GCP Azure Arc-enabled servers terraform plans fail to create service account needed for Defender onboarding #1557
Comments
Hey friend! Thanks for opening this issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on the Azure Arc Jumpstart.
I want to work on this issue.
Hi @Aditya-Narayan-Nayak, in addition to fixing the service account issue in GCP, another goal of this issue should be making sure that the Terraform modules are up to date with the current stable version of Terraform and associated providers. Please let me know if you have questions about the issue itself or about contributing and I will be happy to support. Thanks
Thank you @dkirby-ms. Sure, I will let you know if there are any doubts.
@Aditya-Narayan-Nayak are you still planning on working on this?
@likamrat yes
@Aditya-Narayan-Nayak thank you. Can you please share progress and expected timelines? We would like to close on this in the September milestone; is this something you can commit to?
@likamrat Sure, I can finish this before the first or second week of September. I'm getting some errors in the Service Account section, but I might have found the solution too. I will test and let you know.
Hi @likamrat The Terraform plan is working fine but when I applied it showed an error on the install_arc_agent_sh
Hi @Aditya-Narayan-Nayak - it seems
Not able to locate install_arc_agent.sh. Here is the error:
Did you first deploy using the 1804 image and then did a new |
Hi @janegilring I tried Terraform destroy and apply, but I'm getting exactly the same error. After that, I compared it with the AWS issue and found out they added sudo in remote-exec. I also tried to add sudo, but nothing changed.
I see, what is returned when you try to run install_arc_agent.sh manually within the VM? |
It's running till the end; after that it says the service principal and all the variables are invalid.
I see, it seems like it did not pick up the input variables. When you look at the contents of If not, I suppose something is not working regarding this part, where variables should be replaced. If we can confirm this, we can try to troubleshoot what is happening.
Actually, I checked, but the input is added properly in install_arc.sh in the VM.
Interesting, could you share a screenshot of the output when running the script manually?
When I cat the install_arc-agent.sh, its resource name is not added; it is present as $HOSTNAME.
I see, that should be fine given you get the name of the machine when you run The content of install_arc_agent.sh does look as expected though; I will need to check up on this and get back to you after the weekend.
Could you try to add sudo in front of wget and then run terraform destroy/apply?
@Aditya-Narayan-Nayak any updates?
@likamrat I'm getting the same error every time, so I'm stuck there.
@Aditya-Narayan-Nayak Did you try to add sudo in front of wget followed by a
Yes, but I got the same error.
I have now tested a deployment after updating the VM image for GCP Linux-scenario to
I have tested Terraform and am now able to create the service account needed for Defender onboarding.
This issue is very similar to #1556
By adding the service account blocks shown below, which is an available argument reference for the resource “google_compute_instance”, the default service account worked and this does enable Defender for Cloud to automatically add the
Added this to the “google_compute_instance” resource sections in main.tf:
```hcl
service_account {
  # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
  email  = data.google_compute_default_service_account.default.email
  scopes = ["cloud-platform"]
}
```
Added this to the bottom of the main.tf:
```hcl
data "google_compute_default_service_account" "default" {
}

output "default_account" {
  value = data.google_compute_default_service_account.default.email
}
```
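The comment above attaches the project's default Compute Engine service account to the VM. The same `service_account` block can instead reference a dedicated account created in the same plan, which is what the in-code comment about Google's recommendation points at: the default account is frequently bound to broad project roles, whereas a purpose-built account can be granted only the IAM roles the VM actually needs. The following is an added example written for this issue, not code from the Jumpstart repository; the variable names (`gcp_project`, `gcp_zone`, `vm_name`), the `arc-vm-sa` account id, the `ubuntu-2204-lts` image family and the two IAM roles are assumptions chosen for illustration, not values taken from the thread.

```hcl
# Added example (not from the issue thread): a google_compute_instance wired to a
# dedicated, least-privilege service account instead of the project default.
# Assumed inputs (hypothetical names, not from the Jumpstart modules):
variable "gcp_project" { type = string }
variable "gcp_zone"    { type = string }
variable "vm_name"     { type = string }

# Dedicated identity for the VM. Unlike the default Compute Engine service
# account, it starts with no project-level roles at all.
resource "google_service_account" "arc_vm" {
  project      = var.gcp_project
  account_id   = "arc-vm-sa" # assumed id
  display_name = "Service account for the Arc-enabled VM"
}

# Grant only what the VM needs. These two roles are illustrative; the
# "cloud-platform" OAuth scope below does not widen them, it only removes the
# legacy per-API scope restriction so that IAM is the single place where
# permissions are decided.
resource "google_project_iam_member" "arc_vm_log_writer" {
  project = var.gcp_project
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.arc_vm.email}"
}

resource "google_project_iam_member" "arc_vm_metric_writer" {
  project = var.gcp_project
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.arc_vm.email}"
}

resource "google_compute_instance" "arc_vm" {
  project      = var.gcp_project
  name         = var.vm_name
  machine_type = "e2-medium"
  zone         = var.gcp_zone

  boot_disk {
    initialize_params {
      # Assumed image family; pick the one the scenario actually targets.
      image = "ubuntu-os-cloud/ubuntu-2204-lts"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  # Same block shape as in the comment above, but pointing at the dedicated
  # account rather than data.google_compute_default_service_account.default.
  service_account {
    email  = google_service_account.arc_vm.email
    scopes = ["cloud-platform"]
  }

  # Ensure the role bindings exist before the VM first calls any Google API.
  depends_on = [
    google_project_iam_member.arc_vm_log_writer,
    google_project_iam_member.arc_vm_metric_writer,
  ]
}

output "arc_vm_service_account" {
  value = google_service_account.arc_vm.email
}
```

After `terraform apply`, the effective permissions of the VM are exactly the `google_project_iam_member` bindings in the plan, which makes them reviewable in code; with the default account the roles live outside Terraform and have to be audited separately in the project's IAM policy.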