Summary

If you take the pas-vault-deploy.json template for v13.2 and modify the CustomScriptExtension to execute a custom script that calls configure-vault.ps1, the password of the Administrator user will change during deployment.

Steps to Reproduce

1. Create a script similar to the one below and upload it to an Azure storage account:

param(
    [string]$StorageAccountName,
    [string]$ContainerName,
    [string]$StorageAccountKey,
    [string]$AdminPass,
    [string]$MasterPass,
    [string]$PrimaryOrDR,
    [string]$PrimaryVaultIP,
    [string]$DRPassword,
    [string]$LicenseFileName,
    [string]$RecPubFileName,
    [string]$VKMName,
    [string]$Secret
)
&".\configure-vault.ps1" -AdminPass $AdminPass, -MasterPass $MasterPass -PrimaryOrDR $PrimaryOrDR -PrimaryVaultIP $PrimaryVaultIP -DRPassword $DRPassword -LicenseFileName $LicenseFileName -RecPubFileName $RecPubFileName -StorageName $StorageAccountName -ContainerName $ContainerName -StorageAccountKey $StorageAccountKey -VKMName $VKMName -Secret $Secret

2. Update the ARM template to execute the new script:

{
         "condition":"[not(empty(parameters ('DR User Secret')))]",
         "type":"Microsoft.Compute/virtualMachines/extensions",
         "name":"[concat(parameters('Primary Vault VM Name'),'/', 'registration_script')]",
         "apiVersion":"2022-08-01",
         "location":"[resourceGroup().location]",
         "tags":{
            "displayName":"activate-vault"
         },
         "properties":{
            "publisher":"Microsoft.Compute",
            "type":"CustomScriptExtension",
            "typeHandlerVersion":"1.9",
            "autoUpgradeMinorVersion":true,
            "settings":{
               "fileUris":[
                  "https://raw.githubusercontent.com/cyberark/pas-on-cloud/v13.2/azure/configure-vault.ps1",
                  "[concat('https://', parameters('Storage Account Name'),'.blob.core.windows.net/', parameters('Container name'), '/', parameters('Custom Script'))]"
              ]
            },
           "protectedSettings":{
              "storageAccountName": "[parameters('Storage Account Name')]",
              "storageAccountKey": "[parameters('Storage account access key')]",
              "commandToExecute":"[concat('powershell -ExecutionPolicy Unrestricted -file ', parameters('Custom Script'), ' -AdminPass ', parameters('Primary Vault Admin Password'), ' -MasterPass ', parameters('Primary Vault Master Password'), ' -PrimaryOrDR Primary -PrimaryVaultIP 1.1.1.1 -DRPassword ', parameters('DR User Password'), ' -LicenseFileName ', parameters('Vault License File'), ' -RecPubFileName ', parameters('Recovery Public Key'), ' -StorageAccountName ', parameters('Storage Account Name'), ' -ContainerName ', parameters('Container name'), ' -StorageAccountKey ', parameters('Storage account access key'), ' -VKMName ', parameters ('Key Vault Name'), ' -Secret ', parameters ('DR User Secret'))]"
           }
         },
         "dependsOn":[
            "[concat('Microsoft.Compute/virtualMachines/', parameters('Primary Vault VM Name'), '/extensions/ManagedIdentityExtensionForWindows')]",
            "[concat('Microsoft.KeyVault/vaults/', variables('vaultName'))]"
         ]
      }

3. Deploy the Primary vault using the updated ARM template and the VM image CyberArk-PAS-Vault-v13.2-win2019
4. Once deployment is complete, download and install the PrivateArk Client and try to login to the Administrator user with the password provided to the template.
5. See error

Expected Results

The vault should deploy in the same manner as before the modifications. The Administrator's password should remain the one provided during deployment.

Actual Results

Trying to login as Administrator with the provided password results in an Authentication error.

Reproducible

• Always
• Sometimes
• Non-Reproducible

Version/Tag number

ARM template for Cyberark v13.2
VM image CyberArk-PAS-Vault-v13.2-win2019

Environment setup

The deployment is made to a deployment stack in Azure.

