Thursday, April 14, 2022

[SOLVED] Terraform Azure Linux VM with Azure AD Access

Issue

I am trying to provision a simple Ubuntu Linux VM with Terraform that allows users to connect with their Azure AD credentials. I am new to Terraform and am trying to find the right resource section/command that enables the "Login with Azure AD" setting from the GUI shown in the screenshot link below.

https://i.stack.imgur.com/Gg9p8.png

Here is a snippet of code that provisions the VM:

resource "azurerm_linux_virtual_machine" "dev" {
  name                = "devhost01"
  resource_group_name = azurerm_resource_group.dev.name
  location            = azurerm_resource_group.dev.location # was "ev": the resource group is named "dev"
  size                = "Standard_D2s_v3"
  # "admin" is on Azure's reserved-username list and is rejected at create time
  admin_username      = "azureuser"
  network_interface_ids = [
    azurerm_network_interface.dev.id,
  ]

  # username here must match admin_username
  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/admin.pub")
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }
}

I have a related but secondary question as well; I am unsure if it warrants a separate question/post. I manually created a VM through the GUI enabling "Login with Azure AD", tried to connect with

az ssh vm --ip XXX.XXX.XXX.XXX

and received

Permission denied (publickey).

I haven't specified that users need to connect using ssh keys (at least not intentionally). Is there another section I need to add to allow basic SSH access for authenticated AD users?


Solution

To log on to a Linux VM with Azure AD, you would need to perform the actions below.

  1. Install the AAD Linux extension, which appears to be installed as per your screenshot.
  2. Enable a system-assigned managed identity, which facilitates the AD login. I see this also being created.
  3. As mentioned in the "Azure AD" section of your screenshot, you would need to assign one of the Virtual Machine Administrator Login or Virtual Machine User Login roles via RBAC on the VM resource.

The third step is as important as the two before it to allow AD logins.

When all three steps are performed, az ssh vm --ip XXX.XXX.XXX.XXX would let you log on to the VM.

Update

---- adding tf code as requested in comments-----

add managed identity to VM resource

resource "azurerm_linux_virtual_machine" "dev" {
  // blah-blah
  identity {
    type = "SystemAssigned"
  }
}

add role assignment

resource "azurerm_role_assignment" "assign-vm-role" {
  scope                = azurerm_linux_virtual_machine.dev.id
  role_definition_name = "Virtual Machine Administrator Login"
  principal_id         = <id-of-group/user/sp>
}


Answered By - harshavmb
Answer Checked By - Candace Johnson (WPSolving Volunteer)
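The three steps from the accepted answer wired together in one Terraform configuration, as an added example that is not the answerer's or the asker's code. It assumes the `azurerm_resource_group.dev` and `azurerm_network_interface.dev` resources from the question already exist, and it assumes a hypothetical Azure AD security group named "vm-dev-users" that should be allowed to log in; the extension publisher/type and the role names are Azure's real ones. It deliberately grants "Virtual Machine User Login" (no sudo) rather than "Virtual Machine Administrator Login", and scopes the assignment to the single VM rather than the resource group or subscription.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Hypothetical group of people who should get shell (not root) access.
# Assigning a group instead of individual users keeps RBAC reviewable.
data "azuread_group" "vm_users" {
  display_name     = "vm-dev-users" # assumed name, not from the original post
  security_enabled = true
}

resource "azurerm_linux_virtual_machine" "dev" {
  name                  = "devhost01"
  resource_group_name   = azurerm_resource_group.dev.name
  location              = azurerm_resource_group.dev.location
  size                  = "Standard_D2s_v3"
  admin_username        = "azureuser" # "admin" is a reserved name on Azure
  network_interface_ids = [azurerm_network_interface.dev.id]

  # Still required by the provider: this is the local break-glass account.
  # Azure AD users log in to their own accounts, not this one, so this key
  # should be held by the platform team and not handed out.
  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/admin.pub")
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  # Step 2: system-assigned managed identity; the AAD extension relies on it.
  identity {
    type = "SystemAssigned"
  }
}

# Step 1: the Azure AD SSH login extension (the "Login with Azure AD" toggle).
resource "azurerm_virtual_machine_extension" "aad_ssh" {
  name                       = "AADSSHLoginForLinux"
  virtual_machine_id         = azurerm_linux_virtual_machine.dev.id
  publisher                  = "Microsoft.Azure.ActiveDirectory"
  type                       = "AADSSHLoginForLinux"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = true
}

# Step 3: RBAC. Scope is this VM only, and User Login (no sudo) is the
# least-privilege choice; use Virtual Machine Administrator Login only for
# the group that genuinely needs root.
resource "azurerm_role_assignment" "vm_user_login" {
  scope                = azurerm_linux_virtual_machine.dev.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = data.azuread_group.vm_users.object_id
}
```

After `terraform apply`, a member of the group connects with `az extension add --name ssh`, `az login`, then `az ssh vm --resource-group <rg> --name devhost01` (or `--ip` as in the question); the certificate the CLI obtains from Azure AD is what satisfies sshd, so no per-user key lands on the VM. If the role assignment is missing or scoped elsewhere, the connection is refused with a public-key error like the one in the question, because sshd has no authorization mapping for that AAD identity.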