[AVM Module Issue]: Unable to set licenseType to RHEL_BYOS for linux VMs

[oramoss]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Issue Type?

Feature Request

Module Name

avm/res/compute/virtual-machine

(Optional) Module Version

0.2.3

Description

For Linux VMs that use Bring Your Own Subscription, we can't set licenseType to "RHEL_BYOS" for these images because the input parameter only allows Windows values (Windows_Client / Windows_Server) or an empty string.

Need to add "RHEL_BYOS" as an allowed value.

(Optional) Correlation Id

No response

[github-actions]

@oramoss, thanks for submitting this issue for the avm/res/compute/virtual-machine module!

A member of the @azure/avm-res-compute-virtualmachine-module-owners-bicep or @azure/avm-res-compute-virtualmachine-module-contributors-bicep team will review it soon!

[rahalan]

@oramoss thanks for bringing that up. I will investigate

[oramoss]

I'm doing a lot with AVM recently and I've read this article https://johnlokerse.dev/2024/04/10/your-first-contribution-to-azure-verified-modules/ from John Lokerse about contributing...so I'd like to do the fix if I can...if it's as simple as just adding the value to the allowed list on the parameters, of course.

[rahalan]

I'm doing a lot with AVM recently and I've read this article https://johnlokerse.dev/2024/04/10/your-first-contribution-to-azure-verified-modules/ from John Lokerse about contributing...so I'd like to do the fix if I can...if it's as simple as just adding the value to the allowed list on the parameters, of course.

@oramoss That would be awesome. Please read the contribution guide. Basically you need to create your own fork and test environment. After the change you might also need to regenerate the readme file. Feel free to ping me, if you need help.

[oramoss]

I forked it, changed the parameter to allow RHEL_BYOS and then ran the GitHub (after creating a Subscription+RG in my tenant for deployment testing).

I get this:

Am I missing something? I can continue to debug but I'm guessing you will have seent his before and can point me quicker...

[oramoss]

When I try to run the Test locally, with:

Install-Module -Name Pester -Force
$folder = "C:/data/code/bicep-registry-modules"
. $folder/avm/utilities/tools/Set-AVMModule.ps1
. $folder/avm/utilities/tools/Test-ModuleLocally.ps1
$TestModuleLocallyInput = @{
TemplateFilePath = "$folder/avm/res/compute/virtual-machine/main.bicep"
ModuleTestFilePath = "$folder/avm/res/compute/virtual-machine/tests/e2e/windows-defaults/main.test.bicep"
PesterTest = $true
ValidationTest = $false
DeploymentTest = $false
ValidateOrDeployParameters = @{
Location = 'uksouth'
SubscriptionId = 'XXXXXXXXXXX'
RemoveDeployment = $true
}
AdditionalTokens = @{
namePrefix = 'oramoss'
TenantId = 'YYYYYYYYYYYYY'
}
}
$TestModuleLocallyInput.ModuleTestFilePath = "$folder/avm/res/compute/virtual-machine/tests/e2e/windows-defaults/main.test.bicep"
Test-ModuleLocally @TestModuleLocallyInput

...it runs through fine with no failures....

[rahalan]

@oramoss please add both missing Linux values: 'RHEL_BYOS' and 'SLES_BYOS'

[rahalan]

@oramoss the name prefix needs to be a secret in your GH, see 3.1 https://azure.github.io/Azure-Verified-Modules/contributing/bicep/bicep-contribution-flow/#31-set-up-secrets

[oramoss]

Name prefix in secrets worked fine - it builds stuff in my tenant now.
I get several failures, some of which were down to me - my Tenant is laid out using Cloud Adoption Framework and there were lots of policies in the way, so I moved to a Sandbox Subscription and that fixed it.

I now get 6 of the 10 deployments to run successfully.

The 4 failures occur because:
linux-max - complains of authorisation but the Service principal has Owner + User Access Administrator and works fine on all others. Error:

Exception: /home/runner/work/_temp/dc66c607-7139-4670-939c-8c68d0c69c33.ps1:56
Line |
56 | throw $res.exception
| ~~~~~~~~~~~~~~~~~~~~
| 16:25:08 - The deployment 'a-r-c-vm-linux.max-t3-20240417T1604335990Z'
| failed with error(s). Showing 1 out of 1 error(s). Status Message: The
| template deployment failed with error: 'Authorization failed for
| template resource '09b10464-d5db-5376-85c6-d567fca004a2' of type
| 'Microsoft.Authorization/roleAssignments'. The client
| '232547db-xxxx' with object id
| '232547db-xxxx' does not have permission to
| perform action 'Microsoft.Authorization/roleAssignments/write' at scope
| '/subscriptions//resourceGroups/dep--compute.virtualMachines-cvmlinmax-rg/providers/Microsoft.Compute/virtualMachines/***cvmlinmax/providers/Microsoft.Authorization/roleAssignments/09b10464-xxxx'.'. (Code:InvalidTemplateDeployment) CorrelationId: c99b6e6b-1062-4dd9-96f5-15ddd117fcb0

waf-aligned - authorisation again...same error as above...
windows-max - authorisation again...same error as above...
windows.nvidia - quotas issue - I have none (and can't increase from zero for whatever reason) for the relevant SKU:

Exception: /home/runner/work/_temp/5e417921-511e-4f42-a279-532a7e0141e7.ps1:56
Line |
56 | throw $res.exception
| ~~~~~~~~~~~~~~~~~~~~
| 06:44:36 - The deployment
| 'a-r-c-vm-windows.nvidia-t3-20240417T0604064967Z' failed with error(s).
| Showing 1 out of 1 error(s). Status Message: The template deployment
| 'ujcbnkut5nstm-test-cvmwinnvidia-init' is not valid according to the
| validation procedure. The tracking id is
| 'a491e768-xxxx'. See inner errors for details.
| (Code: InvalidTemplateDeployment) - Operation could not be completed
| as it results in exceeding approved StandardNVADSA10v5Family Cores
| quota. Additional details - Deployment Model: Resource Manager,
| Location: eastus, Current Limit: 0, Current Usage: 0, Additional
| Required: 6, (Minimum) New Limit Required: 6. Submit a request for Quota
| increase at

Given that the other 6 work fine, I fail to see how the Service Principal doesn't have the right privileges for the first 3.

For the Nvidia one, I simply don't have the capability to run that one to success due to constraints I can't control.

Thoughts?

[rahalan]

@oramoss The issue is that the Azure Backup Service GUID is tenant specific. You need to find out yours and replace it. Mind you not to forget to change it back, after the tests.

[oramoss]

Ok - great - that GUID change fixed the 3 failures at the top but still leaves the nvidia one.

Ultimately, that one requires a quota of nvidia SKU and I don't have it and can't obtain it....so I'm not sure what I can do here...

[oramoss]

Right, so for Nvidia one I changed the SKU use from Standard_NV6ads_A10_v5 to Standard_NV4as_v4 and it worked:

So, are you saying I now need, on my feature branch, to undo the backup service GUID change and this new NVIDIA SKU change and then do PR from my feature branch to your main?

[rahalan]

@oramoss yes, please create a PR and assign it to me

[oramoss]

Created PR.
I'm not normally a GitHub user and this is my first PR to this repo and more generally opensource.
Not sure how you assign to you @rahalan - doesn't seem to be an option for me...

[rahalan]

@oramoss thanks for your contribution. PR is merged

[oramoss]

Excellent. I'll go an have a quiet sit down now :-)