This may be long so please bear with me.
The Goal: Use Terraform to create an Azure VM to which an Azure DevOps release pipeline can deploy and start a Windows service using the Remote PowerShell on Target Machines step.
The problem: After creating the VM using Terraform, RDPing to the VM and configuring WSMan and PowerShell to allow remote PowerShell on the VM, I try to add the new VM to TrustedHosts on my local machine. It fails with this message:
WSManFault Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number: -2144108526 0x80338012 The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
These are the steps I am following to create and set up the VM:
- Execute the Terraform script below to create the VM. It depends on an existing Key Vault that contains a self-signed certificate.
- RDP to the VM
- Open a cmd prompt and execute "WinRM quickconfig"
- Open PowerShell and execute: "Install-Module -Name Az -AllowClobber -Scope CurrentUser"
In PowerShell, I execute the following:
Connect-AzAccount -Tenant [TenantName]
Select-AzSubscription -Subscription [SubscriptionId]
# Look up the Key Vault certificate that os_profile_secrets installed into the VM's LocalMachine\My store
$cert = Get-AzKeyVaultCertificate -VaultName [vaultName] -Name [certificateName]
Enable-PSRemoting -SkipNetworkProfileCheck -Force
# Remove the default HTTP listener so only HTTPS is exposed
Get-ChildItem WSMan:\Localhost\Listener | Where-Object { $_.Keys -contains "Transport=HTTP" } | Remove-Item -Recurse
# Create an HTTPS listener on all addresses, bound to the Key Vault certificate by thumbprint
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force
# Allow 5986 inbound and disable the HTTP rule that Enable-PSRemoting created
New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Name 'Windows Remote Management (HTTPS-In)' -Profile Any -LocalPort 5986 -Protocol TCP
Disable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"
On my local host, at an az command line, I execute:
az login
winrm set winrm/config/client @{TrustedHosts="[Server DNS Name]"}
This is where things fail.
Why do I expect this to work? I previously created a VM using the Azure portal and used these steps to enable HTTPS PSRemoting. Azure DevOps is able to successfully deploy to the VM and start the service using the Run PowerShell on Target Machines step via HTTPS. I am also able to add the portal-created VM to my trusted hosts list on my local machine.
In order to get the release pipeline to work I had to add a Command Line Script step that added the DNS name to TrustedHosts.
What am I missing that is preventing me from being able to add the Terraform-created VM to my trusted hosts? At this point I haven't yet set up the release pipeline, believing that, until I can successfully add the Terraform-created VM to my trusted hosts, there is no point in trying to set up the release pipeline. The one difference I can see in the portal, when comparing the two VMs, is that the Terraform-created VM does not have a Computer Name whereas the portal-created VM does have a Computer Name. I haven't been able to figure out why.
While I can't add the DNS name to my TrustedHosts, I am able to establish a secured PSSession.
Here is the Terraform script:
provider "azurerm" {
  version         = "1.27.0"
  subscription_id = "${var.subscription-id}"
  tenant_id       = "${var.ad-tenant-id}"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "${var.vnet-name}"
  address_space       = ["10.0.0.0/16"]
  location            = "${var.location}"
  resource_group_name = "${var.vm-resource-group-name}"
}

resource "azurerm_subnet" "subnet" {
  name                 = "${var.subnet-name}"
  resource_group_name  = "${var.vm-resource-group-name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.0.1.0/24"
}

# Static public IP with a DNS label; the FQDN is what goes into TrustedHosts
resource "azurerm_public_ip" "publicip" {
  name                = "${var.public-ip-name}"
  location            = "${var.location}"
  resource_group_name = "${var.vm-resource-group-name}"
  allocation_method   = "Static"
  domain_name_label   = "${var.domain-name-label}"
}

# NSG opens RDP and both WinRM ports (HTTP 5985 and HTTPS 5986) from any source
resource "azurerm_network_security_group" "nsg" {
  name                = "${var.security-group-name}"
  location            = "${var.location}"
  resource_group_name = "${var.vm-resource-group-name}"

  security_rule {
    name                       = "RDP"
    priority                   = 300
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "WinRM"
    priority                   = 310
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5985-5986"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_network_interface" "nic" {
  name                          = "${var.nic-name}"
  location                      = "${var.location}"
  resource_group_name           = "${var.vm-resource-group-name}"
  network_security_group_id     = "${azurerm_network_security_group.nsg.id}"
  enable_accelerated_networking = true # requires a VM size that supports it

  ip_configuration {
    name                          = "${var.ip-config-name}"
    subnet_id                     = "${azurerm_subnet.subnet.id}"
    private_ip_address_allocation = "dynamic"
    public_ip_address_id          = "${azurerm_public_ip.publicip.id}"
  }
}

resource "azurerm_virtual_machine" "vm" {
  name                  = "${var.vm-name}"
  location              = "${var.location}"
  resource_group_name   = "${var.vm-resource-group-name}"
  network_interface_ids = ["${azurerm_network_interface.nic.id}"]
  vm_size               = "${var.vm-size}"

  storage_os_disk {
    name              = "${var.disk-name}"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Premium_LRS"
  }

  delete_os_disk_on_termination = true

  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "${var.sku}"
    version   = "latest"
  }

  os_profile {
    computer_name  = "${var.vm-name}"
    admin_username = "${var.vm-admin-id}"
    admin_password = "${var.vm-admin-password}"
  }

  # Installs the Key Vault certificate (secret URL) into the LocalMachine\My store at provisioning time
  os_profile_secrets {
    source_vault_id = "${var.keyvault-id}"

    vault_certificates {
      certificate_url   = "${var.cert-secret-id}"
      certificate_store = "My"
    }
  }

  os_profile_windows_config {
  }

  tags = {
    applicationidentifier = "casa"
    applicationrole       = "VM"
    companycode           = "C4"
    CostCenterCode        = "04-ENG"
    Environment           = "Dev/Test"
    name                  = "casa-win-services"
    owner                 = "captioncall_eng"
    version               = "1.0"
  }
}
TIA, Darwin
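Added example, not part of Darwin's post: a client-side PowerShell script that walks the client half of the HTTPS PSRemoting setup described above. It checks that the local WinRM service is running (the winrm CLI and the WSMan: drive both operate through it, on the client as well as on the target), tests TCP reachability of the HTTPS listener port, inspects the certificate the listener presents, appends the host to TrustedHosts with -Concatenate so existing entries survive, and opens an HTTPS session. The DNS name, port and admin user name are parameters and are assumed; none of the values are from the original post.

```powershell
# Added example, not the original poster's code. All parameter values are assumptions.
param(
    [Parameter(Mandatory)][string]$TargetDns,   # e.g. <label>.<region>.cloudapp.azure.com (assumed)
    [int]$Port = 5986,                           # WinRM HTTPS listener port
    [string]$UserName = 'vmadmin'                # local admin on the VM (assumed)
)

# 1. The winrm CLI and the WSMan: drive talk to the LOCAL WinRM service, so editing
#    client configuration (TrustedHosts) needs that service running on this machine too.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') {
    Write-Warning "Local WinRM service is $($svc.Status); starting it so client config can be edited."
    Start-Service -Name WinRM
}

# 2. Is the HTTPS listener port reachable through the NSG and the VM's Windows firewall?
$tnc = Test-NetConnection -ComputerName $TargetDns -Port $Port -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP $Port to $TargetDns is closed; check the NSG rule and the 'Windows Remote Management (HTTPS-In)' firewall rule on the VM."
}

# 3. Inspect the certificate the listener presents. The callback accepts any certificate here
#    for inspection only; the session below decides what to trust.
$tcp = [System.Net.Sockets.TcpClient]::new($TargetDns, $Port)
try {
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($TargetDns)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    Write-Host "Listener cert: Subject=$($cert.Subject) Thumbprint=$($cert.Thumbprint) NotAfter=$($cert.NotAfter)"
    if ($cert.Subject -ne $cert.Issuer) { Write-Host "Certificate is CA-issued; -SkipCACheck should not be needed." }
    else                               { Write-Warning "Self-signed certificate; the session below skips CA/CN checks." }
}
finally { $tcp.Dispose() }

# 4. Append the host to TrustedHosts rather than overwriting the list
#    (equivalent to: winrm set winrm/config/client @{TrustedHosts="..."} but non-destructive).
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $TargetDns -Concatenate -Force
Write-Host "TrustedHosts is now: $((Get-Item WSMan:\localhost\Client\TrustedHosts).Value)"

# 5. Open an HTTPS session. SkipCACheck/SkipCNCheck exist only for the self-signed case;
#    they disable the very checks that make HTTPS authenticate the server.
$opt  = New-PSSessionOption -SkipCACheck -SkipCNCheck
$cred = Get-Credential -UserName $UserName -Message "Local admin on $TargetDns"
$s    = New-PSSession -ComputerName $TargetDns -Port $Port -UseSSL -Credential $cred -SessionOption $opt
Invoke-Command -Session $s -ScriptBlock {
    hostname                                 # should match computer_name from os_profile
    Get-ChildItem WSMan:\localhost\Listener  # should show only the HTTPS listener
}
Remove-PSSession $s
```

Two caveats worth keeping in mind when reading the results. TrustedHosts is the client's way of accepting a server it cannot otherwise authenticate (no Kerberos); an HTTPS listener whose certificate the client actually trusts and whose name matches the DNS name authenticates the server by itself, which is why a secured PSSession can succeed regardless of the TrustedHosts entry. Conversely, -SkipCACheck and -SkipCNCheck (and the equivalent "Test Certificate" option being off in the Azure DevOps task) remove that server authentication, so for anything beyond a dev/test loop the Key Vault certificate should be CA-issued with the VM's FQDN in its subject alternative names, and the 5985-5986 NSG rule should be narrowed from "*" to the agent's source addresses.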