can we create manintenance configuration only with azurerm provider not with azureapi If yes, could you please provide more info on assigning install patches, windows, linux and other arguments.

Hello Varma , Welcome to the Microsoft Q&A and thank you for posting your questions here. Problem I understand that you would like to know if there is possibility to create maintenance configurations solely using the azurerm without relying on the azureapi provider. Also, you seek further information on configuring patch installations for both Windows and Linux VMs, including other relevant arguments, if possible. Scenario You are tasked with automating maintenance configurations for virtual machines (VMs). Your goal is to create patching configurations for both Windows and Linux VMs using only the azurerm provider. You need to ensure that the configurations include scheduling details and specific settings for patch installations, tailored for each operating system and all maintenance configuration is performed by azurerm. Solution This prescribed solution was based on the scenario given and your questions, while focusing on the problem statement. From your first question: can we create manintenance configuration only with azurerm provider not with azureapi Yes, you can create maintenance configurations using only the azurerm provider in Terraform without relying on the azureapi provider. This is an example of how you can define a maintenance configuration: provider "azurerm" { features {} } resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe" } resource "azurerm_maintenance_configuration" "example" { name = "example-mc" resource_group_name = azurerm_resource_group.example.name scope = "InGuestPatch" # Specify the maintenance scope # Other configuration settings go here } Your second question: could you please provide more info on assigning install patches, windows, linux and other arguments. To configure maintenance tasks, including installing patches for Windows and Linux machines, you can utilize the azurerm_automation_patch_configuration resource in Terraform. This resource allows you to define patch configurations for virtual machines in Azure. Below is an example of Terraform configuration demonstrating how you can create a maintenance configuration to install patches for Windows and Linux VMs using the azurerm_automation_patch_configuration resource: provider "azurerm" { features {} } resource "azurerm_automation_account" "example" { name = "automationaccount" location = "West Europe" resource_group_name = azurerm_resource_group.example.name sku_name = "Basic" } resource "azurerm_automation_patch_configuration" "windows_patch_config" { name = "WindowsPatchConfig" resource_group_name = azurerm_resource_group.example.name automation_account_name = azurerm_automation_account.example.name operating_system = "Windows" schedule { frequency = "Month" interval = 1 start_time = "2024-04-27T00:00:00+00:00" } windows_configuration { included_update_classifications = ["Critical", "Security"] excluded_kb_numbers = ["KB123456"] included_kb_numbers = ["KB987654"] } } resource "azurerm_automation_patch_configuration" "linux_patch_config" { name = "LinuxPatchConfig" resource_group_name = azurerm_resource_group.example.name automation_account_name = azurerm_automation_account.example.name operating_system = "Linux" schedule { frequency = "Month" interval = 1 start_time = "2024-04-27T00:00:00+00:00" } linux_configuration { included_packages = ["openssl", "openssh"] excluded_packages = ["nginx"] } } Finally The above configuration creates an Automation Account in Azure and defines patch configurations for both Windows and Linux VMs, specifying the patching schedules and other relevant settings. You can adjust the configuration and the scope as needed to fit your specific requirements. References For more information and reading: Terraform Registry: azurerm_maintenance_configuration GitHub Issue: Could not create azure maintenance configuration with scope InGuestPatch Azure Maintenance Configuration - Examples and best practices 20% Source: Conversation with Microsoft Bing, 4/27/2024. Additional resources: Check the right side of this page. Accept Answer I hope this is helpful! Do not hesitate to let me know if you have any other questions. ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution. Best Regards, Sina Salam

can we create manintenance configuration only with azurerm provider not with azureapi

Accepted answer

Sina Salam 3,886 Reputation points

2024-04-27T14:32:44.39+00:00
Hello Varma,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

I understand that you would like to know if there is possibility to create maintenance configurations solely using the azurerm without relying on the azureapi provider. Also, you seek further information on configuring patch installations for both Windows and Linux VMs, including other relevant arguments, if possible.

