feature request: set Azure Tags on Packer VM #10883

Open
3 of 15 tasks
baidarka opened this issue Nov 1, 2024 · 10 comments

@baidarka

baidarka commented Nov 1, 2024

Description

Feature request: extra parameter on 'build-image.ps1' script so that Azure tags can be passed along to the temporary Packer VM resource.

Although the Packer templates support the parameter 'azure_tags', the build script 'build-image.ps1' does not support that parameter. It is not possible to set Azure tags on the Packer VM when using 'build-image.ps1' or the Azure pipelines in this repo.
(This is an issue, not a bug; apologies, I could not find a matching issue format.)

Implemented in PR #10884

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

I need to set Azure tags on the temporary Packer VM that builds the image.

Is it regression?

No

Expected behavior

Have a parameter on the build-image.ps1 script to pass on Azure tags to the Packer template file.

Actual behavior

No such parameter.

Repro steps

No such parameter.

@kishorekumar-anchala
Contributor

Hi @baidarka,

We're looking into your issue, thank you!

@baidarka
Author

baidarka commented Nov 4, 2024

PR #10884

@pkoelemij

This would be a nice addition!

@lakshminarayana02

Hi,
We are validating it.

@lakshminarayana02

Hi
Packer templates can contain the parameter 'azure_tags to include with many', however the challenge here is how to go about including temporary resource tags without a business case for implementing this and obtaining approval from GitHub.

We request that you give further information or justification to consider it.

@baidarka
Author

baidarka commented Nov 7, 2024

Summary

We would like to take advantage of the 'azure_tags' parameter in the Packer templates, for instance here:

while using the build-image.ps1 script; about here:
build-image.ps1#L46

Please note that these 'azure_tags' are only applied to the temporary Packer VM in Azure, which is used to build an Azure and/or GitHub runner image and subsequently deleted by Packer.

Question

I am not sure what you mean by: 'Packer templates can contain the parameter 'azure_tags to include with many''?
The Packer templates that we intend to address are

Scenario

As a team we provide, amongst others, VM images for self-hosted runners for our organization.
Our build process starts with building images using https://github.com/actions/runner-images.
This build process uses a temporary Packer VM, in Azure, on which an image is composed and sys-prepped.
(after which a validation process is started and optional customization takes place)
This temporary Packer VM is currently not tagged in Azure.

Problem

Due to internal policies, we cannot just-spin-up-a-VM, let alone a temporary VM downloading a bunch of tooling (even if this takes place in isolation).
Being able to set a couple of tags on such a temporary VM would enable our security team to keep a better view on what is going on. Also, finance wants to keep a tab on costs (using a cost center tag).

Besides, earlier discussions like #discussioncomment-4591809 within this project may benefit from the proposed PR #10884.

@baidarka
Author

Would it be helpful if I provide additional information? If yes, what would you be looking for? Looking forward to your insights!

@lakshminarayana02

Hi @baidarka
We are trying to say that it is at the OS image creation level changes needed and azure policy definitions may need to be amended, additionally worried that it could affect the security posture of the VM.

Please share your thoughts.

@baidarka
Author

baidarka commented Nov 26, 2024

> Hi @baidarka We are trying to say that it is at the OS image creation level changes needed and azure policy definitions may need to be amended, additionally worried that it could affect the security posture of the VM.
>
> Please share your thoughts.

Dear @lakshminarayana02,

The requested feature (and PR) are not aimed at OS image creation nor at azure policy definitions, nor security posture.
The request is merely to optionally expose an existing packer template parameter in the build script.

Existing parameter: variable "azure_tags" in windows-2022.pkr.hcl

This template parameter is not used nor exposed in build-image.ps1.
The PR #10884 exposes this 'azure_tags' parameter in the build-image.ps1 script and propagates its value to the template parameter.

This does not affect the image to be built. It affects the temporary Packer VM used to build the image.
Hope this helps & kind regards!
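
A sketch of the pattern described in the comment above, added here as an illustration and not taken from build-image.ps1 or PR #10884: the build script takes tags as a hashtable, checks them against Azure's tag limits, and passes them to the template's existing 'azure_tags' variable through a Packer variable file. The function name, the sample tag values and the variable file name are assumptions.

```powershell
# Added illustration; not the code from build-image.ps1 or PR #10884.
# New-PackerTagVarFile is a hypothetical helper name.
function New-PackerTagVarFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Tags,
        [Parameter(Mandatory)] [string] $Path
    )
    # Azure tag limits: at most 50 tags per resource, names up to 512
    # characters, values up to 256, and names may not contain < > % & \ ? /
    if ($Tags.Count -gt 50) {
        throw "Azure allows at most 50 tags per resource; got $($Tags.Count)."
    }
    $ordered = [ordered]@{}
    foreach ($key in ($Tags.Keys | Sort-Object)) {
        $name  = [string] $key
        $value = [string] $Tags[$key]
        if ($name.Length -lt 1 -or $name.Length -gt 512) {
            throw "Tag name '$name' must be 1 to 512 characters long."
        }
        if ($name -match '[<>%&\\?/]') {
            throw "Tag name '$name' contains a character Azure does not allow."
        }
        if ($value.Length -gt 256) {
            throw "Value of tag '$name' is longer than 256 characters."
        }
        $ordered[$name] = $value
    }
    # A variable file avoids quoting JSON on the command line, which older
    # PowerShell versions mangle when calling native executables.
    $json = @{ azure_tags = $ordered } | ConvertTo-Json -Compress
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($Path, $json, $utf8NoBom)
    return "-var-file=$Path"
}

# Constructed sample values; the cost-center tag mirrors the use case in the thread.
$varFile = Join-Path ([System.IO.Path]::GetTempPath()) 'azure-tags.pkrvars.json'
$tagArg  = New-PackerTagVarFile -Path $varFile -Tags @{
    CostCenter = 'CC-0000'
    Owner      = 'image-build-team'
}
# The build script would append this to its existing packer arguments, e.g.
#   packer build $tagArg <other -var arguments> windows-2022.pkr.hcl
Write-Output $tagArg
Get-Content -Raw $varFile
```

Rejecting invalid tags before Packer starts means a bad tag fails the build locally instead of failing the Azure deployment of the temporary VM.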

@lakshminarayana02

Hi @baidarka
Thank you for sharing these details, we will consult with stakeholders with these details and keep you updated.
