this command is your service principal credentials, save these in a safe place as you will need these to configure Packer. ```shell -$ az ad app list | jq -r ".[] | select(.displayName == \"${APPNAME}\") | .appId" -$ APPID=$(!!) -#... - -$ az ad sp create --id $APPID +az ad sp create-for-rbac -n "Packer" --role contributor \ + --scopes /subscriptions/{SubID} ``` -### Grant Permissions to Your Application - -Finally, we will associate the proper permissions with our application's service principal. We're going to assign the `Owner` role to our Packer application and change the scope to manage our whole subscription. (The `Owner` role can be scoped to a specific resource group to further reduce the scope of the account.) This allows Packer to create temporary resource groups for each build. - -``` shell -$ azure role assignment create \ - --spn $APPURL \ - -o "Owner" \ - -c /subscriptions/SUBSCRIPTIONID -``` - -Python: +The service principal credentials. ```shell -# NOTE: Trying to assign the role to the service principal by name directly yields a HTTP 400 error. See: https://github.com/Azure/azure-cli/issues/4911 -$ az role assignment create --assignee "$(az ad sp list | jq -r ".[] | select(.displayName == \"$APPNAME\") | .objectId")" --role Owner +{ + "appId": "AppId", + "displayName": "Packer", + "name": "http://Packer", + "password": "Password", + "tenant": "TenantId" +} ``` There are a lot of pre-defined roles and you can define your own with more granular permissions, though this is out of scope. You can see a list of pre-configured roles via: ``` shell -$ azure role list --json | jq ".[] | {name:.Name, description:.Description}" +$ az role definition list --output json | jq ".[] | {name:.roleName, description:.description}" ``` ### Configuring Packer -Now (finally) everything has been setup in Azure. Let's get our configuration keys together: - -Python: - -```shell -$ cat < Date: Wed, 17 Oct 2018 15:35:29 +0200 Subject: [PATCH 2/2] fix typo --- website/source/docs/builders/azure-setup.html.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/source/docs/builders/azure-setup.html.md b/website/source/docs/builders/azure-setup.html.md index cda79dc74..14cc4dd7d 100644 --- a/website/source/docs/builders/azure-setup.html.md +++ b/website/source/docs/builders/azure-setup.html.md @@ -168,7 +168,7 @@ $ az ad app create \ ### Create a Service Principal -You cannot directly grant permissions to an application. Instead, you create a service principal and assign permissions to the service principal. To create a service principal for use with Packer, run the below command sepifying the subscription. This will grant Packer the contributor role to the subscription. The output of this command is your service principal credentials, save these in a safe place as you will need these to configure Packer. +You cannot directly grant permissions to an application. Instead, you create a service principal and assign permissions to the service principal. To create a service principal for use with Packer, run the below command specifying the subscription. This will grant Packer the contributor role to the subscription. The output of this command is your service principal credentials, save these in a safe place as you will need these to configure Packer. ```shell az ad sp create-for-rbac -n "Packer" --role contributor \ @@ -195,4 +195,4 @@ $ az role definition list --output json | jq ".[] | {name:.roleName, description ### Configuring Packer -Now (finally) everything has been setup in Azure and our service principal has been created. You can use the output from creating your service principal in your template. \ No newline at end of file +Now (finally) everything has been setup in Azure and our service principal has been created. You can use the output from creating your service principal in your template.