Summary

While running the Template on AWS using CloudFormation. Below error is seen:
API: ec2:RunInstances Not authorized for images: [ami-011a35e97a0110026] on us-west-2 (Oregon)

Steps to Reproduce

1. Go to CloudFormation
2. Create New Stack
3. Upload Template
4. Region should be us-west-2
5. Fill all the relevant parameters
6. Run the template

Expected Results

Instance should be created, with all resources.

Actual Results

Rollback initiated due to error in Vault Machine failed to create

Reproducible

• Always

Version/Tag number

Latest from https://github.com/cyberark/pas-on-cloud/blob/master/aws/Full-PAS-Deployment.yaml

Additional Information

aws:cloudformation:Stack (CyberArk): error: 1 error occurred: * creating urn:pulumi:platform::cyberark::aws:cloudformation/stack:Stack::CyberArk: 1 error occurred: * error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [VaultMachine]. Rollback requested by user." "API: ec2:RunInstances Not authorized for images: [ami-011a35e97a0110026]"]

Using the script for PSMP throws an error about AvailabiltySet. How do you use the script to deploy the PSMP component

Hi guys,

Nothing to do with the CloudFormation templates which look great. But just wondering whether and how do you sysprep the CyberArk AMIs?
I'm manually testing ami-d18253b3 (Vaults) and ami-f896479a (Components) in ap-southeast-2 region, and found that all launched instances from them use the same machine names. I managed to sysprep ami-f896479a (Components) by myself, but fail to sysprep ami-d18253b3 (Vaults) with the following errors:

Info [0x0f0080] SYSPRP ActionPlatform::LaunchModule: Found 'WSLicenseCleanUpState' in C:\Windows\System32\wsclient.dll; executing it
Info SYSPRP Entering WSLicenseCleanupState - Client Stub
Error SYSPRP WSLicenseCleanUpState failed with hr=c0020017
Info SYSPRP Exiting WSLicenseCleanupState - Client Stub
Error [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'WSLicenseCleanUpState' from C:\Windows\System32\wsclient.dll; dwRet = 0xc0020017
Error SYSPRP ActionPlatform::ExecuteAction: Error in executing action; dwRet = 0xc0020017
Error SYSPRP ActionPlatform::ExecuteActionList: Error in execute actions; dwRet = 0xc0020017
Error SYSPRP SysprepSession::Execute: Error in executing actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0xc0020017
Error SYSPRP RunPlatformActions:Failed while executing SysprepSession actions; dwRet = 0xc0020017
Error [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0xc0020017
Error [0x0f00a8] SYSPRP WinMain:Hit failure while processing sysprep generalize internal providers; hr = 0xc0020017
Info [0x0f004c] SYSPRP WaitThread:Exiting spawned waiting thread
Info [0x0f0052] SYSPRP Shutting down SysPrep log

Any advice would be appreciated!
Thanks

Hi,
Deploying the Vault ARM template the first time works fine, but if I need to redeploy the template (any vault or component template) I get the error below. I assume this is because the customscript is already executed?? If this is the case, is there a way to change the return code/output of the customscript (if it detects that the script has already been executed).

Error JSON:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.","details":[{"code":"Conflict","message":"{\r\n "status": "Failed",\r\n "error": {\r\n "code": "ResourceDeploymentFailure",\r\n "message": "The resource operation completed with terminal provisioning state 'Failed'.",\r\n "details": [\r\n {\r\n "code": "VMExtensionProvisioningError",\r\n "message": "VM has reported a failure when processing extension 'customscript'. Error message: \"Finished executing command\"."\r\n }\r\n ]\r\n }\r\n}"}]}

I noticed the NSG are missing a DenyAll rule at prio 4096.

Now when you connect a VNET via peering all traffic is allowed to the VNET.

I initially raised this under a separate issue thread but have now started a new issue for it.

I have an issue during the stack deployment (PAS-AIO-dr-Deployment.json) with the vault image delivery, as below. out of interest when I search for [ami-0cf1c48744ffdf9db] in EC2/AMI portal I can't see it under public or private AMI's in fact I can't see any of the AMI's for any of the regions. is this AMI available publicly?

