Cannot create CVM SIG Image Version via CLI #22995

@tiregan

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command
az sig image-version create

Describe the bug
Cannot create CVM sig image versions from CLI.

To Reproduce
Create a sig image definition with confidential vm security type. If using CLI, here's an example:
az sig image-definition create --resource-group tiregan --gallery-name tireganCvmGallery --gallery-image-definition ConfidentialVmImage --publisher tiregan --offer tiregan --sku tiregan --os-type windows --os-state Generalized --features SecurityType=ConfidentialVM --hyper-v-generation V2

Then, create a sig image version under this image. It requires the target-region-cvm-encryption parameter. Example:
az sig image-version create --resource-group NEURG --gallery-name CVMGallery --gallery-image-definition CVMWinGenImage --gallery-image-version 1.0.0 --os-snapshot WinCVMEncrypteddisk --target-region-cvm-encryption EncryptedWithPmk --target-regions northeurope

The above fails. The error returned is this:
(InvalidParameter) The regional encryption.osDiskImage.securityProfile.type must be specified when the SecurityType of the image definition is ConfidentialVM. Code: InvalidParameter Message: The regional encryption.osDiskImage.securityProfile.type must be specified when the SecurityType of the image definition is ConfidentialVM. Target: galleryArtifactVersion.properties.publishingProfile.targetRegions.encryption.osDiskImage.securityProfile

Expected behavior
The above should successfully create a SIG image version with proper CVM properties.

The request that comes to the backend SIG service should look similar to this:

{
  "location": "northeurope",
  "tags": {},
  "properties": {
    "publishingProfile": {
      "targetRegions": [
        {
          "name": "northeurope",
          "encryption": {
            "osDiskImage": {
              "securityProfile": {
                "confidentialVMEncryptionType": "EncryptedWithPmk"
              }
            }
          }
        }
      ]
    },
    "storageProfile": {
      "osDiskImage": {
        "source": {
          "id": "/subscriptions/5fb7f578-4dfb-476a-b46b-52696f8ecc32/resourceGroups/NEURG/providers/Microsoft.Compute/snapshots/WinCVMEncrypteddisk"
        }
      }
    }
  }
}

But instead the request comes in missing the encryption.osDiskImage.securityProfile and so the request fails.

Environment summary
N/A

Additional context
It’s worth noting that I did successfully make a CVM image version via Azure CLI. However, in order to do that I had to also specify the --target-region-encryption parameter. The target-region-encryption and the target-region-cvm-encryption parameters should be independent of one another, but right now the target-region-cvm-encryption parameter ONLY works when --target-region-encryption is also specified.
As an example of this, this command actually worked:
az sig image-version create --resource-group tiregan --gallery-name tireganCvmGallery --gallery-image-definition ConfidentialVmImage --gallery-image-version 1.0.2 --os-snapshot [source snapshot id] --target-region-cvm-encryption EncryptedWithPmk, --target-regions eastus2euap --target-region-encryption [des id]

See email thread with subject 'RE: Problem creating Confidential Gallery Image Version via CLI'
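The condition the backend error describes can be checked on a request body before it is submitted. This is an added example, not part of the original issue and not Azure CLI code: the JSON field names come from the request body shown above, while `find_regions_missing_cvm_profile` and the sample bodies are constructed for illustration.

```python
import json

# Constructed sample: the shape the issue says the SIG service expects.
EXPECTED_BODY = json.loads("""
{"location": "northeurope", "properties": {"publishingProfile": {"targetRegions": [
  {"name": "northeurope", "encryption": {"osDiskImage": {"securityProfile":
    {"confidentialVMEncryptionType": "EncryptedWithPmk"}}}}]}}}
""")

# Constructed sample: the same request with the securityProfile missing,
# which is how the issue describes the failing request arriving.
AS_SENT_BODY = json.loads("""
{"location": "northeurope", "properties": {"publishingProfile": {"targetRegions": [
  {"name": "northeurope"}]}}}
""")


def find_regions_missing_cvm_profile(body, definition_security_type):
    """Return the target regions that would trigger the InvalidParameter error.

    Hypothetical helper. A region is reported when the image definition is
    ConfidentialVM and the region has no
    encryption.osDiskImage.securityProfile.confidentialVMEncryptionType.
    """
    if definition_security_type != "ConfidentialVM":
        return []  # the requirement only applies to CVM image definitions
    profile = (body.get("properties") or {}).get("publishingProfile") or {}
    missing = []
    for region in profile.get("targetRegions") or []:
        # Walk each level defensively: any of them may be absent or null.
        encryption = region.get("encryption") or {}
        os_disk = encryption.get("osDiskImage") or {}
        security = os_disk.get("securityProfile") or {}
        if not security.get("confidentialVMEncryptionType"):
            missing.append(region.get("name", "<unnamed>"))
    return missing


if __name__ == "__main__":
    for label, body in (("expected", EXPECTED_BODY), ("as sent", AS_SENT_BODY)):
        regions = find_regions_missing_cvm_profile(body, "ConfidentialVM")
        print(f"{label}: regions missing CVM securityProfile = {regions}")
```

Running `az` with the global `--debug` flag logs the outgoing request body, which can be fed to this check.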

Labels

Compute az vm/vmss/image/disk/snapshot
