I am reporting a few errors that I came across when deploying on Azure. I managed to fix a couple of them but got stuck with the last one.

The first error was a permissions issue with keys (when running terraform deploy):

```
Error: current client lacks permissions to read Key Rotation Policy for Key "cloudblock-disk-key" ("Key Vault (Subscription: \"....", Vault url: "....."), please update this as described here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#example-usage : keyvault.BaseClient#GetKeyRotationPolicy: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application '...' does not have keys getrotationpolicy permission on key vault 'cloudblock-disk-...;location=...'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
```

I fixed this by adding `GetRotationPolicy` to `key_permissions` in az-encryption.tf (in the 4 places where `key_permissions` is defined):

```hcl
key_permissions = [
  "Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List",
  "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify",
  "WrapKey", "GetRotationPolicy"
]
```

The second error was a mismatched Ubuntu version between az-instance.tf and az.tfvars. The SKU version is hard-coded in az-instance.tf to 18.04, so it threw an error about not finding the image when I provided the latest image version for 22.04 in az.tfvars. I fixed this by changing the `source_image_reference` in az-instance.tf to this:

```hcl
source_image_reference {
  publisher = "Canonical"
  offer     = "0001-com-ubuntu-server-jammy"
  sku       = "22_04-lts-gen2"
  version   = var.az_image_version
}
```
```
TASK [various container directories] *******************************************
ok: [localhost] => (item=/opt/cloudflared)
ok: [localhost] => (item=/opt/pihole)
ok: [localhost] => (item=/opt/pihole/etc)
ok: [localhost] => (item=/opt/pihole/dnsmasq.d)
ok: [localhost] => (item=/opt/webproxy)
ok: [localhost] => (item=/opt/wireguard)

TASK [secure proxy to pihole confs] ********************************************
ok: [localhost] => (item=httpd-ssl.conf)
ok: [localhost] => (item=httpd.conf)

TASK [DoH Endpoints] ***********************************************************
ok: [localhost]

TASK [Set DoH URL from DoH provider var] ***************************************
changed: [localhost]

TASK [Get ph_password from Azure Vault Secret] *********************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to get MSI token: 'MSIAuthentication' object has no attribute 'get_token'. Please check whether your machine enabled MSI or grant access to any subscription."}

PLAY RECAP *********************************************************************
localhost : ok=9 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
```
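As an added check for the first error (this is example code, not part of the issue or of the project's Terraform), the script below pulls the permission that Key Vault reports as missing out of the provider's 403 message, then scans an HCL string for `key_permissions` lists that lack it. That is the quick way to confirm every access policy in a file such as az-encryption.tf was updated, rather than trusting that all four places were touched. The sample HCL and the error message are constructed (the message is abridged from the report), and the `object_id` values are placeholders.

```python
import re

# Constructed sample: a trimmed stand-in for an az-encryption.tf with two
# access_policy blocks. One list already carries GetRotationPolicy, one does not.
SAMPLE_TF = '''
resource "azurerm_key_vault" "example" {
  access_policy {
    object_id = "00000000-0000-0000-0000-000000000001"   # placeholder
    key_permissions = [
      "Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import",
      "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update",
      "Verify", "WrapKey", "GetRotationPolicy"
    ]
  }
  access_policy {
    object_id = "00000000-0000-0000-0000-000000000002"   # placeholder
    key_permissions = ["Get", "List", "WrapKey", "UnwrapKey"]
  }
}
'''

# Constructed sample: the relevant part of the 403 message from the report.
SAMPLE_ERROR = ('Message="The user, group or application \'...\' does not have keys '
                'getrotationpolicy permission on key vault \'cloudblock-disk-...\'"')

# Key Vault phrases the denial as "does not have <scope> <permission> permission".
_MISSING_RE = re.compile(r"does not have (keys|secrets|certificates) (\w+) permission")

# Matches each key_permissions = [ ... ] list, spanning lines if needed.
_KEY_PERMS_RE = re.compile(r'key_permissions\s*=\s*\[(.*?)\]', re.S)


def missing_permission(message):
    """Return (scope, permission) named in a Key Vault 403 message, or None.

    The permission comes back as the service spells it (lower case), so callers
    should compare it case-insensitively against the Terraform values.
    """
    m = _MISSING_RE.search(message)
    return (m.group(1), m.group(2)) if m else None


def key_permission_lists(hcl):
    """Return every key_permissions list in an HCL string, in file order."""
    return [re.findall(r'"([^"]+)"', m.group(1)) for m in _KEY_PERMS_RE.finditer(hcl)]


def lists_missing(hcl, permission):
    """0-based indexes of key_permissions lists that lack `permission`."""
    want = permission.lower()
    return [i for i, perms in enumerate(key_permission_lists(hcl))
            if want not in {p.lower() for p in perms}]


if __name__ == "__main__":
    scope, perm = missing_permission(SAMPLE_ERROR)
    print(f"Key Vault says the client lacks the '{scope}' permission '{perm}'")
    for i in lists_missing(SAMPLE_TF, perm):
        print(f"key_permissions list #{i + 1} does not include {perm}")
```

Run it against a real file by reading the file into the `hcl` argument; the regexes are deliberately simple and assume the provider's usual one-list-per-policy layout, so a module that builds the list from a variable would need that variable's value resolved first.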