Hello,

Question 1
Can/should the hybrid AzureRM templates (e.g., /azure/pas-hybrid-network.json) be used to create an Azure network environment which is compatible with a CyberArk Privilege Cloud deployment in which the PVWA and Vault are hosted and managed by CyberArk in AWS (requiring outbound https 443 and TCP:1858 connectivity from the Azure-hosted Privilege Cloud Connector servers) ?

Question 2
Can the Azure images be used in such a deployment ? I would guess not, given that for example on the PSM image MS RDS is present, which, as per the CyberArk pre-requisites list for Privilege Cloud Connector Servers, shouldn't be the case: "RDS should not be installed on the machine preemptively. Our install handles this automatically and needs the machine clean of RDS for it to work."

General
What is advised to setup an Azure environment ready for hosting Privilege Cloud Connector Servers ?

Kr

Deploying the PrimaryVault. Filled in all required information.

Deployment is in progress - Failed.

{
"status": "Failed",
"error": {
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'registration_script'. Error message: "Command execution finished, but failed because it returned a non-zero exit code of: '1'"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot "
}
}

Tried to downgrade to TLS 1.0

Hello,

Can you confirm the AMI's that you have are showing up in AWS as public as for example this one below is not showing up which prevents the stack from launching as no AMI's are available.

Having a look there is also another AMI not showing up, looks like the code has been updated but the AMI's haven't been published out ?

https://github.com/cyberark/pas-on-cloud/blob/master/aws/PAS-Component-Single-Deployment.json#L2357

https://github.com/cyberark/pas-on-cloud/blob/master/aws/PAS-Component-Single-Deployment.json#L2359

CPM": "ami-06b193ca65a341cc7",
"PSM": "ami-0de6e5f2676414c57"

--

--

Summary

The new feature is released with Vault v13: Until now, as part of the PAM on cloud deployment process, the Vault application, metadata and data have been installed on the C: drive. In this version, the Vault deployment process has been updated to deploy the Vault data and metadata on a different drive. This change improves the Vault storage capabilities that were, until now, limited to 2 terabytes due to the C: drive deployment.

This feature requires update of Vault and DR components deployment template(ARM template) - separate storage drive should be added to VM during deployment. Otherwise the deployment of VHD image will fail cause the second drive is not found.

See the support case 03267025

Steps to Reproduce

Run the deployment of vault server vhd image using existing ARM template.

Expected Results

Deployment should succeed.

Actual Results

Deployment fails with error: ITADB338S Missing or invalid Staging area directory in db parameter file ITADB369I utility terminated.

Reproducible

• [ X] Always
• [ ] Sometimes
• [ ] Non-Reproducible

Version/Tag number

Version 13.0

Hi Please can you assist.

I have tried to deploy the stack for both PAS-AIO-Deployment.json and PAS-AIO-dr-Deployment.json
The Role I am using to deploy the stack has Admin privileges
The licence and recpub files use the default name in the root of the new bucket (Vault Files Bucket)
I set the bucket to full global access to check there was no privilege issue with access to the bucket.
During the stack setup I have tried using the bucket ARN, NAme, URL.

any advise greatly appreciated

first error in the deployment

### Full text from the log CloudWatchLog Groups/aws/lambda/CyberArkDR-CopyfileFromBucketLambda-1AMK26XVRUOZK2019/05/08/[$LATEST]0934d9a49d40435193668f7b6b23739a