Scenario

You are tasked with automating maintenance configurations for virtual machines (VMs). Your goal is to create patching configurations for both Windows and Linux VMs using only the azurerm provider. You need to ensure that the configurations include scheduling details and specific settings for patch installations, tailored for each operating system and all maintenance configuration is performed by azurerm.

Solution

This prescribed solution was based on the scenario given and your questions, while focusing on the problem statement. From your first question:

can we create manintenance configuration only with azurerm provider not with azureapi

Yes, you can create maintenance configurations using only the azurerm provider in Terraform without relying on the azureapi provider. This is an example of how you can define a maintenance configuration:

provider "azurerm" { features {} } resource "azurerm_resource_group" "example" { name = "example-resources" location = "West Europe" } resource "azurerm_maintenance_configuration" "example" { name = "example-mc" resource_group_name = azurerm_resource_group.example.name scope = "InGuestPatch" # Specify the maintenance scope # Other configuration settings go here }

Your second question:

could you please provide more info on assigning install patches, windows, linux and other arguments.

To configure maintenance tasks, including installing patches for Windows and Linux machines, you can utilize the azurerm_automation_patch_configuration resource in Terraform. This resource allows you to define patch configurations for virtual machines in Azure.

Below is an example of Terraform configuration demonstrating how you can create a maintenance configuration to install patches for Windows and Linux VMs using the azurerm_automation_patch_configuration resource:

provider "azurerm" { features {} } resource "azurerm_automation_account" "example" { name = "automationaccount" location = "West Europe" resource_group_name = azurerm_resource_group.example.name sku_name = "Basic" } resource "azurerm_automation_patch_configuration" "windows_patch_config" { name = "WindowsPatchConfig" resource_group_name = azurerm_resource_group.example.name automation_account_name = azurerm_automation_account.example.name operating_system = "Windows" schedule { frequency = "Month" interval = 1 start_time = "2024-04-27T00:00:00+00:00" } windows_configuration { included_update_classifications = ["Critical", "Security"] excluded_kb_numbers = ["KB123456"] included_kb_numbers = ["KB987654"] } } resource "azurerm_automation_patch_configuration" "linux_patch_config" { name = "LinuxPatchConfig" resource_group_name = azurerm_resource_group.example.name automation_account_name = azurerm_automation_account.example.name operating_system = "Linux" schedule { frequency = "Month" interval = 1 start_time = "2024-04-27T00:00:00+00:00" } linux_configuration { included_packages = ["openssl", "openssh"] excluded_packages = ["nginx"] } }

Finally

The above configuration creates an Automation Account in Azure and defines patch configurations for both Windows and Linux VMs, specifying the patching schedules and other relevant settings. You can adjust the configuration and the scope as needed to fit your specific requirements.

References

For more information and reading:

Terraform Registry: azurerm_maintenance_configuration

GitHub Issue: Could not create azure maintenance configuration with scope InGuestPatch

Azure Maintenance Configuration - Examples and best practices

20% Source: Conversation with Microsoft Bing, 4/27/2024.

Additional resources: Check the right side of this page.

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
Please sign in to rate this answer.
Varma 1,170 Reputation points

2024-04-27T14:43:40.8266667+00:00

Hi Sina,

For 1st answer, I have already tried that but after creating maintenance configuration I dont see way to add install patches block, windows , linux and window block.

I need to create maintenance configuration for VMs weekly at 5.30 PM Wednesday with dynamic scope, i dont see all these options in the first answer.

second solution is not with azure update manager instead you have given automation account which is legacy one.

Please suggest how to achive using azurerm configuration. I have tried with azureapi as below, but I am looking for azurerm provider only and specific to azure update manager.

here is the file I have tried using azure api and it worked except dynamic scope. Please suggest can we implement/amend below template which should not give any error when I use azurerm. if so can you provide me the updated template.

