package arm import ( "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" "encoding/json" "fmt" "io/ioutil" "math/big" "regexp" "strings" "time" "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2018-04-01/compute" "github.com/Azure/go-autorest/autorest/azure" "github.com/Azure/go-autorest/autorest/to" "github.com/masterzen/winrm" "github.com/hashicorp/packer/builder/azure/common/constants" "github.com/hashicorp/packer/builder/azure/pkcs12" "github.com/hashicorp/packer/common" commonhelper "github.com/hashicorp/packer/helper/common" "github.com/hashicorp/packer/helper/communicator" "github.com/hashicorp/packer/helper/config" "github.com/hashicorp/packer/packer" "github.com/hashicorp/packer/template/interpolate" "golang.org/x/crypto/ssh" ) const ( DefaultCloudEnvironmentName = "Public" DefaultImageVersion = "latest" DefaultUserName = "packer" DefaultPrivateVirtualNetworkWithPublicIp = false DefaultVMSize = "Standard_A1" ) const ( // https://docs.microsoft.com/en-us/azure/architecture/best-practices/naming-conventions#naming-rules-and-restrictions // Regular expressions in Go are not expressive enough, such that the regular expression returned by Azure // can be used (no backtracking). // // -> ^[^_\W][\w-._]{0,79}(? 0 { return nil, nil, errs } return &c, nil, nil } func setSshValues(c *Config) error { if c.Comm.SSHTimeout == 0 { c.Comm.SSHTimeout = 20 * time.Minute } if c.Comm.SSHPrivateKeyFile != "" { privateKeyBytes, err := ioutil.ReadFile(c.Comm.SSHPrivateKeyFile) if err != nil { return err } signer, err := ssh.ParsePrivateKey(privateKeyBytes) if err != nil { return err } publicKey := signer.PublicKey() c.sshAuthorizedKey = fmt.Sprintf("%s %s packer Azure Deployment%s", publicKey.Type(), base64.StdEncoding.EncodeToString(publicKey.Marshal()), time.Now().Format(time.RFC3339)) c.Comm.SSHPrivateKey = privateKeyBytes } else { sshKeyPair, err := NewOpenSshKeyPair() if err != nil { return err } c.sshAuthorizedKey = sshKeyPair.AuthorizedKey() c.Comm.SSHPrivateKey = sshKeyPair.PrivateKey() } return nil } func setWinRMCertificate(c *Config) error { c.Comm.WinRMTransportDecorator = func() winrm.Transporter { return &winrm.ClientNTLM{} } cert, err := c.createCertificate() c.winrmCertificate = cert return err } func setRuntimeValues(c *Config) { var tempName = NewTempName() c.tmpAdminPassword = tempName.AdminPassword // store so that we can access this later during provisioning commonhelper.SetSharedState("winrm_password", c.tmpAdminPassword, c.PackerConfig.PackerBuildName) packer.LogSecretFilter.Set(c.tmpAdminPassword) c.tmpCertificatePassword = tempName.CertificatePassword if c.TempComputeName == "" { c.tmpComputeName = tempName.ComputeName } else { c.tmpComputeName = c.TempComputeName } c.tmpDeploymentName = tempName.DeploymentName // Only set tmpResourceGroupName if no name has been specified if c.TempResourceGroupName == "" && c.BuildResourceGroupName == "" { c.tmpResourceGroupName = tempName.ResourceGroupName } else if c.TempResourceGroupName != "" && c.BuildResourceGroupName == "" { c.tmpResourceGroupName = c.TempResourceGroupName } c.tmpNicName = tempName.NicName c.tmpPublicIPAddressName = tempName.PublicIPAddressName c.tmpOSDiskName = tempName.OSDiskName c.tmpSubnetName = tempName.SubnetName c.tmpVirtualNetworkName = tempName.VirtualNetworkName c.tmpKeyVaultName = tempName.KeyVaultName } func setUserNamePassword(c *Config) { if c.Comm.SSHUsername == "" { c.Comm.SSHUsername = DefaultUserName } c.UserName = c.Comm.SSHUsername if c.Comm.SSHPassword != "" { c.Password = c.Comm.SSHPassword } else { c.Password = c.tmpAdminPassword } } func setCloudEnvironment(c *Config) error { lookup := map[string]string{ "CHINA": "AzureChinaCloud", "CHINACLOUD": "AzureChinaCloud", "AZURECHINACLOUD": "AzureChinaCloud", "GERMAN": "AzureGermanCloud", "GERMANCLOUD": "AzureGermanCloud", "AZUREGERMANCLOUD": "AzureGermanCloud", "GERMANY": "AzureGermanCloud", "GERMANYCLOUD": "AzureGermanCloud", "AZUREGERMANYCLOUD": "AzureGermanCloud", "PUBLIC": "AzurePublicCloud", "PUBLICCLOUD": "AzurePublicCloud", "AZUREPUBLICCLOUD": "AzurePublicCloud", "USGOVERNMENT": "AzureUSGovernmentCloud", "USGOVERNMENTCLOUD": "AzureUSGovernmentCloud", "AZUREUSGOVERNMENTCLOUD": "AzureUSGovernmentCloud", } name := strings.ToUpper(c.CloudEnvironmentName) envName, ok := lookup[name] if !ok { return fmt.Errorf("There is no cloud environment matching the name '%s'!", c.CloudEnvironmentName) } env, err := azure.EnvironmentFromName(envName) c.cloudEnvironment = &env return err } func setCustomData(c *Config) error { if c.CustomDataFile == "" { return nil } b, err := ioutil.ReadFile(c.CustomDataFile) if err != nil { return err } c.customData = base64.StdEncoding.EncodeToString(b) return nil } func provideDefaultValues(c *Config) { if c.VMSize == "" { c.VMSize = DefaultVMSize } if c.ManagedImageStorageAccountType == "" { c.managedImageStorageAccountType = compute.StorageAccountTypesStandardLRS } if c.ImagePublisher != "" && c.ImageVersion == "" { c.ImageVersion = DefaultImageVersion } if c.CloudEnvironmentName == "" { c.CloudEnvironmentName = DefaultCloudEnvironmentName } } func assertTagProperties(c *Config, errs *packer.MultiError) { if len(c.AzureTags) > 15 { errs = packer.MultiErrorAppend(errs, fmt.Errorf("a max of 15 tags are supported, but %d were provided", len(c.AzureTags))) } for k, v := range c.AzureTags { if len(k) > 512 { errs = packer.MultiErrorAppend(errs, fmt.Errorf("the tag name %q exceeds (%d) the 512 character limit", k, len(k))) } if len(*v) > 256 { errs = packer.MultiErrorAppend(errs, fmt.Errorf("the tag name %q exceeds (%d) the 256 character limit", *v, len(*v))) } } } func assertRequiredParametersSet(c *Config, errs *packer.MultiError) { ///////////////////////////////////////////// // Authentication via OAUTH // Check if device login is being asked for, and is allowed. // // Device login is enabled if the user only defines SubscriptionID and not // ClientID, ClientSecret, and TenantID. // // Device login is not enabled for Windows because the WinRM certificate is // readable by the ObjectID of the App. There may be another way to handle // this case, but I am not currently aware of it - send feedback. isUseDeviceLogin := func(c *Config) bool { return c.SubscriptionID != "" && c.ClientID == "" && c.ClientSecret == "" && c.TenantID == "" } if isUseDeviceLogin(c) { c.useDeviceLogin = true } else { if c.ClientID == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_id must be specified")) } if c.ClientSecret == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_secret must be specified")) } if c.SubscriptionID == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id must be specified")) } } ///////////////////////////////////////////// // Capture if c.CaptureContainerName == "" && c.ManagedImageName == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A capture_container_name or managed_image_name must be specified")) } if c.CaptureNamePrefix == "" && c.ManagedImageResourceGroupName == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A capture_name_prefix or managed_image_resource_group_name must be specified")) } if (c.CaptureNamePrefix != "" || c.CaptureContainerName != "") && (c.ManagedImageResourceGroupName != "" || c.ManagedImageName != "") { errs = packer.MultiErrorAppend(errs, fmt.Errorf("Either a VHD or a managed image can be built, but not both. Please specify either capture_container_name and capture_name_prefix or managed_image_resource_group_name and managed_image_name.")) } if c.CaptureContainerName != "" { if !reCaptureContainerName.MatchString(c.CaptureContainerName) { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A capture_container_name must satisfy the regular expression %q.", reCaptureContainerName.String())) } if strings.HasSuffix(c.CaptureContainerName, "-") { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A