2019-05-08 16:54:59
No older events found at the moment. Retry.
START RequestId: a7d659df-8a2f-43c3-b1c5-290441762995 Version: $LATEST
An error occurred (InvalidArgument) when calling the CopyObject operation: Invalid copy source URI.
https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A737331083610%3Astack/CyberArkDR/e276b010-71b1-11e9-a36b-0e194fb09f5c%7CCopyRecpubToBucket%7C451ed0a5-4fee-47df-9c04-81e5935031fe?AWSAccessKeyId=AKIA6L7Q4OWT7XTLUBXY&Expires=1557341699&Signature=G8m1CANTMSDlYzlvgJwR9Wlvcck%3D
Response body:
{
"Status": "FAILED",
"StackId": "arn:aws:cloudformation:us-east-1:737331083610:stack/CyberArkDR/e276b010-71b1-11e9-a36b-0e194fb09f5c",
"PhysicalResourceId": "50696e01-3ea0-4941-9e96-4f57248f2ba5",
"Reason": "See the details in CloudWatch Log Stream: 2019/05/08/[$LATEST]0934d9a49d40435193668f7b6b23739a",
"NoEcho": false,
"RequestId": "451ed0a5-4fee-47df-9c04-81e5935031fe",
"Data": {},
"LogicalResourceId": "CopyRecpubToBucket"
}
Status code: OK
END RequestId: a7d659df-8a2f-43c3-b1c5-290441762995
REPORT RequestId: a7d659df-8a2f-43c3-b1c5-290441762995 Duration: 2067.00 ms Billed Duration: 2100 ms Memory Size: 128 MB Max Memory Used: 67 MB
START RequestId: 5430ee1a-ace4-49d6-accf-863893bda097 Version: $LATEST
Object Deleted Successfully
https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A737331083610%3Astack/CyberArkDR/e276b010-71b1-11e9-a36b-0e194fb09f5c%7CCopyLicenseToBucket%7C3c11db60-86a6-43fc-a495-6867ea02a669?AWSAccessKeyId=AKIA6L7Q4OWT7XTLUBXY&Expires=1557341736&Signature=KokCS4QRqs722aWWknhvAbSaeWs%3D
Response body:
{
"Status": "SUCCESS",
"StackId": "arn:aws:cloudformation:us-east-1:737331083610:stack/CyberArkDR/e276b010-71b1-11e9-a36b-0e194fb09f5c",
"PhysicalResourceId": "CyberArkDR-CopyLicenseToBucket-DIT9C9H7RO3V",
"Reason": "See the details in CloudWatch Log Stream: 2019/05/08/[$LATEST]0934d9a49d40435193668f7b6b23739a",
"NoEcho": false,
"RequestId": "3c11db60-86a6-43fc-a495-6867ea02a669",
"Data": {},
"LogicalResourceId": "CopyLicenseToBucket"
}
Status code: OK
END RequestId: 5430ee1a-ace4-49d6-accf-863893bda097
REPORT RequestId: 5430ee1a-ace4-49d6-accf-863893bda097 Duration: 514.80 ms Billed Duration: 600 ms Memory Size: 128 MB Max Memory Used: 68 MB

The default CFT templates are set to 12.2 still, not 12.6.

To access 12.6 you need manually select 12.6 from Tags

Contributing to the Azure SDK

Please see our CONTRIBUTING.md if you are not familiar with contributing to this repository or have questions.

For specific information about pull request etiquette and best practices, see this section.

Originally posted by @m-nash in Azure/azure-sdk-for-net#40176

The ARM templates for deploying any of the single deployments such as the Vault fail with the following error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"ArtifactNotFound","message":"The VM extension with publisher 'Microsoft.ManagedIdentity' and type 'ManagedIdentityExtensionForWindows' could not be found."}]}

I worked with Microsoft and they confirmed the Managed Identity Extension is deprecated and has been replaced with an explicit property.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm#enable-system-assigned-managed-identity-during-creation-of-an-azure-vm-or-on-an-existing-vm

Would like to see this template updated with that properly working property so deployments do not fail.
Environment: Azure US Gov

Hi,

Im missing the -PtaAccessSAS in the ./import-pas-images.ps1 script.
The documentation makes a references to this value.

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20Cloud/Azure-Installation-Package.htm?tocpath=Installation%7CInstalling%20the%20PAS%C2%A0Solution%7CCloud%7CIntroduction%7C_____8#UsageExample

Is there an updated version available

Hi,

We are getting the following error message while create the single vault from the cloud formation template. But when I try in my local environment it is working fine. is there any document stating list for permissions needed to create the vault in AWS.

