Wednesday, November 11, 2020

Convergent Encryption using Transit Secrets Engine.

$ cat create_transit_secrets_payload.json
{
        "type": "aes128-gcm96",
        "convergent_encryption": true,
        "derived": true,
        "exportable": true,
        "allow_plaintext_backup": true
}

 

$ vault write transit/keys/orders @create_transit_secrets_payload.json
Success! Data written to: transit/keys/orders
$



$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/keys/orders | jq -r
{
  "request_id": "edc0df98-95a4-463a-e6eb-25ad4cadebc8",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "allow_plaintext_backup": true,
    "convergent_encryption": true,
    "convergent_encryption_version": -1,
    "deletion_allowed": false,
    "derived": true,
    "exportable": true,
    "kdf": "hkdf_sha256",
    "keys": {
      "1": 1605112467
    },
    "latest_version": 1,
    "min_available_version": 0,
    "min_decryption_version": 1,
    "min_encryption_version": 0,
    "name": "orders",
    "supports_decryption": true,
    "supports_derivation": true,
    "supports_encryption": true,
    "supports_signing": false,
    "type": "aes256-gcm96"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}


$ curl --header "X-Vault-Token: root" --request LIST http://127.0.0.1:8200/v1/transit/keys | jq -r
{
  "request_id": "2cc35698-5da9-6f02-ea11-13682e04346b",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "orders"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

# -- create another named key called payments.
$ curl --header "X-Vault-Token: root" --request POST --data @create-named-key-payload.json http://127.0.0.1:8200/v1/transit/keys/payments


$ curl --header "X-Vault-Token: root" --request LIST http://127.0.0.1:8200/v1/transit/keys | jq -r
{
  "request_id": "a85727cb-0f91-9d42-3e12-1e6d78261b1f",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "orders",
      "payments"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}


$ curl --header "X-Vault-Token: root" --request DELETE http://127.0.0.1:8200/v1/transit/keys/payments | jq -r

{
  "errors": [
    "error deleting policy payments: deletion is not allowed for this key"
  ]
}


$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders | jq -r
{
  "request_id": "90038666-54e9-c805-0490-1e04197cdb39",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": {
      "1": "g1ldyMgMewn655RpWUjV7rbbfLu6ZXAMc0efU2r7k6Y="
    },
    "name": "orders",
    "type": "aes256-gcm96"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}


$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders/1 | jq -r
{
  "request_id": "8be6c9e3-1f55-3684-d02b-5a739791c540",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": {
      "1": "g1ldyMgMewn655RpWUjV7rbbfLu6ZXAMc0efU2r7k6Y="
    },
    "name": "orders",
    "type": "aes256-gcm96"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}


$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders/2 | jq -r
{
  "errors": [
    "version does not exist or cannot be found"
  ]
}

# -- rotate the key; afterwards the export should show two key versions for orders.
$ curl --header "X-Vault-Token: root" --request POST http://127.0.0.1:8200/v1/transit/keys/orders/rotate | jq -r
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 

 

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders | jq -r
{
  "request_id": "56b149c9-7ab0-5482-0e0e-73662a389c41",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": {
      "1": "g1ldyMgMewn655RpWUjV7rbbfLu6ZXAMc0efU2r7k6Y=",
      "2": "7nd4jACin+ji0SJ2qTPcd8KovmI3FsFgxVi1+RK+f2k="
    },
    "name": "orders",
    "type": "aes256-gcm96"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
 

 

$ curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/transit/export/encryption-key/orders/2 | jq -r
{
  "request_id": "97ed6070-c693-fd04-6395-2746b6ed2013",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": {
      "2": "7nd4jACin+ji0SJ2qTPcd8KovmI3FsFgxVi1+RK+f2k="
    },
    "name": "orders",
    "type": "aes256-gcm96"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
$

## -- fetch the keys

$ curl     --header "X-Vault-Token: root"     http://127.0.0.1:8200/v1/transit/export/encryption-key/orders | jq -r '.data.keys'

{
  "1": "GYPfzE+HTBxa5YCvVsr3jQ==",
  "2": "AErMLLRvnne0MGi1joTmGA=="
}

 

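## -- Below we encrypt the text; convergent encryption requires a context parameter. The ciphertext is the same every time the same plaintext and context are sent. That is what makes encrypted values comparable, and it also means anyone who can read the ciphertexts can tell which records hold the same value.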

$ vault write -format=json transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number") context=$(base64 <<< "cc-field")      | jq -r ".data.ciphertext" > cipher.txt
$ cat cipher.txt
vault:v2:KDdEwZcgYbLfHfJ101pT5nozygwlrvhfSy+mvsZWEkX3RcEO9OnXI4mDxEbxPjs=
 

$ vault write -format=json transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number") context=$(base64 <<< "cc-field")      | jq -r ".data.ciphertext" > cipher.txt.1
$ cat cipher.txt.1
vault:v2:KDdEwZcgYbLfHfJ101pT5nozygwlrvhfSy+mvsZWEkX3RcEO9OnXI4mDxEbxPjs=
$


$ vault write -format=json transit/encrypt/orders plaintext=$(base64 <<< "credit-card-number") context=$(base64 <<< "cc-field-2")      | jq -r ".data.ciphertext" > cipher.txt.2
$ cat cipher.txt.2
vault:v2:4PgP9YEqB23kR4UpzRbq/M7k6fWTZwXzFH9xcopSdejM5JeVByXoUmbgxJpaiWA=
$


## -- Decrypt

$ vault write -format=json transit/decrypt/orders ciphertext=$(cat cipher.txt) context=$(base64 <<< "cc-field") | jq -r ".data.plaintext"
Y3JlZGl0LWNhcmQtbnVtYmVyCg==
 

$ base64 -d <<< Y3JlZGl0LWNhcmQtbnVtYmVyCg==
credit-card-number
$

$ vault write -format=json transit/decrypt/orders ciphertext=$(cat cipher.txt.1) context=$(base64 <<< "cc-field") | jq -r ".data.plaintext"
Y3JlZGl0LWNhcmQtbnVtYmVyCg==
 

## -- What happens if the wrong context is sent: cipher.txt.2 was encrypted with the context cc-field-2, so decrypting it with cc-field fails.

$ vault write -format=json transit/decrypt/orders ciphertext=$(cat cipher.txt.2) context=$(base64 <<< "cc-field") | jq -r ".data.plaintext"
Error writing data to transit/decrypt/orders: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/transit/decrypt/orders
Code: 400. Errors:

* invalid ciphertext: unable to decrypt
$


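## -- Export or back up the key. The backup value is base64-encoded JSON that contains the plaintext key material of every key version. It is only available because the key was created with exportable and allow_plaintext_backup set to true (Vault does not allow either to be switched off again), so the backup has to be protected as carefully as the key itself.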

$ vault read transit/backup/orders -format=json
{
  "request_id": "49cf6800-8488-a925-b897-8800b9e5410c",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "backup": "eyJwb2xpY3kiOnsibmFtZSI6Im9yZGVycyIsImtleXMiOnsiMSI6eyJrZXkiOiJHWVBmekUrSFRCeGE1WUN2VnNyM2pRPT0iLCJobWFjX2tleSI6IkI3andqdWpkMXdxRiswK3h5MVRWbUpLYUdQTUR5c0pyQkRYK00weFIveU09IiwidGltZSI6IjIwMjAtMTEtMTFUMTg6MjM6MDcuMTAwMzA4NTY3WiIsImVjX3giOm51bGwsImVjX3kiOm51bGwsImVjX2QiOm51bGwsInJzYV9rZXkiOm51bGwsInB1YmxpY19rZXkiOiIiLCJjb252ZXJnZW50X3ZlcnNpb24iOjMsImNyZWF0aW9uX3RpbWUiOjE2MDUxMTg5ODd9LCIyIjp7ImtleSI6IkFFck1MTFJ2bm5lME1HaTFqb1RtR0E9PSIsImhtYWNfa2V5IjoiWjFBYTZ3VktBaUVFZmFjQ2YwVEZkc1czUTZsckFIaDRwVThaMm1yMFNKMD0iLCJ0aW1lIjoiMjAyMC0xMS0xMVQxODozMTozMy4xNjY3MjMwNDhaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNvbnZlcmdlbnRfdmVyc2lvbiI6MywiY3JlYXRpb25fdGltZSI6MTYwNTExOTQ5M319LCJkZXJpdmVkIjp0cnVlLCJrZGYiOjEsImNvbnZlcmdlbnRfZW5jcnlwdGlvbiI6dHJ1ZSwiZXhwb3J0YWJsZSI6dHJ1ZSwibWluX2RlY3J5cHRpb25fdmVyc2lvbiI6MSwibWluX2VuY3J5cHRpb25fdmVyc2lvbiI6MCwibGF0ZXN0X3ZlcnNpb24iOjIsImFyY2hpdmVfdmVyc2lvbiI6MiwiYXJjaGl2ZV9taW5fdmVyc2lvbiI6MCwibWluX2F2YWlsYWJsZV92ZXJzaW9uIjowLCJkZWxldGlvbl9hbGxvd2VkIjpmYWxzZSwiY29udmVyZ2VudF92ZXJzaW9uIjotMSwidHlwZSI6OCwiYmFja3VwX2luZm8iOnsidGltZSI6IjIwMjAtMTEtMTFUMTg6NTQ6MDIuODA4MzU5Njc5WiIsInZlcnNpb24iOjJ9LCJyZXN0b3JlX2luZm8iOm51bGwsImFsbG93X3BsYWludGV4dF9iYWNrdXAiOnRydWUsInZlcnNpb25fdGVtcGxhdGUiOiIiLCJzdG9yYWdlX3ByZWZpeCI6IiJ9LCJhcmNoaXZlZF9rZXlzIjp7ImtleXMiOlt7ImtleSI6bnVsbCwiaG1hY19rZXkiOm51bGwsInRpbWUiOiIwMDAxLTAxLTAxVDAwOjAwOjAwWiIsImVjX3giOm51bGwsImVjX3kiOm51bGwsImVjX2QiOm51bGwsInJzYV9rZXkiOm51bGwsInB1YmxpY19rZXkiOiIiLCJjb252ZXJnZW50X3ZlcnNpb24iOjAsImNyZWF0aW9uX3RpbWUiOjB9LHsia2V5IjoiR1lQZnpFK0hUQnhhNVlDdlZzcjNqUT09IiwiaG1hY19rZXkiOiJCN2p3anVqZDF3cUYrMCt4eTFUVm1KS2FHUE1EeXNKckJEWCtNMHhSL3lNPSIsInRpbWUiOiIyMDIwLTExLTExVDE4OjIzOjA3LjEwMDMwODU2N1oiLCJlY194IjpudWxsLCJlY195IjpudWxsLCJlY19kIjpudWxsLCJyc2Ffa2V5IjpudWxsLCJwdWJsaWNfa2V5IjoiIiwiY29udmVyZ2VudF92ZXJzaW9uIjozLCJjcmVhdGlvbl90aW1lIjoxNjA1MTE4OTg3fSx7ImtleSI6IkFFck1MTFJ2bm5lME1HaTFqb1RtR0E9PSIsImhtYWNfa2V5IjoiWjFBYTZ3VktBaUVFZmFjQ2YwVEZkc1czU
TZsckFIaDRwVThaMm1yMFNKMD0iLCJ0aW1lIjoiMjAyMC0xMS0xMVQxODozMTozMy4xNjY3MjMwNDhaIiwiZWNfeCI6bnVsbCwiZWNfeSI6bnVsbCwiZWNfZCI6bnVsbCwicnNhX2tleSI6bnVsbCwicHVibGljX2tleSI6IiIsImNvbnZlcmdlbnRfdmVyc2lvbiI6MywiY3JlYXRpb25fdGltZSI6MTYwNTExOTQ5M31dfX0K"
  },
  "warnings": null
}

Tuesday, October 15, 2019

Azure Dynamic Secret


Configuration to be done on Azure

Steps to generate an Azure service principal dynamically.

We have to create a root Service Principal in Azure, which Vault will use for all of its abstraction/brokering work.

⇒  az login

Create a Service Principal to be used by Vault

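Let's create a root service principal with role=Owner, which Vault will use. Owner on the whole subscription is a very broad grant that is convenient for a demo; where the setup allows it, a narrower role or scope is preferable.
The command below needs the subscription ID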
- to find subscription id, on your AZ portal, search for subscription and launch the page from the list.
- more details on the command we are running below. ( https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac )

⇒  az ad sp create-for-rbac -n vault-admin-manjeet --role Owner --scope /subscriptions/14692f20-9428-451b-8298-102ed4e39c2a
Changing "vault-admin-manjeet" to a valid URI of "http://vault-admin-manjeet", which is the required format used for service principal names
Creating a role assignment under the scope of "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a"
  Retrying role assignment creation: 1/36
  Retrying role assignment creation: 2/36
  Retrying role assignment creation: 3/36
{
  "appId": "235e821c-867a-4bc2-93fe-97433d6208b4",
  "displayName": "vault-admin-manjeet",
  "name": "http://vault-admin-manjeet",
  "password": "3d8a8189-a93f-4f0f-a772-410807a76902",
  "tenant": "0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec"
}


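- The appId in the above output can be verified from both the command line and the AZ portal. The password field is the service principal's client secret (it is used as client_secret in the Vault configuration later), so treat this output as a credential.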

CLI Verification
⇒  az ad sp list --query "[?contains(appId, '235e821c-867a-4bc2-93fe-97433d6208b4')]"

AZ portal - search and launch 'App registration',  then click on 'All applications'. Do another search in this window for the appId output from above. Note, the search works only if you copy/paste the entire appId

Create a custom Role in AZ (optional, but this is to show how you can align the vault role to this same role in AZ)

- Lets check what custom roles are currently in AZ

⇒  az role definition list --custom-role-only true --output json | jq '.[] | {"roleName":.roleName, "roleType":.roleType}'
{
  "roleName": "Vault_ReadOnly",
  "roleType": "CustomRole"
}
{
  "roleName": "vault-test-role",
  "roleType": "CustomRole"
}
{
  "roleName": "HashiCorp Vault Azure Auth",
  "roleType": "CustomRole"
}


- This is the custom role which will be added to AZ portal. Make sure the Name property has something which can be identified easily, I am adding my name to the end
⇒  cat custom-role.json
{
  "Name": "testing-custom-role-manjeet",
  "IsCustom": true,
  "Description": "Testing Vault Azure Secret Engine",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [

  ],
  "AssignableScopes": [
    "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a"
  ]
}


- Command to create the role using the above json file
⇒  az role definition create --role-definition custom-role.json
{
  "assignableScopes": [
    "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a"
  ],
  "description": "Testing Vault Azure Secret Engine",
  "id": "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/providers/Microsoft.Authorization/roleDefinitions/3f5cab16-188d-4ec0-864b-183d9e4c18ea",
  "name": "3f5cab16-188d-4ec0-864b-183d9e4c18ea",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "testing-custom-role-manjeet",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}


- Verify if the role was added by listing the role definitions

⇒  az role definition list --custom-role-only true --output json | jq '.[] | {"roleName":.roleName, "roleType":.roleType}'
{
  "roleName": "Vault_ReadOnly",
  "roleType": "CustomRole"
}
{
  "roleName": "vault-test-role",
  "roleType": "CustomRole"
}
{
  "roleName": "HashiCorp Vault Azure Auth",
  "roleType": "CustomRole"
}
{
  "roleName": "testing-custom-role-manjeet",
  "roleType": "CustomRole"
}


Configuration to be done on Vault

- Set the environment variables VAULT_ADDR & VAULT_ROOT_TOKEN
- VAULT_ADDR=http://127.0.0.1:8200
- VAULT_ROOT_TOKEN=vault-root-token

- Enable Azure Secrets Engines

# vault secrets enable azure

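- Configure the Azure secrets engine. All the values come from the previous section: client_id is the appId, client_secret is the password and tenant_id is the tenant from the create-for-rbac output.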

# cat az-dynamic-secrets-config.json
{
  "subscription_id": "14692f20-9428-451b-8298-102ed4e39c2a",
  "tenant_id": "0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec",
  "client_id": "235e821c-867a-4bc2-93fe-97433d6208b4",
  "client_secret": "3d8a8189-a93f-4f0f-a772-410807a76902",
  "environment": "AzurePublicCloud"
}

# curl --header "X-Vault-Token: $VAULT_ROOT_TOKEN" --request POST --data @az-dynamic-secrets-config.json  $VAULT_ADDR/v1/azure/config

- Read the az config to check if it was added
# vault read azure/config
Key                Value
---                -----
client_id          235e821c-867a-4bc2-93fe-97433d6208b4
environment        AzurePublicCloud
subscription_id    14692f20-9428-451b-8298-102ed4e39c2a
tenant_id          0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec


- Create a role in Vault
- <uuid> in the command below stands for the subscription_id
- Make sure you have a resource group named Website. If not, use one you already have.

# vault write azure/roles/my-role ttl=5m azure_roles=-<<EOF
> [
> {
> "role_name": "Contributor",
> "scope": "/subscriptions/<uuid>/resourceGroups/Website"
> }
> ]
> EOF

- Actual command I ran.

# vault write azure/roles/my-role ttl=5m azure_roles=-<<EOF
[
{
"role_name": "Contributor",
"scope": "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/my-project-resources"
}
]
EOF

Success! Data written to: azure/roles/my-role

# vault list azure/roles
Keys
----
my-role


# vault read azure/roles/my-role
Key                      Value
---                      -----
application_object_id    n/a
azure_roles              [map[role_id:/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c role_name:Contributor scope:/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/Website]]
max_ttl                  0s
ttl                      5m


- Read new credentials
# vault read azure/creds/my-role
Key                Value
---                -----
lease_id           azure/creds/my-role/BqHorsQTkp5oFEObHYuShUDz
lease_duration     5m
lease_renewable    true
client_id          71ad1565-574b-4b90-ad12-56912c4ae110
client_secret      74ef4dde-2701-9f29-66f5-f51b4db86224


- To verify

AZ Portal - search for 'App registration', click 'All applications'. In the search bar, copy/paste the client_id
Note - Vault revokes this service principal after 5 minutes because of the ttl=5m set on the role we added above.

CLI -

⇒  az ad sp list --query "[?contains(appId, '71ad1565-574b-4b90-ad12-56912c4ae110')]" --all
[
  {
    "accountEnabled": "True",
    "addIns": [],
    "alternativeNames": [],
    "appDisplayName": "vault-4ac2a52f-5ba8-6bf3-efd1-a9f2fdca138b",
    "appId": "71ad1565-574b-4b90-ad12-56912c4ae110",
    "appOwnerTenantId": "0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec",
    "appRoleAssignmentRequired": false,
    "appRoles": [],
    "applicationTemplateId": null,
    "deletionTimestamp": null,
    "displayName": "vault-4ac2a52f-5ba8-6bf3-efd1-a9f2fdca138b",
    "errorUrl": null,
    "homepage": "https://vault-4ac2a52f-5ba8-6bf3-efd1-a9f2fdca138b",
    "informationalUrls": {
      "marketing": null,
      "privacy": null,
      "support": null,
      "termsOfService": null
    },
    "keyCredentials": [],
    "logoutUrl": null,
    "notificationEmailAddresses": [],
    "oauth2Permissions": [
      {
        "adminConsentDescription": "Allow the application to access vault-4ac2a52f-5ba8-6bf3-efd1-a9f2fdca138b on behalf of the signed-in user.",
        "adminConsentDisplayName": "Access vault-4ac2a52f-5ba8-6bf3-efd1-a9f2fdca138b",
        "id": "fc040adc-374a-4a84-a9f3-47d46bf5926c",
        "isEnabled": true,
        "type": "User",
        "userConsentDescription": "Allow the application to access vault-4ac2a52f-5ba8-6bf3-efd1-a9f2fdca138b on your behalf.",
        "userConsentDisplayName": "Access vault-4ac2a52f-5ba8-6bf3-efd1-a9f2fdca138b",
        "value": "user_impersonation"
      }
    ],
    "objectId": "5abde33f-0998-4adb-bf97-5fb435f12d57",
    "objectType": "ServicePrincipal",
    "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
    "passwordCredentials": [
      {
        "additionalProperties": null,
        "customKeyIdentifier": null,
        "endDate": "2029-10-13T03:05:56.216504+00:00",
        "keyId": "da164420-ed28-4354-88b5-d1d3c88e0a2d",
        "startDate": "2019-10-16T03:05:56.216504+00:00",
        "value": null
      }
    ],
    "preferredSingleSignOnMode": null,
    "preferredTokenSigningKeyEndDateTime": null,
    "preferredTokenSigningKeyThumbprint": null,
    "publisherName": "Default Directory",
    "replyUrls": [],
    "samlMetadataUrl": null,
    "samlSingleSignOnSettings": null,
    "servicePrincipalNames": [
      "https://vault-4ac2a52f-5ba8-6bf3-efd1-a9f2fdca138b",
      "71ad1565-574b-4b90-ad12-56912c4ae110"
    ],
    "servicePrincipalType": "Application",
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null
  }
]






Vagrant Troubleshooting

    default: /vagrant => /Users/manjeet/manjeet-working/vagrant/VAGRANT-mysql
Vagrant was unable to mount VirtualBox shared folders. This is usually
because the filesystem "vboxsf" is not available. This filesystem is
made available via the VirtualBox Guest Additions and kernel module.
Please verify that these guest additions are properly installed in the
guest. This is not a bug in Vagrant and is usually caused by a faulty
Vagrant box. For context, the command attempted was:

mount -t vboxsf -o uid=1000,gid=1000 vagrant /vagrant

The error output from the command was:

/sbin/mount.vboxsf: mounting failed with the error: No such device



Solution
⇒  vagrant plugin install vagrant-vbguest
vagrant halt
vagrant reload

Monday, October 14, 2019

Compiling Azure DSC

A few manual steps in setting up Azure Automation cannot currently be handled by TF; one of them is compiling the PowerShell DSC script.

Note, I read this may be added later to the az automation resource list of TF, but there are no guarantees, as this does not create any resources; it's more about your script and compiling it to generate the MOF file.

Steps are performed on Windows (can be done on Linux or Mac, but have to download and setup powershell, az modules etc)

1) Launch powershell (Run -> powershell -> select powershell (x86))

2) $PSVersionTable (make sure this is not version 5.1, we need PowerShell version 6.x.x)

3) Upgrade powershell to v6
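( Execute the command below -> it should launch a window to install the new version - follow the steps. The command downloads the install script and runs it immediately; save the script and read it first if you want to see what it will do.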
iex "& { $(irm https://aka.ms/install-powershell.ps1) } -UseMSI"
)

PS C:\Program Files (x86)\PowerShell\6> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.2.3
PSEdition                      Core
GitCommitId                    6.2.3
OS                             Microsoft Windows 10.0.14393
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS C:\Program Files (x86)\PowerShell\6>

4) You have to install the modules needed to compile your script. Some modules are available by default; install any that are not.

To check on the modules available ( note the folder where it stores the modules)

PS C:\windows\system32> Get-Module -ListAvailable
    Directory: C:\Program Files\WindowsPowerShell\Modules

5) The above module path should be part of your PowerShell environment; if it's not, then you have to add it to the environment.

PS C:\Program Files (x86)\PowerShell\6> $env:PSModulePath
C:\Users\testadmin\Documents\PowerShell\Modules;C:\Program Files (x86)\PowerShell\Modules;c:\program files (x86)\powershell\6\Modules;C:\windows\system32\WindowsPowerShell\v1.0\Modules
PS C:\Program Files (x86)\PowerShell\6>


Add the path to the environment

PS C:\Program Files (x86)\PowerShell\6> $env:PSModulePath=$env:PSModulePath + ";C:\Program Files\WindowsPowerShell\Modules"

6) Install the modules needed.

PS C:\Program Files (x86)\PowerShell\6> Install-Module WindowsPSModulePath

PS C:\Program Files (x86)\PowerShell\6> Install-Module -name ComputerManagementDSC -MinimumVersion 6.0

7) Write the script
time-conf.ps1
# DSC configuration that sets the node's time zone through the TimeZone
# resource of the ComputerManagementDsc module.
configuration timezone {
    # Pin the module version the configuration is compiled against.
    Import-DscResource -ModuleName ComputerManagementDsc -ModuleVersion 7.0.0.0
    Write-Output 'Hi'
    # Single-instance TimeZone resource; the value is a Windows time zone ID.
    TimeZone westeustandard {
        IsSingleInstance = 'Yes'
        TimeZone = 'W. Europe Standard Time'
    }
}
# Invoking the configuration is the compile step: it produces the MOF output
# in a folder named after the configuration.
timezone

8) Let's compile the ps1 script
ps> . ./time-conf.ps1

The compile should create a folder called timezone. This folder should have a mof file called localhost.mof

9) Copy the ps1 script (time-conf.ps1) and the timezone folder to the terraform code directory and use it in the terraform code.







TF Code to Provision Windows VM




manjeet@Manjeets-MBP:~/manjeet-working/tf-demo/AzureDemo/az-dsc|
⇒  cat 4.virtual-machine-AD.tf
# Values shared by the Windows VM resource: the base VM name, its FQDN in the
# AD domain, and the custom data handed to the VM.
locals {
  virtual_machine_name = "${var.vm_name}-client"
  virtual_machine_fqdn = "${local.virtual_machine_name}.${var.active_directory_domain}"
  # PowerShell Param(...) header that carries the FQDN and computer name.
  # NOTE(review): these names carry no count index, while the VM resource's
  # computer_name appends one - confirm winrm.ps1 expects the unsuffixed name.
  custom_data_params   = "Param($RemoteHostName = \"${local.virtual_machine_fqdn}\", $ComputerName = \"${local.virtual_machine_name}\")"
  # The Param header followed by the contents of files/winrm.ps1.
  custom_data_content  = "${local.custom_data_params} ${file("./files/winrm.ps1")}"
}

# Windows Server 2016 VM(s), one per var.vmcount, with a WinRM HTTPS listener
# and a remote-exec provisioner that connects over WinRM.
# NOTE(review): the admin user name and password are read from Key Vault data
# sources. Terraform normally records such values in its state, so the state
# backend needs the same protection as the secrets themselves.
resource "azurerm_virtual_machine" "windows-vm" {
  count                 = "${var.vmcount}"
  name                  = "${local.virtual_machine_name}-${count.index}"
  resource_group_name   = "${data.azurerm_resource_group.myresourcegroup.name}"
  location              = "${data.azurerm_resource_group.myresourcegroup.location}"
  network_interface_ids = ["${element(azurerm_network_interface.windows-vm-nic.*.id, count.index)}"]
  vm_size               = "${var.vmsize["medium"]}"

  # Per-VM Name/Description tags merged with the common var.tags.
  tags = "${merge(
    map(
      "Name", "win-vm-public-ip-${count.index}",
      "Description", "This is windows vm workstation client for developers"
    ), var.tags)
  }"

  # Disks are removed together with the VM.
  delete_os_disk_on_termination    = true
  delete_data_disks_on_termination = true


  # NOTE(review): version "latest" is not pinned, so VMs created at different
  # times may be built from different image versions.
  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }

  storage_os_disk {
    name              = "${var.name}-vm-osdisk-${count.index}"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "${local.virtual_machine_name}-${count.index}"
    admin_username = "${data.azurerm_key_vault_secret.myWinUser.value}"
    admin_password = "${data.azurerm_key_vault_secret.myWinPass.value}"
    # Param header plus winrm.ps1, built in the locals block.
    custom_data    = "${local.custom_data_content}"
  }

  # Places the Key Vault certificate in the VM's "My" certificate store.
  os_profile_secrets {
    source_vault_id = "${data.azurerm_key_vault.keyvault.id}"

    vault_certificates {
      certificate_url   = "${element(azurerm_key_vault_certificate.vm_certificate.*.secret_id, count.index)}"
      certificate_store = "My"
    }
  }

  os_profile_windows_config {
    provision_vm_agent        = true
    enable_automatic_upgrades = true

    # WinRM HTTPS listener that uses the same Key Vault certificate.
    winrm {
      protocol        = "https"
      certificate_url = "${element(azurerm_key_vault_certificate.vm_certificate.*.secret_id, count.index)}"
    }

    # NOTE(review): the admin password is interpolated into the AutoLogon
    # unattend XML (LogonCount 1), presumably so the FirstLogonCommands below
    # can run - confirm the password is not left readable on the guest.
    additional_unattend_config {
      pass         = "oobeSystem"
      component    = "Microsoft-Windows-Shell-Setup"
      setting_name = "AutoLogon"
      content      = "<AutoLogon><Password><Value>${data.azurerm_key_vault_secret.myWinPass.value}</Value></Password><Enabled>true</Enabled><LogonCount>1</LogonCount><Username>${data.azurerm_key_vault_secret.myWinUser.value}</Username></AutoLogon>"
    }

    # Unattend config is to enable basic auth in WinRM, required for the provisioner stage.
    # NOTE(review): basic auth sends the credentials with every request and so
    # depends entirely on the HTTPS listener for confidentiality; check whether
    # it can be switched off again once provisioning has finished.
    additional_unattend_config {
      pass         = "oobeSystem"
      component    = "Microsoft-Windows-Shell-Setup"
      setting_name = "FirstLogonCommands"
      content      = "${file("./files/FirstLogonCommands.xml")}"
    }
  }


  # Connects to the VM's public FQDN over WinRM/HTTPS (port 5986) with the
  # admin credentials and runs the inline commands.
  provisioner "remote-exec" {
    connection {
      type     = "winrm"
      host     = "${element(azurerm_public_ip.windows-public-ip.*.fqdn, count.index)}"
      user     = "${data.azurerm_key_vault_secret.myWinUser.value}"
      password = "${data.azurerm_key_vault_secret.myWinPass.value}"
      port     = 5986
      https    = true
      timeout  = "2m"

      # NOTE: if you're using a real certificate, rather than a self-signed one, you'll want this set to `false`/to remove this.
      # With insecure = true the server certificate is not validated: the
      # session is encrypted, but the host it reaches is not authenticated.
      insecure = true
    }

    # Smoke-test commands only; the feature install is commented out.
    inline = [
      "cd C:\\Windows",
      "dir",
      //"powershell.exe -ExecutionPolicy Unrestricted -Command {Install-WindowsFeature -name Web-Server -IncludeManagementTools}",
    ]
  }

}

TF Apply output - bootstrapping the VM to join an AD domain

⇒  cat 5.join-domain.tf
# Joins each Windows VM to the AD domain through the JsonADDomainExtension
# VM extension. The extension is named after the VM it is attached to.
resource "azurerm_virtual_machine_extension" "join-domain" {
  count                = "${var.vmcount}"
  name                 = "${element(azurerm_virtual_machine.windows-vm.*.name, count.index)}"
  location             = "${data.azurerm_resource_group.myresourcegroup.location}"
  resource_group_name  = "${data.azurerm_resource_group.myresourcegroup.name}"
  virtual_machine_name = "${element(azurerm_virtual_machine.windows-vm.*.name, count.index)}"
  publisher            = "Microsoft.Compute"
  type                 = "JsonADDomainExtension"
  type_handler_version = "1.3"

  # NOTE: the `OUPath` field is intentionally blank, to put it in the Computers OU
  # NOTE(review): Options "3" presumably means "join the domain and create the
  # computer account" - confirm against the extension documentation.
  settings = <<SETTINGS
    {
        "Name": "${var.active_directory_domain}",
        "OUPath": "",
        "User": "${var.active_directory_domain}\\${data.azurerm_key_vault_secret.myWinUser.value}",
        "Restart": "true",
        "Options": "3"
    }
SETTINGS

  # The join password is supplied through protected_settings, separately from
  # the plain settings above.
  # NOTE(review): user and password are the same Key Vault secrets used for
  # the VM's local admin account; a dedicated account that is only allowed to
  # join machines to the domain would limit what this credential can do.
  protected_settings = <<SETTINGS
    {
        "Password": "${data.azurerm_key_vault_secret.myWinPass.value}"
    }
SETTINGS

}



manjeet@Manjeets-MBP:~/manjeet-working/tf-demo/AzureDemo/az-dsc|
⇒  /Users/manjeet/manjeet-working/vagrant/terraform apply
data.azurerm_resource_group.myresourcegroup: Refreshing state...
azurerm_public_ip.windows-public-ip[0]: Refreshing state... [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Network/publicIPAddresses/win-vm-public-ip-0]
data.azurerm_network_security_group.nw_sg: Refreshing state...
data.azurerm_virtual_network.vnet: Refreshing state...
data.azurerm_key_vault.keyvault: Refreshing state...
data.azurerm_subnet.subnet: Refreshing state...
data.azurerm_key_vault_secret.myWinPass: Refreshing state...
data.azurerm_key_vault_secret.myWinUser: Refreshing state...
azurerm_key_vault_certificate.vm_certificate[0]: Refreshing state... [id=https://markel-project-keyvault.vault.azure.net/certificates/win-client-0-cert/9191800430f746a1871d5c2f33a124c9]
azurerm_network_interface.windows-vm-nic[0]: Refreshing state... [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Network/networkInterfaces/win-client-vm-nic-0]
azurerm_virtual_machine.windows-vm[0]: Refreshing state... [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Compute/virtualMachines/win-client-0]
azurerm_virtual_machine_extension.dsc_extension[0]: Refreshing state... [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Compute/virtualMachines/win-client-0/extensions/win-client-0-DSC]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_virtual_machine_extension.join-domain[0] will be created
  + resource "azurerm_virtual_machine_extension" "join-domain" {
      + id                   = (known after apply)
      + location             = "eastus"
      + name                 = "win-client-0"
      + protected_settings   = (sensitive value)
      + publisher            = "Microsoft.Compute"
      + resource_group_name  = "markel-project-resources"
      + settings             = jsonencode(
            {
              + Name    = "hashidemos.com"
              + OUPath  = ""
              + Options = "3"
              + Restart = "true"
              + User    = "hashidemos.com\\testadmin"
            }
        )
      + tags                 = (known after apply)
      + type                 = "JsonADDomainExtension"
      + type_handler_version = "1.3"
      + virtual_machine_name = "win-client-0"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_virtual_machine_extension.join-domain[0]: Creating...
azurerm_virtual_machine_extension.join-domain[0]: Still creating... [10s elapsed]
azurerm_virtual_machine_extension.join-domain[0]: Still creating... [20s elapsed]
azurerm_virtual_machine_extension.join-domain[0]: Still creating... [30s elapsed]
azurerm_virtual_machine_extension.join-domain[0]: Still creating... [40s elapsed]
azurerm_virtual_machine_extension.join-domain[0]: Still creating... [50s elapsed]
azurerm_virtual_machine_extension.join-domain[0]: Still creating... [1m0s elapsed]
azurerm_virtual_machine_extension.join-domain[0]: Creation complete after 1m1s [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Compute/virtualMachines/win-client-0/extensions/win-client-0]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
manjeet@Manjeets-MBP:~/manjeet-working/tf-demo/AzureDemo/az-dsc|
⇒ 

TF Apply output - Installing Remote Provisioner and DSC bootstrapping

TF Apply output - Installing Remote Provisioner and DSC bootstrapping


⇒  cat 6.add-dsc-automation.tf
# DSC ConfigurationMode value passed to the dsc_extension resource.
locals {
  dsc_mode = "ApplyAndAutoCorrect"
}


# Inputs used to register the VMs with Azure Automation DSC.

# Name of the compiled node configuration to assign to the VM.
variable "dscaa-node-config" {
  default     = "timezone.localhost"
  description = "Azure Automation Node Config Name - CompiledConfiguration->NodeConfiguration"
}
variable "dscaa-resource-group-name" {
  default     = "markel-project-resources"
  description = "Azure Automation azurerm_resource_group name"
}
variable "dscaa-account-name" {
  default     = "Az-Automation-DSC-01"
  description = "Azure Automation azurerm_automation_account name"
}
# Registration URL of the Automation account; used as RegistrationUrl.
variable "dscaa-server-endpoint" {
  default     = "https://eus-agentservice-prod-1.azure-automation.net/accounts/fa1a2024-bc30-46f9-a611-df0e8f3238e1"
  description = "Azure Automation azurerm_automation_account endpoint URL - Registration URL"
}
# NOTE(review): the default below is a hard-coded registration key, so the
# secret lives wherever this file is stored or shared. Prefer supplying it at
# run time (a tfvars file kept out of version control, an environment
# variable, or a Key Vault data source) and regenerate any key that has been
# published.
variable "dscaa-access-key" {
  default     = "JyFckE5yh2fHeErWv7Pj/GGPso1QA4BfY6f3NF94fPUsX3vZS6VEpsGMUsSOaSCU98wFN+7ZPQ2ktuwKwlztZQ=="
  description = "Azure Automation azurerm_automation_account access key - Registration Key"
}

# Attaches the PowerShell DSC VM extension to every Windows VM (one extension
# per VM, selected with count.index) and registers the VM with the Azure
# Automation account identified by var.dscaa-server-endpoint.
#
# NOTE: Node data must already exist - otherwise the extension will fail with
# 'No NodeConfiguration was found for the agent.'
resource "azurerm_virtual_machine_extension" "dsc_extension" {
  count = var.vmcount

  # Target VM and placement.
  name                 = "${element(azurerm_virtual_machine.windows-vm.*.name, count.index)}-DSC"
  virtual_machine_name = element(azurerm_virtual_machine.windows-vm.*.name, count.index)
  resource_group_name  = data.azurerm_resource_group.myresourcegroup.name
  location             = data.azurerm_resource_group.myresourcegroup.location

  # Extension handler: major.minor is pinned, minor upgrades are accepted.
  publisher                  = "Microsoft.Powershell"
  type                       = "DSC"
  type_handler_version       = "2.77"
  auto_upgrade_minor_version = true

  # The extension must not be created before the VM exists.
  depends_on = [azurerm_virtual_machine.windows-vm]

  # Public settings: shown in clear text in the plan output, so nothing secret
  # belongs here. Uses the default extension properties described at
  # https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-template
  # RefreshFrequencyMins is how often the node contacts the pull service;
  # ConfigurationModeFrequencyMins is how often the applied state is re-checked.
  settings = <<SETTINGS_JSON
        {
            "configurationArguments"    : {
                "RegistrationUrl"    : "${var.dscaa-server-endpoint}",
                "NodeConfigurationName"    : "${var.dscaa-node-config}",
                "ConfigurationMode"    : "${local.dsc_mode}",
                "RefreshFrequencyMins"    : 30,
                "RebootNodeIfNeeded"    : false,
                "ActionAfterReboot"    : "continueConfiguration",
                "AllowModuleOverwrite"    : true,
                "ConfigurationModeFrequencyMins": 15

            }
        }
  SETTINGS_JSON

  # Protected settings: the registration key is passed as a credential object
  # whose Password field carries the key (userName is a filler value).
  # Terraform masks this attribute in the plan as (sensitive value), but the
  # rendered JSON, key included, is still stored in the Terraform state, so
  # access to the state has to be restricted like access to the key itself.
  protected_settings = <<PROTECTED_SETTINGS_JSON
    {
        "configurationArguments": {
                "RegistrationKey": {
                    "userName": "NOT_USED",
                    "Password": "${var.dscaa-access-key}"
                }
        }
    }
  PROTECTED_SETTINGS_JSON
}


manjeet@Manjeets-MBP:~/manjeet-working/tf-demo/AzureDemo/az-dsc|
⇒  /Users/manjeet/manjeet-working/vagrant/terraform apply
data.azurerm_resource_group.myresourcegroup: Refreshing state...
data.azurerm_virtual_network.vnet: Refreshing state...
data.azurerm_network_security_group.nw_sg: Refreshing state...
data.azurerm_key_vault.keyvault: Refreshing state...
data.azurerm_subnet.subnet: Refreshing state...
data.azurerm_key_vault_secret.myWinPass: Refreshing state...
data.azurerm_key_vault_secret.myWinUser: Refreshing state...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_key_vault_certificate.vm_certificate[0] will be created
  + resource "azurerm_key_vault_certificate" "vm_certificate" {
      + certificate_data = (known after apply)
      + id               = (known after apply)
      + key_vault_id     = "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.KeyVault/vaults/markel-project-keyvault"
      + name             = "win-client-0-cert"
      + secret_id        = (known after apply)
      + tags             = (known after apply)
      + thumbprint       = (known after apply)
      + vault_uri        = (known after apply)
      + version          = (known after apply)

      + certificate_policy {
          + issuer_parameters {
              + name = "Self"
            }

          + key_properties {
              + exportable = true
              + key_size   = 2048
              + key_type   = "RSA"
              + reuse_key  = true
            }

          + lifetime_action {
              + action {
                  + action_type = "AutoRenew"
                }

              + trigger {
                  + days_before_expiry = 30
                }
            }

          + secret_properties {
              + content_type = "application/x-pkcs12"
            }

          + x509_certificate_properties {
              + extended_key_usage = [
                  + "1.3.6.1.5.5.7.3.1",
                ]
              + key_usage          = [
                  + "cRLSign",
                  + "dataEncipherment",
                  + "digitalSignature",
                  + "keyAgreement",
                  + "keyCertSign",
                  + "keyEncipherment",
                ]
              + subject            = "CN=win-client-0"
              + validity_in_months = 12

              + subject_alternative_names {
                  + dns_names = (known after apply)
                  + emails    = (known after apply)
                  + upns      = (known after apply)
                }
            }
        }
    }

  # azurerm_network_interface.windows-vm-nic[0] will be created
  + resource "azurerm_network_interface" "windows-vm-nic" {
      + applied_dns_servers           = (known after apply)
      + dns_servers                   = [
          + "10.0.12.4",
        ]
      + enable_accelerated_networking = false
      + enable_ip_forwarding          = false
      + id                            = (known after apply)
      + internal_dns_name_label       = (known after apply)
      + internal_fqdn                 = (known after apply)
      + location                      = "eastus"
      + mac_address                   = (known after apply)
      + name                          = "win-client-vm-nic-0"
      + network_security_group_id     = "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Network/networkSecurityGroups/markel-project-sg"
      + private_ip_address            = (known after apply)
      + private_ip_addresses          = (known after apply)
      + resource_group_name           = "markel-project-resources"
      + tags                          = {
          + "Application" = "My App 1"
          + "CreatedBy"   = "IT Ops"
          + "Customer"    = "Markel-test"
          + "Department"  = "IT Ops"
          + "Description" = "This is network card interface object"
          + "Environment" = "developer workstations"
          + "Name"        = "win-vm-public-ip-0"
          + "Owner"       = "manjeet"
          + "TTL"         = "78"
          + "Team"        = "Devlopment App team 22"
        }
      + virtual_machine_id            = (known after apply)

      + ip_configuration {
          + application_gateway_backend_address_pools_ids = (known after apply)
          + application_security_group_ids                = (known after apply)
          + load_balancer_backend_address_pools_ids       = (known after apply)
          + load_balancer_inbound_nat_rules_ids           = (known after apply)
          + name                                          = "nic-ipconfig-0"
          + primary                                       = (known after apply)
          + private_ip_address_allocation                 = "dynamic"
          + private_ip_address_version                    = "IPv4"
          + public_ip_address_id                          = (known after apply)
          + subnet_id                                     = "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Network/virtualNetworks/markel-project-vnet/subnets/markel-project-subnet-1"
        }
    }

  # azurerm_public_ip.windows-public-ip[0] will be created
  + resource "azurerm_public_ip" "windows-public-ip" {
      + allocation_method            = "Dynamic"
      + domain_name_label            = "markel-project-client-0"
      + fqdn                         = (known after apply)
      + id                           = (known after apply)
      + idle_timeout_in_minutes      = 4
      + ip_address                   = (known after apply)
      + ip_version                   = "IPv4"
      + location                     = "eastus"
      + name                         = "win-vm-public-ip-0"
      + public_ip_address_allocation = (known after apply)
      + resource_group_name          = "markel-project-resources"
      + sku                          = "Basic"
      + tags                         = {
          + "Application" = "My App 1"
          + "CreatedBy"   = "IT Ops"
          + "Customer"    = "Markel-test"
          + "Department"  = "IT Ops"
          + "Description" = "This is public ip object to be attached to the network card"
          + "Environment" = "developer workstations"
          + "Name"        = "win-vm-public-ip-0"
          + "Owner"       = "manjeet"
          + "TTL"         = "78"
          + "Team"        = "Devlopment App team 22"
        }
    }

  # azurerm_virtual_machine.windows-vm[0] will be created
  + resource "azurerm_virtual_machine" "windows-vm" {
      + availability_set_id              = (known after apply)
      + delete_data_disks_on_termination = true
      + delete_os_disk_on_termination    = true
      + id                               = (known after apply)
      + license_type                     = (known after apply)
      + location                         = "eastus"
      + name                             = "win-client-0"
      + network_interface_ids            = (known after apply)
      + resource_group_name              = "markel-project-resources"
      + tags                             = {
          + "Application" = "My App 1"
          + "CreatedBy"   = "IT Ops"
          + "Customer"    = "Markel-test"
          + "Department"  = "IT Ops"
          + "Description" = "This is windows vm workstation client for developers"
          + "Environment" = "developer workstations"
          + "Name"        = "win-vm-public-ip-0"
          + "Owner"       = "manjeet"
          + "TTL"         = "78"
          + "Team"        = "Devlopment App team 22"
        }
      + vm_size                          = "Standard_D2s_v3"

      + identity {
          + identity_ids = (known after apply)
          + principal_id = (known after apply)
          + type         = (known after apply)
        }

      + os_profile {
          + admin_password = (sensitive value)
          + admin_username = "testadmin"
          + computer_name  = "win-client-0"
          + custom_data    = "b4e5e2ca546e310c79d709977b6f8d70cfed2deb"
        }

      + os_profile_secrets {
          + source_vault_id = "/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.KeyVault/vaults/markel-project-keyvault"

          + vault_certificates {
              + certificate_store = "My"
              + certificate_url   = (known after apply)
            }
        }

      + os_profile_windows_config {
          + enable_automatic_upgrades = true
          + provision_vm_agent        = true

          + additional_unattend_config {
              + component    = "Microsoft-Windows-Shell-Setup"
              + content      = (sensitive value)
              + pass         = "oobeSystem"
              + setting_name = "AutoLogon"
            }
          + additional_unattend_config {
              + component    = "Microsoft-Windows-Shell-Setup"
              + content      = (sensitive value)
              + pass         = "oobeSystem"
              + setting_name = "FirstLogonCommands"
            }

          + winrm {
              + certificate_url = (known after apply)
              + protocol        = "https"
            }
        }

      + storage_data_disk {
          + caching                   = (known after apply)
          + create_option             = (known after apply)
          + disk_size_gb              = (known after apply)
          + lun                       = (known after apply)
          + managed_disk_id           = (known after apply)
          + managed_disk_type         = (known after apply)
          + name                      = (known after apply)
          + vhd_uri                   = (known after apply)
          + write_accelerator_enabled = (known after apply)
        }

      + storage_image_reference {
          + offer     = "WindowsServer"
          + publisher = "MicrosoftWindowsServer"
          + sku       = "2016-Datacenter"
          + version   = "latest"
        }

      + storage_os_disk {
          + caching                   = "ReadWrite"
          + create_option             = "FromImage"
          + disk_size_gb              = (known after apply)
          + managed_disk_id           = (known after apply)
          + managed_disk_type         = "Standard_LRS"
          + name                      = "win-client-vm-osdisk-0"
          + os_type                   = (known after apply)
          + write_accelerator_enabled = false
        }
    }

  # azurerm_virtual_machine_extension.dsc_extension[0] will be created
  + resource "azurerm_virtual_machine_extension" "dsc_extension" {
      + auto_upgrade_minor_version = true
      + id                         = (known after apply)
      + location                   = "eastus"
      + name                       = "win-client-0-DSC"
      + protected_settings         = (sensitive value)
      + publisher                  = "Microsoft.Powershell"
      + resource_group_name        = "markel-project-resources"
      + settings                   = jsonencode(
            {
              + configurationArguments = {
                  + ActionAfterReboot              = "continueConfiguration"
                  + AllowModuleOverwrite           = true
                  + ConfigurationMode              = "ApplyAndAutoCorrect"
                  + ConfigurationModeFrequencyMins = 15
                  + NodeConfigurationName          = "timezone.localhost"
                  + RebootNodeIfNeeded             = false
                  + RefreshFrequencyMins           = 30
                  + RegistrationUrl                = "https://eus-agentservice-prod-1.azure-automation.net/accounts/fa1a2024-bc30-46f9-a611-df0e8f3238e1"
                }
            }
        )
      + tags                       = (known after apply)
      + type                       = "DSC"
      + type_handler_version       = "2.77"
      + virtual_machine_name       = "win-client-0"
    }

Plan: 5 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_public_ip.windows-public-ip[0]: Creating...
azurerm_key_vault_certificate.vm_certificate[0]: Creating...
azurerm_public_ip.windows-public-ip[0]: Creation complete after 2s [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Network/publicIPAddresses/win-vm-public-ip-0]
azurerm_network_interface.windows-vm-nic[0]: Creating...
azurerm_network_interface.windows-vm-nic[0]: Creation complete after 1s [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Network/networkInterfaces/win-client-vm-nic-0]
azurerm_key_vault_certificate.vm_certificate[0]: Still creating... [10s elapsed]
azurerm_key_vault_certificate.vm_certificate[0]: Still creating... [20s elapsed]
azurerm_key_vault_certificate.vm_certificate[0]: Creation complete after 25s [id=https://markel-project-keyvault.vault.azure.net/certificates/win-client-0-cert/9191800430f746a1871d5c2f33a124c9]
azurerm_virtual_machine.windows-vm[0]: Creating...
azurerm_virtual_machine.windows-vm[0]: Still creating... [10s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [20s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [30s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [40s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [50s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [1m0s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [1m10s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [1m20s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [1m30s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [1m40s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [1m50s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [2m0s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [2m10s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [2m20s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [2m30s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [2m40s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [2m50s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [3m0s elapsed]
azurerm_virtual_machine.windows-vm[0]: Still creating... [3m10s elapsed]
azurerm_virtual_machine.windows-vm[0]: Provisioning with 'remote-exec'...
azurerm_virtual_machine.windows-vm[0] (remote-exec): Connecting to remote host via WinRM...
azurerm_virtual_machine.windows-vm[0] (remote-exec):   Host: markel-project-client-0.eastus.cloudapp.azure.com
azurerm_virtual_machine.windows-vm[0] (remote-exec):   Port: 5986
azurerm_virtual_machine.windows-vm[0] (remote-exec):   User: testadmin
azurerm_virtual_machine.windows-vm[0] (remote-exec):   Password: true
azurerm_virtual_machine.windows-vm[0] (remote-exec):   HTTPS: true
azurerm_virtual_machine.windows-vm[0] (remote-exec):   Insecure: true
azurerm_virtual_machine.windows-vm[0] (remote-exec):   NTLM: false
azurerm_virtual_machine.windows-vm[0] (remote-exec):   CACert: false
azurerm_virtual_machine.windows-vm[0] (remote-exec): Connected!

azurerm_virtual_machine.windows-vm[0] (remote-exec): C:\Users\testadmin>cd C:\Windows

azurerm_virtual_machine.windows-vm[0] (remote-exec): C:\Windows>dir
azurerm_virtual_machine.windows-vm[0] (remote-exec):  Volume in drive C is Windows
azurerm_virtual_machine.windows-vm[0] (remote-exec):  Volume Serial Number is D079-18C0

azurerm_virtual_machine.windows-vm[0] (remote-exec):  Directory of C:\Windows

azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:35 PM    <DIR>          .
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:35 PM    <DIR>          ..
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          ADFS
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          appcompat
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          AppPatch
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:36 PM    <DIR>          AppReadiness
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  09:30 PM    <DIR>          assembly
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          bcastdvr
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:22 PM            63,488 bfsvc.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Boot
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Branding
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          CbsTemp
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          Cluster
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Cursors
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  09:29 PM    <DIR>          debug
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:22 PM           232,960 DfsrAdmin.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:25 PM             1,315 DfsrAdmin.exe.config
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          diagnostics
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  07:30 AM    <DIR>          DigitalLocker
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          drivers
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:35 PM             6,165 DtcInstall.log
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  07:30 AM    <DIR>          en-US
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:22 PM         4,673,960 explorer.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          GameBarPresenceWriter
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Globalization
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  07:30 AM    <DIR>          Help
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:22 PM           975,872 HelpPane.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:18 PM            18,432 hh.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          IME
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          ImmersiveControlPanel
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:36 PM    <DIR>          INF
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          InfusedApps
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          InputMethod
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          L2Schemas
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          LiveKernelReports
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:35 PM    <DIR>          Logs
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  08:06 AM             1,344 lsasetup.log
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:18 PM            43,131 mib.bin
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  09:33 PM    <DIR>          Microsoft.NET
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Migration
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          MiracastView
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          ModemLogs
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:25 PM    <DIR>          NetworkController
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:19 PM           243,200 notepad.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  07:40 AM    <DIR>          OCR
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:34 PM    <DIR>          OEM
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Offline Web Pages
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  10:35 AM    <DIR>          Panther
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Performance
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:34 PM             4,132 PFRO.log
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          PLA
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          PolicyDefinitions
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          PrintDialog
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Provisioning
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:22 PM           320,512 regedit.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Registration
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          RemotePackages
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  08:17 AM    <DIR>          rescache
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Resources
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          SchCache
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          schemas
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          security
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:19 PM            28,760 ServerDataCenter.xml
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  08:06 AM    <DIR>          ServiceProfiles
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          servicing
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  09:25 PM    <DIR>          Setup
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  09:25 PM             7,032 setupact.log
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  08:06 AM                 0 setuperr.log
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          ShellExperiences
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          SKB
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:36 PM    <DIR>          SoftwareDistribution
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Speech
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Speech_OneCore
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:22 PM           131,072 splwow64.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          System
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:21 PM               219 system.ini
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:36 PM    <DIR>          System32
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          SystemApps
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          SystemResources
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  06:26 PM    <DIR>          SysWOW64
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          TAPI
azurerm_virtual_machine.windows-vm[0] (remote-exec): 11/21/2016  08:06 AM    <DIR>          Tasks
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:36 PM    <DIR>          Temp
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          tracing
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          twain_32
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:20 PM            66,560 twain_32.dll
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Vss
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:23 PM    <DIR>          Web
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:21 PM                92 win.ini
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/14/2019  05:35 PM               275 WindowsUpdate.log
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:19 PM            10,240 winhlp32.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec): 10/06/2019  09:23 PM    <DIR>          WinSxS
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:18 PM           316,640 WMSysPr9.prx
azurerm_virtual_machine.windows-vm[0] (remote-exec): 07/16/2016  01:18 PM            11,264 write.exe
azurerm_virtual_machine.windows-vm[0] (remote-exec):               23 File(s)      7,156,665 bytes
azurerm_virtual_machine.windows-vm[0] (remote-exec):               71 Dir(s)  125,997,854,720 bytes free
azurerm_virtual_machine.windows-vm[0]: Creation complete after 3m18s [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Compute/virtualMachines/win-client-0]
azurerm_virtual_machine_extension.dsc_extension[0]: Creating...
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [10s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [20s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [30s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [40s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [50s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [1m0s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [1m10s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [1m20s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [1m30s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [1m40s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [1m50s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [2m0s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [2m10s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [2m20s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [2m30s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [2m40s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [2m50s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [3m0s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [3m10s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [3m20s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [3m30s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [3m40s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [3m50s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [4m0s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [4m10s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [4m20s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [4m30s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [4m40s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [4m50s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [5m0s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [5m10s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [5m20s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [5m30s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [5m40s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [5m50s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [6m0s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [6m10s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [6m20s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [6m30s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [6m40s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [6m50s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [7m0s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [7m10s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [7m20s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [7m30s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [7m40s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [7m50s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [8m0s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [8m11s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [8m21s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [8m31s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [8m41s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [8m51s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [9m1s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [9m11s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [9m21s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [9m31s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [9m41s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [9m51s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [10m1s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [10m11s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [10m21s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [10m31s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [10m41s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [10m51s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [11m1s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [11m11s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [11m21s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [11m31s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [11m41s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [11m51s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [12m1s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [12m11s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [12m21s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [12m31s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [12m41s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [12m51s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [13m1s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [13m11s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [13m21s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [13m31s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [13m41s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [13m51s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [14m1s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [14m11s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [14m21s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [14m31s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [14m41s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [14m51s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Still creating... [15m1s elapsed]
azurerm_virtual_machine_extension.dsc_extension[0]: Creation complete after 15m2s [id=/subscriptions/14692f20-9428-451b-8298-102ed4e39c2a/resourceGroups/markel-project-resources/providers/Microsoft.Compute/virtualMachines/win-client-0/extensions/win-client-0-DSC]

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
manjeet@Manjeets-MBP:~/manjeet-working/tf-demo/AzureDemo/az-dsc|
⇒