capture_container_name must not end with a hyphen, e.g. '-'.")) } if strings.Contains(c.CaptureContainerName, "--") { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A capture_container_name must not contain consecutive hyphens, e.g. '--'.")) } if c.CaptureNamePrefix == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A capture_name_prefix must be specified")) } if !reCaptureNamePrefix.MatchString(c.CaptureNamePrefix) { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A capture_name_prefix must satisfy the regular expression %q.", reCaptureNamePrefix.String())) } if strings.HasSuffix(c.CaptureNamePrefix, "-") || strings.HasSuffix(c.CaptureNamePrefix, ".") { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A capture_name_prefix must not end with a hyphen or period.")) } } if c.TempResourceGroupName != "" && c.BuildResourceGroupName != "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("The settings temp_resource_group_name and build_resource_group_name cannot both be defined. Please define one or neither.")) } ///////////////////////////////////////////// // Compute toInt := func(b bool) int { if b { return 1 } else { return 0 } } isImageUrl := c.ImageUrl != "" isCustomManagedImage := c.CustomManagedImageName != "" || c.CustomManagedImageResourceGroupName != "" isPlatformImage := c.ImagePublisher != "" || c.ImageOffer != "" || c.ImageSku != "" countSourceInputs := toInt(isImageUrl) + toInt(isCustomManagedImage) + toInt(isPlatformImage) if countSourceInputs > 1 { errs = packer.MultiErrorAppend(errs, fmt.Errorf("Specify either a VHD (image_url), Image Reference (image_publisher, image_offer, image_sku) or a Managed Disk (custom_managed_disk_image_name, custom_managed_disk_resource_group_name")) } if isImageUrl && c.ManagedImageResourceGroupName != "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A managed image must be created from a managed image, it cannot be created from a VHD.")) } if c.ImageUrl == "" && c.CustomManagedImageName == "" { if c.ImagePublisher == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("An image_publisher must be specified")) } if c.ImageOffer == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("An image_offer must be specified")) } if c.ImageSku == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("An image_sku must be specified")) } } else if c.ImageUrl == "" && c.ImagePublisher == "" { if c.CustomManagedImageResourceGroupName == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("An custom_managed_image_resource_group_name must be specified")) } if c.CustomManagedImageName == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A custom_managed_image_name must be specified")) } if c.ManagedImageResourceGroupName == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("An managed_image_resource_group_name must be specified")) } if c.ManagedImageName == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("An managed_image_name must be specified")) } } else { if c.ImagePublisher != "" || c.ImageOffer != "" || c.ImageSku != "" || c.ImageVersion != "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("An image_url must not be specified if image_publisher, image_offer, image_sku, or image_version is specified")) } } ///////////////////////////////////////////// // Deployment xor := func(a, b bool) bool { return (a || b) && !