Issues Setting up a Kali Linux Virtual Machine in Azure with Terraform

Just a quick post to show how I solved a few issues I had while trying to quickly provision a Kali Linux Virtual Machine in Azure with Terraform.

A quick disclaimer, I am still quite new to Azure and I am having teething problems with work that I would have otherwise done very quickly in AWS. To begin here is some basic code to setup a Linux VM (I will leave out the extra details and allow you to decide upon SSH and password requirements for now):

resource "azurerm_linux_virtual_machine" "kali_linux_vm" {
  name                = "kali-linux-vm"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  size                = "Standard_DS2_v2"
  admin_username      = "adminuser"
  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]

  admin_ssh_key {
    username   = "adminuser"
    public_key = file("~/.ssh/id_rsa.pub")
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "kali-linux"
    offer     = "kali"
    sku       = "kali-2024-2"
    version   = "latest"
  }

  plan {
    name      = "kali-2024-2"
    publisher = "kali-linux"
    product   = "kali"
  }
}

Very basic and very readable. “But Mike!” I hear you say, “The “plan” isn’t on the example on the Terraform website! And where did you get all that amazing information?”. Very well observed, I shall respond. BASICALLY, my VM complained profusely if there wasn’t a plan block included. So I included it. And where did I get all that lovely information from? Well I had to tiptoe into the marketplace. That wonderful joint. And from there decided which image I would like to deploy. This time I chose Kali Linux. Aww, cute. You see, the values in Terraform need to exactly match the infrastructure in the marketplace. The next step is to use the Azure CLI to obtain a nice table of what is available to us.

az login
az vm image list --publisher kali-linux --all --output table

From here you will see a table that includes Architecture, Offer, Publisher, Sku, Urn and Version. These match the source_image_reference requirements easily but not the plan.

For the plan you want to match publisher = publisher, offer = product and sku = name. See above Terraform for reference.

Why Do We Need A Plan Block?

I don’t really know! ChatGPT says that some marketplace images are private and just do so deal with it 😎. You could probably check by running more elaborate CLI commands but no one needs that in their life.

Further Issues

Upon Apply I also had an issue I didn’t expect and wasn’t recreatable within the portal if I created resources manually.

What happened was I got this strange error, something like:

unexpected status 400 (400 Bad Request) with error: ResourcePurchaseValidationFailed: User failed validation to purchase resources. Error message: 'You have not accepted the legal terms on this subscription: '***' for this plan. Before the subscription can be used, you need to accept the legal terms of the image.'

So I tried shouting “I ACCEPT” at my machine but nothing happened. SO instead I decided to look into how to solve this issue, starting with Terraform.

On the Terraform Registry there is a very vague agreement resource that says it works sometimes but not all the time. “Awesome” I thought!

And as expected it didn’t work. It also didn’t work if I put a depends_on statement in my vm code. At this point I did feel like throwing the towel in but I continued. This is what worked for me. And it’s more CLI work but hey there you go.

az vm image terms accept --publisher kali-linux --offer kali --plan kali

az vm image terms show --publisher kali-linux --offer kali --plan kali
 

The second command should display "accepted", true, in lovely readable json at the top of the result.

Therefore I needed to accept the terms manually in the CLI before it could build the resource.

I don’t like this! And if this works for you, I bet you won’t like it either! It should be acceptable in the pipeline or apply stage of your build but anyway. This worked for me. I have much more to learn but before I forgot all about this, I wanted to share my experience.