From 166d886e671b24aa7a41d39ae98ee4444c25789e Mon Sep 17 00:00:00 2001 From: Abhishek Singh Date: Thu, 31 Aug 2023 21:32:58 +0530 Subject: [PATCH] Powershell changes for supporting CVM feature --- .../custom/New-AzMigrateServerReplication.ps1 | 99 ++++++++++++++++++- 1 file changed, 94 insertions(+), 5 deletions(-) diff --git a/src/Migrate/custom/New-AzMigrateServerReplication.ps1 b/src/Migrate/custom/New-AzMigrateServerReplication.ps1 index c6f6a678cf43..8a13c2849eb0 100644 --- a/src/Migrate/custom/New-AzMigrateServerReplication.ps1 +++ b/src/Migrate/custom/New-AzMigrateServerReplication.ps1 @@ -185,6 +185,26 @@ function New-AzMigrateServerReplication { # Specifies the Operating System disk for the source server to be migrated. ${OSDiskID}, + [ValidateSet("Standard" , "ConfidentialVM")] + [ArgumentCompleter( { "Standard" , "ConfidentialVM" })] + [Microsoft.Azure.PowerShell.Cmdlets.Migrate.Category('Path')] + [System.String] + # Specifies the security type for the Azure VM. + ${TargetSecurityType}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.Migrate.Category('Path')] + [System.Management.Automation.SwitchParameter] + # Specifies whether the confidential encryption of OS disks needs to be enabled. + ${TargetVMConfidentialEncryptionEnabled}, + + [ValidateSet("true" , "false")] + [ArgumentCompleter( { "true" , "false" })] + [Microsoft.Azure.PowerShell.Cmdlets.Migrate.Category('Path')] + [System.String] + # Specifies if secure boot needs to be enabled on target VM. + ${TargetVMSecureBootEnabled}, + [Parameter(ParameterSetName = 'ByIdDefaultUser')] [Parameter(ParameterSetName = 'ByInputObjectDefaultUser')] [Microsoft.Azure.PowerShell.Cmdlets.Migrate.Category('Path')] @@ -261,6 +281,9 @@ function New-AzMigrateServerReplication { $HasResync = $PSBoundParameters.ContainsKey('PerformAutoResync') $HasDiskEncryptionSetID = $PSBoundParameters.ContainsKey('DiskEncryptionSetID') $HasTargetVMSize = $PSBoundParameters.ContainsKey('TargetVMSize') + $HasTargetSecurityType = $PSBoundParameters.ContainsKey('TargetSecurityType') + $HasTargetVMConfidentialEncryptionEnabled = $PSBoundParameters.ContainsKey('TargetVMConfidentialEncryptionEnabled') + $HasTargetVMSecureBootEnabled = $PSBoundParameters.ContainsKey('TargetVMSecureBootEnabled') $null = $PSBoundParameters.Remove('ReplicationContainerMapping') $null = $PSBoundParameters.Remove('VMWarerunasaccountID') @@ -286,6 +309,9 @@ function New-AzMigrateServerReplication { $null = $PSBoundParameters.Remove('SqlServerLicenseType') $null = $PSBoundParameters.Remove('LicenseType') $null = $PSBoundParameters.Remove('DiskEncryptionSetID') + $null = $PSBoundParameters.Remove('TargetSecurityType') + $null = $PSBoundParameters.Remove('TargetVMConfidentialEncryptionEnabled') + $null = $PSBoundParameters.Remove('TargetVMSecureBootEnabled') $null = $PSBoundParameters.Remove('MachineId') $null = $PSBoundParameters.Remove('InputObject') @@ -426,7 +452,7 @@ function New-AzMigrateServerReplication { if ($FabricName -eq "") { throw "Fabric not found for given resource group." } - + $null = $PSBoundParameters.Add('FabricName', $FabricName) $peContainers = Az.Migrate\Get-AzMigrateReplicationProtectionContainer @PSBoundParameters $ProtectionContainerName = "" @@ -539,6 +565,25 @@ public static int hashForArtifact(String artifact) $ProviderSpecificDetails.InstanceType = 'VMwareCbt' $ProviderSpecificDetails.LicenseType = $LicenseType $ProviderSpecificDetails.PerformAutoResync = $PerformAutoResync + if ($HasTargetVMConfidentialEncryptionEnabled) { + $ProviderSpecificDetails.TargetVMSecurityProfileIsTargetVmconfidentialEncryptionEnabled = $TargetVMConfidentialEncryptionEnabled.IsPresent + } + if ($HasTargetVMSecureBootEnabled) { + $ProviderSpecificDetails.TargetVMSecurityProfileIsTargetVmsecureBootEnabled = $TargetVMSecureBootEnabled + } + + if ($HasTargetSecurityType -and $TargetSecurityType -ne "Standard") { + $ProviderSpecificDetails.TargetVMSecurityProfileTargetVmsecurityType = $TargetSecurityType + $ProviderSpecificDetails.TargetVMSecurityProfileIsTargetVmtpmEnabled = $true + + if ($TargetVMSecureBootEnabled -ne $true -and $HasTargetVMConfidentialEncryptionEnabled) { + throw "SecureBoot should be enabled when confidential encryption is enabled." + } + } + elseif ($HasTargetVMConfidentialEncryptionEnabled -or $HasTargetVMSecureBootEnabled) { + throw "SecureBoot and Confidential encryption is supported only when security type is confidential virtual machines." + } + if ($HasTargetAVSet) { $ProviderSpecificDetails.TargetAvailabilitySetId = $TargetAvailabilitySet } @@ -639,6 +684,7 @@ public static int hashForArtifact(String artifact) } Import-Module Az.Resources + Import-Module Az.Compute $vmId = $ProviderSpecificDetails.TargetResourceGroupId + "/providers/Microsoft.Compute/virtualMachines/" + $TargetVMName $VMNamePresentinRg = Get-AzResource -ResourceId $vmId -ErrorVariable notPresent -ErrorAction SilentlyContinue if ($VMNamePresentinRg) { @@ -664,7 +710,7 @@ public static int hashForArtifact(String artifact) $DiskObject.IsOSDisk = "false" $DiskObject.LogStorageAccountSasSecretName = $LogStorageAccountSas $DiskObject.LogStorageAccountId = $LogStorageAccountID - if ($HasDiskEncryptionSetID) { + if (!$HasTargetVMConfidentialEncryptionEnabled -and $HasDiskEncryptionSetID) { $DiskObject.DiskEncryptionSetId = $DiskEncryptionSetID } $DiskToInclude += $DiskObject @@ -678,16 +724,61 @@ public static int hashForArtifact(String artifact) $DiskObject.LogStorageAccountId = $LogStorageAccountID if ($HasDiskEncryptionSetID) { $DiskObject.DiskEncryptionSetId = $DiskEncryptionSetID + + if ($TargetSecurityType -eq "ConfidentialVM") + { + $TargetSubscriptionId = $TargetResourceGroupId.Split('/')[2]; + $SourceSubscriptionId = (Get-AzContext -ErrorVariable notPresent -ErrorAction SilentlyContinue).Subscription.Id + $context = Set-AzContext -SubscriptionId $TargetSubscriptionId -ErrorVariable notPresent -ErrorAction SilentlyContinue + $DiskEncryptionSetName = $DiskEncryptionSetID.Split("/")[-1]; + $DiskEncryptionSetRg = $DiskEncryptionSetID.Split("/")[-5]; + $DiskEncryptionSet = Get-AzDiskEncryptionSet -ResourceGroupName $DiskEncryptionSetRg -Name $DiskEncryptionSetName + + if ($DiskEncryptionSet.EncryptionType -ne $null -and $HasTargetVMConfidentialEncryptionEnabled -and $DiskEncryptionSet.EncryptionType -ne "ConfidentialVmEncryptedWithCustomerKey") { + throw "Disk encryption set should be of type ConfidentialVmEncryptedWithCustomerKey when confidential encryption is enabled." + } + elseif (!