Error 412: Supplied fingerprint does not match current metadata fingerprint

Hi

I’ve got an intermittent issue when using packer to create a Windows image on GCP. It's intermittent: it can work 10 times and then stop working with the following error:-

build.googlecompute.build: Checking image does not exist...
build.googlecompute.build: Creating temporary RSA SSH key for instance...
build.googlecompute.build: Using image: windows-server-2019-dc-v20221014
build.googlecompute.build: Creating instance...
build.googlecompute.build: Loading zone: europe-west1-c
build.googlecompute.build: Loading machine type: e2-highcpu-2
build.googlecompute.build: Requesting instance creation...
build.googlecompute.build: Waiting for creation operation to complete...
build.googlecompute.build: Instance has been created!
build.googlecompute.build: Waiting 2m30s before adding SSH keys...
build.googlecompute.build: Creating windows user for instance...
build.googlecompute.build: Waiting for windows password to complete...
build.googlecompute.build: Error creating windows password: googleapi: Error 412: Supplied fingerprint does not match current metadata fingerprint., conditionNotMet
build.googlecompute.build: Deleting instance...
build.googlecompute.build: Instance has been deleted!
build.googlecompute.build: Deleting disk...
build.googlecompute.build: Disk has been deleted!
Build 'build.googlecompute.build' errored after 5 minutes 6 seconds: Error creating windows password: googleapi: Error 412: Supplied fingerprint does not match current metadata fingerprint., conditionNotMet

Wait completed after 5 minutes 6 seconds

Some builds didn't complete successfully and had errors:
build.googlecompute.build: Error creating windows password: googleapi: Error 412: Supplied fingerprint does not match current metadata fingerprint., conditionNotMet

There is a firewall rule to open the ports 5985 and 5986 which is applied when the network has the pipeline-build tag. I just can't work out why it works and then it doesn't.

A slimmed down version of the HCL file is:-

source "googlecompute" "build" {
  project_id                     = var.project_id
  region                         = "europe-west1"
  zone                           = "europe-west1-c"
  communicator                   = "winrm"
  disk_size                      = "50"
  disk_type                      = "pd-standard"
  image_description              = "My-Windows-2019-Image"
  image_family                   = "windows-2019"
  image_labels                   = local.labels
  image_name                     = "win-2019-{{timestamp}}"
  image_storage_locations        = ["eu"]
  impersonate_service_account    = var.deployment_sa
  instance_name                  = "${var.image_family}-${var.build_number}-build"
  labels                         = local.labels
  machine_type                   = "e2-highcpu-2"     # literal strings must be quoted in HCL
  metadata                       = { "windows-startup-script-cmd" = local.windows_startup_script_cmd }
  network_project_id             = var.project_id
  scopes                         = ["https://www.googleapis.com/auth/cloud-platform"]
  service_account_email          = var.instance_sa_email
  source_image                   = "windows-server-2019-dc-v20221014"
  source_image_project_id        = ["windows-cloud"]  # list of projects to search for the source image
  startup_script_file            = "packer_userdata.ps1"
  state_timeout                  = "15m"
  subnetwork                     = "image-building-subnetwork"
  tags                           = ["pipeline-build"]
  wait_to_add_ssh_keys           = "150s"
  winrm_insecure                 = true
  winrm_use_ssl                  = true
  winrm_username                 = "packer_user"
}

build {
  name    = "build"
  sources = ["source.googlecompute.build"]

  provisioner "powershell" {
    inline     = ["GCESysprep -NoShutdown"]
    skip_clean = true
  }
}

The line in the local.hcl file for windows_startup_script_cmd is:-

  windows_startup_script_cmd = "winrm quickconfig -quiet & net user /add packer_user & net localgroup administrators packer_user /add & winrm set winrm/config/service/auth @{Basic=\"true\"}" 

and the packer_userdata.ps1 is below. Not sure this is actually needed?

<powershell>

# Stop the packer_user password from expiring
wmic useraccount where "name='packer_user'" set PasswordExpires=FALSE

# First, make sure WinRM can't be connected to
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block

# Delete any existing WinRM listeners
winrm delete winrm/config/listener?Address=*+Transport=HTTP  2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null

# Disable group policies which block basic authentication and unencrypted login
# (create the policy keys first; Set-ItemProperty fails if the path does not exist yet)
foreach ($k in 'Client', 'Service') {
    New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\$k" -Force | Out-Null
}
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client -Name AllowBasic -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client -Name AllowUnencryptedTraffic -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service -Name AllowBasic -Value 1
Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service -Name AllowUnencryptedTraffic -Value 1

# Create a new WinRM listener and configure
winrm create winrm/config/listener?Address=*+Transport=HTTP
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'

# Configure UAC to allow privilege elevation in remote shells
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force

# Configure and restart the WinRM Service; enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM

# Configure RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

</powershell>

When it does connect the log shows as:-

build.googlecompute.build: Checking image does not exist...
build.googlecompute.build: Creating temporary RSA SSH key for instance...
build.googlecompute.build: Using image: windows-server-2019-dc-v20221014
build.googlecompute.build: Creating instance...
build.googlecompute.build: Loading zone: europe-west1-c
build.googlecompute.build: Loading machine type: e2-highcpu-2
build.googlecompute.build: Requesting instance creation...
build.googlecompute.build: Waiting for creation operation to complete...
build.googlecompute.build: Instance has been created!
build.googlecompute.build: Waiting 2m30s before adding SSH keys...
build.googlecompute.build: Creating windows user for instance...
build.googlecompute.build: Waiting for windows password to complete...
build.googlecompute.build: Created password.
build.googlecompute.build: Waiting for the instance to become running...
build.googlecompute.build: IP: 34.79.156.46
build.googlecompute.build: Using WinRM communicator to connect: 34.79.156.46
build.googlecompute.build: Waiting for WinRM to become available...
build.googlecompute.build: WinRM connected.
build.googlecompute.build: Connected to WinRM!
build.googlecompute.build: Provisioning with Powershell...
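The `Error 412 ... conditionNotMet` in the failing log is GCE's optimistic-concurrency check on instance metadata: a `setMetadata` call must carry the fingerprint returned by the preceding `get`, and the server rejects it if anything changed the metadata in between. The following is an added, constructed simulation (not Packer's or Google's code) of that check and of the read-modify-write retry that recovers from it; the `windows-keys` key is the real metadata key GCE uses for Windows password resets, while the second writer, the `pipeline-build-id` key and the content-hash fingerprint are assumptions of the simulation.

```python
import hashlib
import json

class PreconditionFailed(Exception):
    """Stands in for googleapi Error 412 ... conditionNotMet."""

class FakeInstanceMetadata:
    """Constructed stand-in for instance metadata; the fingerprint is a hash of the items."""
    def __init__(self, items):
        self.items = dict(items)
        self.racers = []  # simulated other writers, each run once before a set()
    def fingerprint(self):
        # GCE's real fingerprint is opaque; a content hash models "changes on every write".
        canon = json.dumps(self.items, sort_keys=True).encode()
        return hashlib.sha256(canon).hexdigest()[:16]
    def get(self):
        return dict(self.items), self.fingerprint()
    def set(self, items, fingerprint):
        while self.racers:          # let any racing writer commit first
            self.racers.pop(0)()
        if fingerprint != self.fingerprint():  # the server-side precondition check
            raise PreconditionFailed("Error 412: Supplied fingerprint does not "
                                     "match current metadata fingerprint., conditionNotMet")
        self.items = dict(items)
        return self.fingerprint()

def add_metadata_with_retry(resource, key, value, max_attempts=5):
    """Read-modify-write: on a 412, refetch items + fingerprint and retry. Returns attempts used."""
    for attempt in range(1, max_attempts + 1):
        items, fp = resource.get()
        items[key] = value
        try:
            resource.set(items, fp)
            return attempt
        except PreconditionFailed:
            continue
    raise RuntimeError(f"still conflicting after {max_attempts} attempts")

def demo_race():
    """A second writer touches 'windows-keys' between our get() and set() (constructed race)."""
    res = FakeInstanceMetadata({"windows-startup-script-cmd": "winrm quickconfig -quiet"})
    def other_writer():
        items, fp = res.get()
        items["windows-keys"] = '{"userName": "packer_user", "modulus": "CONSTRUCTED"}'
        res.set(items, fp)
    res.racers.append(other_writer)
    attempts = add_metadata_with_retry(res, "pipeline-build-id", "CONSTRUCTED-42")  # 2 attempts
    return attempts, res.get()[0]
```

A client that instead reuses the fingerprint from an earlier `get` (or does not retry at all) fails exactly like the log above, so when reading such a failure the question to ask is what else wrote to the instance's metadata between Packer's read and its write.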