Add an example template for Azure
Problem
Azure is a major cloud provider and many users/companies will benefit from an example template using Azure.
Definition of done
Coder OSS provides GCP and AWS templates, but should also provide Azure templates for VMs
Related #2179
@mark-theshark what specific templates are you requesting for Azure?
My interpretation is that we would want Azure ports of both https://github.com/coder/coder/tree/main/examples/templates/aws-windows and https://github.com/coder/coder/tree/main/examples/templates/aws-linux
Is this correct?
Exactly @johnstcn !
@bpmct @tjcran one annoying thing about Azure Linux VMs is that they require either an admin password or an SSH public key. In normal use, the Coder user will never need either of these because they will coder ssh to the machine.
But, if things go wrong and they need to troubleshoot, do forensics, etc., they'll need the credentials.
Requiring users to paste in an SSH key or think of a password they won't generally need on workspace creation feels unfriendly, especially SSH keys for Windows / macOS users who might not have one as a matter of course.
Use of a password parameter means this gets stored in Coder's database, which isn't great. It also means we need to choose between making it a template parameter that is considered secret, or a regular parameter where we won't ******* out the user's typing, which also feels not great.
I wonder if we will want some ability for Coder to autogenerate and store (possibly externally) these "in case of emergency" type credentials.
We could use Azure Key Vault to store a password (but not an SSH key because there would be no way to extract the private key and enable login)
I wonder if we will want some ability for Coder to autogenerate and store (possibly externally) these "in case of emergency" type credentials.
That seems like a solid approach and I'm sure it would come in handy for a number of use cases. I created #3260, but feel free to make edits and define the problem better.
[Azure VMs] require either an admin password or an SSH public key. In normal use, the Coder user will never need either of these because they will coder ssh to the machine.
@ntimo has an interesting workaround for their Hetzner template when this came up. The template auto-generates a "dummy" key with Terraform and attaches it to the instance. An admin could always edit the template and add their "master key" instead, but this gets around the requirement while (ideally) not posing a major security risk.
Edit: forgot to link to the template: https://github.com/ntimo/coder-hetzner-cloud-template/blob/147801ba8507d746c8131f6afa54408a333a9560/main.tf#L94-L98
The problem with dummy keys or passwords is that they are not accessible if they are needed.
The problem with dummy keys or passwords is that they are not accessible if they are needed.
Yeah, totally agree. Currently, most of our example templates follow that pattern, not just Azure. An admin would need to go in and update the template to open firewalls and add their keys if they need to access the resource via a backdoor.
I agree that an admin needing access to the resource is potentially important, but I'm also of the opinion that the workspaces are supposed to be ephemeral and if there's a problem they'd probably just as soon vaporize the thing and start over as access it to troubleshoot. OR they would gain access via the cloud provider.
I don't think we need to solve the infrastructure problem here...
We just talked about this at office hours, and Resource Metadata sounds like a great way forward. We'll ask Terraform to generate the key resource, and then return the private key as "secret" metadata so that the user can get it if they need it.
Oooh good point
Turns out Azure has the ability to copy a new key onto the VM if needed. So, I'll just generate something and not return it. But, good to know for other clouds.
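The two ideas discussed in this thread (a Terraform-generated key that satisfies Azure's password-or-key requirement, handed back through Coder resource metadata marked sensitive), sketched as an added example; this is not code from the thread or from the template that was eventually merged. It assumes an azurerm_resource_group.main, an azurerm_network_interface.main and the coder_agent bootstrap exist elsewhere in the template, and the VM size and Ubuntu image reference are assumed values.

```hcl
terraform {
  required_providers {
    coder   = { source = "coder/coder" }
    azurerm = { source = "hashicorp/azurerm" }
    tls     = { source = "hashicorp/tls" }
  }
}

data "coder_workspace" "me" {}

# Throwaway key pair created at build time: the user is never asked for a
# password or key, and no password lands in Coder's database.
resource "tls_private_key" "emergency" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "azurerm_linux_virtual_machine" "main" {
  name                  = "coder-${data.coder_workspace.me.name}"
  resource_group_name   = azurerm_resource_group.main.name     # assumed to exist
  location              = azurerm_resource_group.main.location
  size                  = "Standard_B2s"                       # assumed value
  admin_username        = "coder"
  network_interface_ids = [azurerm_network_interface.main.id]  # assumed to exist

  # Azure requires a password or a public key; give it the generated key only.
  disable_password_authentication = true
  admin_ssh_key {
    username   = "coder"
    public_key = tls_private_key.emergency.public_key_openssh
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
  source_image_reference {                                     # assumed image
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }
}

# Expose the private key as sensitive workspace metadata: hidden in the UI by
# default, but still retrievable by the workspace owner for break-glass access.
resource "coder_metadata" "emergency_key" {
  resource_id = azurerm_linux_virtual_machine.main.id
  item {
    key       = "emergency_ssh_private_key"
    value     = tls_private_key.emergency.private_key_pem
    sensitive = true
  }
}
```

Dropping the coder_metadata resource gives the variant the last comment settles on: the key still satisfies Azure's requirement but is never returned, and Azure's own key-reset facility is used for emergency access instead.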