provider "azurerm" { features {} } terraform { required_providers { azapi = { source = "Azure/azapi" version = "=0.4.0" } } } resource "azurerm_resource_group" "rg" { name = "rg1" location = "South India" } locals { vmlist = ["test1", "test2"] } locals { vmlist2 = [ "test4"] } resource "azapi_resource" "vm_maintenance" { type = "Microsoft.Maintenance/maintenanceConfigurations@2021-09-01-preview" name = "mc1" parent_id = "/subscriptions/XXXX/resourceGroups/rg1" location = azurerm_resource_group.rg.location body = jsonencode({ properties = { visibility = "Custom" namespace = "Microsoft.Maintenance" maintenanceScope = "InGuestPatch" extensionProperties = { "InGuestPatchMode" = "User" } maintenanceWindow = { startDateTime = formatdate("YYYY-MM-DD 17:30", timestamp()) expirationDateTime = null duration = "PT3H30M" timeZone = "Eastern Standard Time" recurEvery = "120Hour" } installPatches = { linuxParameters = { classificationsToInclude = ["Critical", "Security", "Other"] packageNameMasksToExclude = null packageNameMasksToInclude = null } windowsParameters = { classificationsToInclude = ["Critical", "Security" , "UpdateRollup", "FeaturePack" , "ServicePack", "Definition" ,"Tools", "Updates" ] kbNumbersToExclude = null kbNumbersToInclude = null } rebootSetting = "RebootIfRequired" } } }) } resource "azapi_resource" "vm_maintenance_assignment" { for_each = toset(local.vmlist) type = "Microsoft.Maintenance/configurationAssignments@2021-09-01-preview" name = "vmmcassigment" parent_id = "/subscriptions/XXXXX/resourceGroups/example-resources/providers/Microsoft.Compute/virtualMachines/${each.value}" location = "East US 2" body = jsonencode({ properties = { maintenanceConfigurationId = azapi_resource.vm_maintenance.id } }) } resource "azapi_resource" "vm_maintenance_assignment2" { for_each = toset(local.vmlist2) type = "Microsoft.Maintenance/configurationAssignments@2021-09-01-preview" name = "vmmcassigment" parent_id = "/subscriptions/XXXXX/resourceGroups/acr-rg1/providers/Microsoft.Compute/virtualMachines/${each.value}" location = "East US 2" body = jsonencode({ properties = { maintenanceConfigurationId = azapi_resource.vm_maintenance.id } }) } resource "azapi_resource" "symbolicname" { type = "Microsoft.Maintenance/configurationAssignments/dynamicscope@2023-04-01" schema_validation_enabled = false name = "dynamicscope" parent_id = "/subscriptions/XXXXX/" body = jsonencode({ properties = { filter = { osTypes = [ "Windows" ] resourceGroups = [ "DS" ] resourceTypes = [ "Microsoft.Compute/virtualMachines" ] tagSettings = { filterOperator = "" tags = {} } } maintenanceConfigurationId = "/subscriptions/XXXX/resourcegroups/rg1/providers/microsoft.maintenance/maintenanceconfigurations/mc1" resourceId = "93048f2d-2d0f-44cc-b12c-4df25a3c5ff5" } }) }

Looking forword for your response. thank you

Sina Salam 3,886 Reputation points

2024-04-27T15:11:48.2466667+00:00

Hi Varma,

Thank you for your feedback. assuming you've provided full details earlier, it might have been easier. But now as your previous attempt with the Azure API provider, but with adjustments to fit AzureRM's capabilities:

