new resource azurerm_virtual_machine_run_command

[teowa]

Ref:

• Azure Doc
• REST API

Test:

--- PASS: TestAccVirtualMachineRunCommand_complete (333.26s)
--- PASS: TestAccVirtualMachineRunCommand_basic (358.17s)
--- PASS: TestAccVirtualMachineRunCommand_requiresImport (379.89s)
--- PASS: TestAccVirtualMachineRunCommand_update (476.46s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/compute       476.492s

resolves #20935

[katbyte]

Thanks for the PR @teowa - i'm wondering if this makes sense in terraform/how this works?

given it "runs a command" how do you know when to run it? does it run every plan apply? once?

[teowa]

Thanks for the PR @teowa - i'm wondering if this makes sense in terraform/how this works?

given it "runs a command" how do you know when to run it? does it run every plan apply? once?

The command will run after the resource is being applied (a PUT being sent) and the provider will poll until it is finished. Implement this in terraform, users can make use of below features of the runCommand from doc:

• Parallel execution of multiple scripts
• Sequential execution of scripts
• User specified script timeout
• Support for long running (hours/days) scripts
• Passing secrets (parameters, passwords) in a secure manner

[katbyte]

The command will run after every apply and the provider will poll until it is finished

so every apply this runs? no matter how many times it has run before? again i'm not sure if this is a suitable API for terraform as it is triggering something, every time, and there is no feeedback on if it succeeded or state tos ave?

[tombuildsstuff]

hey @teowa

I've taken a quick look through and left some comments inline, but I'd agree with @katbyte that we need to determine whether this resource makes sense to support in Terraform.

The API appears to be mostly intended for interactive usage (e.g. through the Azure CLI/Portal) for one-of commands rather than for something intended to stick around long-term - as such whilst it's possible to support that in Terraform, I'm not sure it makes sense as a Terraform resource.

In addition the API interacts with the VM Agent, which is also used by the VM Extension resource - and is a major source of issues for end-users today (due the behaviour of both the VM Agent and the the Azure API, not validating the payload/surfacing errors) - as such I'm also concerned this resource may be similarly problematic for end-users/a support burden.

As such whilst I can understand this API being used interactively, would you be able to elaborate on the specific use-cases we're looking to support here?

Thanks!

[tombuildsstuff]

This would violate a key principal of Terraform - that we don't mark a resource as Succeeded until it's finished provisioning - so we'd need to remove this.

[teowa]

Make sense, now the property is hide in TF schema. And we set the flag to false in request.

[gburkecw]

@tombuildsstuff async_execution is pretty important for this resource because if you're setting up a sql vm, it could take hours to restore backups. That's why the AzureRM API supports async_execution. As currently implemented, if the script takes hours to run then terraform has to run for hours, eating up minutes on our CI/CD system and tying up agents. To me, it seems perfectly valid to consider the resource provisioned if the run command is created, even if it is still running.

[tombuildsstuff]

Terraform has timeouts which are used for this purpose, whilst I understand this value is being passed to the API - it's another example of why this resource probably isn't a fit for Terraform.

[teowa]

this property is hide in schema now, in API this field is set to the resource timeout for create/update, which is also customizable through timeouts block.

[tombuildsstuff]

What would users do with this output? The output field perhaps could be useful, but if the exit code is non-zero, presumably the resource would be marked as failed (as is common in other tooling)?

[teowa]

The resource will run the script in VM when Create/Update is triggered. And if script fails, Azire API will return error but the instance still exists in Azure, with non-zero exitcode and error messages inside the instance_view block. The problem is: if save the failed instance in Terraform state, the resource will be marked as taint thus lead to force replacement during next apply.

Terraform will perform the following actions:

  # azurerm_virtual_machine_run_command.example03 is tainted, so must be replaced

Sometimes the API has some issue when performing replacement on same ID. Cannot reproduce it stablelly.

[teowa]

Added a receate test for this case where a wrong script was submitted and then be corrected.

[Yvand]

I monitor this request and I would like to support it for the following reasons:

• This runCommands is a resource of its own right in ARM and Bicep
• Functionally, runCommands is equivalent to the existing resource azurerm_virtual_machine_extension, which also runs a (more sophisticated) script in the target VM

On my side, I need this resource azurerm_virtual_machine_run_command to run a PowerShell script that sets a property, so that resource azurerm_virtual_machine_extension can run successfully.
Today, my workaround is to use the AzAPI Provider. Adding this resource would allow me to remove the dependency on this provider.

[teowa]

Hi team, I have refined the code to make it more fit for Terraform schema. Please kindly take another look.

• The resource will run script on the VM when Create/Update is triggered.
• The resource will emit error if the script execution fails but will leave a instance, to handle this, I modified the Create process to create -> metadata.SetID(id) -> poll the long running operation, in this way if user want to correct the wrong script and then run Terraform apply they don't need to manully import it. And the instance will be mark as taint and be recreated.

--- PASS: TestAccVirtualMachineRunCommand_storageBlobSystemIdentity (300.88s)
--- PASS: TestAccVirtualMachineRunCommand_requiresImport (318.65s)
--- PASS: TestAccVirtualMachineRunCommand_sourceCommandId (396.41s)
--- PASS: TestAccVirtualMachineRunCommand_complete (408.56s)
--- PASS: TestAccVirtualMachineRunCommand_storageBlobSAS (417.41s)
--- PASS: TestAccVirtualMachineRunCommand_basic (451.53s)
--- PASS: TestAccVirtualMachineRunCommand_recreate (462.59s)
--- PASS: TestAccVirtualMachineRunCommand_update (494.90s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/compute       494.920s

[katbyte]

LGTM ⛵

[MoussaBangre]

Just interested to know how does the connection works in case of ssh into the target vm !

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.