(a && b) } if !xor((c.StorageAccount != "" || c.ResourceGroupName != ""), (c.ManagedImageName != "" || c.ManagedImageResourceGroupName != "")) { errs = packer.MultiErrorAppend(errs, fmt.Errorf("Specify either a VHD (storage_account and resource_group_name) or Managed Image (managed_image_resource_group_name and managed_image_name) output")) } if !xor(c.Location != "", c.BuildResourceGroupName != "") { errs = packer.MultiErrorAppend(errs, fmt.Errorf("Specify either a location to create the resource group in or an existing build_resource_group_name, but not both.")) } if c.ManagedImageName == "" && c.ManagedImageResourceGroupName == "" { if c.StorageAccount == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A storage_account must be specified")) } if c.ResourceGroupName == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("A resource_group_name must be specified")) } } if c.TempResourceGroupName != "" { if ok, err := assertResourceGroupName(c.TempResourceGroupName, "temp_resource_group_name"); !ok { errs = packer.MultiErrorAppend(errs, err) } } if c.BuildResourceGroupName != "" { if ok, err := assertResourceGroupName(c.BuildResourceGroupName, "build_resource_group_name"); !ok { errs = packer.MultiErrorAppend(errs, err) } } if c.ManagedImageResourceGroupName != "" { if ok, err := assertResourceGroupName(c.ManagedImageResourceGroupName, "managed_image_resource_group_name"); !ok { errs = packer.MultiErrorAppend(errs, err) } } if c.ManagedImageName != "" { if ok, err := assertManagedImageName(c.ManagedImageName, "managed_image_name"); !ok { errs = packer.MultiErrorAppend(errs, err) } } if c.VirtualNetworkName == "" && c.VirtualNetworkResourceGroupName != "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("If virtual_network_resource_group_name is specified, so must virtual_network_name")) } if c.VirtualNetworkName == "" && c.VirtualNetworkSubnetName != "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("If virtual_network_subnet_name is specified, so must virtual_network_name")) } ///////////////////////////////////////////// // Plan Info if c.PlanInfo.PlanName != "" || c.PlanInfo.PlanProduct != "" || c.PlanInfo.PlanPublisher != "" || c.PlanInfo.PlanPromotionCode != "" { if c.PlanInfo.PlanName == "" || c.PlanInfo.PlanProduct == "" || c.PlanInfo.PlanPublisher == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("if either plan_name, plan_product, plan_publisher, or plan_promotion_code are defined then plan_name, plan_product, and plan_publisher must be defined")) } else { if c.AzureTags == nil { c.AzureTags = make(map[string]*string) } c.AzureTags["PlanInfo"] = &c.PlanInfo.PlanName c.AzureTags["PlanProduct"] = &c.PlanInfo.PlanProduct c.AzureTags["PlanPublisher"] = &c.PlanInfo.PlanPublisher c.AzureTags["PlanPromotionCode"] = &c.PlanInfo.PlanPromotionCode } } ///////////////////////////////////////////// // OS if strings.EqualFold(c.OSType, constants.Target_Linux) { c.OSType = constants.Target_Linux } else if strings.EqualFold(c.OSType, constants.Target_Windows) { c.OSType = constants.Target_Windows } else if c.OSType == "" { errs = packer.MultiErrorAppend(errs, fmt.Errorf("An os_type must be specified")) } else { errs = packer.MultiErrorAppend(errs, fmt.Errorf("The os_type %q is invalid", c.OSType)) } switch c.ManagedImageStorageAccountType { case "", string(compute.StorageAccountTypesStandardLRS): c.managedImageStorageAccountType = compute.StorageAccountTypesStandardLRS case string(compute.StorageAccountTypesPremiumLRS): c.managedImageStorageAccountType = compute.StorageAccountTypesPremiumLRS default: errs = packer.MultiErrorAppend(errs, fmt.Errorf("The managed_image_storage_account_type %q is invalid", c.ManagedImageStorageAccountType)) } } func assertManagedImageName(name, setting string) (bool, error) { if !isValidAzureName(reManagedDiskName, name) { return false, fmt.Errorf("The setting %s must match the regular expression %q, and not end with a '-' or '.'.", setting, validManagedDiskName) } return true, nil } func assertResourceGroupName(rgn, setting string) (bool, error) { if !isValidAzureName(reResourceGroupName, rgn) { return false, fmt.Errorf("The setting %s must match the regular expression %q, and not end with a '-' or '.'.", setting, validResourceGroupNameRe) } return true, nil } func isValidAzureName(re *regexp.Regexp, rgn string) bool { return re.Match([]byte(rgn)) && !strings.HasSuffix(rgn, ".") && !strings.HasSuffix(rgn, "-") }