Creation of temporary Azure Keyvault for Windows 2022 image #8758
Hi, can anyone explain to me how the temp keyvault is created at the win2022 template creation? My demand is because we have a strict policy on our Azure tenant: Key Vaults must be equipped with a firewall, and unfortunately the one that comes with the temp VM for template creation isn't. Thanks for your good work and answers ;) Nico
Replies: 2 comments 1 reply
Hi @nico3133, nice to meet you again. The temporary KeyVault that is created during the Windows 2022 image generation is managed by Packer. Packer generates a random name for the KeyVault, prefixed with "pkrkv", and it doesn't provide an option to configure network ACLs for this KeyVault. Unfortunately, due to these constraints, it's not possible to create a custom KeyVault with a firewall that complies with your policies during the template creation process. However, Packer does allow setting tags for the resources it creates. You could potentially use these tags to identify resources created by Packer and exclude them from your policy.
Hi @vpolikarpov-akvelon, nice to meet you again too :)
Thanks for your answer.
Finally I found a solution and I have a full win 2022 template which is running fine.
I managed to create my own KeyVault in the resource group with all the mandatory security policies.
I found this in the Packer doc:
build_key_vault_name (string) - Specify an existing key vault to use for uploading the certificate for the instance to connect.
Add that to the win2022 json and it works very fine; you just need to create your own KeyVault and tick on "Azure Resource Manager for template deployment" and "Azure Virtual Machines for deployment" (not sure the last one is necessary) in the keyvault access configuration.
If it can help others.
Also, one more time, thanks for the amazing work on that Git! Nico
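A minimal azure-arm builder block, added here as an illustration (it is not the runner-images project's own windows2022.json), combining the two points from this thread: build_key_vault_name points Packer at a pre-created, firewalled Key Vault in the build resource group instead of the generated pkrkv-prefixed one, and azure_tags marks the temporary resources so a tenant policy can recognise them. The vault and resource group names, tag values, image values and user variables are placeholders.

```json
{
  "builders": [
    {
      "type": "azure-arm",
      "client_id": "{{user `client_id`}}",
      "client_secret": "{{user `client_secret`}}",
      "subscription_id": "{{user `subscription_id`}}",
      "tenant_id": "{{user `tenant_id`}}",
      "location": "{{user `location`}}",

      "os_type": "Windows",
      "image_publisher": "MicrosoftWindowsServer",
      "image_offer": "WindowsServer",
      "image_sku": "2022-Datacenter",
      "vm_size": "Standard_D4s_v4",

      "communicator": "winrm",
      "winrm_use_ssl": true,
      "winrm_insecure": true,
      "winrm_username": "packer",

      "managed_image_resource_group_name": "{{user `managed_image_resource_group_name`}}",
      "managed_image_name": "{{user `managed_image_name`}}",

      "build_resource_group_name": "rg-packer-build",
      "build_key_vault_name": "kv-packer-build-firewalled",

      "azure_tags": {
        "created_by": "packer",
        "purpose": "win2022-image-build"
      }
    }
  ]
}
```

The vault named in build_key_vault_name must exist before the build, with the firewall and the "Azure Resource Manager for template deployment" access setting described above; if the key is omitted, Packer falls back to creating its own pkrkv-prefixed vault with no network ACLs.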