azurerm_virtual_machine broken in 0.6.14 #5793

Closed
gdhagger opened this issue Mar 22, 2016 · 31 comments

@gdhagger

I'm attempting to use the new azurerm_virtual_machine provider in 0.6.14; however, I cannot find any combination of options that will result in the successful launch of a VM. I just get a 400 Bad Request response from Azure whatever I try.

This even appears to be broken using the example from the documentation - per the output below:

azurerm_resource_group.test: Refreshing state... (ID: /subscriptions/d81fd384-a96c-4197-b121-bf0006119534/resourceGroups/acctestrg)
azurerm_storage_account.test: Refreshing state... (ID: /subscriptions/d81fd384-a96c-4197-b121-bf0006119534/resourceGroups/acctestrg/providers/Microsoft.Storage/storageAccounts/accsa)
azurerm_virtual_network.test: Refreshing state... (ID: /subscriptions/d81fd384-a96c-4197-b121-bf0006119534/resourceGroups/acctestrg/providers/Microsoft.Network/virtualNetworks/acctvn)
azurerm_storage_container.test: Refreshing state... (ID: vhds)
azurerm_subnet.test: Refreshing state... (ID: /subscriptions/d81fd384-a96c-4197-b121-bf0006119534/resourceGroups/acctestrg/providers/Microsoft.Network/virtualNetworks/acctvn/subnets/acctsub)
azurerm_network_interface.test: Refreshing state... (ID: /subscriptions/d81fd384-a96c-4197-b121-bf0006119534/resourceGroups/acctestrg/providers/Microsoft.Network/networkInterfaces/acctni)
azurerm_virtual_machine.test: Creating...
  availability_set_id:                                                "" => "<computed>"
  license_type:                                                       "" => "<computed>"
  location:                                                           "" => "westus"
  name:                                                               "" => "acctvm"
  network_interface_ids.#:                                            "" => "1"
  network_interface_ids.2362484608:                                   "" => "/subscriptions/d81fd384-a96c-4197-b121-bf0006119534/resourceGroups/acctestrg/providers/Microsoft.Network/networkInterfaces/acctni"
  os_profile.#:                                                       "" => "1"
  os_profile.3046738104.admin_password:                               "" => "Password1234!"
  os_profile.3046738104.admin_username:                               "" => "testadmin"
  os_profile.3046738104.computer_name:                                "" => "hostname%d"
  os_profile.3046738104.custom_data:                                  "" => "<computed>"
  os_profile_linux_config.#:                                          "" => "1"
  os_profile_linux_config.2972667452.disable_password_authentication: "" => "0"
  os_profile_linux_config.2972667452.ssh_keys.#:                      "" => "0"
  plan.#:                                                             "" => "<computed>"
  resource_group_name:                                                "" => "acctestrg"
  storage_data_disk.#:                                                "" => "<computed>"
  storage_image_reference.#:                                          "" => "1"
  storage_image_reference.1807630748.offer:                           "" => "UbuntuServer"
  storage_image_reference.1807630748.publisher:                       "" => "Canonical"
  storage_image_reference.1807630748.sku:                             "" => "14.04.2-LTS"
  storage_image_reference.1807630748.version:                         "" => "latest"
  storage_os_disk.#:                                                  "" => "1"
  storage_os_disk.867104332.caching:                                  "" => "ReadWrite"
  storage_os_disk.867104332.create_option:                            "" => "FromImage"
  storage_os_disk.867104332.name:                                     "" => "myosdisk1"
  storage_os_disk.867104332.vhd_uri:                                  "" => "https://accsa.blob.core.windows.net/vhds/myosdisk1.vhd"
  vm_size:                                                            "" => "Standard_A0"
Error applying plan:

1 error(s) occurred:

* azurerm_virtual_machine.test: autorest:DoErrorUnlessStatusCode 400 PUT https://management.azure.com/subscriptions/d81fd384-a96c-4197-b121-bf0006119534/resourceGroups/acctestrg/providers/Microsoft.Compute/virtualMachines/acctvm?api-version=2015-06-15 failed with 400 Bad Request

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Getting this provider fixed would MASSIVELY increase my productivity, so please let me know what extra info I can provide to help debug this.

@gdhagger
Author

Here is the terraform manifest that was used in the above run:

provider "azurerm" {
  subscription_id = "SUB_ID_REMOVED"
  client_id = "CLIENT_ID_REMOVED"
  client_secret = "CLIENT_SECRET_REMOVED"
  tenant_id = "TENANT_ID_REMOVED"
}

resource "azurerm_resource_group" "test" {
    name = "acctestrg"
    location = "West US"
}

resource "azurerm_virtual_network" "test" {
    name = "acctvn"
    address_space = ["10.0.0.0/16"]
    location = "West US"
    resource_group_name = "${azurerm_resource_group.test.name}"
}

resource "azurerm_subnet" "test" {
    name = "acctsub"
    resource_group_name = "${azurerm_resource_group.test.name}"
    virtual_network_name = "${azurerm_virtual_network.test.name}"
    address_prefix = "10.0.2.0/24"
}

resource "azurerm_network_interface" "test" {
    name = "acctni"
    location = "West US"
    resource_group_name = "${azurerm_resource_group.test.name}"

    ip_configuration {
        name = "testconfiguration1"
        subnet_id = "${azurerm_subnet.test.id}"
        private_ip_address_allocation = "dynamic"
    }
}

resource "azurerm_storage_account" "test" {
    name = "accsa"
    resource_group_name = "${azurerm_resource_group.test.name}"
    location = "westus"
    account_type = "Standard_LRS"

    tags {
        environment = "staging"
    }
}

resource "azurerm_storage_container" "test" {
    name = "vhds"
    resource_group_name = "${azurerm_resource_group.test.name}"
    storage_account_name = "${azurerm_storage_account.test.name}"
    container_access_type = "private"
}

resource "azurerm_virtual_machine" "test" {
    name = "acctvm"
    location = "West US"
    resource_group_name = "${azurerm_resource_group.test.name}"
    network_interface_ids = ["${azurerm_network_interface.test.id}"]
    vm_size = "Standard_A0"

    storage_image_reference {
        publisher = "Canonical"
        offer = "UbuntuServer"
        sku = "14.04.2-LTS"
        version = "latest"
    }

    storage_os_disk {
        name = "myosdisk1"
        vhd_uri = "${azurerm_storage_account.test.primary_blob_endpoint}${azurerm_storage_container.test.name}/myosdisk1.vhd"
        caching = "ReadWrite"
        create_option = "FromImage"
    }

    os_profile {
        computer_name = "hostname%d"
        admin_username = "testadmin"
        admin_password = "Password1234!"
    }

    os_profile_linux_config {
        disable_password_authentication = false
    }
}

@stack72
Contributor

stack72 commented Mar 22, 2016

Thanks for the bug report @gdhagger. This is a brand new resource so I will try and debug your configuration to see what the issue is.

@stack72
Contributor

stack72 commented Mar 22, 2016

Hi @gdhagger

So I have been able to debug this (using Charles proxy) and found the following:

{
    "error": {
        "code": "InvalidParameter",
        "target": "computerName",
        "message": "Linux host name cannot exceed 64 characters in length or contain the following characters: ` ~ ! @ # $ % ^ & * ( ) = + _ [ ] { } \\ | ; : ' \" , < > / ?."
    }
}

This actually relates to the following:

os_profile {
    computer_name = "hostname%d"
    admin_username = "testadmin"
    admin_password = "Password1234!"
}

Take out the %d from that and it works. This is my fault with the documentation - I will update that immediately! I will also open a PR to add some validation to the computer_name for both Linux and Windows machine types.

Paul

@gdhagger
Author

Paul,

That fixed the example for me, however I'm still receiving the same error report with my "real world" code.

Have Charles set up - but struggling to get Terraform to accept the Charles SSL cert. Any tips? Would like to add here if what I'm encountering is still a bug.

@lmeyemezu

My configuration is below:

os_profile {
    #computer_name = "hostname%d"
    computer_name = "vmtest1"
    admin_username = "testadmin"
    admin_password = "Password1234!"
}

but I have the same issue:
failed with 400 Bad Request

@stack72
Contributor

stack72 commented Mar 23, 2016

Hi @lmeyemezu

Please can you post your config (minus secrets) so that I can try one too?

Paul

@stack72
Contributor

stack72 commented Mar 23, 2016

@gdhagger how does the code in the example differ from your code?

@gdhagger
Author

@stack72 the block giving issues is as follows:

resource "azurerm_virtual_machine" "test" {
    name = "acctvm"
    location = "West US"
    resource_group_name = "${azurerm_resource_group.test.name}"
    network_interface_ids = ["${azurerm_network_interface.test.id}"]
    vm_size = "Standard_A0"

    storage_image_reference {
        publisher = "Canonical"
        offer = "UbuntuServer"
        sku = "14.04.2-LTS"
        version = "latest"
    }

    storage_os_disk {
        name = "myosdisk1"
        vhd_uri = "${azurerm_storage_account.test.primary_blob_endpoint}${azurerm_storage_container.test.name}/myosdisk1.vhd"
        caching = "ReadWrite"
        create_option = "FromImage"
    }

    os_profile {
        computer_name = "somevaluehere"
        admin_username = "admin"
        admin_password = "Password1234!"
    }

    os_profile_linux_config {
        disable_password_authentication = true
        ssh_keys {
            path = "admin"
            key_data = "${file("/home/ghagger/.ssh/ps.pem")}"
        }
    }
}

The issue appears to be with the ssh_keys block. It's unclear from the docs what 'path' actually means in this context, and from experience I've found Azure to be picky about the format of the ssh public key. I've tried both ssh pubkey format, and x509 pem public keys (as seen here) to no avail.

Still trying to get my proxy working so I can see wtf the server is actually saying :)

@stack72
Contributor

stack72 commented Mar 23, 2016

@gdhagger try following this example

  "linuxConfiguration": {
    "disablePasswordAuthentication": "true|false",
    "os_profile_linux_config": {
      "ssh_keys": [ {
        "path": "key-path-on-vm",
        "key_data": "public-key"
      } ]
    }
  }

Path seems to be the path to store the key on the VM

@gdhagger
Author

@stack72 can you translate that into terraform format? I've tried but am failing. Also, setting 'path' to '/home/admin/.ssh/authorized_keys' isn't helping.

@stack72
Contributor

stack72 commented Mar 23, 2016

os_profile_linux_config {
    disable_password_authentication = true
    ssh_keys {
        path = "/tmp"
        key_data = "${file("/home/ghagger/.ssh/ps.pem")}"
    }
}

I don't think you can set it as an authorized key as that is a file in itself - you would need to do that with a custom_data script AFAICT

Try with /tmp for now and see if it writes ok

I am on a train so will have to try and reproduce this when I have network connectivity on my laptop :(

@gdhagger
Author

OK... I got Charles working - here's what I found:

admin_username = "admin" results in:

{
    "error": {
        "code": "InvalidParameter",
        "target": "adminUsername",
        "message": "The Admin Username specified is not allowed."
    }
}

ssh_keys path set to '/tmp/' gives:

{
    "error": {
        "code": "InvalidParameter",
        "target": "linuxConfiguration.ssh.publicKeys.path",
        "message": "The value of parameter linuxConfiguration.ssh.publicKeys.path is invalid."
    }
}

setting it to '/tmp/foo' reveals this:

{
    "error": {
        "code": "InvalidParameter",
        "target": "linuxConfiguration.ssh.publicKeys.path",
        "message": "Destination path for Ssh public keys is currently limited to its default value /home/ps/.ssh/authorized_keys  due to a known issue in Linux provisioning agent."
    }
}

fixing that, with a PEM formatted public key I got:

{
    "error": {
        "code": "InvalidParameter",
        "target": "linuxConfiguration.ssh.publicKeys.keyData",
        "message": "The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid."
    }
}

This appears to have worked - the VM now exists in Azure (though I've screwed up the network so I can't test SSH right now.... doh!) but Terraform is reporting a failure:

Error applying plan:

1 error(s) occurred:

* azurerm_virtual_machine.test: [DEBUG] Error setting Virtual Machine Storage OS Profile Linux Configuration: &errors.errorString{s:"Invalid address to set: []string{\"os_profile_linux_config\", \"69840937\", \"ssh_keys\"}"}

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

@stack72
Contributor

stack72 commented Mar 23, 2016

@gdhagger OK good news on finding those Azure messages. These will form part of the validation.

With regards to the ssh key address, this is indeed a bug!! So that needs fixed. Will work on that immediately so thanks for finding it

Your example will help me add a regression test in place so thanks for that

@lmeyemezu

Hi @stack72,
Sorry for the delay.
It's working now. My corporate proxy was misconfigured.
Regards

@joaocc
Contributor

joaocc commented Mar 24, 2016

Not sure if this is the right place to ask this.
But, it seems to me that it would be easier on everyone if those error messages could be made visible (instead of requiring network traffic sniffing).
I'm asking this because I already went through a lot of pain because of the difficulty in getting the original error message.
Is this a feature already planned? Or should I raise a feature request?
Thx

@stack72
Contributor

stack72 commented Mar 24, 2016

Hi @joaocc

These messages are actually hidden by the SDK, not by Terraform. Terraform is returning the errors that the SDK returns.
But I agree with you, it is harder than expected.

P.

@joaocc
Contributor

joaocc commented Mar 24, 2016

Hi @stack72.
So, do you think the nice people at the SDK can devise a way to make the messages more accessible?
Thx

@stack72
Contributor

stack72 commented Mar 24, 2016

@joaocc

I am really desperate for that to happen too so we will certainly be lobbying them to do this

Paul

@OiNutter

@gdhagger How did you get Charles working? I'm hitting the same problem and need to check the error messages.

@voiddragon

@gdhagger @stack72 How did you get Terraform to accept the SSL cert for Charles? I've been having issues getting Charles to work too.

---edit---

@OiNutter I figured it out. There's a cert issue with golang on OSX in its current version. I launched a Vagrant Ubuntu box, proxied it out to the host after adding the Charles CA cert, and now it works.

Hope this helps you.

@clintonm9

I am running into the same error as @gdhagger. The SSH key is installed on the VM and I can successfully log in to the VM with the key.

But after this happens terraform is pretty much bricked with the following error:

* azurerm_virtual_machine.it-pm: [DEBUG] Error setting Virtual Machine Storage OS Profile Linux Configuration: &errors.errorString{s:"Invalid address to set: []string{\"os_profile_linux_config\", \"69840937\", \"ssh_keys\"}"}

Even trying to destroy the cluster now is not working.

I tested this a few times and after the key is successfully installed I am not able to use terraform on this state. I have to delete the tfstate file to get things working again.

@majormoses
Contributor

majormoses commented Apr 19, 2016

@gdhagger I can't seem to get Terraform to accept the Charles SSL cert. How did you get that working?

@majormoses
Contributor

I got Charles working and see some interesting things. @stack72 I see this that is curious:

{
    "error": {
        "code": "InvalidParameter",
        "target": "computerName",
        "message": "Required parameter 'computerName' is missing (null)."
    }
}

The docs say this is optional: https://www.terraform.io/docs/providers/azurerm/r/virtual_machine.html#computer_name

This is also interesting:

{
    "error": {
        "code": "InvalidParameter",
        "target": "adminPassword",
        "message": "The supplied password must be between 6-72 characters long and must satisfy at least 3 of password complexity requirements from the following: \r\n1) Contains an uppercase character\r\n2) Contains a lowercase character\r\n3) Contains a numeric digit\r\n4) Contains a special character."
    }
}

There is no mention of such requirements in the doc: https://www.terraform.io/docs/providers/azurerm/r/virtual_machine.html#admin_password

Can we put some validation on this?

Until we can surface these errors in the SDK, do you want a PR for documenting this up?
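
Added example, not part of the original thread or of the Terraform provider's code: a plan-time check in Go (the provider's language) that applies the three rules Azure returned in the error bodies quoted in this issue, so bad values fail locally instead of as a bare 400. The function names, the one-entry reserved-username list, the reading of the message's trailing "." as punctuation and the definition of a "special" character are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Characters from the computerName error quoted in the thread (final "." read as punctuation).
const linuxHostForbidden = "`~!@#$%^&*()=+_[]{}\\|;:'\",<>/?"

// Only "admin" is shown as rejected in the thread; Azure's full list is not on the page.
var reservedAdminUsernames = map[string]bool{"admin": true}

func validateLinuxComputerName(name string) error {
	if n := utf8.RuneCountInString(name); n == 0 || n > 64 {
		return fmt.Errorf("computer_name: must be 1-64 characters, got %d", n)
	}
	if i := strings.IndexAny(name, linuxHostForbidden); i >= 0 {
		return fmt.Errorf("computer_name: forbidden character %q", name[i])
	}
	return nil
}

func validateAdminUsername(user string) error {
	// Case-insensitive matching is an assumption, chosen so the check fails closed.
	if reservedAdminUsernames[strings.ToLower(user)] {
		return fmt.Errorf("admin_username: %q is not allowed", user)
	}
	return nil
}

// isSpecial treats any non-letter, non-digit rune as "special" (assumption).
func isSpecial(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }

func validateAdminPassword(pw string) error {
	if n := utf8.RuneCountInString(pw); n < 6 || n > 72 {
		return fmt.Errorf("admin_password: length %d is outside 6-72", n)
	}
	classes := 0 // how many of the four character classes appear at least once
	for _, in := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, isSpecial} {
		if strings.IndexFunc(pw, in) >= 0 {
			classes++
		}
	}
	if classes < 3 {
		return fmt.Errorf("admin_password: %d of 4 character classes, need 3", classes)
	}
	return nil
}

// validateOSProfile returns every violation at once, before any API call.
func validateOSProfile(computerName, user, pw string) []error {
	var errs []error
	for _, err := range []error{validateLinuxComputerName(computerName), validateAdminUsername(user), validateAdminPassword(pw)} {
		if err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

// The sample values are the ones posted in the thread's configurations.
func main() { fmt.Println(validateOSProfile("hostname%d", "admin", "Password1234!")) }
```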

@gdhagger
Author

Re: the Charles cert - it's been a while, but I think this is what I did:

I'm running Ubuntu, so I copy the Charles CA cert from ~/.charles/ca/charles-proxy-ssl-proxying-certificate.pem to /usr/local/share/ca-certificates/charles-proxy-ssl-proxying-certificate.crt. Note the change in extension.

Then run update-ca-certificates.

Details here: http://manpages.ubuntu.com/manpages/wily/man8/update-ca-certificates.8.html

@stack72
Contributor

stack72 commented Apr 20, 2016

FYI, we are trying to get the next release of Terraform to have the updated SDK so that error messages are not hidden

@majormoses
Contributor

@stack72 yup I talked with @jen20 about that yesterday

@stack72
Contributor

stack72 commented May 6, 2016

Hi all

I am going to track the work required for this issue in a larger set of AzureRM work that needs to be done. This is going to be #6526 so please track there

Paul

@erkiesken

Just a FYI, I also ran into "400 Bad Request" issues creating new VMs and couldn't debug with Charles on OSX.

But Azure portal has Audit Logs view where you can see the failed operations and dig into event details. The specific error message is found in the event's PROPERTIES value.

Hope that helps others debug their issues.

In my case the problem was I had set os_profile.admin_username=admin and ARM doesn't like that:

statusMessage:{"error":{"code":"InvalidParameter","target":"adminUsername","message":"The Admin Username specified is not allowed."}}

@majormoses
Contributor

@stack72 regarding the comment above, I believe I saw the username issue reported somewhere; is that still being tracked? I don't see it here: #6526

@NisharunnisaShaik

Hi
I am not sure whether it is the right place to post my question but hoping someone might help.
I am unable to create a Windows Virtual Machine. I have gone through many blogs and official docs, but nothing helped. Somehow one or the other error is popping up.

Terraform version : v0.12.23
My config for creating vm:

resource "azurerm_windows_virtual_machine" "resource_virtual_machine" {
    name = "${var.virtual-machine}"
    location = "${azurerm_resource_group.resource_group_name.location}"
    resource_group_name = "${azurerm_resource_group.resource_group_name.name}"
    size = "Standard_B1ls"
    admin_username = "${var.admin}"
    admin_password = "${var.password}"
    network_interface_ids = ["${azurerm_network_interface.resource_network_interface.id}"]

    os_disk {
        caching = "ReadWrite"
        storage_account_type = "Standard_LRS"
    }

    source_image_reference {
        publisher = "MicrosoftWindowsDesktop"
        offer = "Windows-10"
        sku = "19h1-ent"
        version = "18362.592.2001092016"
    }
}

Error : compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidParameter" Message="The Admin Username specified is not allowed." Target="adminUsername"

Note: Storage_image_reference, os_profile_windows_config, os_profile

I have tried using all the above options in the config file, but every time I get a new error stating "os_profile is not expected here".

Solutions & suggestions appreciated.
Thank you

@ghost

ghost commented Mar 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 7, 2020