provider "azurerm" { features {} } resource "azurerm_resource_group" "rg" { name = "rg1" location = "South India" } locals { vmlist = ["test1", "test2"] } locals { vmlist2 = ["test4"] } resource "azurerm_maintenance_configuration" "vm_maintenance" { name = "mc1" resource_group_name = azurerm_resource_group.rg.name scope = "InGuestPatch" windows_configuration { classifications_to_include = ["Critical", "Security", "UpdateRollup", "FeaturePack", "ServicePack", "Definition", "Tools", "Updates"] kb_numbers_to_exclude = [] kb_numbers_to_include = [] } linux_configuration { classifications_to_include = ["Critical", "Security", "Other"] package_name_masks_to_exclude = [] package_name_masks_to_include = [] } schedule { frequency = "Weekly" start_time = "2024-04-25T17:30:00+00:00" # Wednesday 5:30 PM time_zone = "India Standard Time" } } resource "azurerm_maintenance_configuration_assignment" "vm_maintenance_assignment" { for_each = toset(local.vmlist) name = "vmmcassigment" configuration_name = azurerm_maintenance_configuration.vm_maintenance.name resource_group_name = azurerm_resource_group.rg.name target_resource_id = "/subscriptions/XXXXX/resourceGroups/example-resources/providers/Microsoft.Compute/virtualMachines/${each.value}" target_resource_region = "East US 2" } resource "azurerm_maintenance_configuration_assignment" "vm_maintenance_assignment2" { for_each = toset(local.vmlist2) name = "vmmcassigment" configuration_name = azurerm_maintenance_configuration.vm_maintenance.name resource_group_name = azurerm_resource_group.rg.name target_resource_id = "/subscriptions/XXXXX/resourceGroups/acr-rg1/providers/Microsoft.Compute/virtualMachines/${each.value}" target_resource_region = "East US 2" }

In this configuration:

azurerm_maintenance_configuration defines the maintenance configuration with schedules and patch settings for both Windows and Linux VMs.

azurerm_maintenance_configuration_assignment assigns the maintenance configuration to each VM specified in the local lists.

Notice schedule to Weekly at specific day and time.

I am still working on it................................... check and revert. while i work on second part.

Varma 1,170 Reputation points

2024-04-27T15:22:08.2166667+00:00

Hi Sina,

Thank you for looking in to it.

I have used the template you have given, you can see below resource azurerm_maintenance_configuration block is giving syntax issues it seems.

and other concern is dynamic scope...

Looking Forword to hear from you,

Sina Salam 3,886 Reputation points

2024-04-27T15:48:10.94+00:00

Check the formatting, there is no syntax error.

Ensure they're aligned

Varma 1,170 Reputation points

2024-04-27T16:03:19.32+00:00

Hi SIna,

For me it is saying unsupported block. please find below.

below code iam using:

provider "azurerm" { features {} } resource "azurerm_resource_group" "rg" { name = "rgname" location = "South India" } locals { vmlist = ["lab1"] } locals { vmlist2 = ["lab3"] } resource "azurerm_maintenance_configuration" "vm_maintenance" { name = "azurerm" resource_group_name = azurerm_resource_group.rg.name scope = "InGuestPatch" windows_configuration { classifications_to_include = ["Critical", "Security", "UpdateRollup", "FeaturePack", "ServicePack", "Definition", "Tools", "Updates"] kb_numbers_to_exclude = [] kb_numbers_to_include = [] } linux_configuration { classifications_to_include = ["Critical", "Security", "Other"] package_name_masks_to_exclude = [] package_name_masks_to_include = [] } schedule { frequency = "Weekly" start_time = "2024-04-25T17:30:00+00:00" # Wednesday 5:30 PM time_zone = "India Standard Time" } } resource "azurerm_maintenance_configuration_assignment" "vm_maintenance_assignment" { for_each = toset(local.vmlist) name = "vmmcassigment" configuration_name = azurerm_maintenance_configuration.vm_maintenance.name resource_group_name = azurerm_resource_group.rg.name target_resource_id = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/resourceGroups/rgname/providers/Microsoft.Compute/virtualMachines/${each.value}" target_resource_region = "East US 2" } resource "azurerm_maintenance_configuration_assignment" "vm_maintenance_assignment2" { for_each = toset(local.vmlist2) name = "vmmcassigment" configuration_name = azurerm_maintenance_configuration.vm_maintenance.name resource_group_name = azurerm_resource_group.rg.name target_resource_id = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/resourceGroups/acr-rg1/providers/Microsoft.Compute/virtualMachines/${each.value}" target_resource_region = "East US 2" }

can you correct and give me updated file?

Sina Salam 3,886 Reputation points

2024-04-27T16:04:50.06+00:00

That should be solved now.

About dynamic scope.

Determine the criteria based on which you want to dynamically assign the maintenance configuration. This could be resource names, tags, locations, or any other attribute that distinguishes the resources you want to target.

