Automating the deployment of Azure Active Directory using Command Line - azure

I have used the following command to achieve it:
azure group deployment create <my-resource-group> <my-deployment-name> --template-uri https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/active-directory-new-domain/azuredeploy.json
This link has a template which does it:
https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/active-directory-new-domain/azuredeploy.json
I ran it several times but it shows this error:
info: Resource 'adVM/CreateADForest' of type 'Microsoft.Compute/virtualMachines/extensions' provisioning status is Running
info: Resource 'adVM' of type 'Microsoft.Compute/virtualMachines' provisioning status is Succeeded
info: Resource 'adNic' of type 'Microsoft.Network/networkInterfaces' provisioning status is Succeeded
info: Resource 'adLoadBalancer' of type 'Microsoft.Network/loadBalancers' provisioning status is Succeeded
info: Resource 'csyh7daynrjiaadsa' of type 'Microsoft.Storage/storageAccounts' provisioning status is Succeeded
info: Resource 'adPublicIP' of type 'Microsoft.Network/publicIPAddresses' provisioning status is Succeeded
info: Resource 'adAvailabiltySet' of type 'Microsoft.Compute/availabilitySets' provisioning status is Succeeded
info: Resource 'VNet' of type 'Microsoft.Resources/deployments' provisioning status is Succeeded
info: Resource 'adVNET' of type 'Microsoft.Network/virtualNetworks' provisioning status is Succeeded
error: getaddrinfo ENOTFOUND management.azure.com management.azure.com:443
ApplicationInsights:Sender [ { [Error: getaddrinfo ENOENT dc.services.visualstudio.com:80]
code: 'ENOENT',
errno: 'ENOENT',
syscall: 'getaddrinfo',
hostname: 'dc.services.visualstudio.com',
host: 'dc.services.visualstudio.com',
port: 80 } ]
error: Error information has been recorded to C:\Users\admin\.azure\azure.err
error: group deployment create command failed
The extensions part is failing. Could anyone tell me what I have to do now?

I have solved it. I was not in ARM mode.
azure config mode arm
And then type the commands posted above. This worked.
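The same fix as a script, added here as an example and not code from the original question or answer: it checks the classic node-based `azure` CLI's mode before deploying (switching to ARM mode as the answer describes) and keeps the domain admin password the quickstart needs out of the command line by writing an owner-only parameters file. The parameter names (adminUsername, adminPassword, domainName, dnsPrefix), the `-e/--parameters-file` option and the layout of `azure config list` output are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: deploy the active-directory-new-domain
# quickstart with the classic node-based `azure` CLI, forcing ARM mode first (the fix from
# the answer) and keeping the domain admin password out of the command line and shell history.
set -eu

TEMPLATE_URI='https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/active-directory-new-domain/azuredeploy.json'

# Pure helper: extract the mode (arm or asm) from the text printed by `azure config list`.
# Assumption: the mode is on a line containing the word "mode", value in the last column,
# e.g. "data:    mode     arm".
cli_mode_from_config() {
  printf '%s\n' "$1" | awk 'tolower($0) ~ /mode/ { v = $NF } END { print tolower(v) }'
}

# Exit 0 when the CLI is not in ARM mode and `azure config mode arm` must run first.
needs_arm_switch() {
  [ "$(cli_mode_from_config "$1")" != "arm" ]
}

# Write an ARM parameters file for the quickstart (parameter names adminUsername,
# adminPassword, domainName and dnsPrefix are assumed from the template). The password
# comes from the AD_ADMIN_PASSWORD environment variable, and the file is created
# owner-read/write only because it holds a secret. Values are assumed to contain no
# characters that need JSON escaping (quotes, backslashes).
# $1 = output path, $2 = admin username, $3 = AD DNS domain name, $4 = DNS prefix for the public IP
write_parameters_file() {
  : "${AD_ADMIN_PASSWORD:?set AD_ADMIN_PASSWORD in the environment}"
  (
    umask 077
    cat > "$1" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": { "value": "$2" },
    "adminPassword": { "value": "$AD_ADMIN_PASSWORD" },
    "domainName": { "value": "$3" },
    "dnsPrefix": { "value": "$4" }
  }
}
EOF
  )
}

# Switch to ARM mode if needed, then deploy by template URI with the parameters file
# (-e/--parameters-file is assumed to be the classic CLI's option for a parameters file).
# $1 = resource group, $2 = deployment name, $3 = parameters file
deploy_ad_forest() {
  if needs_arm_switch "$(azure config list 2>&1 || true)"; then
    echo "CLI is not in ARM mode; switching" >&2
    azure config mode arm
  fi
  azure group deployment create "$1" "$2" \
    --template-uri "$TEMPLATE_URI" \
    --parameters-file "$3"
}

# Only talk to Azure when asked, so the helpers above can be sourced and tested offline.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  write_parameters_file ./ad.parameters.json "${AD_ADMIN_USER:?}" "${AD_DOMAIN:?}" "${AD_DNS_PREFIX:?}"
  deploy_ad_forest "${RESOURCE_GROUP:?}" "${DEPLOYMENT_NAME:?}" ./ad.parameters.json
fi
```

Run it with `RUN_DEPLOY=1` and the environment variables named in the last block set; the parameters file is the only place the password is written, so delete it once the deployment has succeeded.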

Related

Rancher - Failed to create pod sandbox: rpc error: code = Unknown desc

Does anyone know how to resolve this error message?
The same Rancher containers were working just fine until about 2 weeks ago.
Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "e85e08bf70bfbb8cafe4b61b79f47008b4e829310600e5defb29f0a6600d25e3" network for pod "ykgwagg-845b559fbf-clrp8": networkPlugin cni failed to set up pod "ykgwagg-845b559fbf-clrp8_agg" network: error getting ClusterInformation: connection is unauthorized: Unauthorized, failed to clean up sandbox container "e85e08bf70bfbb8cafe4b61b79f47008b4e829310600e5defb29f0a6600d25e3" network for pod "ykgwagg-845b559fbf-clrp8": networkPlugin cni failed to teardown pod "ykgwagg-845b559fbf-clrp8_agg" network: error getting ClusterInformation: connection is unauthorized: Unauthorized]

Is it possible to connect a DeploymentScript to a VNET?

When running a bicep resource of type Microsoft.Resources/deploymentScripts that runs a script that needs access to a keyvault which only allows selected networks, how can we make the following script work?
// Parameters the snippet refers to, declared so the fragment compiles on its own
@secure()
param subscriptionKey string            // the value that the script stores in the vault
param managedIdentity object            // { name: '<identity name>', scope: '<resource group of the identity>' }
param keyVaultSecretFromProduct object  // { keyVault: '<vault name>', scope: '<resource group of the vault>' }

resource exampleScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'KeyVaultSecretFromProduct'
  location: resourceGroup().location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '/subscriptions/${subscription().subscriptionId}/resourcegroups/${managedIdentity.scope}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${managedIdentity.name}': {}
    }
  }
  properties: {
    // \\" passes a literal double quote through to the PowerShell argument list
    arguments: '-ResourceGroupName \\"${keyVaultSecretFromProduct.scope}\\" -SubscriptionKey \\"${subscriptionKey}\\" -KeyVault \\"${keyVaultSecretFromProduct.keyVault}\\"'
    azPowerShellVersion: '3.0'
    scriptContent: loadTextContent('../../membership-optimization/create-secret-for-product-key.ps1')
    retentionInterval: 'P1D'
  }
}
After running, it fails with the error:
New-AzResourceGroupDeployment: 15:37:50 - The deployment 'test_keyvault' failed with error(s). Showing 1 out of 1 error(s).
Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details. (Code: DeploymentFailed)
- {
"status": "failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'failed'.",
"details": [
{
"code": "DeploymentScriptError",
"message": "The provided script failed with the following error:\r\nMicrosoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'\n at Microsoft.Azure.Commands.KeyVault.Models.KeyVaultDataServiceClient.SetSecret(String vaultName, String secretName, SecureString secretValue, PSKeyVaultSecretAttributes secretAttributes)\n at Microsoft.Azure.Commands.KeyVault.SetAzureKeyVaultSecret.ExecuteCmdlet()\n at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)\n at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)\n at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)\n at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()\r\nat <ScriptBlock>, /mnt/azscripts/azscriptinput/userscript.ps1: line 46\r\nat <ScriptBlock>, <No file>: line 1\r\nat <ScriptBlock>, /mnt/azscripts/azscriptinput/DeploymentScript.ps1: line 264. Please refer to https://aka.ms/DeploymentScriptsTroubleshoot for more deployment script information."
}
]
}
} (Code:Conflict)
CorrelationId: xxxxxxxxxxxxxxxxxxxx
A VNet with some subnets used for app services was configured so that those app services can access key vault secrets.
Is there a way to solve this problem? Any workaround? Maybe a command that we can run that allows us to connect to the vnet?
A work-around could be to change the VNET settings on the vault, then run the script, and then reset the VNET settings to their original state. It kinda sucks but it is the only thing I got working for me when handling this situation (though in my case it was a PowerShell script).
Or, you could run the script on a VM that is in an authorised subnet.
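The first workaround as a script, added here as an example and not code from the question or the answer: it reads the vault's current network default action with the `az` CLI, opens the vault only when it is actually set to Deny, runs the Bicep deployment, and restores the Deny default from a trap so the vault is closed again even if the deployment fails or the operator interrupts it. The vault name, resource group and template path are placeholders supplied through environment variables.

```shell
#!/bin/sh
# Added example, not code from the original post: the workaround from the answer (open the
# vault's network ACL, run the deployment, put the ACL back) written so the vault is closed
# again even when the deployment fails or the operator hits Ctrl-C.
set -eu

# Pure helper: given the value of properties.networkAcls.defaultAction as returned by
# `az keyvault show` (Allow, Deny, or empty when no ACL is configured), print "open" when
# the run must temporarily allow all networks and "skip" when the vault is already reachable.
plan_for_default_action() {
  case "$1" in
    [Dd]eny)       echo open ;;
    [Aa]llow)      echo skip ;;
    ''|null|None)  echo skip ;;   # no networkAcls block: nothing to change
    *) echo "unexpected defaultAction: $1" >&2; return 1 ;;
  esac
}

# Run the Bicep deployment with the vault temporarily open to all networks.
# $1 = key vault name, $2 = resource group, $3 = Bicep file containing the deploymentScripts resource
deploy_with_vault_open() {
  vault=$1; rg=$2; template=$3
  before=$(az keyvault show --name "$vault" --resource-group "$rg" \
             --query properties.networkAcls.defaultAction -o tsv)
  if [ "$(plan_for_default_action "$before")" = open ]; then
    # Registered before opening, so every exit path (success, set -e failure, SIGINT/SIGTERM)
    # restores the Deny default; the individual VNet/IP rules are left untouched.
    trap 'az keyvault update --name "$vault" --resource-group "$rg" --default-action Deny >/dev/null' EXIT INT TERM
    az keyvault update --name "$vault" --resource-group "$rg" --default-action Allow >/dev/null
  fi
  az deployment group create --resource-group "$rg" --name test_keyvault --template-file "$template"
}

# Only talk to Azure when asked, so the helper above can be sourced and tested offline.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  deploy_with_vault_open "${KEYVAULT_NAME:?}" "${RESOURCE_GROUP:?}" "${TEMPLATE_FILE:?}"
fi
```

While the default action is Allow the data plane accepts requests from any network (RBAC or access policies still apply), so keep the window to the deployment itself; the two `az keyvault update` calls show up in the vault's activity log, which is what a reviewer should expect to see next to each deployment run.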

Azure VM Scaleset custom script extension not working - possibly failing to get VM identity?

I'm attempting to deploy to my virtual machine scale set using the custom script extension as below.
az vmss extension set --debug --name 'CustomScriptExtension' `
    --resource-group 'my-rg' `
    --publisher 'Microsoft.Compute' `
    --version '1.9.5' `
    --vmss-name 'myvmss' `
    --settings '{\"commandToExecute\": \"powershell.exe ./download-package.ps1\", \"fileUris\": [\"https://[REDACTED].blob.core.windows.net/upload/download-package.ps1\"]}' `
    --protected-settings '{\"managedIdentity\": {\"objectId\": \"[REDACTED]\"}}'
When running I get the following error:
cli.azure.cli.core.azclierror : Deployment failed. Correlation ID: 73f4d16b-afe0-4373-8773-1d7dd7d26940. VM has reported a failure when processing extension 'CustomScriptExtension'. Error message: "Failed to download all specified files. Exiting. Error Message: Exception of type 'Microsoft.WindowsAzure.GuestAgent.Plugins.CustomScriptHandler.Downloader.MsiNotFoundException' was thrown."
More information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot
Deployment failed. Correlation ID: 73f4d16b-afe0-4373-8773-1d7dd7d26940. VM has reported a failure when processing extension 'CustomScriptExtension'. Error message: "Failed to download all specified files. Exiting. Error Message: Exception of type 'Microsoft.WindowsAzure.GuestAgent.Plugins.CustomScriptHandler.Downloader.MsiNotFoundException' was thrown."
The file to be downloaded requires authentication, so I have given the scale set a system-assigned identity and granted it the Storage Blob Data Reader role on the storage account hosting the PowerShell file.
The custom extension logs on the VM suggest that it was unable to get the identity of the VM:
[7108+00000001] [11/20/2020 09:12:28.79] [INFO] Handler successfully enabled
[7108+00000001] [11/20/2020 09:12:28.80] [INFO] Loading configuration for sequence number 1
[7108+00000001] [11/20/2020 09:12:28.84] [INFO] HandlerSettings = ProtectedSettingsCertThumbprint: [REDACTED], ProtectedSettings: {[REDACTED]}, PublicSettings: {FileUris: [https://[REDACTED].blob.core.windows.net/upload/download-package.ps1], CommandToExecute: powershell.exe ./download-package.ps1}
[7108+00000001] [11/20/2020 09:12:29.26] [INFO] Downloading files specified in configuration...
[7108+00000001] [11/20/2020 09:12:30.90] [INFO] Attempting to get MSI from IMDS
[7108+00000001] [11/20/2020 09:12:31.04] [WARN] WebClient: non retryable error occurred System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadString(Uri address)
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClient.<>c__DisplayClass3_0.<DownloadStringWithRetries>b__0()
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClientWithRetryAbstract.ActionWithRetries(Action action)
[7108+00000001] [11/20/2020 09:12:31.14] [ERROR] Unknown exception occurred while attempting to get MSI token System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadString(Uri address)
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClient.<>c__DisplayClass3_0.<DownloadStringWithRetries>b__0()
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClientWithRetryAbstract.ActionWithRetries(Action action)
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.WebClient.DownloadStringWithRetries(Uri address)
at Microsoft.WindowsAzure.GuestAgent.Plugins.MsiUtils.MsiProvider.GetMsiHelper(NameValueCollection queries)
[7108+00000001] [11/20/2020 09:12:31.14] [INFO] Msi was not obtained
I can retrieve the identity token from the metadata endpoint via Invoke-WebRequest -Method Get -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' so that appears to be set up correctly.
Any advice on what the problem could be or how to further diagnose this issue would be greatly appreciated.
Here are a few fixes you can try:
The object ID of the managed identity might be incorrect.
Please also move commandToExecute and fileUris into the protected settings when using managed identities.
If you want to use a system-assigned managed identity, you don't need to pass a clientId or objectId; more info here: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#property-managedidentity
Edit: please explicitly pass an empty JSON object as settings when you add commandToExecute and fileUris to the protected settings. The extension would fail otherwise due to duplicated settings.
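The answer's recommendations as a script, added here as an example and not code from the question or the answer: the script URI and command go into the protected settings, the public settings are an explicit empty object, and an empty `managedIdentity` object selects the system-assigned identity instead of an objectId. It also refuses a non-https script URI, since the script runs as SYSTEM on every instance and a plain-http download could be altered in transit. Resource names are placeholders supplied through environment variables, and the storage account host in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: build the Custom Script Extension
# configuration the way the answer recommends (fileUris and commandToExecute in the
# protected settings, an explicit empty public settings object, and an empty
# managedIdentity object to select the system-assigned identity) and apply it to the
# scale set with `az vmss extension set`.
set -eu

# Pure helper: print the protectedSettings JSON for one script.
# $1 = https URI of the script in the storage account, $2 = command to execute.
# Assumes neither value contains characters that need JSON escaping.
cse_protected_settings() {
  printf '{"fileUris":["%s"],"commandToExecute":"%s","managedIdentity":{}}' "$1" "$2"
}

# Pure helper: refuse to fetch a script over plain http, where it could be tampered with
# in transit before it runs as SYSTEM on every instance.
script_uri_ok() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-https script URI: $1" >&2; return 1 ;;
  esac
}

# $1 = resource group, $2 = scale set name, $3 = script URI, $4 = command to execute
apply_cse_to_vmss() {
  script_uri_ok "$3"
  az vmss extension set \
    --resource-group "$1" --vmss-name "$2" \
    --name CustomScriptExtension --publisher Microsoft.Compute --version 1.9.5 \
    --settings '{}' \
    --protected-settings "$(cse_protected_settings "$3" "$4")"
  # With a Manual upgrade policy the new extension model only reaches instances after
  # `az vmss update-instances --resource-group "$1" --name "$2" --instance-ids '*'`.
}

# Only talk to Azure when asked, so the helpers above can be sourced and tested offline.
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  apply_cse_to_vmss "${RESOURCE_GROUP:?}" "${VMSS_NAME:?}" \
    "${SCRIPT_URI:?}" 'powershell.exe ./download-package.ps1'
fi
```

Because the URI and command are now in the protected settings, they are encrypted for the VM and no longer appear in `HandlerSettings` lines of the extension log like the `PublicSettings` block quoted above; the role assignment on the storage account (Storage Blob Data Reader for the scale set identity) is still required.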

Alibaba Cloud Terraform Apply - ErrorCode: RISK.RISK_CONTROL_REJECTION & ErrorCode: Forbidden.RiskControl

I want to create 2 instances (one in Zone A and one in Zone B) with private IPs, and an SLB with a public IP whose VServer group contains both instances; the frontend and backend ports are HTTP. My terraform scripts are here: https://github.com/gablooge/alibaba-terraform-challenge
But I have a problem when applying my scripts: creating the instances and the SLB fails. Here are the error messages:
Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_instance.go:423: Resource alicloud_instance RunInstances Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: Forbidden.RiskControl
Recommend:
RequestId: 09B3E699-BC3E-457B-B266-54AC66325BE7
Message: This operation is forbidden by Aliyun RiskControl system.
on main.tf line 1, in resource "alicloud_instance" "instance_a":
1: resource "alicloud_instance" "instance_a" {
Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_instance.go:423: Resource alicloud_instance RunInstances Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: Forbidden.RiskControl
Recommend:
RequestId: 5520BCA6-6A03-4E3A-A87E-1794AC38AB11
Message: This operation is forbidden by Aliyun RiskControl system.
on main.tf line 15, in resource "alicloud_instance" "instance_b":
15: resource "alicloud_instance" "instance_b" {
Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_slb.go:244: Resource alicloud_slb CreateLoadBalancer Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: RISK.RISK_CONTROL_REJECTION
Recommend:
RequestId: D677A5EB-F3A7-48A2-98D1-91988BAF6B53
Message: The Account is rejected by risk control system.
on main.tf line 30, in resource "alicloud_slb" "default":
30: resource "alicloud_slb" "default" {
Does anybody know how to resolve this problem?
This looks like an access-related issue. You might want to raise a ticket with the Alibaba Cloud support team to confirm that all the required access is enabled.

Windows Azure SDK returns unknown AccountType: undefined

I'm trying to log in via the Windows Azure SDK on OSX.
But I could not log in because I got an error: "Server returned an unknown AccountType: undefined".
My Azure account is a Visual Studio Premium with MSDN.
Also, the account still has a spending limit, but I can create Web Sites on the Azure portal.
Could you tell me what is wrong?
My work is here:
$ azure -v
0.8.2
$ azure login
info: Executing command login
Username: MY_AZURE_ACCOUNT
Password: **********
If you choose to continue, Azure command-line interface will cache your authentication information. Note that this sensitive information will be stored in plain text on the file system of your computer at /Users/awwa/.azure/azureProfile.json. Ensure that you take suitable precautions to protect your computer from unauthorized access in order minimize the risk of that information being disclosed.
Do you wish to continue: (y/n) y
+ Authenticating...
error: Server returned an unknown AccountType: undefined
info: Error information has been recorded to azure.err
error: login command failed
azure.err is here:
Wed Apr 30 2014 21:40:30 GMT+0900 (JST):
{ [Error: Server returned an unknown AccountType: undefined]
stack: [Getter/Setter],
__frame:
{ name: '__7',
line: 171,
file: '/usr/local/azure/lib/commands/account.js',
prev: undefined,
active: false,
offset: 35,
col: 31 },
rawStack: [Getter] }
Error: Server returned an unknown AccountType: undefined
at Logger.createError (/usr/local/azure/node_modules/adal-node/lib/log.js:196:13)
at /usr/local/azure/node_modules/adal-node/lib/token-request.js:366:35
at UserRealm._parseDiscoveryResponse (/usr/local/azure/node_modules/adal-node/lib/user-realm.js:234:3)
at /usr/local/azure/node_modules/adal-node/lib/user-realm.js:263:12
at Request._callback (/usr/local/azure/node_modules/adal-node/lib/util.js:116:5)
at Request.self.callback (/usr/local/azure/node_modules/adal-node/node_modules/request/request.js:121:22)
at Request.EventEmitter.emit (events.js:98:17)
at Request.<anonymous> (/usr/local/azure/node_modules/adal-node/node_modules/request/request.js:978:14)
at Request.EventEmitter.emit (events.js:117:20)
at IncomingMessage.<anonymous> (/usr/local/azure/node_modules/adal-node/node_modules/request/request.js:929:12)
at IncomingMessage.<anonymous> (/usr/local/azure/node_modules/adal-node/node_modules/request/request.js:929:12)
at __7 (/usr/local/azure/lib/commands/account.js:206:31)
The azure login method only works with organizational accounts. If you use an MSAccount, you should use "azure account import" and a .publishsettings file.
See also:
http://azure.microsoft.com/en-us/documentation/articles/xplat-cli/
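Both login paths on this page leave a credential on disk: the prompt above says the profile cache at ~/.azure/azureProfile.json is stored in plain text, and the .publishsettings file the answer points to carries a management certificate. The check below is an added example, not code from the question or the answer; it reports whether those files are readable by other users on the machine. The profile path is the one printed by the CLI above, and the .publishsettings path is a placeholder passed through an environment variable.

```shell
#!/bin/sh
# Added example, not code from the original post: a permission check for the two files that
# carry credentials after the classic `azure` CLI flows above, the plain-text profile cache
# the login prompt warns about (~/.azure/azureProfile.json) and the .publishsettings file
# used by `azure account import`, which contains a management certificate.
set -eu

# Pure helper: exit 0 if the file has no group/other permission bits, 1 if it has any,
# 2 if it does not exist. Parses `ls -l` so it behaves the same on GNU and BSD/macOS.
file_is_private() {
  [ -e "$1" ] || return 2
  perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits, e.g. "r--r--" or "------"
  [ "$perms" = '------' ]
}

# Report on the profile cache and, optionally, a .publishsettings file. Returns 1 if
# anything is readable by other users. $1 (optional) = path of the .publishsettings file
check_cli_secret_files() {
  rc=0
  for f in "$HOME/.azure/azureProfile.json" ${1:+"$1"}; do
    st=0
    file_is_private "$f" || st=$?
    case $st in
      0) echo "ok:      $f is owner-only" ;;
      2) echo "missing: $f" ;;
      *) echo "WARNING: $f is readable by other users; fix with: chmod 600 '$f'"; rc=1 ;;
    esac
  done
  return $rc
}

if [ "${CHECK_AZURE_FILES:-0}" = 1 ]; then
  check_cli_secret_files ${PUBLISHSETTINGS_FILE:+"$PUBLISHSETTINGS_FILE"}
fi
```

Run it with `CHECK_AZURE_FILES=1` (and `PUBLISHSETTINGS_FILE=<path>` after an `azure account import`); once the import has succeeded the .publishsettings file itself is no longer needed and can be removed, which shortens the list of files the check has to cover.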