Summary

The PTA image is not getting imported when you run "https://github.com/cyberark/pas-on-cloud/blob/master/azure/import-pas-images.ps1"

Expected Results

Request is made for links to PTA image and the image is imported into the subscription like all other components

Actual Results

No request for PTA image is made on the ARM template and the PTA image is not imported

Reproducible

• Always
• Sometimes
• Non-Reproducible

Summary

While running the Template on AWS using CloudFormation. Below error is seen:
API: ec2:RunInstances Not authorized for images: [ami-022d97240cd52f9f4

Steps to Reproduce

Steps to reproduce the behavior:

1. Go to CloudFormation
2. Create New Stack
3. Upload Template
4. Region should be ap-southeast-2
5. Fill all the relevant parameters
6. Run the template

Expected Results

Instance should be created

Actual Results (including error logs, if applicable)

Rollback initiated due to error in Vault Machine failed to create

Reproducible

• Always

Version/Tag number

What version of the product are you running? Any version info that you can share is helpful.
For example, you might give the version from Docker logs, the Docker tag, a specific download URL,
the output of the /info route, etc.

Environment setup

Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud?
Which cloud provider? Which container orchestrator (including version)?
The more info you can share about your runtime environment, the better we may be able to reproduce the issue.

Additional Information

Add any other context about the problem here.

Please update the following labels to say "AMI Owner Account ID" instead of "CyberArk Account ID" as this is causing lots of confusion and failed implementations while trying to figure out why CFT deployments are hanging.

Hi,

Any suggestion on how these templates can be deployed to installing multiple DR Vault, Multiple CPM/PVWA/PSM. Is it just a case of using "pas-single-component-deploy" template any number of times to meet the required number? All integration will happen as part of the template execution? Any suggestion on how does it impact especially when CPM active-Passive needs to achieve and number CPM/PVWA user needs to create.

Hello Team,

I am trying to understand what is the difference between PAS-network-environment-PrivateLink.json and PAS-network-environment-NAT.json CF Template. I dont see any documentation related to this ? If you guys can point me to right documentation that will be helpful. Also can you please help me in what scenarios do we need to use either templates?

Regards,
Mayur Pawar

What page is this happening on
Copy the URL of the page this issue is happening on.

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: [e.g. iOS]
• Browser [e.g. chrome, safari]
• Version [e.g. 22]

Smartphone (please complete the following information):

• Device: [e.g. iPhone6]
• OS: [e.g. iOS8.1]
• Browser [e.g. stock browser, safari]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

Originally posted by @WatchTower001110 in googleanalytics/ga-dev-tools#1688

The import-pas-images.ps1 script does not include support for importing the PTA images using the accessSAS links. However, the documentation describes this parameter - https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20Cloud/Azure-Installation-Package.htm?Highlight=ptaaccesssas

Is your feature request related to a problem? Please describe.

https://github.com/cyberark/pas-on-cloud/blob/master/azure/import-pas-images.ps1 is currently using AzureRM modules commands. According to Microsoft (https://learn.microsoft.com/en-us/powershell/azure/migrate-from-azurerm-to-az) AzureRM modules will be retired on 29 Feb 2024.
Moreover, currently people who use the new AZ modules cannot have them easily co-exist with AzureRM due to overlapping namespacess (requires allowing clobber as described in https://blog.blksthl.com/2020/10/22/install-the-powershell-az-module-even-if-azurerm-is-installed/).

Describe the solution you would like

Migrate from AzureRM cmdlets to AZ cmdlets - we were able to complete the entire script rewrite in under 30 minutes including full testing. In most cases it is as simple as replacing "AzureRM" or "Azure" text in the name of the cmdlet with "AZ"

Describe alternatives you have considered

N/A

Additional context

N/A

i am receiving this error at the end of the primary vault deployment.

VM has reported a failure when processing extension 'customscript_no_dr'. Error message: "Command execution finished, but failed because it returned a non-zero exit code of: '1'"\r\n\r\n

Summary

Provide brief overview and context for the discovered bug.

Steps to Reproduce

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected Results

A clear and concise description of what you expected to happen.

