通过WinRM连接远程主机在Terraform中失败

Question

我试图在Windows上使用terraform在provisioner下面运行

provisioner "remote-exec" {
    connection {
      type = "winrm"
      user     = "${local.admin_username}"
      password = "${local.admin_password}"
      port     = 5986
      https    = true
      timeout  = "10m"
      host = azurerm_public_ip.example.ip_address        
      insecure = true
    }

    inline = [
      "powershell.exe New-Item -Path c:\\ -Name testfile1.txt -ItemType file -Value This is a text string."
    ]
  }

当提供VM时，我在尝试使用远程-exec建立连接时遇到错误。

azurerm_virtual_machine.example (remote-exec): Connecting to remote host via WinRM...
azurerm_virtual_machine.example (remote-exec):   Host: 52.172.xxx.xxx
azurerm_virtual_machine.example (remote-exec):   Port: 5986
azurerm_virtual_machine.example (remote-exec):   User: testadmin
azurerm_virtual_machine.example (remote-exec):   Password: true
azurerm_virtual_machine.example (remote-exec):   HTTPS: true
azurerm_virtual_machine.example (remote-exec):   Insecure: true
azurerm_virtual_machine.example (remote-exec):   NTLM: false
azurerm_virtual_machine.example (remote-exec):   CACert: false
azurerm_virtual_machine.example: Still creating... [11m50s elapsed]
azurerm_virtual_machine.example: Still creating... [12m0s elapsed]


Error: timeout - last error: unknown error Post "https://52.172.xxx.xxx:5986/wsman": dial tcp 52.172.xxx.xxx:5986: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

供应器是否以正确的格式提供？

Answer 1

如果您想使用WinRM访问Azure，我们需要配置一些东西。有关更多细节，请参阅这里。

例如

1. 创建一个密钥库

New-AzKeyVault -VaultName "<vault-name>" -ResourceGroupName "<rg-name>" -Location "<vault-location>" -EnabledForDeployment -EnabledForTemplateDeployment

1. 创建证书

$certificateName = "somename"

$thumbprint = (New-SelfSignedCertificate -DnsName $certificateName -CertStoreLocation Cert:\CurrentUser\My -KeySpec KeyExchange).Thumbprint

$cert = (Get-ChildItem -Path cert:\CurrentUser\My\$thumbprint)

$password = Read-Host -Prompt "Please enter the certificate password." -AsSecureString

Export-PfxCertificate -Cert $cert -FilePath ".\$certificateName.pfx" -Password $password

1. 将证书上载到Azure密钥库

$fileName = "<Path to the .pfx file>"
$fileContentBytes = Get-Content $fileName -Encoding Byte
$fileContentEncoded = [System.Convert]::ToBase64String($fileContentBytes)

[System.Collections.HashTable]$TableForJSON = @{
    "data"     = $filecontentencoded;
    "dataType" = "pfx";
    "password" = "<password>";
}
[System.String]$JSONObject = $TableForJSON | ConvertTo-Json

$secret = ConvertTo-SecureString -String $jsonEncoded -AsPlainText –Force
Set-AzKeyVaultSecret -VaultName "<vault name>" -Name "<secret name>" -SecretValue $secret

1. 引用您的自签名证书URL

"osProfile": {
      ...
      "secrets": [
        {
          "sourceVault": {
            "id": "<resource id of the Key Vault containing the secret>"
          },
          "vaultCertificates": [
            {
              "certificateUrl": "<URL for the certificate you got in Step 4>",
              "certificateStore": "<Name of the certificate store on the VM>"
            }
          ]
        }
      ],
      "windowsConfiguration": {
        ...
        "winRM": {
          "listeners": [
            {
              "protocol": "http"
            },
            {
              "protocol": "https",
              "certificateUrl": "[reference(resourceId(resourceGroup().name, 'Microsoft.KeyVault/vaults/secrets', '<vault-name>', '<secret-name>'), '2015-06-01').secretUriWithVersion]"
            }
          ]
        },
        ...
      }
    },

1. 连接到Azure以启用winRm服务

Enable-PSRemoting -Force