
I have been trying, to no avail, to Terraform the following setup in Azure:

A Linux VM from a Packer-created custom VM image with an additional persistent, managed and encrypted data disk attached to said VM, but which lives externally in case I want to recreate the VM with a newer (more updated, secure) version of the custom image, without losing any of the data saved to the external disk (imagine a node in a database cluster). I went on to do the following:

  1. Initially, I tried using azurerm_managed_disk and an azurerm_virtual_machine_data_disk_attachment with the VM resource, but the issue is that if you just create a disk like this (with create_option set to Empty) the disk will be unformatted, unpartitioned, and unmounted. Basically unusable unless some script is run on the VM.
  2. My thinking went: ok, I'll just run a cloud-init or provisioner block thingie to partition/mount the disk and that's it. But: if I do this, when I rotate the VM, the script will run again and re-format/partition the disk, hence deleting any data I might have saved.
  3. I also tried creating a custom image with an additional data disk with Packer, and using FromImage in the azurerm_managed_disk's create_option, but it turns out it only works when referencing marketplace images, and custom images are not supported.

The only viable thing I can now think of is going back to approach 2 and make a smarter script that runs only if the attached disk is not partitioned.

Is there an alternative approach I'm not seeing? Can someone help me validate this thinking?

My additional concern is regarding encryption in said disks, as I don't know if this will be an issue when adopting either approach.

1 Answer

First of all, you can create the Azure VM from a custom image through Terraform, no matter how you create the image, with Packer or in other ways; for more details see To provision a Custom Image in Terraform.

But when you use the custom image and want an encrypted data disk, the problem comes.

Disk encryption is not currently supported in the use of custom Linux images.

For more details see Requirements and limitations of Encryption.

In addition, to mount the data disk on the VM, I think you can use the VM extension to achieve that. And to attach the managed data disk to the VM, you can just add the storage_data_disk block in the VM configuration of the Terraform code like this:

resource "azurerm_virtual_machine" "main" {
  name                  = "${var.prefix}-vm"
  location              = "${azurerm_resource_group.main.location}"
  resource_group_name   = "${azurerm_resource_group.main.name}"
  network_interface_ids = ["${azurerm_network_interface.main.id}"]
  vm_size               = "Standard_DS1_v2"

  # Uncomment this line to delete the OS disk automatically when deleting the VM
  # delete_os_disk_on_termination = true

  # Uncomment this line to delete the data disks automatically when deleting the VM
  # delete_data_disks_on_termination = true

  ...

  # Data disk stored as a VHD blob in a storage account (an unmanaged disk);
  # for a managed disk use managed_disk_type instead of vhd_uri.
  storage_data_disk {
    name          = "datadisk0"
    vhd_uri       = "${azurerm_storage_account.test.primary_blob_endpoint}${azurerm_storage_container.test.name}/datadisk0.vhd"
    disk_size_gb  = "1023"
    create_option = "Empty"
    lun           = 0
  }

  ...

  tags {
    environment = "staging"
  }
}

EDIT

I am afraid you need to use the custom image id in the VM storage_image_reference. You could use the data source azurerm_image to refer to your custom image in your resource group. The code looks like this:

data "azurerm_image" "custom" {
    name = "your_custom_image_name"
    resource_group_name = "your_group"
}

resource "azurerm_virtual_machine" "main" {
    ...

    storage_image_reference {
        id = "${data.azurerm_image.custom.id}"
    }

    ...
}

4 Comments

Thanks for the input! By following your code sample, it suggests I use an unmanaged disk (I take this from the vhd_uri option). Would you consider this to be a better approach than using a managed disk? Also, regarding disk encryption, Terraform does support providing encryption keys to managed disks, so I guess I could work around the limitation you mentioned through this approach, couldn't I?
@gvilarino I updated the answer to add the code for using the custom image. For the disk encryption, I am afraid you cannot achieve that.
@gvilarino Did you solve the problem with my answer? If it's helpful you can accept it.
Thanks for your reply. No, I wasn't able to solve the problem completely because trying to use a data disk from a non-marketplace image as an external data disk simply doesn't work in Azure. Additionally, Azure-integrated managed disk encryption doesn't work in Linux VMs, so secondary bummer. My solution is to create an empty disk, run a shell script on VM provisioning that partitions, formats and mounts the disk if need be, and manage encryption via software.
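The idempotent provisioning script sketched in the question (approach 2, made "smarter") and in the last comment, as an added example that is not code from the question or the answer. It assumes the VM image carries Azure's udev rules, so the LUN 0 data disk is reachable at /dev/disk/azure/scsi1/lun0, and that the script runs as root at provisioning time (for example from cloud-init or a VM extension).

```shell
#!/bin/sh
# Idempotent data-disk setup for the "smarter script" approach: format the
# disk only when it carries no filesystem yet, then mount it by UUID so a
# re-created VM finds its data intact. Example code added here, not from
# the question or the answer.
# Assumptions: Azure udev rules expose the LUN 0 data disk at
# /dev/disk/azure/scsi1/lun0, and the script runs as root.
set -eu

DISK="${DISK:-/dev/disk/azure/scsi1/lun0}"
MOUNTPOINT="${MOUNTPOINT:-/data}"

# Filesystem type of a device, or an empty string if blkid finds none.
fs_type_of() {
    blkid -o value -s TYPE "$1" 2>/dev/null || true
}

# Format only when no filesystem exists. Takes fs_type_of's output so the
# rule is testable without a block device.
should_format() {
    [ -z "$1" ]
}

# fstab entry keyed by UUID (device names may change across boots) with
# nofail so a detached disk does not block the boot.
fstab_line() {
    printf 'UUID=%s %s ext4 defaults,nofail,noatime 0 2\n' "$1" "$2"
}

provision_disk() {
    dev=$(readlink -f "$1"); mnt="$2"
    if should_format "$(fs_type_of "$dev")"; then
        # First boot with an empty disk: whole-disk filesystem, no partition table.
        mkfs.ext4 -q -L data "$dev"
    else
        echo "filesystem already present on $dev, keeping existing data"
    fi
    uuid=$(blkid -o value -s UUID "$dev")
    mkdir -p "$mnt"
    # Append the fstab entry once; re-runs on VM rotation must not duplicate it.
    grep -q "^UUID=$uuid " /etc/fstab || fstab_line "$uuid" "$mnt" >> /etc/fstab
    mountpoint -q "$mnt" || mount "$mnt"
}

# Act only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    provision_disk "$DISK" "$MOUNTPOINT"
fi
```

Because blkid reports TYPE=crypto_LUKS for a LUKS container, the same "is there already something on this disk" check protects a software-encrypted disk from being reformatted on VM rotation; only the first-boot branch would change to cryptsetup luksFormat followed by mkfs on the opened mapper device.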
