iSharkFly-Docs
/
packer-cn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated azure setup for new Azure CLI.

This commit is contained in:
Jamie Phillips 2018-10-08 21:28:43 -04:00 committed by Charles Phillips
parent 895e7fe111
commit f2565768aa
1 changed files with 33 additions and 145 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
website/source/docs/builders/azure-setup.html.md
View File

@ -55,20 +55,12 @@ To get the credentials above, we will need to install the Azure CLI. Please refe
-> The guides below also use a tool called [`jq`](https://stedolan.github.io/jq/) to simplify the output from the Azure CLI, though this is optional. If you use homebrew you can simply `brew install node jq`.
If you already have node.js installed you can use `npm` to install `azure-cli`:
``` shell
$ npm install -g azure-cli --no-progress
```
You can also use the Python-based Azure CLI in Docker. It also comes with `jq` pre-installed:
You can also use the Azure CLI in Docker. It also comes with `jq` pre-installed:
```shell
$ docker run -it azuresdk/azure-cli-python
$ docker run -it microsoft/azure-cli
```
As there are differences between the node.js client and the Python client, we've included commands for the Python client underneath each node.js command.
## Guided Setup
The Packer project includes a [setup script](https://github.com/hashicorp/packer/blob/master/contrib/azure-setup.sh) that can help you setup your account. It uses an interactive bash script to log you into Azure, name your resources, and export your Packer configuration.
@ -82,15 +74,8 @@ If you want more control or the script does not work for you, you can also use t
Login using the Azure CLI
``` shell
$ azure config mode arm
$ azure login -u USERNAME
```
If you're using the Python client:
```shell
$ az login
# To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code CODE_PROVIDED to authenticate
# Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
```
Once you've completed logging in, you should get a JSON array like the one below:
@ -115,17 +100,12 @@ Once you've completed logging in, you should get a JSON array like the one below
Get your account information
``` shell
$ azure account list --json | jq -r '.[].name'
$ azure account set ACCOUNTNAME
$ azure account show --json | jq -r ".[] | .id"
$ az account list --output json | jq -r '.[].name'
$ az account set --subscription ACCOUNTNAME
$ az account show --output json | jq -r '.id'
```
Python:
``` shell
$ az account set "$(az account list | jq -r '.[].name')"
```
-> Throughout this document when you see a command pipe to `jq` you may instead omit `--json` and everything after it, but the output will be more verbose. For example you can simply run `azure account list` instead.
-> Throughout this document when you see a command pipe to `jq` you may instead omit `--output json` and everything after it, but the output will be more verbose. For example you can simply run `az account list` instead.
This will print out one line that look like this:
@ -138,18 +118,12 @@ This is your `subscription_id`. Note it for later.
A [resource group](https://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/#resource-groups) is used to organize related resources. Resource groups and storage accounts are tied to a location. To see available locations, run:
``` shell
$ azure location list
$ az account list-locations
$ LOCATION=xxx
$ GROUPNAME=xxx
# ...
$ azure group create -n $GROUPNAME -l $LOCATION
```
Python:
```shell
$ az group create -n $GROUPNAME -l $LOCATION
$ az group create --name $GROUPNAME --location $LOCATION
```
Your storage account (below) will need to use the same `GROUPNAME` and `LOCATION`.
@ -159,17 +133,12 @@ Your storage account (below) will need to use the same `GROUPNAME` and `LOCATION
We will need to create a storage account where your Packer artifacts will be stored. We will create a `LRS` storage account which is the least expensive price/GB at the time of writing.
``` shell
$ azure storage account create \
-g $GROUPNAME \
-l $LOCATION \
--sku-name LRS \
--kind storage STORAGENAME
```
Python:
```shell
$ az storage account create -n STORAGENAME -g $GROUPNAME -l $LOCATION --sku Standard_LRS
$ az storage account create \
--name STORAGENAME
--resource-group $GROUPNAME \
--location $LOCATION \
--sku Standard_LRS \
--kind Storage
```
-> `LRS` and `Standard_LRS` are meant as literal "LRS" or "Standard_LRS" and not as variables.