Actual Results

A clear and concise description of what actually did happen. Include logs and
screens shots, whenever possible

Reproducible

• Always
• Sometimes
• Non-Reproducible

Version/Tag number

What version of the product are you running? Any version info that you can
share is helpful. For example, you might give the version from Docker logs,
the Docker tag, a specific download URL, the output of the /info route, etc.

Environment setup

• Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud?
• Which cloud provider? Which container orchestrator (including version)?
• The more info you can share about your runtime environment, the better we may be able to reproduce the issue.

Additional Information

Add any other context about the problem here.

PAS-AIO stated on cyberark pages and readme is missing

Hi Guys,

In the StorePasswordLambda function I think the first exception has a bad variable name, should be 'ssmclient' instead of 'client' and the ssmclient variable is not available to the lambda_handler function.

I found this error when trying to automate a deployment with serverless using this Templates and send a invalid type of data for the Vault Admin Password.

Regards!

Hi again,

Just wanted to know when you expect to release ARM templates for version 10.10 (or if the existing templates can be used with the new version).

Regards
Thomas, DNB

Documentation says to use t3 series but the template says only has m4.

Hi,

This repos is awesome! Apart of using the Infrastructure as Code native tools from the Cloud Providers, Is there any plan to automate with Terraform the Core PAS deployment on AWS and Azure?

Terraform is massively adopted in the field and this would be a big help.

Thank you.

Hi,

Have you worked on any clever solution for scaling the PSM servers (in/out or up/down)?
We have an environment where concurrent PSM connections fluctuates between 0 and 500 during the week and would really like to minimize Azure compute cost.

Regards
Thomas, DNB

Summary

AWS CloudFormation templates do not wait for role creation to complete, resulting in errors on subsequent steps (e.g. Lambda function creation.

Steps to Reproduce

Use the v12.2.1 FullDeployment yaml to create a new environment with default settings.

Expected Results

CloudFormation template should complete fully and create all necessary resources.

Actual Results

CloudFormation template fails with errors such as:
The following resource(s) failed to create: [StorePasswordLambda, DeletePasswordLambda, RemovePermissionLambda]. Rollback requested by user.
Template error: IAM role pasoncloud-LambdaDeployRole-1TNJXSYRDHUMR doesn't exist
Template error: IAM role pasoncloud-LambdaRemovePermissionsRole-LPI7QK528XKR doesn't exist

Reproducible

• Always - Tried 6 times in a row with same error
• Sometimes
• Non-Reproducible

Version/Tag number

12.2.1 CFT

Environment setup

Fresh AWS account environment

Additional Information

When the CloudFormation template fails with those errors, I can go to IAM and see that the roles were perfectly created. I think the issue is that it can take IAM a few seconds to make the role fully available, but the CloudFormation template does not wait for this to occur and just attempts to immediately use the roles which causes it to fail if there is any delay in IAM.

Hi guys,
I see in your CyberArk documentation that a design using two different AvailabilityZones are recommended per component. I can't see that this is reflected in the ARM templates (only see that availability sets are used). Any comments on this?

Regards
Thomas, DNB

It seems the passwords are not properly handled (escaping the special character). When I used the randomly created password, it failed to bring up VPWA with failure on CloudRegisterToVault.ps1

Below is the log regarding the failure.
subprocess.CalledProcessError: Command '['powershell.exe', u'C:\\CyberArk\\CloudRegisterToVault.ps1 -PVWA -PVWAVaultIP "10.158.2.28,10.158.2.41" -PVWAVaultPort 1858 -PVWAVaultUser Administrator -PVWAVaultPassword U.~:9]&-d=}]GE5gx2w*!/+}y -PVWAUrl https://ip-10-158-0-54.ec2.internal/PasswordVault']' returned non-zero exit status 1

Summary

Azure ARM template consists of parameters with spaces in the parameter name. Azure pipeline doesn't support "multi word" parameter name and doesn't allow to override such parameters. The recommendation is to remove spaces from the parameter's names or replace with "_" sign.