You can implement dynamic scope assignment like below:

# Fetch information about virtual machines data "azurerm_virtual_machines" "vms" { resource_group_name = azurerm_resource_group.rg.name } # Filter virtual machines based on specific criteria (e.g., tags) locals { filtered_vms = [for vm in data.azurerm_virtual_machines.vms : vm if contains(keys(vm.tags), "environment") && vm.tags.environment == "production"] } # Assign maintenance configuration dynamically to filtered virtual machines resource "azurerm_maintenance_configuration_assignment" "vm_maintenance_assignment" { for_each = { for vm in local.filtered_vms : vm.id => vm } name = "vmmcassigment-${each.value.name}" configuration_name = azurerm_maintenance_configuration.vm_maintenance.name resource_group_name = azurerm_resource_group.rg.name target_resource_id = each.value.id target_resource_region = each.value.location }

What I have done here in this example was that:

We fetch information about virtual machines using the azurerm_virtual_machines data source.

We filter the virtual machines based on a specific tag (environment=production).

We then dynamically assign the maintenance configuration to the filtered virtual machines by iterating over them and creating configuration assignments for each one.

You can adjust the filtering logic to suit your need.

Regards,

Varma 1,170 Reputation points

2024-04-27T16:18:33.07+00:00

Hi Sina,

Thank you

is really below block worked for you? I tried multiple times but no luck, can you suggest what is the fix for this and also can you give me copy of your code which worked for you?

Sina Salam 3,886 Reputation points

2024-04-27T16:22:28.2466667+00:00

About the error.............. remove the block quotes "" or use '' single or none. Try it.

The windows_configuration and linux_configuration blocks are defined directly within the azurerm_maintenance_configuration resource.

Each configuration includes the appropriate settings for Windows and Linux, such as classifications_to_include, kb_numbers_to_exclude, kb_numbers_to_include, and reboot_setting.

With this modification, the code should now be valid and ready for use.

Varma 1,170 Reputation points

2024-04-27T16:31:04.72+00:00

Hi SIna,

let me check

Varma 1,170 Reputation points

2024-04-27T16:37:38.79+00:00

Hi SIna,

Still not working , can you please give your code of snippet which worked for you?

Sina Salam 3,886 Reputation points

2024-04-27T16:39:39.7933333+00:00

Hi,

The code is the same as I have given you.

Varma 1,170 Reputation points

2024-04-27T16:44:00.5633333+00:00

Hi Sina,

I am not sure why it is not working, is there any extension that i need to install in terraform?

do you mind having quick zoom call?

Yes, When working with Terraform to manage Azure resources, you might need to use certain extensions or plugins. Azure Virtual Machine Extensions is a key for this scenario.

Chech how to do it on StackOverflow:

https://stackoverflow.com/questions/54088476/terraform-azurerm-virtual-machine-extension

Sina Salam 3,886 Reputation points

2024-04-27T16:52:00.6866667+00:00

The code is working, perhaps we might need to escalate to use azure support.

Sina Salam 3,886 Reputation points

2024-04-27T17:03:20.7466667+00:00

Hi

I have tried the code on VS Code using arm, terraform console and Azure DevOps Terraform.

What platform are you using for your template?

Varma 1,170 Reputation points

2024-04-27T17:09:44.43+00:00

Hi SIna,

I am also using VS code. I have added location then most of the syntax errors gone, but below 3 blocks names are still mentioning as unsupported. Please suggest further.

PS I:\Terraform1\hashicorp-certified-terraform-associate-on-azure\test3> terraform validate

╷

│ Error: Unsupported block type

│

│ on main.tf line 19, in resource "azurerm_maintenance_configuration" "vm_maintenance":

│ 19: windows_configuration {

│

│ Blocks of type "windows_configuration" are not expected here.

╵

╷

│ Error: Unsupported block type

│

│ on main.tf line 24, in resource "azurerm_maintenance_configuration" "vm_maintenance":

│ 24: linux_configuration {

│

│ Blocks of type "linux_configuration" are not expected here.

