From 6d46ecb95292e3bf7ab46356f4f76ff354cfcb1c Mon Sep 17 00:00:00 2001 From: Adam Sandor Date: Mon, 8 Jan 2024 14:15:11 -0500 Subject: [PATCH 1/7] dev code --- .../Operation/NewAzureVMCommand.cs | 79 ++++++++++++++----- 1 file changed, 58 insertions(+), 21 deletions(-) diff --git a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs index 6c6bb9d32e34..5c27aa49f5fa 100644 --- a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs +++ b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs @@ -54,6 +54,8 @@ using System.Security.AccessControl; using System.Security.Principal; using Microsoft.Azure.Commands.Common.Strategies.Compute; +using System.Security.Policy; +using System.Text.RegularExpressions; namespace Microsoft.Azure.Commands.Compute { 
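Review bot: `using System.Security.Policy;` is added but nothing in this series references that namespace; the new code only needs `System.Text.RegularExpressions` for `Regex`. It looks like an IDE auto-import and should be removed so the cmdlet does not pick up a dependency on the legacy CAS evidence types for no reason.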
@@ -977,28 +979,64 @@ public void DefaultExecuteCmdlet() // ImageReference provided, TL defaulting occurs if image is Gen2. + // This will handle when the Id is provided in a URI format and + // when the image segments are provided individually. if (this.VM.SecurityProfile?.SecurityType == null && this.VM.StorageProfile?.ImageReference != null) { - if (this.VM.StorageProfile?.ImageReference?.Id != null)//This code should never happen apparently - { + if (this.VM.StorageProfile?.ImageReference?.Id != null) + { string imageRefString = this.VM.StorageProfile.ImageReference.Id.ToString(); - var parts = imageRefString.Split(new char[] { '/' }, StringSplitOptions.RemoveEmptyEntries); - - string imagePublisher = parts[Array.IndexOf(parts, "Publishers") + 1]; - string imageOffer = parts[Array.IndexOf(parts, "Offers") + 1]; - string imageSku = parts[Array.IndexOf(parts, "Skus") + 1]; - string imageVersion = parts[Array.IndexOf(parts, "Versions") + 1]; - //location is required when config object provided. 
- var imgResponse = ComputeClient.ComputeManagementClient.VirtualMachineImages.GetWithHttpMessagesAsync( - this.Location.Canonicalize(), - imagePublisher, - imageOffer, - imageSku, - version: imageVersion).GetAwaiter().GetResult(); - - setHyperVGenForImageCheckAndTLDefaulting(imgResponse); + string galleryImgIdPattern = @"/subscriptions/(?[^/]+)/resourceGroups/(?[^/]+)/providers/Microsoft.Compute/galleries/(?[^/]+)/images/(?[^/]+)/versions/(?[^/]+)"; + string managedImageIdPattern = @"/subscriptions/(?[^/]+)/resourceGroups/(?[^/]+)/providers/Microsoft.Compute/images/(?[^/]+)"; + string defaultExistingImagePattern = @"/Subscriptions/(?[^/]+)/Providers/Microsoft.Compute/Locations/(?[^/]+)/Publishers/(?[^/]+)/ArtifactTypes/VMImage/Offers/(?[^/]+)/Skus/(?[^/]+)/Versions/(?[^/]+)"; + + //Gallery Id + Regex galleryRgx = new Regex(galleryImgIdPattern, RegexOptions.IgnoreCase); + Match galleryMatch = galleryRgx.Match(imageRefString); + // Managed Image Id + Regex managedImageRgx = new Regex(managedImageIdPattern, RegexOptions.IgnoreCase); + Match managedImageMatch = managedImageRgx.Match(imageRefString); + // Default Image Id + Regex defaultImageRgx = new Regex(defaultExistingImagePattern, RegexOptions.IgnoreCase); + Match defaultImageMatch = defaultImageRgx.Match(imageRefString); + if (galleryMatch.Success) + { + // It's a Gallery Image Id + // do nothing, send message to use TL. + if (this.AsJobPresent() == false) // to avoid a failure when it is a job. Seems to fail when it is a job. + { + WriteInformation(HelpMessages.TrustedLaunchUpgradeMessage, new string[] { "PSHOST" }); + } + } + else if (managedImageMatch.Success) + { + // It's a Managed Image Id + // do nothing, send message to use TL. + if (this.AsJobPresent() == false) // to avoid a failure when it is a job. Seems to fail when it is a job. 
+ { + WriteInformation(HelpMessages.TrustedLaunchUpgradeMessage, new string[] { "PSHOST" }); + } + } + else if (defaultImageMatch.Success) + { + var parts = imageRefString.Split(new char[] { '/' }, StringSplitOptions.RemoveEmptyEntries); + // It's a default existing image + string imagePublisher = parts[Array.IndexOf(parts, "Publishers") + 1]; + string imageOffer = parts[Array.IndexOf(parts, "Offers") + 1]; + string imageSku = parts[Array.IndexOf(parts, "Skus") + 1]; + string imageVersion = parts[Array.IndexOf(parts, "Versions") + 1]; + //location is required when config object provided. + var imgResponse = ComputeClient.ComputeManagementClient.VirtualMachineImages.GetWithHttpMessagesAsync( + this.Location.Canonicalize(), + imagePublisher, + imageOffer, + imageSku, + version: imageVersion).GetAwaiter().GetResult(); + + setHyperVGenForImageCheckAndTLDefaulting(imgResponse); + } } else { @@ -1009,12 +1047,11 @@ public void DefaultExecuteCmdlet() } if (this.VM.SecurityProfile?.SecurityType == ConstantValues.TrustedLaunchSecurityType - && this.VM.StorageProfile?.ImageReference == null - && this.VM.StorageProfile?.OsDisk?.ManagedDisk?.Id == null //had to add this - && this.VM.StorageProfile?.ImageReference?.SharedGalleryImageId == null) + && this.VM.StorageProfile?.ImageReference == null + && this.VM.StorageProfile?.OsDisk?.ManagedDisk?.Id == null //had to add this + && this.VM.StorageProfile?.ImageReference?.SharedGalleryImageId == null) { defaultTrustedLaunchAndUefi(); - setTrustedLaunchImage(); } From bc8670a734d2e795cc3e9f9031864c292cc6c717 Mon Sep 17 00:00:00 2001 From: Adam Sandor Date: Wed, 10 Jan 2024 10:22:56 -0500 Subject: [PATCH 2/7] test trying --- .../ScenarioTests/VirtualMachineTests.ps1 | 275 +++++++++++++++++- 1 file changed, 274 insertions(+), 1 deletion(-) diff --git a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 index 3d63d5ac5459..229b30d31e39 100644 
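Review bot: In the `defaultImageMatch.Success` branch the id is matched with `RegexOptions.IgnoreCase`, but the segments are then recovered with `Array.IndexOf(parts, "Publishers")` and friends, which compare case-sensitively, so an id spelled `/publishers/…` passes the regex, `IndexOf` returns -1 and `parts[0]` (the `subscriptions` literal) is sent to `VirtualMachineImages.GetWithHttpMessagesAsync` as the publisher — the lookup then fails or resolves the wrong image and no Trusted Launch defaulting happens. Take the values from the match instead, `string imagePublisher = defaultImageMatch.Groups["publisher"].Value;` and likewise for offer, SKU and version (the group names appear stripped to `(?[^/]+)` in this rendering; whatever they are in the file is what to use), which also drops the second parse. Two smaller points: none of the patterns is anchored with `^`/`$`, so a fragment embedded in a longer string is accepted, and when none of the three patterns matches the block silently does nothing — a comment stating that is intended (or a `WriteWarning`) would help. The three `Regex` objects are rebuilt on every call and could be `private static readonly` fields. `DefaultExecuteCmdlet` begins before and continues after this hunk.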
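Review bot: `setTrustedLaunchImage();` is removed from the `SecurityType == TrustedLaunch` branch, so a config that is TrustedLaunch with no `ImageReference` and no managed OS disk id now only gets `defaultTrustedLaunchAndUefi()`; unless the image is defaulted somewhere later in the flow the create call will go out with no source image, so please confirm that path or say in the commit message why the call is no longer needed. The `-`/`+` lines of the condition are whitespace-only, but the retained `ImageReference?.SharedGalleryImageId == null` clause is always true once `ImageReference == null` has held, so it could go, or carry a comment such as `// redundant with the ImageReference null check above; kept for readability`. The enclosing method continues outside the hunk.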
--- a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 +++ b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 @@ -1,4 +1,4 @@ -# ---------------------------------------------------------------------------------- +# ---------------------------------------------------------------------------------- # # Copyright Microsoft Corporation # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -7253,6 +7253,279 @@ function Test-VMDefaultsToTrustedLaunchWithNullEncryptionAtHost $vm = Get-AzVm -ResourceGroupName $rgname -Name $vmname; + # Validate + Assert-AreEqual $vm.SecurityProfile.SecurityType $securityType_TL; + Assert-AreEqual $vm.SecurityProfile.UefiSettings.SecureBootEnabled $enable; + Assert-AreEqual $vm.SecurityProfile.UefiSettings.VTpmEnabled $enable; + Assert-AreEqual $vm.StorageProfile.ImageReference.Sku $SKU; + Assert-Null $vm.SecurityProfile.EncryptionAtHost; + } + finally + { + # Cleanup + Clean-ResourceGroup $rgname; + } +} + +<# +.SYNOPSIS +Test Virtual Machines default to SecurityType = TrustedLaunch. +Other necessary defaults also occur for TL support. +EncryptionAtHost (a feature requiring a feature flag) must be null. +#> +function Test-VMTLWithImageSource +{ + # Setup + $rgname = Get-ComputeTestResourceName; + $loc = Get-ComputeVMLocation; + + try + { + $loc = "eastus"; + $rgname = "adsandgal4"; + New-AzResourceGroup -Name $rgname -Location $loc -Force; + # SimpleParameterSet, no config, scenario. 
+ # create credential + $password = "Testing1234567";#Get-PasswordForVM; + $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; + $user = "admin01";#Get-ComputeTestResourceName; + $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword); + + # Add one VM from creation + $vmname = 'vm' + $rgname; + $domainNameLabel = "d1" + $rgname; + $securityType_TL = "TrustedLaunch"; + $PublisherName = "MicrosoftWindowsServer"; + $Offer = "WindowsServer"; + $SKU = "2022-datacenter-azure-edition"; + $version = "latest"; + $disable = $false; + $enable = $true; + $galleryName = "g" + $rgname; + $vnetname = "vn" + $rgname; + $vnetAddress = "10.0.0.0/16"; + $subnetname = "slb" + $rgname; + $subnetAddress = "10.0.2.0/24"; + $OSDiskName = $vmname + "-osdisk"; + $NICName = $vmname+ "-nic"; + $NSGName = $vmname + "-NSG"; + $OSDiskSizeinGB = 128; + $VMSize = "Standard_DS2_v2"; + + # Gallery + $vm = New-AzVM -ResourceGroupName $rgname -Name $vmname -Credential $cred -DomainNameLabel $domainNameLabel -SecurityType "Standard"; + Stop-AzVM -ResourceGroupName $rgname -Name $vmname -Force ; + Set-AzVM -ResourceGroupName $rgname -Name $vmname -Generalized ; + + $imageName = "im" + $rgname; + $imageConfig = New-AzImageConfig -Location $loc -SourceVirtualMachineId $vm.Id; + $managedImage = New-AzImage -Image $imageConfig -ImageName $imageName -ResourceGroupName $rgname; + + # default provided image: + # $image = Get-AzVMImage -Skus $SKU -Offer $Offer -PublisherName $PublisherName -Location $loc -Version latest; + + # Gallery + $gal = New-AzGallery -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc; + $imageDefinitionName = "ig" + $rgname; + $osType = "Windows"; # use "Linux" for Linux + $galImg = New-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc -Name $imageDefinitionName -OsState generalized -OsType $osType -Publisher $PublisherName -Offer $Offer -Sku $Sku; + $imageVersion = "1.0.0"; + 
$galImgVer = New-AzGalleryImageVersion -GalleryImageDefinitionName $imageDefinitionName -GalleryImageVersionName $imageVersion -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc -SourceImageId $managedImage.Id; + + # Network + $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetname -AddressPrefix $subnetAddress; + + $vnet = New-AzVirtualNetwork -Name $vnetname -ResourceGroupName $rgname -Location $loc -AddressPrefix $vnetAddress -Subnet $frontendSubnet; + + $nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name RDP -Protocol Tcp -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow; + $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $loc -Name $NSGName -SecurityRules $nsgRuleRDP; + $nic = New-AzNetworkInterface -Name $NICName -ResourceGroupName $RGName -Location $loc -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id -EnableAcceleratedNetworking; + + # VM + $vmname2 = "2" + $vmname; + $vmConfig = New-AzVMConfig -VMName $vmname2 -VMSize $VMSize; + Set-AzVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmname2 -Credential $cred; + Set-AzVMSourceImage -VM $vmConfig -Id $galImgVer.Id ; + Set-AzVMOSDisk -VM $vmConfig -Caching 'ReadOnly' -CreateOption FromImage; + Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id; + + New-AzVM -ResourceGroupName $rgname -Location $loc -VM $vmConfig;# -Verbose;# -Debug; + + $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname2; + + + # Validate + Assert-AreEqual $vm.SecurityProfile.SecurityType $securityType_TL; + Assert-AreEqual $vm.SecurityProfile.UefiSettings.SecureBootEnabled $enable; + Assert-AreEqual $vm.SecurityProfile.UefiSettings.VTpmEnabled $enable; + Assert-AreEqual $vm.StorageProfile.ImageReference.Sku $SKU; + Assert-Null $vm.SecurityProfile.EncryptionAtHost; + } + finally + { + # Cleanup + Clean-ResourceGroup $rgname; + } +} + +<# +.SYNOPSIS +Test Virtual Machines 
default to SecurityType = TrustedLaunch. +Other necessary defaults also occur for TL support. +EncryptionAtHost (a feature requiring a feature flag) must be null. +#> +function Test-VMTLWithGallerySource +{ + # Setup + $rgname = Get-ComputeTestResourceName; + $loc = Get-ComputeVMLocation; + + try + { + $loc = "eastus"; + $location = $loc; + $rgname = "adsandgdef8"; + New-AzResourceGroup -Name $rgname -Location $loc -Force; + # SimpleParameterSet, no config, scenario. + # create credential + $password = "Testing1234567";#Get-PasswordForVM; + $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; + $user = "admin01";#Get-ComputeTestResourceName; + $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword); + + # Add one VM from creation + $vmname = 'vm' + $rgname; + $domainNameLabel = "d1" + $rgname; + $securityType_TL = "TrustedLaunch"; + $PublisherName = "MicrosoftWindowsServer"; + $Offer = "WindowsServer"; + $SKU = "2022-datacenter-azure-edition"; + $version = "latest"; + $disable = $false; + $enable = $true; + $galleryName = "g" + $rgname; + $vnetname = "vn" + $rgname; + $vnetAddress = "10.0.0.0/16"; + $subnetname = "slb" + $rgname; + $subnetAddress = "10.0.2.0/24"; + $pubipname = "p" + $rgname; + $OSDiskName = $vmname + "-osdisk"; + $NICName = $vmname+ "-nic"; + $NSGName = $vmname + "-NSG"; + $nsgrulename = "nsr" + $rgname; + $OSDiskSizeinGB = 128; + $VMSize = "Standard_DS2_v2"; + $vmname2 = "2" + $vmname; + + # Gallery + $vnetname1 = "vn1" + $rgname; + $vnetAddress = "10.0.0.0/16"; + $subnetname1 = "slb1" + $rgname; + $subnetAddress = "10.0.2.0/24"; + $pubipname1 = "p1" + $rgname; + $OSDiskName1 = $vmname + "-osdisk1"; + $NICName1 = $vmname+ "-nic1"; + $NSGName1 = $vmname + "-NSG1"; + $nsgrulename = "nsr1" + $rgname; + $diskname = "di" + $rgname; + $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetname1 -AddressPrefix $subnetAddress; + $vnet = New-AzVirtualNetwork -Name $vnetname1 -ResourceGroupName 
$rgname -Location $loc -AddressPrefix $vnetAddress -Subnet $frontendSubnet; + $nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name RDP -Protocol Tcp -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow; + $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $loc -Name $NSGName1 -SecurityRules $nsgRuleRDP; + $nic = New-AzNetworkInterface -Name $NICName1 -ResourceGroupName $RGName -Location $loc -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id -EnableAcceleratedNetworking; + + $image = Get-AzVMImage -Skus $SKU -Offer $Offer -PublisherName $PublisherName -Location $loc -Version latest; + $diskconfig = New-AzDiskConfig -DiskSizeGB 127 -AccountType Premium_LRS -OsType Windows -CreateOption FromImage -Location $loc -HyperVGeneration "V2"; + $diskconfig = Set-AzDiskImageReference -Disk $diskconfig -Id $image.Id; + $diskConfig = Set-AzDiskSecurityProfile -SecurityType "Standard" -Disk $diskConfig; + $disk = New-AzDisk -ResourceGroupName $rgname -DiskName $diskname -Disk $diskconfig; + + $vmConfig = New-AzVMConfig -VMName $vmName -VMSize $VMSize -SecurityType "Standard"; + $vmConfig = Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id; + $vmConfig = Set-AzVMOSDisk -Windows -ManagedDiskId $disk.Id -CreateOption Attach -VM $vmConfig; + New-AzVM -ResourceGroupName $rgname -Location $loc -VM $vmConfig; + # $vm = New-AzVM -ResourceGroupName $rgname -Name $vmname -Credential $cred -DomainNameLabel $domainNameLabel -SecurityType "Standard"; + Stop-AzVM -ResourceGroupName $rgname -Name $vmname -Force ; + Set-AzVM -ResourceGroupName $rgname -Name $vmname -Generalized ; + + $imageName = "im" + $rgname; + $imageConfig = New-AzImageConfig -Location $loc -SourceVirtualMachineId $vm.Id -HyperVGeneration "V2"; + $managedImage = New-AzImage -Image $imageConfig -ImageName $imageName -ResourceGroupName $rgname; + + # default provided image: + # $image = Get-AzVMImage 
-Skus $SKU -Offer $Offer -PublisherName $PublisherName -Location $loc -Version latest; + + # Gallery + $gal = New-AzGallery -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc; + $imageDefinitionName = "ig" + $rgname; + $osType = "Windows"; # use "Linux" for Linux + + $SecurityType = @{Name='SecurityType';Value='TrustedLaunchSupported'}; + $features = @($SecurityType); + New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $imageDefinitionName -Location $loc -Publisher $publisherName -Offer $offer -Sku $sku -HyperVGeneration "V2" -OsState "Generalized" -OsType "Windows" -Feature $features; + # $galImg = New-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc -Name $imageDefinitionName -OsState generalized -OsType $osType -Publisher $PublisherName -Offer $Offer -Sku $Sku; + $galleryImageVersionName = "1.0.0" + $sourceImageId = $managedImage.Id;#"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myVMRG/providers/Microsoft.Compute/galleries/MyGallery/images/Gen2VMImageDef/versions/0.0.1" + $galImgVer = New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $imageDefinitionName -Name $galleryImageVersionName -Location $loc -SourceImageId $sourceImageId; + # $galImgVer = New-AzGalleryImageVersion -GalleryImageDefinitionName $imageDefinitionName -GalleryImageVersionName $imageVersion -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc -SourceImageId $managedImage.Id; + $vmSize = "Standard_D2s_v5"; + $imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgName -Name $imageDefinitionName; + # Network pieces + $subnetConfig = New-AzVirtualNetworkSubnetConfig ` + -Name $subnetname ` + -AddressPrefix 192.168.1.0/24 + $vnet = New-AzVirtualNetwork ` + -ResourceGroupName $rgName ` + -Location $location ` + -Name $vnetAddress ` + -AddressPrefix 192.168.0.0/16 ` + 
-Subnet $subnetConfig + $pip = New-AzPublicIpAddress ` + -ResourceGroupName $rgName ` + -Location $location ` + -Name $pubipname ` + -AllocationMethod Static ` + -IdleTimeoutInMinutes 4 + $nsgRuleRDP = New-AzNetworkSecurityRuleConfig ` + -Name $nsgrulename ` + -Protocol Tcp ` + -Direction Inbound ` + -Priority 1000 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange 3389 ` + -Access Deny + $nsg = New-AzNetworkSecurityGroup ` + -ResourceGroupName $rgName ` + -Location $location ` + -Name $NSGName ` + -SecurityRules $nsgRuleRDP + $nic = New-AzNetworkInterface ` + -Name $NICName ` + -ResourceGroupName $rgName ` + -Location $location ` + -SubnetId $vnet.Subnets[0].Id ` + -PublicIpAddressId $pip.Id ` + -NetworkSecurityGroupId $nsg.Id + $vm = New-AzVMConfig -vmName $vmname2  -vmSize $vmSize | ` + Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | ` + Set-AzVMSourceImage -Id $imageDefinition.Id | ` + Add-AzVMNetworkInterface -Id $nic.Id + #$vm = Set-AzVMSecurityProfile -SecurityType "TrustedLaunch" -VM $vm + #$vm = Set-AzVmUefi -VM $vm ` + # -EnableVtpm $true ` + # -EnableSecureBoot $true + New-AzVM ` + -ResourceGroupName $rgName ` + -Location $location ` + -VM $vm; + + + + $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname2; + + # Validate Assert-AreEqual $vm.SecurityProfile.SecurityType $securityType_TL; Assert-AreEqual $vm.SecurityProfile.UefiSettings.SecureBootEnabled $enable; From 41bd1712677694f87c10d81c49eb67031a6f6974 Mon Sep 17 00:00:00 2001 From: Adam Sandor Date: Tue, 23 Jan 2024 09:57:21 -0500 Subject: [PATCH 3/7] test manually works but cannot record bc gallery image not found --- .../ScenarioTests/VirtualMachineTests.cs | 7 + .../ScenarioTests/VirtualMachineTests.ps1 | 338 ++++++++++++++++++ .../Operation/NewAzureVMCommand.cs | 4 +- 3 files changed, 348 insertions(+), 1 deletion(-) 
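Review bot: Both new functions replace `Get-PasswordForVM` / `Get-ComputeTestResourceName` with the literals `Testing1234567` / `admin01` and pin `$rgname` to `adsandgal4` / `adsandgdef8`, and the first NSG rule in each opens TCP 3389 from `*` with `-Access Allow`; fixed names, a known admin password and open RDP are a poor combination for resources that persist whenever `Clean-ResourceGroup` does not run. Restore the helpers (`$password = Get-PasswordForVM;` and `$user = Get-ComputeTestResourceName;`), keep the generated `$rgname`, and use `-Access Deny` as the second rule in `Test-VMTLWithGallerySource` already does. In `Test-VMTLWithGallerySource` the first `New-AzVM -VM $vmConfig` result is not assigned, so the `$vm.Id` passed to `New-AzImageConfig` is `$null`, and `New-AzVirtualNetwork -Name $vnetAddress` uses the CIDR string as the VNet name; both would need fixing before this can record.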
diff --git a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs index b2631fd4a58f..3bb2a5fdab3f 100644 --- a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs +++ b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs @@ -626,5 +626,12 @@ public void TestVMDefaultsToTrustedLaunchWithNullEncryptionAtHost() { TestRunner.RunTestScript("Test-VMDefaultsToTrustedLaunchWithNullEncryptionAtHost"); } + + [Fact] + [Trait(Category.AcceptanceType, Category.CheckIn)] + public void TestVMTLWithGallerySourceImage() + { + TestRunner.RunTestScript("Test-VMTLWithGallerySourceImage"); + } } } diff --git a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 index 229b30d31e39..6a84e44528d8 100644 --- a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 +++ b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 
@@ -7539,3 +7539,341 @@ function Test-VMTLWithGallerySource Clean-ResourceGroup $rgname; } } + +<# +.SYNOPSIS +Test Virtual Machines default to SecurityType = TrustedLaunch. +Other necessary defaults also occur for TL support. +EncryptionAtHost (a feature requiring a feature flag) must be null. +demo script provided from Ajay or demo acg. +#> +function Test-VMTLWithGallerySourceDemo +{ + # Setup + $rgname = Get-ComputeTestResourceName; + $loc = Get-ComputeVMLocation; + + try + { + # Set-AzContext -Subscription "d978fb46-d408-4e80-b1a1-db3bb535cfba"; + $loc = "westus3"; + $location = $loc; + $rgname = "adsandimg3"; + New-AzResourceGroup -Name $rgname -Location $loc -Force; + # SimpleParameterSet, no config, scenario. + # create credential + $password = "Testing1234567";#Get-PasswordForVM; + $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; + $user = "admin01";#Get-ComputeTestResourceName; + $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword); + + # Add one VM from creation + $vmname = 'vm' + $rgname; + $domainNameLabel = "d1" + $rgname; + $securityType_TL = "TrustedLaunch"; + $PublisherName = "MicrosoftWindowsServer"; + $Offer = "WindowsServer"; + $SKU = "2022-datacenter-azure-edition"; + $version = "latest"; + $disable = $false; + $enable = $true; + $galleryName = "g" + $rgname; + $vnetname = "vn" + $rgname; + $vnetAddress = "10.0.0.0/16"; + $subnetname = "slb" + $rgname; + $subnetAddress = "10.0.2.0/24"; + $pubipname = "p" + $rgname; + $OSDiskName = $vmname + "-osdisk"; + $NICName = $vmname+ "-nic"; + $NSGName = $vmname + "-NSG"; + $nsgrulename = "nsr" + $rgname; + $OSDiskSizeinGB = 128; + $VMSize = "Standard_DS2_v2"; + $vmname2 = "2" + $vmname; + + # Gallery + # $vnetname1 = "vn1" + $rgname; + # $vnetAddress = "10.0.0.0/16"; + # $subnetname1 = "slb1" + $rgname; + # $subnetAddress = "10.0.2.0/24"; + # $pubipname1 = "p1" + $rgname; + # $OSDiskName1 = $vmname + "-osdisk1"; + # $NICName1 = $vmname+ "-nic1"; + 
# $NSGName1 = $vmname + "-NSG1"; + # $nsgrulename = "nsr1" + $rgname; + # $diskname = "di" + $rgname; + # $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetname1 -AddressPrefix $subnetAddress; + # $vnet = New-AzVirtualNetwork -Name $vnetname1 -ResourceGroupName $rgname -Location $loc -AddressPrefix $vnetAddress -Subnet $frontendSubnet; + # $nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name RDP -Protocol Tcp -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow; + # $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $loc -Name $NSGName1 -SecurityRules $nsgRuleRDP; + # $nic = New-AzNetworkInterface -Name $NICName1 -ResourceGroupName $RGName -Location $loc -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id -EnableAcceleratedNetworking; + + $vmSize = "Standard_D2s_v5"; + #$imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgName -Name $imageDefinitionName; + $rgNameDef = "demoacgrg"; + $galName = "demoacg"; + $galDefName = "demotlsupported"; + $imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galName -ResourceGroupName $rgNameDef -Name $galDefName; + # Network pieces + $subnetConfig = New-AzVirtualNetworkSubnetConfig ` + -Name $subnetname ` + -AddressPrefix $subnetAddress;#192.168.1.0/24; + $vnet = New-AzVirtualNetwork ` + -ResourceGroupName $rgName -Location $location -Name $vnetAddress -AddressPrefix $vnetAddress ` + -Subnet $subnetConfig;#192.168.0.0/16 ` + $pip = New-AzPublicIpAddress ` + -ResourceGroupName $rgName ` + -Location $location ` + -Name $pubipname ` + -AllocationMethod Static ` + -IdleTimeoutInMinutes 4; + $nsgRuleRDP = New-AzNetworkSecurityRuleConfig ` + -Name $nsgrulename ` + -Protocol Tcp ` + -Direction Inbound ` + -Priority 1000 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange 3389 ` + -Access Deny; + 
$nsg = New-AzNetworkSecurityGroup ` + -ResourceGroupName $rgName ` + -Location $location ` + -Name $NSGName ` + -SecurityRules $nsgRuleRDP; + $nic = New-AzNetworkInterface ` + -Name $NICName ` + -ResourceGroupName $rgName ` + -Location $location ` + -SubnetId $vnet.Subnets[0].Id ` + -PublicIpAddressId $pip.Id ` + -NetworkSecurityGroupId $nsg.Id; + $vm = New-AzVMConfig -vmName $vmname2  -vmSize $vmSize | ` + Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | ` + Set-AzVMSourceImage -Id $imageDefinition.Id | ` + Add-AzVMNetworkInterface -Id $nic.Id; + #$vm = Set-AzVMSecurityProfile -SecurityType "TrustedLaunch" -VM $vm + #$vm = Set-AzVmUefi -VM $vm ` + # -EnableVtpm $true ` + # -EnableSecureBoot $true + New-AzVM ` + -ResourceGroupName $rgName ` + -Location $location ` + -VM $vm; + + + + $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname2; + + + # Validate + Assert-AreEqual $vm.SecurityProfile.SecurityType $securityType_TL; + Assert-AreEqual $vm.SecurityProfile.UefiSettings.SecureBootEnabled $enable; + Assert-AreEqual $vm.SecurityProfile.UefiSettings.VTpmEnabled $enable; + Assert-AreEqual $vm.StorageProfile.ImageReference.Sku $SKU; + Assert-Null $vm.SecurityProfile.EncryptionAtHost; + } + finally + { + # Cleanup + Clean-ResourceGroup $rgname; + } +} + + +<# +.SYNOPSIS +Test Virtual Machines default to SecurityType = TrustedLaunch. +Other necessary defaults also occur for TL support. +EncryptionAtHost (a feature requiring a feature flag) must be null. +demo script provided from Ajay or demo acg. +#> +function Test-VMTLWithGallerySourceImage +{ + # Setup + $rgname = Get-ComputeTestResourceName; + $loc = "westus3"; + + try + { + # Set-AzContext -Subscription "d978fb46-d408-4e80-b1a1-db3bb535cfba"; + # Set-AzContext -Subscription "e37510d7-33b6-4676-886f-ee75bcc01871"; + # $loc = "eastus"; + $location = $loc; + # $rgname = "adsandimg7"; + New-AzResourceGroup -Name $rgname -Location $loc -Force; + # SimpleParameterSet, no config, scenario. 
+ # create credential + $password = Get-PasswordForVM; + $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; + $user = Get-ComputeTestResourceName; + $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword); + + # Add one VM from creation + $vmname = 'vm' + $rgname; + $domainNameLabel = "d1" + $rgname; + $securityType_TL = "TrustedLaunch"; + $PublisherName = "MicrosoftWindowsServer"; + $Offer = "WindowsServer"; + $SKU = "2022-datacenter-azure-edition"; + $version = "latest"; + $disable = $false; + $enable = $true; + $galleryName = "g" + $rgname; + $vnetname = "vn" + $rgname; + $vnetAddress = "10.0.0.0/16"; + $subnetname = "slb" + $rgname; + $subnetAddress = "10.0.2.0/24"; + $pubipname = "p" + $rgname; + $OSDiskName = $vmname + "-osdisk"; + $NICName = $vmname+ "-nic"; + $NSGName = $vmname + "-NSG"; + $nsgrulename = "nsr" + $rgname; + $OSDiskSizeinGB = 128; + $VMSize = "Standard_DS2_v2"; + $vmname2 = "2" + $vmname; + + # Gallery + $resourceGroup = $rgname + $vmName = 'v' + $resourceGroup + $userName = 'usertest' + $pass = "Testing1234567" | ConvertTo-SecureString -AsPlainText -Force + $cred = New-Object System.Management.Automation.PSCredential ($userName, $pass) + $galleryName = 'gl' + $rgname + $definitionName = 'def' + $rgname + $skuDetails = @{ + Publisher = 'test' + Offer = 'test' + Sku = 'test' + } + $osType = 'Windows' + $osState = 'Specialized' + [bool]$trustedLaunch = $false + $storageAccountSku = 'Standard_LRS' + $hyperVGeneration = 'v1' + + # create new VM + $paramNewAzVm = @{ + ResourceGroupName = $resourceGroup + Name = $vmName + Credential = $cred + Location = $location + ErrorAction = 'Stop' + } + if ($trustedLaunch -eq $false) { + $paramNewAzVm.Add('SecurityType', 'Standard') + } + $vm = New-AzVM @paramNewAzVm + + # Setup Image Gallery + New-AzGallery -ResourceGroupName $resourceGroup -Name $galleryName -location $location -ErrorAction 'Stop' | Out-Null + + # Setup Image Definition + 
$paramNewAzImageDef = @{ + ResourceGroupName = $resourceGroup + GalleryName = $galleryName + Name = $definitionName + Publisher = $skuDetails.Publisher + Offer = $skuDetails.Offer + Sku = $skuDetails.Sku + Location = $location + OSState = $osState + OsType = $osType + HyperVGeneration = $hyperVGeneration + ErrorAction = 'Stop' + } + if ($trustedLaunch -eq $true) { + $SecurityType = @{Name='SecurityType';Value='TrustedLaunchSupported'} + $features = @($SecurityType) + $paramNewAzImageDef.Add('Feature', $features) + } + $imageDefinition = New-AzGalleryImageDefinition @paramNewAzImageDef + + + + # Setup Image Version + $paramNewAzImageVer = @{ + ResourceGroupName = $resourceGroup + GalleryName = $galleryName + GalleryImageDefinitionName = $definitionName + Name = "1.0.0" + Location = $location + SourceImageId = $vm.Id + ErrorAction = 'Stop' + StorageAccountType = $storageAccountSku + AsJob = $true + } + New-AzGalleryImageVersion @paramNewAzImageVer | Out-Null + + # Add arbitary delay for Image Ver provisioning + Start-Sleep -Seconds 1000; + + # Vm + $vmSize = "Standard_D2s_v5"; + #$imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgName -Name $imageDefinitionName; + #$rgNameDef = "demoacgrg"; + #$galName = "demoacg"; + #$galDefName = "demotlsupported"; + # $imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galName -ResourceGroupName $rgNameDef -Name $galDefName; + # Network pieces + $subnetConfig = New-AzVirtualNetworkSubnetConfig ` + -Name $subnetname ` + -AddressPrefix $subnetAddress;#192.168.1.0/24; + $vnet = New-AzVirtualNetwork ` + -ResourceGroupName $rgName -Location $location -Name $vnetname -AddressPrefix $vnetAddress ` + -Subnet $subnetConfig;#192.168.0.0/16 ` + $pip = New-AzPublicIpAddress ` + -ResourceGroupName $rgName ` + -Location $location ` + -Name $pubipname ` + -AllocationMethod Static ` + -IdleTimeoutInMinutes 4; + $nsgRuleRDP = New-AzNetworkSecurityRuleConfig ` + -Name $nsgrulename ` + -Protocol 
Tcp ` + -Direction Inbound ` + -Priority 1000 ` + -SourceAddressPrefix * ` + -SourcePortRange * ` + -DestinationAddressPrefix * ` + -DestinationPortRange 3389 ` + -Access Deny; + $nsg = New-AzNetworkSecurityGroup ` + -ResourceGroupName $rgName ` + -Location $location ` + -Name $NSGName ` + -SecurityRules $nsgRuleRDP; + $nic = New-AzNetworkInterface ` + -Name $NICName ` + -ResourceGroupName $rgName ` + -Location $location ` + -SubnetId $vnet.Subnets[0].Id ` + -PublicIpAddressId $pip.Id ` + -NetworkSecurityGroupId $nsg.Id; + $vm = New-AzVMConfig -vmName $vmname2  -vmSize $vmSize | ` + Set-AzVMSourceImage -Id $imageDefinition.Id | ` + Add-AzVMNetworkInterface -Id $nic.Id; + # Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | ` + + #$vm = Set-AzVMSecurityProfile -SecurityType "TrustedLaunch" -VM $vm + #$vm = Set-AzVmUefi -VM $vm ` + # -EnableVtpm $true ` + # -EnableSecureBoot $true + New-AzVM ` + -ResourceGroupName $rgName ` + -Location $location ` + -VM $vm; + + $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname2; + + + # Validate + Assert-Null $vm.SecurityProfile; + } + finally + { + # Cleanup + Clean-ResourceGroup $rgname; + } +} diff --git a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs index 5c27aa49f5fa..c8b16407d63a 100644 --- a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs +++ b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs 
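Review bot: The commented `Set-AzContext -Subscription "d978fb46-…"` / `"e37510d7-…"` lines look like real subscription ids, and `Test-VMTLWithGallerySourceDemo` reads its image definition from a pre-existing `demoacgrg/demoacg/demotlsupported` that the test never creates, so the function is tied to one person's subscription; drop the ids (the sibling test already uses the `00000000-0000-0000-0000-000000000000` placeholder) and build the gallery inside `$rgname`. `Test-VMTLWithGallerySourceImage` starts the image version with `-AsJob` and then `Start-Sleep -Seconds 1000`; polling the returned job, or `Get-AzGalleryImageVersion` until `ProvisioningState` is `Succeeded`, would be faster and deterministic under the recorder. Its synopsis promises a default to TrustedLaunch, but the body builds a `Specialized`, `v1` definition with `$trustedLaunch = $false` and asserts `Assert-Null $vm.SecurityProfile`, so the header should say this is the negative case, e.g. `Test that a Gen1 specialized gallery image does not receive TrustedLaunch defaulting.` It also hard-codes `"Testing1234567"` for `$pass` right after building a credential from `Get-PasswordForVM`; use the generated one.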
@@ -988,11 +988,13 @@ public void DefaultExecuteCmdlet() { string imageRefString = this.VM.StorageProfile.ImageReference.Id.ToString(); - string galleryImgIdPattern = @"/subscriptions/(?[^/]+)/resourceGroups/(?[^/]+)/providers/Microsoft.Compute/galleries/(?[^/]+)/images/(?[^/]+)/versions/(?[^/]+)"; + string galleryImgIdPattern = @"/subscriptions/(?[^/]+)/resourceGroups/(?[^/]+)/providers/Microsoft.Compute/galleries/(?[^/]+)/images/(?[^/]+)"; string managedImageIdPattern = @"/subscriptions/(?[^/]+)/resourceGroups/(?[^/]+)/providers/Microsoft.Compute/images/(?[^/]+)"; string defaultExistingImagePattern = @"/Subscriptions/(?[^/]+)/Providers/Microsoft.Compute/Locations/(?[^/]+)/Publishers/(?[^/]+)/ArtifactTypes/VMImage/Offers/(?[^/]+)/Skus/(?[^/]+)/Versions/(?[^/]+)"; //Gallery Id + //imageRefString: "/subscriptions/e37510d7-33b6-4676-886f-ee75bcc01871/resourceGroups/adsandimg3/providers/Microsoft.Compute/galleries/gladsandimg3/images/defadsandimg3" + // pattern: @"/subscriptions/(?[^/]+)/resourceGroups/(?[^/]+)/providers/Microsoft.Compute/galleries/(?[^/]+)/images/(?[^/]+)/versions/(?[^/]+)"; Regex galleryRgx = new Regex(galleryImgIdPattern, RegexOptions.IgnoreCase); Match galleryMatch = galleryRgx.Match(imageRefString); // Managed Image Id From bf6a4a857318d8312f87d5ca29a12220a675ed8b Mon Sep 17 00:00:00 2001 From: Adam Sandor Date: Fri, 26 Jan 2024 13:49:37 -0500 Subject: [PATCH 4/7] manual test --- .../ScenarioTests/VirtualMachineTests.cs | 2 +- .../ScenarioTests/VirtualMachineTests.ps1 | 475 +----------------- .../Operation/NewAzureVMCommand.cs | 12 +- 3 files changed, 28 insertions(+), 461 deletions(-) diff --git a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs index 3bb2a5fdab3f..eb86dec4e1f8 100644 --- a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs +++ b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs 
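Review bot: The new comment pastes a concrete `imageRefString` containing what appears to be a real subscription id (`e37510d7-…`) and resource names from a dev subscription, plus a copy of the superseded pattern with `/versions/`; replace it with a placeholder form such as `// e.g. /subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Compute/galleries/{gallery}/images/{definition}[/versions/{version}]` and delete the stale pattern line. Dropping `/versions/(?[^/]+)` is what lets an image-definition id (no version) match, which is presumably the intent; because `Regex.Match` is unanchored the shortened pattern still matches version ids as a prefix, so a one-line comment saying both forms are accepted on purpose would spare the next reader the same investigation. The enclosing method continues outside the hunk.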
@@ -628,7 +628,7 @@ public void TestVMDefaultsToTrustedLaunchWithNullEncryptionAtHost() } [Fact] - [Trait(Category.AcceptanceType, Category.CheckIn)] + [Trait(Category.AcceptanceType, Category.LiveOnly)] public void TestVMTLWithGallerySourceImage() { TestRunner.RunTestScript("Test-VMTLWithGallerySourceImage"); diff --git a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 index 6a84e44528d8..c477d266b9dd 100644 --- a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 +++ b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 
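Review bot: Switching the trait to `Category.LiveOnly` takes `TestVMTLWithGallerySourceImage` out of the recorded CheckIn run, so the gallery-image path this series changes in `NewAzureVMCommand.DefaultExecuteCmdlet` has no regression coverage in CI. The PowerShell hunk's comment says the recording could not wait for image-version provisioning; a recording-independent unit test that feeds representative gallery, managed-image and platform-image ids through the new id classification (extracted into a small static helper) would cover the code change without a live resource. If it must stay live-only, a one-line comment above the trait such as `// LiveOnly: gallery image version provisioning cannot be awaited under playback.` would stop the next maintainer from flipping it back.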
@@ -7269,441 +7269,20 @@ function Test-VMDefaultsToTrustedLaunchWithNullEncryptionAtHost <# .SYNOPSIS -Test Virtual Machines default to SecurityType = TrustedLaunch. -Other necessary defaults also occur for TL support. -EncryptionAtHost (a feature requiring a feature flag) must be null. -#> -function Test-VMTLWithImageSource -{ - # Setup - $rgname = Get-ComputeTestResourceName; - $loc = Get-ComputeVMLocation; - - try - { - $loc = "eastus"; - $rgname = "adsandgal4"; - New-AzResourceGroup -Name $rgname -Location $loc -Force; - # SimpleParameterSet, no config, scenario. - # create credential - $password = "Testing1234567";#Get-PasswordForVM; - $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; - $user = "admin01";#Get-ComputeTestResourceName; - $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword); - - # Add one VM from creation - $vmname = 'vm' + $rgname; - $domainNameLabel = "d1" + $rgname; - $securityType_TL = "TrustedLaunch"; - $PublisherName = "MicrosoftWindowsServer"; - $Offer = "WindowsServer"; - $SKU = "2022-datacenter-azure-edition"; - $version = "latest"; - $disable = $false; - $enable = $true; - $galleryName = "g" + $rgname; - $vnetname = "vn" + $rgname; - $vnetAddress = "10.0.0.0/16"; - $subnetname = "slb" + $rgname; - $subnetAddress = "10.0.2.0/24"; - $OSDiskName = $vmname + "-osdisk"; - $NICName = $vmname+ "-nic"; - $NSGName = $vmname + "-NSG"; - $OSDiskSizeinGB = 128; - $VMSize = "Standard_DS2_v2"; - - # Gallery - $vm = New-AzVM -ResourceGroupName $rgname -Name $vmname -Credential $cred -DomainNameLabel $domainNameLabel -SecurityType "Standard"; - Stop-AzVM -ResourceGroupName $rgname -Name $vmname -Force ; - Set-AzVM -ResourceGroupName $rgname -Name $vmname -Generalized ; - - $imageName = "im" + $rgname; - $imageConfig = New-AzImageConfig -Location $loc -SourceVirtualMachineId $vm.Id; - $managedImage = New-AzImage -Image $imageConfig -ImageName $imageName -ResourceGroupName $rgname; - - # default 
provided image: - # $image = Get-AzVMImage -Skus $SKU -Offer $Offer -PublisherName $PublisherName -Location $loc -Version latest; - - # Gallery - $gal = New-AzGallery -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc; - $imageDefinitionName = "ig" + $rgname; - $osType = "Windows"; # use "Linux" for Linux - $galImg = New-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc -Name $imageDefinitionName -OsState generalized -OsType $osType -Publisher $PublisherName -Offer $Offer -Sku $Sku; - $imageVersion = "1.0.0"; - $galImgVer = New-AzGalleryImageVersion -GalleryImageDefinitionName $imageDefinitionName -GalleryImageVersionName $imageVersion -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc -SourceImageId $managedImage.Id; - - # Network - $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetname -AddressPrefix $subnetAddress; - - $vnet = New-AzVirtualNetwork -Name $vnetname -ResourceGroupName $rgname -Location $loc -AddressPrefix $vnetAddress -Subnet $frontendSubnet; - - $nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name RDP -Protocol Tcp -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow; - $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $loc -Name $NSGName -SecurityRules $nsgRuleRDP; - $nic = New-AzNetworkInterface -Name $NICName -ResourceGroupName $RGName -Location $loc -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id -EnableAcceleratedNetworking; - - # VM - $vmname2 = "2" + $vmname; - $vmConfig = New-AzVMConfig -VMName $vmname2 -VMSize $VMSize; - Set-AzVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmname2 -Credential $cred; - Set-AzVMSourceImage -VM $vmConfig -Id $galImgVer.Id ; - Set-AzVMOSDisk -VM $vmConfig -Caching 'ReadOnly' -CreateOption FromImage; - Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id; - - New-AzVM -ResourceGroupName 
$rgname -Location $loc -VM $vmConfig;# -Verbose;# -Debug; - - $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname2; - - - # Validate - Assert-AreEqual $vm.SecurityProfile.SecurityType $securityType_TL; - Assert-AreEqual $vm.SecurityProfile.UefiSettings.SecureBootEnabled $enable; - Assert-AreEqual $vm.SecurityProfile.UefiSettings.VTpmEnabled $enable; - Assert-AreEqual $vm.StorageProfile.ImageReference.Sku $SKU; - Assert-Null $vm.SecurityProfile.EncryptionAtHost; - } - finally - { - # Cleanup - Clean-ResourceGroup $rgname; - } -} - -<# -.SYNOPSIS -Test Virtual Machines default to SecurityType = TrustedLaunch. -Other necessary defaults also occur for TL support. -EncryptionAtHost (a feature requiring a feature flag) must be null. -#> -function Test-VMTLWithGallerySource -{ - # Setup - $rgname = Get-ComputeTestResourceName; - $loc = Get-ComputeVMLocation; - - try - { - $loc = "eastus"; - $location = $loc; - $rgname = "adsandgdef8"; - New-AzResourceGroup -Name $rgname -Location $loc -Force; - # SimpleParameterSet, no config, scenario. 
- # create credential - $password = "Testing1234567";#Get-PasswordForVM; - $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; - $user = "admin01";#Get-ComputeTestResourceName; - $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword); - - # Add one VM from creation - $vmname = 'vm' + $rgname; - $domainNameLabel = "d1" + $rgname; - $securityType_TL = "TrustedLaunch"; - $PublisherName = "MicrosoftWindowsServer"; - $Offer = "WindowsServer"; - $SKU = "2022-datacenter-azure-edition"; - $version = "latest"; - $disable = $false; - $enable = $true; - $galleryName = "g" + $rgname; - $vnetname = "vn" + $rgname; - $vnetAddress = "10.0.0.0/16"; - $subnetname = "slb" + $rgname; - $subnetAddress = "10.0.2.0/24"; - $pubipname = "p" + $rgname; - $OSDiskName = $vmname + "-osdisk"; - $NICName = $vmname+ "-nic"; - $NSGName = $vmname + "-NSG"; - $nsgrulename = "nsr" + $rgname; - $OSDiskSizeinGB = 128; - $VMSize = "Standard_DS2_v2"; - $vmname2 = "2" + $vmname; - - # Gallery - $vnetname1 = "vn1" + $rgname; - $vnetAddress = "10.0.0.0/16"; - $subnetname1 = "slb1" + $rgname; - $subnetAddress = "10.0.2.0/24"; - $pubipname1 = "p1" + $rgname; - $OSDiskName1 = $vmname + "-osdisk1"; - $NICName1 = $vmname+ "-nic1"; - $NSGName1 = $vmname + "-NSG1"; - $nsgrulename = "nsr1" + $rgname; - $diskname = "di" + $rgname; - $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetname1 -AddressPrefix $subnetAddress; - $vnet = New-AzVirtualNetwork -Name $vnetname1 -ResourceGroupName $rgname -Location $loc -AddressPrefix $vnetAddress -Subnet $frontendSubnet; - $nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name RDP -Protocol Tcp -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow; - $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $loc -Name $NSGName1 -SecurityRules $nsgRuleRDP; - $nic = New-AzNetworkInterface -Name $NICName1 
-ResourceGroupName $RGName -Location $loc -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id -EnableAcceleratedNetworking; - - $image = Get-AzVMImage -Skus $SKU -Offer $Offer -PublisherName $PublisherName -Location $loc -Version latest; - $diskconfig = New-AzDiskConfig -DiskSizeGB 127 -AccountType Premium_LRS -OsType Windows -CreateOption FromImage -Location $loc -HyperVGeneration "V2"; - $diskconfig = Set-AzDiskImageReference -Disk $diskconfig -Id $image.Id; - $diskConfig = Set-AzDiskSecurityProfile -SecurityType "Standard" -Disk $diskConfig; - $disk = New-AzDisk -ResourceGroupName $rgname -DiskName $diskname -Disk $diskconfig; - - $vmConfig = New-AzVMConfig -VMName $vmName -VMSize $VMSize -SecurityType "Standard"; - $vmConfig = Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id; - $vmConfig = Set-AzVMOSDisk -Windows -ManagedDiskId $disk.Id -CreateOption Attach -VM $vmConfig; - New-AzVM -ResourceGroupName $rgname -Location $loc -VM $vmConfig; - # $vm = New-AzVM -ResourceGroupName $rgname -Name $vmname -Credential $cred -DomainNameLabel $domainNameLabel -SecurityType "Standard"; - Stop-AzVM -ResourceGroupName $rgname -Name $vmname -Force ; - Set-AzVM -ResourceGroupName $rgname -Name $vmname -Generalized ; - - $imageName = "im" + $rgname; - $imageConfig = New-AzImageConfig -Location $loc -SourceVirtualMachineId $vm.Id -HyperVGeneration "V2"; - $managedImage = New-AzImage -Image $imageConfig -ImageName $imageName -ResourceGroupName $rgname; - - # default provided image: - # $image = Get-AzVMImage -Skus $SKU -Offer $Offer -PublisherName $PublisherName -Location $loc -Version latest; - - # Gallery - $gal = New-AzGallery -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc; - $imageDefinitionName = "ig" + $rgname; - $osType = "Windows"; # use "Linux" for Linux - - $SecurityType = @{Name='SecurityType';Value='TrustedLaunchSupported'}; - $features = @($SecurityType); - New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName 
$galleryName -Name $imageDefinitionName -Location $loc -Publisher $publisherName -Offer $offer -Sku $sku -HyperVGeneration "V2" -OsState "Generalized" -OsType "Windows" -Feature $features; - # $galImg = New-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc -Name $imageDefinitionName -OsState generalized -OsType $osType -Publisher $PublisherName -Offer $Offer -Sku $Sku; - $galleryImageVersionName = "1.0.0" - $sourceImageId = $managedImage.Id;#"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myVMRG/providers/Microsoft.Compute/galleries/MyGallery/images/Gen2VMImageDef/versions/0.0.1" - $galImgVer = New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $imageDefinitionName -Name $galleryImageVersionName -Location $loc -SourceImageId $sourceImageId; - # $galImgVer = New-AzGalleryImageVersion -GalleryImageDefinitionName $imageDefinitionName -GalleryImageVersionName $imageVersion -GalleryName $galleryName -ResourceGroupName $rgname -Location $loc -SourceImageId $managedImage.Id; - $vmSize = "Standard_D2s_v5"; - $imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgName -Name $imageDefinitionName; - # Network pieces - $subnetConfig = New-AzVirtualNetworkSubnetConfig ` - -Name $subnetname ` - -AddressPrefix 192.168.1.0/24 - $vnet = New-AzVirtualNetwork ` - -ResourceGroupName $rgName ` - -Location $location ` - -Name $vnetAddress ` - -AddressPrefix 192.168.0.0/16 ` - -Subnet $subnetConfig - $pip = New-AzPublicIpAddress ` - -ResourceGroupName $rgName ` - -Location $location ` - -Name $pubipname ` - -AllocationMethod Static ` - -IdleTimeoutInMinutes 4 - $nsgRuleRDP = New-AzNetworkSecurityRuleConfig ` - -Name $nsgrulename ` - -Protocol Tcp ` - -Direction Inbound ` - -Priority 1000 ` - -SourceAddressPrefix * ` - -SourcePortRange * ` - -DestinationAddressPrefix * ` - -DestinationPortRange 3389 ` - -Access Deny - $nsg = 
New-AzNetworkSecurityGroup ` - -ResourceGroupName $rgName ` - -Location $location ` - -Name $NSGName ` - -SecurityRules $nsgRuleRDP - $nic = New-AzNetworkInterface ` - -Name $NICName ` - -ResourceGroupName $rgName ` - -Location $location ` - -SubnetId $vnet.Subnets[0].Id ` - -PublicIpAddressId $pip.Id ` - -NetworkSecurityGroupId $nsg.Id - $vm = New-AzVMConfig -vmName $vmname2  -vmSize $vmSize | ` - Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | ` - Set-AzVMSourceImage -Id $imageDefinition.Id | ` - Add-AzVMNetworkInterface -Id $nic.Id - #$vm = Set-AzVMSecurityProfile -SecurityType "TrustedLaunch" -VM $vm - #$vm = Set-AzVmUefi -VM $vm ` - # -EnableVtpm $true ` - # -EnableSecureBoot $true - New-AzVM ` - -ResourceGroupName $rgName ` - -Location $location ` - -VM $vm; - - - - $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname2; - - - # Validate - Assert-AreEqual $vm.SecurityProfile.SecurityType $securityType_TL; - Assert-AreEqual $vm.SecurityProfile.UefiSettings.SecureBootEnabled $enable; - Assert-AreEqual $vm.SecurityProfile.UefiSettings.VTpmEnabled $enable; - Assert-AreEqual $vm.StorageProfile.ImageReference.Sku $SKU; - Assert-Null $vm.SecurityProfile.EncryptionAtHost; - } - finally - { - # Cleanup - Clean-ResourceGroup $rgname; - } -} - -<# -.SYNOPSIS -Test Virtual Machines default to SecurityType = TrustedLaunch. -Other necessary defaults also occur for TL support. -EncryptionAtHost (a feature requiring a feature flag) must be null. -demo script provided from Ajay or demo acg. -#> -function Test-VMTLWithGallerySourceDemo -{ - # Setup - $rgname = Get-ComputeTestResourceName; - $loc = Get-ComputeVMLocation; - - try - { - # Set-AzContext -Subscription "d978fb46-d408-4e80-b1a1-db3bb535cfba"; - $loc = "westus3"; - $location = $loc; - $rgname = "adsandimg3"; - New-AzResourceGroup -Name $rgname -Location $loc -Force; - # SimpleParameterSet, no config, scenario. 
- # create credential - $password = "Testing1234567";#Get-PasswordForVM; - $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; - $user = "admin01";#Get-ComputeTestResourceName; - $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword); - - # Add one VM from creation - $vmname = 'vm' + $rgname; - $domainNameLabel = "d1" + $rgname; - $securityType_TL = "TrustedLaunch"; - $PublisherName = "MicrosoftWindowsServer"; - $Offer = "WindowsServer"; - $SKU = "2022-datacenter-azure-edition"; - $version = "latest"; - $disable = $false; - $enable = $true; - $galleryName = "g" + $rgname; - $vnetname = "vn" + $rgname; - $vnetAddress = "10.0.0.0/16"; - $subnetname = "slb" + $rgname; - $subnetAddress = "10.0.2.0/24"; - $pubipname = "p" + $rgname; - $OSDiskName = $vmname + "-osdisk"; - $NICName = $vmname+ "-nic"; - $NSGName = $vmname + "-NSG"; - $nsgrulename = "nsr" + $rgname; - $OSDiskSizeinGB = 128; - $VMSize = "Standard_DS2_v2"; - $vmname2 = "2" + $vmname; - - # Gallery - # $vnetname1 = "vn1" + $rgname; - # $vnetAddress = "10.0.0.0/16"; - # $subnetname1 = "slb1" + $rgname; - # $subnetAddress = "10.0.2.0/24"; - # $pubipname1 = "p1" + $rgname; - # $OSDiskName1 = $vmname + "-osdisk1"; - # $NICName1 = $vmname+ "-nic1"; - # $NSGName1 = $vmname + "-NSG1"; - # $nsgrulename = "nsr1" + $rgname; - # $diskname = "di" + $rgname; - # $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetname1 -AddressPrefix $subnetAddress; - # $vnet = New-AzVirtualNetwork -Name $vnetname1 -ResourceGroupName $rgname -Location $loc -AddressPrefix $vnetAddress -Subnet $frontendSubnet; - # $nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name RDP -Protocol Tcp -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow; - # $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $loc -Name $NSGName1 -SecurityRules $nsgRuleRDP; - # $nic = 
New-AzNetworkInterface -Name $NICName1 -ResourceGroupName $RGName -Location $loc -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id -EnableAcceleratedNetworking; - - $vmSize = "Standard_D2s_v5"; - #$imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgName -Name $imageDefinitionName; - $rgNameDef = "demoacgrg"; - $galName = "demoacg"; - $galDefName = "demotlsupported"; - $imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galName -ResourceGroupName $rgNameDef -Name $galDefName; - # Network pieces - $subnetConfig = New-AzVirtualNetworkSubnetConfig ` - -Name $subnetname ` - -AddressPrefix $subnetAddress;#192.168.1.0/24; - $vnet = New-AzVirtualNetwork ` - -ResourceGroupName $rgName -Location $location -Name $vnetAddress -AddressPrefix $vnetAddress ` - -Subnet $subnetConfig;#192.168.0.0/16 ` - $pip = New-AzPublicIpAddress ` - -ResourceGroupName $rgName ` - -Location $location ` - -Name $pubipname ` - -AllocationMethod Static ` - -IdleTimeoutInMinutes 4; - $nsgRuleRDP = New-AzNetworkSecurityRuleConfig ` - -Name $nsgrulename ` - -Protocol Tcp ` - -Direction Inbound ` - -Priority 1000 ` - -SourceAddressPrefix * ` - -SourcePortRange * ` - -DestinationAddressPrefix * ` - -DestinationPortRange 3389 ` - -Access Deny; - $nsg = New-AzNetworkSecurityGroup ` - -ResourceGroupName $rgName ` - -Location $location ` - -Name $NSGName ` - -SecurityRules $nsgRuleRDP; - $nic = New-AzNetworkInterface ` - -Name $NICName ` - -ResourceGroupName $rgName ` - -Location $location ` - -SubnetId $vnet.Subnets[0].Id ` - -PublicIpAddressId $pip.Id ` - -NetworkSecurityGroupId $nsg.Id; - $vm = New-AzVMConfig -vmName $vmname2  -vmSize $vmSize | ` - Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | ` - Set-AzVMSourceImage -Id $imageDefinition.Id | ` - Add-AzVMNetworkInterface -Id $nic.Id; - #$vm = Set-AzVMSecurityProfile -SecurityType "TrustedLaunch" -VM $vm - #$vm = Set-AzVmUefi -VM $vm ` - # -EnableVtpm $true ` - # 
-EnableSecureBoot $true - New-AzVM ` - -ResourceGroupName $rgName ` - -Location $location ` - -VM $vm; - - - - $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname2; - - - # Validate - Assert-AreEqual $vm.SecurityProfile.SecurityType $securityType_TL; - Assert-AreEqual $vm.SecurityProfile.UefiSettings.SecureBootEnabled $enable; - Assert-AreEqual $vm.SecurityProfile.UefiSettings.VTpmEnabled $enable; - Assert-AreEqual $vm.StorageProfile.ImageReference.Sku $SKU; - Assert-Null $vm.SecurityProfile.EncryptionAtHost; - } - finally - { - # Cleanup - Clean-ResourceGroup $rgname; - } -} - - -<# -.SYNOPSIS -Test Virtual Machines default to SecurityType = TrustedLaunch. -Other necessary defaults also occur for TL support. -EncryptionAtHost (a feature requiring a feature flag) must be null. -demo script provided from Ajay or demo acg. +Tests that a VM that is created from a Gallery Image source +does not error out due to TL defaulting code that looks for the image version +assuming it has a different format. #> function Test-VMTLWithGallerySourceImage { # Setup $rgname = Get-ComputeTestResourceName; - $loc = "westus3"; + $loc = Get-ComputeVMLocation; try { - # Set-AzContext -Subscription "d978fb46-d408-4e80-b1a1-db3bb535cfba"; - # Set-AzContext -Subscription "e37510d7-33b6-4676-886f-ee75bcc01871"; - # $loc = "eastus"; $location = $loc; - # $rgname = "adsandimg7"; New-AzResourceGroup -Name $rgname -Location $loc -Force; - # SimpleParameterSet, no config, scenario. # create credential $password = Get-PasswordForVM; $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; @@ -7736,10 +7315,6 @@ function Test-VMTLWithGallerySourceImage # Gallery $resourceGroup = $rgname - $vmName = 'v' + $resourceGroup - $userName = 'usertest' - $pass = "Testing1234567" | ConvertTo-SecureString -AsPlainText -Force - $cred = New-Object System.Management.Automation.PSCredential ($userName, $pass) $galleryName = 'gl' + $rgname $definitionName = 'def' + $rgname $skuDetails = @{ 
@@ -7783,21 +7358,17 @@ function Test-VMTLWithGallerySourceImage HyperVGeneration = $hyperVGeneration ErrorAction = 'Stop' } - if ($trustedLaunch -eq $true) { - $SecurityType = @{Name='SecurityType';Value='TrustedLaunchSupported'} - $features = @($SecurityType) - $paramNewAzImageDef.Add('Feature', $features) - } - $imageDefinition = New-AzGalleryImageDefinition @paramNewAzImageDef - - + New-AzGalleryImageDefinition @paramNewAzImageDef | Out-Null; + $imageDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName; + # Setup Image Version + $imageVersionName = "1.0.0"; $paramNewAzImageVer = @{ ResourceGroupName = $resourceGroup GalleryName = $galleryName GalleryImageDefinitionName = $definitionName - Name = "1.0.0" + Name = $imageVersionName Location = $location SourceImageId = $vm.Id ErrorAction = 'Stop' 
@@ -7805,24 +7376,22 @@ function Test-VMTLWithGallerySourceImage AsJob = $true } New-AzGalleryImageVersion @paramNewAzImageVer | Out-Null - - # Add arbitary delay for Image Ver provisioning - Start-Sleep -Seconds 1000; - + + # Check image version status + # Looping to wait for the provisioningState to go to Succeeded never ends despite + # the status changing in portal. Image Definition is never seen by this PS script + # despite it being there, so making this a manual test. + Start-Sleep -Seconds 120 ; + # Vm $vmSize = "Standard_D2s_v5"; - #$imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $rgName -Name $imageDefinitionName; - #$rgNameDef = "demoacgrg"; - #$galName = "demoacg"; - #$galDefName = "demotlsupported"; - # $imageDefinition = Get-AzGalleryImageDefinition -GalleryName $galName -ResourceGroupName $rgNameDef -Name $galDefName; # Network pieces $subnetConfig = New-AzVirtualNetworkSubnetConfig ` -Name $subnetname ` - -AddressPrefix $subnetAddress;#192.168.1.0/24; + -AddressPrefix $subnetAddress; $vnet = New-AzVirtualNetwork ` -ResourceGroupName $rgName -Location $location -Name $vnetname -AddressPrefix $vnetAddress ` - -Subnet $subnetConfig;#192.168.0.0/16 ` + -Subnet $subnetConfig; $pip = New-AzPublicIpAddress ` -ResourceGroupName $rgName ` -Location $location ` @@ -7854,12 +7423,7 @@ function Test-VMTLWithGallerySourceImage $vm = New-AzVMConfig -vmName $vmname2  -vmSize $vmSize | ` Set-AzVMSourceImage -Id $imageDefinition.Id | ` Add-AzVMNetworkInterface -Id $nic.Id; - # Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | ` - - #$vm = Set-AzVMSecurityProfile -SecurityType "TrustedLaunch" -VM $vm - #$vm = Set-AzVmUefi -VM $vm ` - # -EnableVtpm $true ` - # -EnableSecureBoot $true + New-AzVM ` -ResourceGroupName $rgName ` -Location $location ` 
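Review bot: `New-AzGalleryImageVersion @paramNewAzImageVer | Out-Null` discards the job object that `AsJob = $true` returns, which is why the script then has to guess with `Start-Sleep -Seconds 120` (raised to 1000 in the later hunk at `@@ -7375,13 +7374,15 @@`, which has the same problem). Keeping the job and waiting on it removes the guess: `$imageVersionJob = New-AzGalleryImageVersion @paramNewAzImageVer;` followed by `$imageVersionJob | Wait-Job -Timeout 1800 | Out-Null;` (and `Receive-Job` if its output or errors are wanted). The comment about the provisioningState loop never ending should then be dropped or reworded, since waiting on the job does not depend on the definition being visible to the script. The enclosing function starts outside the hunk.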
@@ -7867,7 +7431,6 @@ function Test-VMTLWithGallerySourceImage $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname2; - # Validate Assert-Null $vm.SecurityProfile; } diff --git a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs index c8b16407d63a..5563848a4952 100644 --- a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs +++ b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs @@ -993,8 +993,6 @@ public void DefaultExecuteCmdlet() string defaultExistingImagePattern = @"/Subscriptions/(?[^/]+)/Providers/Microsoft.Compute/Locations/(?[^/]+)/Publishers/(?[^/]+)/ArtifactTypes/VMImage/Offers/(?[^/]+)/Skus/(?[^/]+)/Versions/(?[^/]+)"; //Gallery Id - //imageRefString: "/subscriptions/e37510d7-33b6-4676-886f-ee75bcc01871/resourceGroups/adsandimg3/providers/Microsoft.Compute/galleries/gladsandimg3/images/defadsandimg3" - // pattern: @"/subscriptions/(?[^/]+)/resourceGroups/(?[^/]+)/providers/Microsoft.Compute/galleries/(?[^/]+)/images/(?[^/]+)/versions/(?[^/]+)"; Regex galleryRgx = new Regex(galleryImgIdPattern, RegexOptions.IgnoreCase); Match galleryMatch = galleryRgx.Match(imageRefString); // Managed Image Id @@ -1005,7 +1003,6 @@ public void DefaultExecuteCmdlet() Match defaultImageMatch = defaultImageRgx.Match(imageRefString); if (galleryMatch.Success) { - // It's a Gallery Image Id // do nothing, send message to use TL. if (this.AsJobPresent() == false) // to avoid a failure when it is a job. Seems to fail when it is a job. { @@ -1014,7 +1011,6 @@ public void DefaultExecuteCmdlet() } else if (managedImageMatch.Success) { - // It's a Managed Image Id // do nothing, send message to use TL. if (this.AsJobPresent() == false) // to avoid a failure when it is a job. Seems to fail when it is a job. { 
@@ -1039,6 +1035,14 @@ public void DefaultExecuteCmdlet() setHyperVGenForImageCheckAndTLDefaulting(imgResponse); } + else + { + // Default behavior is to remind customer to use TrustedLaunch. + if (this.AsJobPresent() == false) // to avoid a failure when it is a job. Seems to fail when it is a job. + { + WriteInformation(HelpMessages.TrustedLaunchUpgradeMessage, new string[] { "PSHOST" }); + } + } } else { From 0220e9f2ea46d5fdf1b635eefb0d6b2ec5d26282 Mon Sep 17 00:00:00 2001 From: Adam Sandor Date: Fri, 26 Jan 2024 14:41:25 -0500 Subject: [PATCH 5/7] changelog --- .../ScenarioTests/VirtualMachineTests.ps1 | 11 ++++++----- src/Compute/Compute/ChangeLog.md | 1 + 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 index c477d266b9dd..6f0f2cb4798c 100644 --- a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 +++ b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1 @@ -7359,8 +7359,7 @@ function Test-VMTLWithGallerySourceImage ErrorAction = 'Stop' } - New-AzGalleryImageDefinition @paramNewAzImageDef | Out-Null; - $imageDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName; + New-AzGalleryImageDefinition @paramNewAzImageDef; # Setup Image Version $imageVersionName = "1.0.0"; 
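Review bot: The added `else` branch treats any ImageReference.Id that matched none of the three patterns — including a malformed or unexpectedly shaped id — exactly like a recognised gallery image: it prints the TrustedLaunch reminder and silently skips the Gen2/TL defaulting, leaving no trace of why. A `WriteDebug($"ImageReference.Id did not match a known image id format; skipping TrustedLaunch defaulting: {imageRefString}");` before the reminder would make the skipped path diagnosable from a `-Debug` run. The comment `// to avoid a failure when it is a job. Seems to fail when it is a job.` is now copied a third time without saying what fails; one sentence stating the observed failure of WriteInformation with the PSHOST tag under -AsJob would be better than three guesses. The enclosing method starts and ends outside the hunk.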
@@ -7375,13 +7374,15 @@ function Test-VMTLWithGallerySourceImage StorageAccountType = $storageAccountSku AsJob = $true } - New-AzGalleryImageVersion @paramNewAzImageVer | Out-Null - + New-AzGalleryImageVersion @paramNewAzImageVer | Out-Null; + + $imageDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName; + # Check image version status # Looping to wait for the provisioningState to go to Succeeded never ends despite # the status changing in portal. Image Definition is never seen by this PS script # despite it being there, so making this a manual test. - Start-Sleep -Seconds 120 ; + Start-Sleep -Seconds 1000 ; # Vm $vmSize = "Standard_D2s_v5"; diff --git a/src/Compute/Compute/ChangeLog.md b/src/Compute/Compute/ChangeLog.md index 7453bef5a15a..af5ff895cd11 100644 --- a/src/Compute/Compute/ChangeLog.md +++ b/src/Compute/Compute/ChangeLog.md @@ -23,6 +23,7 @@ * Fixed `New-AzVmss` to correctly work when using `-EdgeZone` by creating the Load Balancer in the correct edge zone. * Removed references to image aliases in `New-AzVM` and `New-AzVmss` to images that were removed. * Az.Compute is updated to use the 2023-09-01 ComputeRP REST API calls. +* Fixed `New-AzVM` when a source image is specified to avoid an error on the `Version` value. ## Version 7.1.0 * Added new parameter `-ElasticSanResourceId` to `New-AzSnapshotConfig` cmdlet. From f882eea775046e2355beee55ccbd961085cadb64 Mon Sep 17 00:00:00 2001 From: Adam Sandor Date: Fri, 26 Jan 2024 16:39:06 -0500 Subject: [PATCH 6/7] cleanup --- .../Operation/NewAzureVMCommand.cs | 28 ++++++++----------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs index 5563848a4952..7c6e32ac647d 100644 --- a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs 
+++ b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs @@ -1001,23 +1001,8 @@ public void DefaultExecuteCmdlet() // Default Image Id Regex defaultImageRgx = new Regex(defaultExistingImagePattern, RegexOptions.IgnoreCase); Match defaultImageMatch = defaultImageRgx.Match(imageRefString); - if (galleryMatch.Success) - { - // do nothing, send message to use TL. - if (this.AsJobPresent() == false) // to avoid a failure when it is a job. Seems to fail when it is a job. - { - WriteInformation(HelpMessages.TrustedLaunchUpgradeMessage, new string[] { "PSHOST" }); - } - } - else if (managedImageMatch.Success) - { - // do nothing, send message to use TL. - if (this.AsJobPresent() == false) // to avoid a failure when it is a job. Seems to fail when it is a job. - { - WriteInformation(HelpMessages.TrustedLaunchUpgradeMessage, new string[] { "PSHOST" }); - } - } - else if (defaultImageMatch.Success) + + if (defaultImageMatch.Success) { var parts = imageRefString.Split(new char[] { '/' }, StringSplitOptions.RemoveEmptyEntries); // It's a default existing image @@ -1035,6 +1020,15 @@ public void DefaultExecuteCmdlet() setHyperVGenForImageCheckAndTLDefaulting(imgResponse); } + // This scenario might have additional logic added later, so making its own if check fo now. + else if (galleryMatch.Success || managedImageMatch.Success) + { + // do nothing, send message to use TL. + if (this.AsJobPresent() == false) // to avoid a failure when it is a job. Seems to fail when it is a job. + { + WriteInformation(HelpMessages.TrustedLaunchUpgradeMessage, new string[] { "PSHOST" }); + } + } else { // Default behavior is to remind customer to use TrustedLaunch. From f3038f85c44b84f6f24ecc2526de2c812997e19c Mon Sep 17 00:00:00 2001 From: Adam Sandor Date: Fri, 26 Jan 2024 17:47:25 -0500 Subject: [PATCH 7/7] cleanup --- .../Operation/NewAzureVMCommand.cs | 50 ++++++++----------- 1 file changed, 22 insertions(+), 28 deletions(-) 
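Review bot: The new `else if (galleryMatch.Success || managedImageMatch.Success)` branch and the trailing `else` have the same body (the AsJob-guarded TrustedLaunch reminder), so the gallery and managed-image regexes are evaluated only to choose between two identical paths. If the gallery case is kept separate because more logic is coming (the comment's `fo now` reads `for now`), the intended distinct behaviour should at least be sketched there; otherwise the branch can be folded into the `else`. Note that on this path a gallery image definition carrying the `TrustedLaunchSupported` feature (the value the removed test code set on its definition) only yields the reminder and is never defaulted to TrustedLaunch, which may or may not be intended. The `if (this.AsJobPresent() == false) { WriteInformation(...) }` block is now repeated verbatim in two branches; a small helper removes the duplication and gives the AsJob caveat one home, with each branch reduced to `WriteTrustedLaunchReminder();`.
```csharp
// Emits the TrustedLaunch upgrade reminder. WriteInformation with the PSHOST tag is
// skipped under -AsJob because it reportedly fails in the job context (see AsJobPresent()).
private void WriteTrustedLaunchReminder()
{
    if (!this.AsJobPresent())
    {
        WriteInformation(HelpMessages.TrustedLaunchUpgradeMessage, new string[] { "PSHOST" });
    }
}
```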
diff --git a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs index 7c6e32ac647d..e54ec59e7ed3 100644 --- a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs +++ b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs @@ -938,14 +938,12 @@ public void DefaultExecuteCmdlet() && this.VM.StorageProfile?.ImageReference?.SharedGalleryImageId == null) //had to add this { defaultTrustedLaunchAndUefi(); - setTrustedLaunchImage(); } - // Disk attached scenario for TL defaulting // Determines if the disk has SecurityType enabled. // If so, turns on TrustedLaunch for this VM. - if (this.VM.SecurityProfile?.SecurityType == null + else if (this.VM.SecurityProfile?.SecurityType == null && this.VM.StorageProfile?.OsDisk?.ManagedDisk?.Id != null) { var mDiskId = this.VM.StorageProfile?.OsDisk?.ManagedDisk.Id.ToString(); 
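Review bot: Dropping `setTrustedLaunchImage();` from the first branch while turning the following blocks into an `else if` chain changes what runs when that first branch fires: in the old code the later block `if (this.VM.SecurityProfile?.SecurityType == ConstantValues.TrustedLaunchSecurityType && ... ImageReference == null ...)` (now an `else if` in the hunk at `@@ -1045,16 +1024,31 @@`) still executed afterwards and selected the TrustedLaunch image, whereas as an `else if` it is skipped once the first branch has matched. The first branch's condition lies outside the hunk, so this cannot be confirmed from here, but if it is the `SecurityType == null` defaulting case and `defaultTrustedLaunchAndUefi()` sets the security type, a VM created with no image, no attached disk and no explicit security type now gets TrustedLaunch without the TL image being set; if the condition is instead the same as the final `else if`, that final branch is unreachable. Either restoring `setTrustedLaunchImage();` in the first branch or keeping the final block as an independent `if` resolves it, and a test that creates a VM with only a name and credential and asserts on `StorageProfile.ImageReference` would pin the intended behaviour. DefaultExecuteCmdlet starts and ends outside the hunk.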
@@ -959,33 +957,14 @@ public void DefaultExecuteCmdlet() defaultTrustedLaunchAndUefi(); } } - - // Guest Attestation extension defaulting scenario check. - // And SecureBootEnabled and VtpmEnabled defaulting scenario. - if (this.VM.SecurityProfile?.SecurityType != null - && (this.VM.SecurityProfile?.SecurityType?.ToLower() == ConstantValues.TrustedLaunchSecurityType - || this.VM.SecurityProfile?.SecurityType?.ToLower() == ConstantValues.ConfidentialVMSecurityType)) - { - if (this.VM?.SecurityProfile?.UefiSettings != null) - { - this.VM.SecurityProfile.UefiSettings.SecureBootEnabled = this.VM.SecurityProfile.UefiSettings.SecureBootEnabled ?? true; - this.VM.SecurityProfile.UefiSettings.VTpmEnabled = this.VM.SecurityProfile.UefiSettings.VTpmEnabled ?? true; - } - else - { - this.VM.SecurityProfile.UefiSettings = new UefiSettings(true, true); - } - } - - // ImageReference provided, TL defaulting occurs if image is Gen2. // This will handle when the Id is provided in a URI format and // when the image segments are provided individually. - if (this.VM.SecurityProfile?.SecurityType == null + else if (this.VM.SecurityProfile?.SecurityType == null && this.VM.StorageProfile?.ImageReference != null) { if (this.VM.StorageProfile?.ImageReference?.Id != null) - { + { string imageRefString = this.VM.StorageProfile.ImageReference.Id.ToString(); string galleryImgIdPattern = @"/subscriptions/(?[^/]+)/resourceGroups/(?[^/]+)/providers/Microsoft.Compute/galleries/(?[^/]+)/images/(?[^/]+)"; @@ -1001,7 +980,7 @@ public void DefaultExecuteCmdlet() // Default Image Id Regex defaultImageRgx = new Regex(defaultExistingImagePattern, RegexOptions.IgnoreCase); Match defaultImageMatch = defaultImageRgx.Match(imageRefString); - + if (defaultImageMatch.Success) { var parts = imageRefString.Split(new char[] { '/' }, StringSplitOptions.RemoveEmptyEntries); 
@@ -1045,16 +1024,31 @@ public void DefaultExecuteCmdlet() setHyperVGenForImageCheckAndTLDefaulting(specificImageRespone); } } - - if (this.VM.SecurityProfile?.SecurityType == ConstantValues.TrustedLaunchSecurityType + else if (this.VM.SecurityProfile?.SecurityType == ConstantValues.TrustedLaunchSecurityType && this.VM.StorageProfile?.ImageReference == null && this.VM.StorageProfile?.OsDisk?.ManagedDisk?.Id == null //had to add this - && this.VM.StorageProfile?.ImageReference?.SharedGalleryImageId == null) + && this.VM.StorageProfile?.ImageReference?.SharedGalleryImageId == null) { defaultTrustedLaunchAndUefi(); setTrustedLaunchImage(); } + // SecureBootEnabled and VtpmEnabled defaulting scenario. + if (this.VM.SecurityProfile?.SecurityType != null + && (this.VM.SecurityProfile?.SecurityType?.ToLower() == ConstantValues.TrustedLaunchSecurityType + || this.VM.SecurityProfile?.SecurityType?.ToLower() == ConstantValues.ConfidentialVMSecurityType)) + { + if (this.VM?.SecurityProfile?.UefiSettings != null) + { + this.VM.SecurityProfile.UefiSettings.SecureBootEnabled = this.VM.SecurityProfile.UefiSettings.SecureBootEnabled ?? true; + this.VM.SecurityProfile.UefiSettings.VTpmEnabled = this.VM.SecurityProfile.UefiSettings.VTpmEnabled ?? true; + } + else + { + this.VM.SecurityProfile.UefiSettings = new UefiSettings(true, true); + } + } + // Standard security type removing value since API does not support it yet. if (this.VM.SecurityProfile?.SecurityType != null && this.VM.SecurityProfile?.SecurityType?.ToString().ToLower() == ConstantValues.StandardSecurityType)