Version 2 of the Packer Azure plugin is now available

The Packer Azure plugin has migrated to the HashiCorp Go Azure SDK to address known Azure SDK deprecations and provide a consistent foundation for managing Azure infrastructure.

Sep 06 2023Jenna Goldstrich

We're excited to announce the version 2.0.0 release of the Packer Azure plugin, which enables users to build Azure virtual hard disks, managed images, and Compute Gallery (shared image gallery) images. The plugin is one of the most popular ways to build Azure Virtual Machine images and is used by Microsoft Azure via the Azure Image Builder

For the past year, we have been tracking the changes to the Azure SDKs and keeping our eyes on the upcoming deprecations, which were sure to disrupt how Packer interacts with Azure. When we found that the version of the Azure SDK the Packer plugin was using would soon be deprecated we began work to migrate to the Terraform tested HashiCorp Go Azure SDK. The HashiCorp Go Azure SDK is generated from and based on the Azure API definitions to provide parity with the official Azure SDK — making it a near drop-in replacement for the Azure SDK, with the ability to resolve issues around auto-rest, polling, and API versioning. Version 2.0.0 of the Packer Azure plugin addresses the known deprecations with minimal disruption to the user, introduces new highly requested features, and combines the stability of the Packer Azure plugin with the Terraform Azure provider

»OIDC support

Many users want to bring their own authentication provider when connecting to Azure, and some organizations have policies requiring this. Version 2 of the Packer Azure plugin supports using an OIDC provider to authenticate to Azure using the client_jwt field in the builder configuration. You can follow this guide to setting up GitHub as your OIDC Provider and adding its federated credentials to Azure. For example, configuring a GitHub action like this:

```name: OIDC Exampleon:  push: permissions:  contents: read  id-token: write jobs:  secrets-check:	runs-on: ubuntu-latest	outputs:  	available: "${{ steps.check-secrets.outputs.available }}"	steps:  	# we check for the ACTIONS_ID_TOKEN_REQUEST_URL variable as a proxy for other secrets  	# it will be unset when running for a PR from a fork  	- id: check-secrets    	run: |      	if [[ "${ACTIONS_ID_TOKEN_REQUEST_URL}" == "" ]]; then        	echo "available=false" | tee ${GITHUB_OUTPUT}      	else        	echo "available=true" | tee ${GITHUB_OUTPUT}      	fi   test-oidc:	runs-on: ubuntu-latest	needs: [secrets-check]	if: needs.secrets-check.outputs.available == 'true'	steps:  	- name: Set OIDC Token    	run: |      	echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')"  >>${GITHUB_ENV}   	- name: Install Go    	uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0    	with:      	go-version: '1.19.5'   	- name: Checkout    	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 	   	- name: Setup `packer`    	uses: hashicorp/setup-packer@main    	id: setup   	- name: Build the plugin    	run:  make 	   	- name: Try to run an AzureARM build with our OIDC token    	run:  packer build -force ./example/oidc-example.pkr.hcl    	env:      	ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID}}      	ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID}}``` 

And using this example Packer template with the client_jwt set as our GitHub provided OIDC token:

variable "arm_client_id" {  type    = string  default = "${env("ARM_CLIENT_ID")}"} variable "arm_oidc_token" {  type    = string  default = "${env("ARM_OIDC_TOKEN")}"} variable "subscription_id" {  type    = string  default = "${env("ARM_SUBSCRIPTION_ID")}"} variable "group_name" {  type    = string  default = "${env("ARM_GROUP_NAME")}"} source "azure-arm" "oidc" {  client_id                         = "${var.arm_client_id}"  client_jwt                        = "${var.arm_oidc_token}"  communicator                      = "winrm"  image_offer                       = "WindowsServer"  image_publisher                   = "MicrosoftWindowsServer"  image_sku                         = "2012-R2-Datacenter"  location                          = "westus"  managed_image_name                = "oidc-example"  managed_image_resource_group_name = "${var.group_name}"  os_type                           = "Windows"  subscription_id                   = "${var.subscription_id}"  vm_size                           = "Standard_DS2_v2"  winrm_insecure                    = "true"  winrm_timeout                     = "3m"  winrm_use_ssl                     = "true"  winrm_username                    = "packer"} build {  sources = ["source.azure-arm.oidc"]}

»Client certificate authentication

Beginning with version 2, the Packer Azure plugin now supports only PKCS#12 bundle (.pfx file) for client certificate authentication. For more information on generating a pfx cert and adding it to Azure, check out the Terraform Azure provider documentation. Certificates encoded in the .pem format, which previously worked in the Azure plugin, will no longer be recognized by the plugin.

»Clarification on VHD deprecation

Historically, the Packer Azure plugin notified users that Azure VHD (virtual hard disk) builds were deprecated and would be removed at a later date. This has led to confusion on whether users can rely on VHD functionality remaining in the plugin, and when or if they will be forced to migrate. We found that many users continue to build VHD images using the Packer Azure plugin, so we decided to remove the deprecation warning. VHD builds will continue to work on v2.0.0 of Azure, and we have no plans to deprecate it again in the immediate future.

»Other updates in the Packer Azure plugin

We also made changes to let the plugin fail faster when users are creating an image build that won't succeed based on invalid shared image gallery version values. We also added support for setting a WinRM expiration time for Azure tenants/subscriptions that have that policy requirement. You can find a full list of changes in the Packer Azure plugin release notes.

Please report any issues with and share your feedback on Version 2.0.0 in the Packer Azure plugin GitHub issue tracker.

PartnersAzure

Sign up for the latest HashiCorp news

By submitting this form, you acknowledge and agree that HashiCorp will process your personal information in accordance with the Privacy Policy.

More blog posts like this one

HCP Packer improves metadata visibility for artifact creation
April 23 2024 | Products & Technology
HCP Packer improves metadata visibility for artifact creation

You can now see the Packer Community Edition version and plugin versions associated with each artifact in HCP Packer.

Introducing The Infrastructure Cloud
April 22 2024 | Products & Technology
Introducing The Infrastructure Cloud

Do cloud right with The Infrastructure Cloud from HashiCorp. Unlock developer potential while controlling cloud costs and risk.

HCP Packer webhooks now generally available
April 16 2024 | Products & Technology
HCP Packer webhooks now generally available

Webhooks for HCP Packer automatically notify external systems about image-related events.