Additional details - https://stackoverflow.com/questions/58629448/override-parameter-with-a-space-in-the-parameter-name

Steps to Reproduce

Create a base pipeline in Azure and add AzureResourceManagerTemplateDeployment task:

task: AzureResourceManagerTemplateDeployment@3 inputs: deploymentScope: 'Resource Group' azureResourceManagerConnection: 'Subscription-Name' subscriptionId: '123456-0ec1-4a4c-8eba-1bd12947485d' action: 'Create Or Update Resource Group' resourceGroupName: 'PAMaaS-CorePAS-RG' location: 'North Europe' templateLocation: 'URL of the file' csmFileLink: 'https://raw.githubusercontent.com/cyberark/pas-on-cloud/master/azure/pas-full-network.json' overrideParameters: '- "User Access CIDR" "10.2.0.0/24" - "Administrative Access CIDR" "10.2.0.0/24"' deploymentMode: 'Incremental'

Expected Results

Expected result that the template is deployed with custom values for User and Administrative VNET

Actual Results (including error logs, if applicable)

Deployment failed:

ARM Service Connection deployment scope - Subscription Checking if the following resource group exists: PAMaaS-CorePAS-RG. Resource group exists: true. Creating deployment parameters. There was an error while overriding '' parameter because of 'TypeError: Cannot read property 'type' of undefined', make sure it follows JavaScript Object Notation (JSON) There was an error while overriding '' parameter because of 'TypeError: Cannot read property 'type' of undefined', make sure it follows JavaScript Object Notation (JSON) There was an error while overriding '' parameter because of 'TypeError: Cannot read property 'type' of undefined', make sure it follows JavaScript Object Notation (JSON) There was an error while overriding '' parameter because of 'TypeError: Cannot read property 'type' of undefined', make sure it follows JavaScript Object Notation (JSON) Starting template validation. Deployment name is pas-full-network-20210521-101823-f374 There were errors in your deployment. Error code: InvalidDeploymentParameterKey. ##[error]One of the deployment parameters has an empty key. Please see https://aka.ms/resource-manager-parameter-files for details. ##[warning]Validation errors were found in the Azure Resource Manager template. This can potentially cause template deployment to fail. Task failed while creating or updating the template deployment.. Please follow https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax Starting Deployment. Deployment name is pas-full-network-20210521-101823-f374 There were errors in your deployment. Error code: InvalidDeploymentParameterKey. ##[error]One of the deployment parameters has an empty key. Please see https://aka.ms/resource-manager-parameter-files for details. ##[error]Check out the troubleshooting guide to see if your issue is addressed: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting ##[error]Task failed while creating or updating the template deployment. Finishing: AzureResourceManagerTemplateDeployment

Reproducible

• Always
• Sometimes
• Non-Reproducible

Version/Tag number

Not relevant

Environment setup

Not relevant

Additional Information

Suggestion that the CyberArk Account ID should be set in the CFT or at least in the readme of the AWS page.

After attempting to deploy to West US discovered we are where unable to deploy due to those regions not having availability zones. After research we discovered West Central US, West US, East US 3 do not currently have availability zones but this is not listed as a limitation anywhere.

I am getting the error below when trying to deploy the Vault Image. It seems to be successfully downloaded and a image was created that I am using, but still getting the error below. Any thoughts?

Deployment failed. Correlation ID: e2d255bc-c36b-4834-8dc3-5906d0010702. {
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "OSProvisioningClientError",
"message": "OS provisioning for VM 'cavault' failed. Error details: This installation of Windows is undeployable. Make sure the image has been properly prepared (generalized).\r\nInstructions for Windows: https://azure.microsoft.com/documentation/articles/virtual-machines-windows-upload-image/ "
}
]
}
}

This appears to be the 12.0 not 12.1 version of the AMI.

Azure resource names cannot contain spaces.
https://github.com/cyberark/pas-on-cloud/blob/f9d3e11/azure/pas-dr-deploy.json#L45

The default value for Primary follows the rules.
　https://github.com/cyberark/pas-on-cloud/blob/f9d3e11/azure/pas-vault-deploy.json#L88