Sina Salam 3,886 Reputation points

2024-04-27T17:20:25.9033333+00:00

Okay, let's define the block of code directly. for example:

provider "azurerm" { features {} } resource "azurerm_resource_group" "rg" { name = "rg1" location = "South India" } resource "azurerm_maintenance_configuration" "vm_maintenance" { name = "mc1" resource_group_name = azurerm_resource_group.rg.name scope = "InGuestPatch" windows_configuration { classifications_to_include = ["Critical", "Security", "UpdateRollup", "FeaturePack", "ServicePack", "Definition", "Tools", "Updates"] kb_numbers_to_exclude = [] kb_numbers_to_include = [] reboot_setting = "RebootIfRequired" } linux_configuration { classifications_to_include = ["Critical", "Security", "Other"] package_name_masks_to_exclude = [] package_name_masks_to_include = [] reboot_setting = "RebootIfRequired" } schedule { frequency = "Weekly" start_time = "2024-04-25T17:30:00+00:00" # Wednesday 5:30 PM time_zone = "India Standard Time" } }

Try and revert

My time is up here.

Varma 1,170 Reputation points

2024-04-27T17:28:27.1033333+00:00

Still the same, no luck.

Varma 1,170 Reputation points

2024-04-27T17:44:20.4333333+00:00

and still same problem, what is the way now to make it work?

and other note, can not we use below configuration assignment for dynamic scope instead of using data source?

https://learn.microsoft.com/en-us/azure/templates/microsoft.maintenance/configurationassignments?pivots=deployment-language-terraform

Sina Salam 3,886 Reputation points

2024-04-27T17:54:35.9333333+00:00

you've said you don't want to use azureapi.........................

You can try it.

Varma 1,170 Reputation points

2024-04-28T08:51:13.5966667+00:00

Hi Sina,

1.

Any luck on syntax issues.?

and on the other hand, I am trying to use data source but could you please suggest what I am missing here.

3.

and what is the target resource group from below is it where machines eixst resource group or resource group where maintenace configuration exist?

and also could you please suggest target resource id and target resource region?

Sina Salam 3,886 Reputation points

2024-04-28T11:18:38.3633333+00:00

Do you have that resource group name created in azure under a subscription? If not do that,

is where the maintenance configuration (azurerm_maintenance_configuration) will be created.

Sina Salam 3,886 Reputation points

2024-04-28T11:26:55.9+00:00

Hi,

without any hurry, take time to check through the below instructions.

For effectiveness: Use the Terraform CLI.

If you don't have need to reinstall Terraform on your machine, you must have installed before. So, check for updates to Terraform and keep your version up to date to ensure compatibility with the latest features and improvements.

1b. update your Terraform installation to the latest version, you can use the following command: terraform -install -upgrade

very important: Terraform needs access to your Azure account to provision resources. You can configure Azure credentials using one of the supported methods, such as using the Azure CLI to log in (az login) or using a service principal.

2b. Ensure all the subscription and resource group name are correct. The resource group being targeted is the one where the maintenance configuration will exist. This resource group may or may not be the same as the resource group where your virtual machines exist. It depends on your specific architecture and organizational preferences.

run terraform init where Terraform configuration files are located (where your .tf files reside).

You can generate an execution plan by running terraform plan. Before applying the changes to your Azure environment, it's a good practice to review what Terraform plans to do.

4b. If the plan looks good, you can apply the changes by running terraform apply. This will create or update the Azure resources specified in your Terraform configuration.

Once Terraform has finished applying the configuration, you can verify in the Azure portal or using Azure CLI commands that the resources have been provisioned as expected.

The code is good so far.