@ -185,126 +154,45 @@ First pick APPNAME, APPURL and PASSWORD:
```shell
APPNAME=packer.test
APPURL=packer.test
PASSWORD=xxx
PASSWORD=xxx
```
Password is your `client_secret` and can be anything you like. I recommend using ```openssl rand -base64 24```.
``` shell
$ azure ad app create \
-n $APPNAME \
-i $APPURL \
$ az ad app create \
--display-name $APPNAME \
--identifier-uris $APPURL \
--home-page $APPURL \
-p $PASSWORD
--password $PASSWORD
```
Python:
```shell
$ az ad app create --display-name $APPNAME --identifier-uris $APPURL --homepage $APPURL --password $PASSWORD
```
### Create a Service Principal
You cannot directly grant permissions to an application. Instead, you create a service principal associated with the application and assign permissions to the service principal.
First, get the `APPID` for the application we just created.
``` shell
$ azure ad app show --json --search $APPNAME | jq '.[0] | .appId'
$ APPID=$(!!)
# ...
$ azure ad sp create --applicationId $APPID
```
Python:
You cannot directly grant permissions to an application. Instead, you create a service principal and assign permissions to the service principal. To create a service principal for use with Packer, run the below command sepifying the subscription. This will grant Packer the contributor role to the subscription. The output of this command is your service principal credentials, save these in a safe place as you will need these to configure Packer.
```shell
$ az ad app list | jq -r ".[] | select(.displayName == \"${APPNAME}\") | .appId"
$ APPID=$(!!)
#...
$ az ad sp create --id $APPID
az ad sp create-for-rbac -n "Packer" --role contributor \
--scopes /subscriptions/{SubID}
```
### Grant Permissions to Your Application
Finally, we will associate the proper permissions with our application's service principal. We're going to assign the `Owner` role to our Packer application and change the scope to manage our whole subscription. (The `Owner` role can be scoped to a specific resource group to further reduce the scope of the account.) This allows Packer to create temporary resource groups for each build.
``` shell
$ azure role assignment create \
--spn $APPURL \
-o "Owner" \
-c /subscriptions/SUBSCRIPTIONID
```
Python:
The service principal credentials.
```shell
# NOTE: Trying to assign the role to the service principal by name directly yields a HTTP 400 error. See: https://github.com/Azure/azure-cli/issues/4911
$ az role assignment create --assignee "$(az ad sp list | jq -r ".[] | select(.displayName == \"$APPNAME\") | .objectId")" --role Owner
{
"appId": "AppId",
"displayName": "Packer",
"name": "http://Packer",
"password": "Password",
"tenant": "TenantId"
}
```
There are a lot of pre-defined roles and you can define your own with more granular permissions, though this is out of scope. You can see a list of pre-configured roles via:
``` shell
$ azure role list --json | jq ".[] | {name:.Name, description:.Description}"
$ az role definition list --output json | jq ".[] | {name:.roleName, description:.description}"
```
### Configuring Packer
Now (finally) everything has been setup in Azure. Let's get our configuration keys together:
Python:
```shell
$ cat <<EOF
{
"subscription_id": $(az account show | jq '.id'),
"client_id": $(az ad app list | jq ".[] | select(.displayName == \"$APPNAME\") | .appId"),
"client_secret": "$PASSWORD",
"location": "$LOCATION",
"tenant_id": $(az account show | jq '.tenantId'),
"object_id": $(az ad app list | jq ".[] | select(.displayName == \"$APPNAME\") | .objectId")
}
EOF
```
node.js:
Get `subscription_id`:
``` shell
$ azure account show --json | jq ".[] | .id"
```
Get `client_id`
``` shell
$ azure ad app list --json | jq ".[] | select(.displayName | contains(\"$APPNAME\")) | .appId"
$ CLIENT_ID=$(!!)
```
Get `client_secret`
This cannot be retrieved. If you forgot this, you will have to delete and re-create your service principal and the associated permissions.
Get `object_id` (OSTYpe=Windows only)
``` shell
azure ad sp show -n $CLIENT_ID
```
Get `resource_group_name`
``` shell
$ azure group list
```
Get `storage_account`
``` shell
$ azure storage account list
```
Now (finally) everything has been setup in Azure and our service principal has been created. You can use the output from creating your service principal in your template.