$HasTargetVMConfidentialEncryptionEnabled -and $DiskEncryptionSet.EncryptionType -eq "ConfidentialVmEncryptedWithCustomerKey") { + throw "Disk encryption set should be of type ConfidentialVmEncryptedWithCustomerKey when confidential encryption is disabled." + } + $context = Set-AzContext -SubscriptionId $SourceSubscriptionId -ErrorVariable notPresent -ErrorAction SilentlyContinue + } } $DiskToInclude += $DiskObject $ProviderSpecificDetails.DisksToInclude = $DiskToInclude } else { + $TargetSubscriptionId = $TargetResourceGroupId.Split('/')[2]; + $SourceSubscriptionId = (Get-AzContext -ErrorVariable notPresent -ErrorAction SilentlyContinue).Subscription.Id + $context = Set-AzContext -SubscriptionId $TargetSubscriptionId -ErrorVariable notPresent -ErrorAction SilentlyContinue + $DiskEncryptionSetHashset = New-Object System.Collections.Generic.HashSet[string] foreach ($DiskObject in $DiskToInclude) { $DiskObject.LogStorageAccountSasSecretName = $LogStorageAccountSas $DiskObject.LogStorageAccountId = $LogStorageAccountID + if (![string]::IsNullOrEmpty($DiskObject.DiskEncryptionSetId) -and $TargetSecurityType -eq "ConfidentialVM") { + $DiskEncryptionSetName = $DiskObject.DiskEncryptionSetId.Split("/")[-1]; + $DiskEncryptionSetRg = $DiskObject.DiskEncryptionSetId.Split("/")[-5]; + if ($DiskObject.IsOSDisk -eq "true") { + $DiskEncryptionSet = Get-AzDiskEncryptionSet -ResourceGroupName $DiskEncryptionSetRg -Name $DiskEncryptionSetName + if ($HasTargetVMConfidentialEncryptionEnabled -and $DiskEncryptionSet.EncryptionType -ne $null -and $DiskEncryptionSet.EncryptionType -ne "ConfidentialVmEncryptedWithCustomerKey") { + throw "Disk encryption set should be of type ConfidentialVmEncryptedWithCustomerKey when confidential encryption is enabled." + } + elseif (!$HasTargetVMConfidentialEncryptionEnabled -and $DiskEncryptionSet.EncryptionType -eq "ConfidentialVmEncryptedWithCustomerKey") { + throw "Disk encryption set should be of type EncryptionAtRestWithCustomerKey when confidential encryption is disabled." + } + } + else { + if (!$DiskEncryptionSetHashset.Contains($DiskObject.DiskEncryptionSetId)) { + $DiskEncryptionSet = Get-AzDiskEncryptionSet -ResourceGroupName $DiskEncryptionSetRg -Name $DiskEncryptionSetName + if ($DiskEncryptionSet.EncryptionType -eq "ConfidentialVmEncryptedWithCustomerKey") { + throw "Disk encryption set should be of type EncryptionAtRestWithCustomerKey for data disks." + } + $var =$DiskEncryptionSetHashset.Add($DiskObject.DiskEncryptionSetId) + } + } + } } + $context = Set-AzContext -SubscriptionId $SourceSubscriptionId -ErrorVariable notPresent -ErrorAction SilentlyContinue $ProviderSpecificDetails.DisksToInclude = $DiskToInclude } @@ -719,7 +810,5 @@ public static int hashForArtifact(String artifact) $null = $PSBoundParameters.Add('ResourceGroupName', $ResourceGroupName) return Az.Migrate.internal\Get-AzMigrateReplicationJob @PSBoundParameters - } - -} \ No newline at end of file +} \ No newline at end of file