Sina Salam 3,886 Reputation points

2024-04-30T02:13:03.21+00:00

Hi,

You can try this corrected code for your Terraform configuration using azurerm scenario:

provider "azurerm" { features {} } resource "azurerm_resource_group" "rg" { name = "rg1" location = "West Europe" # Update this with a valid Azure region } resource "azurerm_maintenance_configuration" "example" { name = "example-mc" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location scope = "InGuestPatch" # Update this with a valid scope value // ... other required arguments ... } locals { vmlist = ["test1", "test2"] } locals { vmlist2 = ["test4"] } resource "azurerm_maintenance_configuration" "vm_maintenance" { name = "mc1" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location scope = "InGuestPatch" # Corrected duration format window { start_date_time = "2024-04-25T17:30:00Z" expiration_date_time = "2024-05-25T17:30:00Z" duration = "01:00" # Corrected duration format time_zone = "UTC" recur_every = "Weekly" } # ... other configuration ... install_patches { linux { classifications_to_include = ["Critical", "Security", "Other"] } windows { classifications_to_include = ["Critical", "Security", "UpdateRollup", "FeaturePack", "ServicePack", "Definition", "Tools", "Updates"] } reboot = "IfRequired" // Possible values: Always, IfRequired, Never } // ... other required arguments ... } # Corrected resource type for maintenance assignment resource "azurerm_maintenance_assignment_virtual_machine" "vm_maintenance_assignment" { for_each = toset(local.vmlist) location = azurerm_resource_group.rg.location maintenance_configuration_id = azurerm_maintenance_configuration.vm_maintenance.id virtual_machine_id = "/subscriptions/XXXXX/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/${each.value}" } resource "azurerm_maintenance_assignment_virtual_machine" "vm_maintenance_assignment2" { for_each = toset(local.vmlist2) location = azurerm_resource_group.rg.location maintenance_configuration_id = azurerm_maintenance_configuration.vm_maintenance.id virtual_machine_id = "/subscriptions/XXXXX/resourceGroups/acr-rg1/providers/Microsoft.Compute/virtualMachines/${each.value}" }

All the code are fine now.

Run Terraform plan first.

You should have this error message:

Planning failed. Terraform encountered an error while generating this plan. ╷ │ Error: unable to build authorizer for Resource Manager API: could not configure AzureCli Authorizer: could not parse Azure CLI version: launching Azure CLI: exec: "az": executable file not found in %PATH% │ │ with provider["registry.terraform.io/hashicorp/azurerm"], │ on Varma.tf line 1, in provider "azurerm": │ 1: provider "azurerm" { │

You only need to authorize terraform to Azure resources RM either from Azure CLI or they way you do it.

Ensure you review the code and change necessary parameters.

Success.

Varma 1,170 Reputation points

2024-04-30T07:07:30.3766667+00:00

Hi Sina,

I tried above template, but giving the following error. what guest patch mode it is referring? and where to mention that? Please suggest further

FYI: we use customer managed schedule as patch orchestration mode for all VMs, so how and where to declare this in template?

Error:

azurerm_resource_group.rg: Creation complete after 3s [id=/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/resourceGroups/rg1]

azurerm_maintenance_configuration.vm_maintenance: Creating...

╷

│ Error: in_guest_user_patch_mode must be specified when scope is InGuestPatch

│

│ with azurerm_maintenance_configuration.vm_maintenance,

│ on main.tf line 26, in resource "azurerm_maintenance_configuration" "vm_maintenance":

│ 26: resource "azurerm_maintenance_configuration" "vm_maintenance" {

Sina Salam 3,886 Reputation points

2024-04-30T09:42:07.27+00:00

Hi,

As I said, modify all the parameter to your own configurations.

Scope: This defines the coverage of the maintenance activities. Possible values include Extension, Host, InGuestPatch, OSImage, SQLDB, or SQLManagedInstance et al.

InGuestPatch: When set as the scope, it specifies that the maintenance configuration is for patching the software inside the virtual machine. This can be further configured to define whether the patch mode is managed by the user or the platform.

Do the below, before running your terraform plan.

This is the code right in my VS Code.

All these have answered your questions on:

how you can create manintenance configuration only with azurerm provider not with azureapi, and how you can assign install patches, for windows, linux and other arguments.

I wish you all the best.

