Terraform Enable-PSRemoting on an Azure Windows VM

Question description. Votes: 0, Answers: 1

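I am setting up Azure cloud using Terraform v0.12.9 on a Windows VM. On that VM, I want to perform the following tasks using Terraform. Basically, this is to avoid having to RDP into the VM and run scripts manually.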

1. Enable PSRemoting
2. Create a new FirewallRule
3. Create a SelfSignedCertificate

I have a vm_provisioning.tf as follows:

resource "azurerm_virtual_machine" "vm" {
    #count               = "${var.env == "dev" ? 0 : 1}"
    count               = "${var.env == "dev"  ? 0 : 1}"
    name                  = var.vm_name
    location              = "${azurerm_resource_group.rg.location}"
    resource_group_name   = "${azurerm_resource_group.rg.name}"
    network_interface_ids = ["${azurerm_network_interface.network-interface[count.index].id}"]
    vm_size               = "Standard_D13_v2"

    storage_image_reference {
        publisher = "MicrosoftWindowsDesktop"
        offer     = "Windows-10"
        sku       = "rs4-pro"
        version   = "latest"
    }
    storage_os_disk {
        name              = "Primary-disk"
        caching           = "ReadWrite"
        create_option     = "FromImage"
        managed_disk_type = "Standard_LRS"
        disk_size_gb      = "127"
    }
    os_profile {
        computer_name  = var.vm_name
        admin_username = "${var.vm-username}"
        admin_password = "${random_password.vm_password.result}"
    }

    os_profile_windows_config {                   
    }
    provisioner "remote-exec" {
        connection {
            host        = "${element(azurerm_public_ip.PublicIP.*.ip_address, count.index)}"
            type        = "winrm"
            user        = var.vm-username
            password    = "${random_password.vm_password.result}"
            agent       = "false"
            insecure    = "true"
        }
        inline = [
            "powershell.exe Set-ExecutionPolicy Bypass -force",
            "powershell.exe $DNSName = $env:COMPUTERNAME",
            "powershell.exe Enable-PSRemoting -Force",
            "powershell.exe New-NetFirewallRule -Name 'WinRM HTTPS' -DisplayName 'WinRM HTTPS' -Enabled True -Profile 'Any' -Action 'Allow' -Direction 'Inbound' -LocalPort 5986 -Protocol 'TCP'",
            "powershell.exe $thumbprint = (New-SelfSignedCertificate -DnsName $DNSName -CertStoreLocation Cert:/LocalMachine/My).Thumbprint",
            "powershell.exe $cmd = 'winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=''$DNSName''; CertificateThumbprint=''$thumbprint''}'",
            "powershell.exe cmd.exe /C $cmd"
        ]
    }
}

I also tried azurerm_virtual_machine_extension:

resource "azurerm_virtual_machine_extension" "winrm" {
  name                 = var.name
  location             = "${azurerm_resource_group.rg.location}"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_machine_name = var.vm_name
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScriptExtension"
  type_handler_version = "2.0"

  settings = <<SETTINGS
    {
        "commandToExecute": "hostname && uptime"
    }
    SETTINGS
}

With azurerm_virtual_machine_extension, I ran into an error.

##[error]Terraform command 'apply' failed with exit code '1'.:  compute.VirtualMachineExtensionsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="OperationNotAllowed" Message="This operation cannot be performed when extension operations are disallowed. To allow, please ensure VM Agent is installed on the VM and the osProfile.allowExtensionOperations property is true."
terraform azure-virtual-machine powershell-remoting terraform-provider-azure
1 Answer
0
votes

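According to the error message, you need to include an os_profile_windows_config block. It supports the following:

provision_vm_agent - (Optional) Should the Azure Virtual Machine Guest Agent be installed on this Virtual Machine? Defaults to false.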

  os_profile_windows_config {
    provision_vm_agent  = true

  }
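
The three tasks from the question, written as one script so that `$dnsName` and `$thumbprint` stay in a single PowerShell session (each `powershell.exe` entry in the `inline` list starts a separate process, so variables set in one entry are gone in the next). This is an added example, not code from the question or the answer. Assumptions: the file name is hypothetical, the script runs elevated on the VM, and the `203.0.113.0/24` source range is a placeholder to replace with your own management network.

```powershell
# Configure-WinRMHttps.ps1 (hypothetical file name). Run elevated on the VM.
# All steps share one PowerShell session, so $dnsName and $thumbprint persist.
$ErrorActionPreference = 'Stop'

# Assumption: clients connect using the computer name. The certificate subject
# must match the name clients actually use, otherwise validation fails.
$dnsName = $env:COMPUTERNAME

# Assumption: placeholder management range (TEST-NET-3); replace with your own.
$allowedSource = '203.0.113.0/24'

# 1. Enable PowerShell remoting. -SkipNetworkProfileCheck lets this succeed on a
#    client OS whose network profile is Public.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 2. Create the self-signed certificate only if a valid one is not already there.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation Cert:\LocalMachine\My
}
$thumbprint = $cert.Thumbprint

# 3. Create the HTTPS listener unless one already exists (safe to re-run).
$https = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $https) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $dnsName -CertificateThumbPrint $thumbprint -Force | Out-Null
}

# 4. Open 5986/TCP inbound, limited to the management range instead of any source.
if (-not (Get-NetFirewallRule -Name 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'WinRM HTTPS' -DisplayName 'WinRM HTTPS' -Enabled True `
        -Profile Any -Action Allow -Direction Inbound -LocalPort 5986 -Protocol TCP `
        -RemoteAddress $allowedSource | Out-Null
}

# Print the listeners so the provisioning log shows the result.
Get-ChildItem WSMan:\localhost\Listener | Format-Table Name, Keys -AutoSize
```

Because the certificate is self-signed, a client validates the connection only after importing that certificate as trusted; the `insecure = "true"` setting in the question's `connection` block skips that validation instead.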