Azure ssh key issue #2419

Closed
tayzlor opened this issue Jun 22, 2015 · 6 comments
tayzlor commented Jun 22, 2015

Hi there,
I'm trying out the azure provider in the latest master branch and receiving the following issue when trying to provision an instance -

* Error creating instance NAME: Error response from Azure. Code: BadRequest, Message: The certificate with thumbprint THUMBPRINT_HERE was not found.

My azure_instance looks something like this -

resource "azure_instance" "master" {
  name               = "instance-${count.index}"
  count              = "${var.masters}"
  image              = "custom-image-name"
  size               = "${var.instance_type.master}"
  security_group     = "${azure_security_group.default.name}"
  location           = "${var.region}"
  username           = "${var.username}"
  ssh_key_thumbprint = "${var.ssh_key_thumbprint}"

  endpoint {
    name         = "SSH"
    protocol     = "tcp"
    public_port  = 22
    private_port = 22
  }
}

I'm using a Linux host and building with a custom Ubuntu-based image I've baked using the Packer azure plugin.

I've followed this guide to create an SSH key for Azure - https://azure.microsoft.com/en-gb/documentation/articles/virtual-machines-linux-use-ssh-key/

and uploaded it to https://manage.windowsazure.com/@myusername#Workspaces/AdminTasks/ListManagementCertificates

I'm wondering if this is just a user error (I've missed a step) or if there is something wrong here.
Following the docs for azure, I'm using the AZURE_SETTINGS_FILE downloaded from https://manage.windowsazure.com/publishsettings

How do I associate an SSH key with my instance? Is this possible via terraform in a similar way to http://terraform.io/docs/providers/aws/r/key_pair.html ?

tayzlor commented Jun 22, 2015

As an aside, if I use a password instead of an ssh_key_thumbprint the instances provision fine.

@stonevil

Same issue.

@stonevil

Looks like this is an issue with azure-sdk-for-go. The same issue occurs with a small Go app created with azure-sdk-for-go.


keymon commented Aug 28, 2015

In #3099 we request a feature to be able to upload the ssh key from terraform.

In this commit you can see that we implemented automation around this using a local_exec provisioner in the azure_hosted_service which calls the azure-cli. You might find this useful.


xied75 commented Nov 27, 2015

Guys, all wrong direction. For those of you who made the correct decision to stick with TF for Azure, here is what I found after a whole day wasted on this:

0, we are talking about classic ASM mode here.
1, the "Management Certificates" you can see and upload in the classic portal, as the name suggests, are for Management purposes only, things like authenticating you via Visual Studio or azure-cli to reach the api endpoint.
2, what you need for ssh login to your deployed Linux VM is Certificates that belong to a Cloud Service, i.e. the Cloud Service you are deploying your VM into.
3, during deploy, Azure simply gets your public key from the cert and puts it under /home/you/.ssh/authorized_keys

It's very strange to understand, considering AWS/CloudStack would let you create an ssh public key as an object and reference that in your deployment. But anyway, this is Microsoft we are talking about.

So the proper procedure:
1, you create id_rsa, id_rsa.pub as normal.
2, you generate a .cer file.
3, you upload the .cer file into your Cloud Service.
4, reference its thumbprint in your tf.
5, login via -i id_rsa

If you are making your own image, leave the id_rsa.pub in authorized_keys as normal. Otherwise for Azure images, I believe they all have some kind of cloud init in them to fetch keys at boot time.

Things TF doesn't do: upload .cer step. Will look further as otherwise this is not full automation.
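
Steps 1, 2 and 4 of the procedure in the comment above, as an added example that is not part of the original thread or of Terraform: it creates the key pair, wraps the public key in a self-signed X.509 certificate exported as a DER .cer file, and prints that certificate's SHA-1 thumbprint. The function names, file names, certificate CN, 365-day validity, use of openssl to create id_rsa, and the colon-free uppercase thumbprint format are assumptions; the upload to the Cloud Service (step 3) is not shown.

```shell
#!/bin/sh
# Added example: key, certificate and thumbprint for the procedure above.
# File names, CN and validity period are assumptions, not values from the thread.

# make_azure_ssh_cert DIR
# Writes DIR/id_rsa (private key), DIR/id_rsa.pem (certificate, PEM)
# and DIR/id_rsa.cer (the same certificate, DER-encoded, for upload).
make_azure_ssh_cert() {
    dir=$1
    mkdir -p "$dir" || return 1
    # The private key never leaves this machine; it is what `ssh -i` uses later.
    ( umask 077 && openssl genrsa -out "$dir/id_rsa" 2048 2>/dev/null ) || return 1
    # Self-signed certificate that carries only the matching public key.
    openssl req -new -x509 -key "$dir/id_rsa" -days 365 \
        -subj "/CN=azure-ssh-example" -out "$dir/id_rsa.pem" || return 1
    openssl x509 -in "$dir/id_rsa.pem" -outform der -out "$dir/id_rsa.cer" || return 1
}

# cert_thumbprint CER_FILE
# Prints the SHA-1 digest of the DER certificate as 40 uppercase hex digits,
# the value to put in ssh_key_thumbprint.
cert_thumbprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# cert_matches_key CER_FILE KEY_FILE
# Succeeds only if the certificate carries the public half of KEY_FILE,
# i.e. the key used with `ssh -i` is the one that lands in authorized_keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -inform der -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: sh azure_ssh_cert.sh ./out
if [ "$#" -eq 1 ]; then
    make_azure_ssh_cert "$1" &&
        cert_matches_key "$1/id_rsa.cer" "$1/id_rsa" &&
        cert_thumbprint "$1/id_rsa.cer"
fi
```

The .cer file contains no private material, so it is the only file that needs to be uploaded; id_rsa stays on the machine that will connect.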


ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