Varma 1,170 Reputation points

2024-04-30T11:07:21.61+00:00

HI Sina,

I also gave same code, and I am aware that scope includes different values, in that one is guest patch, in that guest patch also it is expecting to declare value as per below error:

│ Error: window must be specified when scope is InGuestPatch

│

│ with azurerm_maintenance_configuration.example,

│ on main.tf line 10, in resource "azurerm_maintenance_configuration" "example":

│ 10: resource "azurerm_maintenance_configuration" "example" {

│

╵

╷

│ Error: in_guest_user_patch_mode must be specified when scope is InGuestPatch

│

│ with azurerm_maintenance_configuration.vm_maintenance,

│ on main.tf line 26, in resource "azurerm_maintenance_configuration" "vm_maintenance":

│ 26: resource "azurerm_maintenance_configuration" "vm_maintenance" {

I used same code, but not sure why it is giving error, could you please review code I am using below one.

provider "azurerm" { features {} } resource "azurerm_resource_group" "rg" { name = "rg1" location = "West Europe" # Update this with a valid Azure region } resource "azurerm_maintenance_configuration" "example" { name = "example-mc" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location scope = "InGuestPatch" # Update this with a valid scope value // ... other required arguments ... } locals { vmlist = ["VM1"] } # locals { # vmlist2 = ["test4"] # } resource "azurerm_maintenance_configuration" "vm_maintenance" { name = "mc1" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location scope = "InGuestPatch" # Corrected duration format window { start_date_time = "2024-04-25T17:30:00Z" expiration_date_time = "2024-05-25T17:30:00Z" duration = "01:00" # Corrected duration format time_zone = "UTC" recur_every = "Weekly" } # ... other configuration ... install_patches { linux { classifications_to_include = ["Critical", "Security", "Other"] } windows { classifications_to_include = ["Critical", "Security", "UpdateRollup", "FeaturePack", "ServicePack", "Definition", "Tools", "Updates"] } reboot = "IfRequired" // Possible values: Always, IfRequired, Never } // ... other required arguments ... } # Corrected resource type for maintenance assignment resource "azurerm_maintenance_assignment_virtual_machine" "vm_maintenance_assignment" { for_each = toset(local.vmlist) location = azurerm_resource_group.rg.location maintenance_configuration_id = azurerm_maintenance_configuration.vm_maintenance.id virtual_machine_id = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/resourceGroups/DS/providers/Microsoft.Compute/virtualMachines/${each.value}" } # resource "azurerm_maintenance_assignment_virtual_machine" "vm_maintenance_assignment2" { # for_each = toset(local.vmlist2) # location = azurerm_resource_group.rg.location # maintenance_configuration_id = azurerm_maintenance_configuration.vm_maintenance.id # virtual_machine_id = "/subscriptions/93048f2d-2d0f-44cc-b12c-4df25a3c5ff5/resourceGroups/acr-rg1/providers/Microsoft.Compute/virtualMachines/${each.value}" # }

and you can see my terraform version is updated and it is latest version.

Sina Salam 3,886 Reputation points

2024-04-30T11:37:28.05+00:00

I don't have those error.......................

But, the errors you’re encountering are due to missing required properties for the azurerm_maintenance_configuration resource when the scope is set to InGuestPatch. According to the Terraform documentation and other issues, when using InGuestPatch, you must specify a window block and the in_guest_user_patch_mode property.

How you can resolve the errors:

Window Block: You need to define a window block for each azurerm_maintenance_configuration resource. You’ve already done this for the vm_maintenance resource, but it’s missing for the example resource.

InGuestPatchMode Property: You need to specify the in_guest_user_patch_mode property within the properties block. This property can have values like AutomaticByPlatform or AutomaticByOS.

Check the below code very well and replace the concern part of the code only.

resource "azurerm_maintenance_configuration" "example" { name = "example-mc" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location scope = "InGuestPatch" window { start_date_time = "2024-04-25T17:30:00Z" expiration_date_time = "2024-05-25T17:30:00Z" duration = "01:00" time_zone = "UTC" recur_every = "Weekly" } properties { "InGuestPatchMode" = "AutomaticByPlatform" # or "AutomaticByOS" } // ... other required arguments ... }

Varma 1,170 Reputation points

2024-04-30T16:41:49.77+00:00

Hi Sina,

finally it worked when I set to user, please find attached image thank you

IMG_2590.jpeg
Sign in to comment