Hello everyone, I have a VM on Azure that is created via Terraform, which was originally created with a static password as plain text. I want to change that to use a random string as the password, but that would try to re-create the VM entirely! I have read a bit here: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/reset-rdp#reset-by-using-the-vmaccess-extension-and-powershell and apparently you can use the VMAccessAgent extension to change the user's password without re-creating the VM. However, even after installing this extension on the VM with the new password value, the VM is still using the old password and doesn't respond to the new password! Is there any extra step I have to take to get this working? It is worth mentioning that I am using Bastion host to connect to the VM, and the VM uses windows OS. Thank you very much in advance.

Hi Shadi , Sadly terraform always will try to recreate the machine when you change the password even if you already have the resource in your statefile the machine, a work around is using azure cli within terraform null resource as bellow exameple,: Already have all definitions of VM Null resource change the password based on variable new_value resource "null_resource" "reset_password" { triggers = { always_run = "${timestamp()}" } provisioner "local-exec" { command = "az vm user update --resource-group <RG-VM> --name <VM-NAME> --username <User-Name> --password newPassword01$" } } Note: that the local-exec provisioner will execute the command on the machine running Terraform, not on the VM. Therefore, you need to have the Azure CLI installed and configured on this machine Let Me know if this solve your challenge. Luis, Note: I recommend you protect sensitive variable as password in terraform ( https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables )

How to change the admin password of a VM created using terraform

Accepted answer

Luis Arias 5,126 Reputation points

2023-11-21T13:28:02.5366667+00:00
Hi Shadi, Sadly terraform always will try to recreate the machine when you change the password even if you already have the resource in your statefile the machine, a work around is using azure cli within terraform null resource as bellow exameple,:

Already have all definitions of VM

Null resource change the password based on variable new_value

resource "null_resource" "reset_password" { triggers = { always_run = "${timestamp()}" } provisioner "local-exec" { command = "az vm user update --resource-group <RG-VM> --name <VM-NAME> --username <User-Name> --password newPassword01$" } }

Note: that the local-exec provisioner will execute the command on the machine running Terraform, not on the VM. Therefore, you need to have the Azure CLI installed and configured on this machine

Let Me know if this solve your challenge. Luis,

Note: I recommend you protect sensitive variable as password in terraform (https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables)
Please sign in to rate this answer.

1 person found this answer helpful.
Zeinab Khosravi 40 Reputation points

2023-11-21T14:01:41.83+00:00

Hey Luis,
thanks for the answer. I am trying to run the terraform code from the customer's devops using pipeline, so I really am not sure whether I am allowed to add the azure cli as part of the pipeline or not. I was hoping that the VmAccessAgent can slove my issue, and was wondering why isn't it working as expected when deployed using the azurerm_virtual_machine_extension resource?

Luis Arias 5,126 Reputation points

2023-11-21T15:32:20.1+00:00

Hey Shadi , If there is a devops pipeline could be a good Idea to have a task or job for do this kind of operation independenly. On the other side I tested changing the password with azurerm_virtual_machine_extension and works perfectly fine with below code . Could you try?

resource "azurerm_virtual_machine_extension" "example" { name = "resetting-password" virtual_machine_id = azurerm_windows_virtual_machine.example.id publisher = "Microsoft.Compute" type = "CustomScriptExtension" type_handler_version = "1.9" settings = <<SETTINGS { "commandToExecute": "net user adminuser NewPassword2" } SETTINGS }

Zeinab Khosravi 40 Reputation points

2023-11-23T08:24:51.62+00:00

Hey Luis,
thank you for your reply. I actually have used the following code:

resource "azurerm_virtual_machine_extension" "vm_admin_access" { depends_on = [azurerm_windows_virtual_machine.vm] virtual_machine_id = azurerm_windows_virtual_machine.vm.id publisher = "Microsoft.Compute" type = "VMAccessAgent" type_handler_version = "2.0" protected_settings = <<PROT { "username": "azureuser", "password": "${random_password.local_admin.result}" } PROT }

and with:

resource "azurerm_virtual_machine_extension" "vm_admin_access" { depends_on = [azurerm_windows_virtual_machine.vm] virtual_machine_id = azurerm_windows_virtual_machine.vm.id publisher = "Microsoft.Compute" type = "VMAccessAgent" type_handler_version = "2.0" protected_settings = jsonencode({ username = "azureuser", password = random_password.local_admin.result }) }

and none of them have worked. I would try your solution and let you know about the results. Thank you for your help.

Zeinab Khosravi 40 Reputation points

2023-11-24T12:08:35.95+00:00

Hello Luis,

so I tested your solution and it worked on my test setup. But when I tried to run it on the actual setup, I have realized that there is already an extension of type CustomScriptExtension on the VM!! Because of this extension, that apparently has been created using Inline inside the pipeline, I can create a new extension with the change password code.

Do you by any chance have any suggestion on this problem? YOur help is much appreciated.

Luis Arias 5,126 Reputation points

2023-11-24T23:20:36.5466667+00:00

Hi Shadi, I'm assuming that you cannot create a new extension for you change passworf code. Isn't it?

That you can do is include your code in your existing custom script append your code to the existing one, but this kind of operation isn't track by Terraform, in that case a null resource option that I share you at first could be a better one. Let me know what is happening with your error.

Zeinab Khosravi 40 Reputation points

2023-11-27T08:15:47.4066667+00:00

Hey Luis,

yes, unfortunately azure doesn't allow 2 extensions of the same type to be created on a windows VM. I ended up using the null resource you have originally suggested. I think we can close this discussion here. Thank you very much for your support.
Sign in to comment

Share via

How to change the admin password of a VM created using terraform

0 additional answers