[Compute] az vm create/update: Add new parameters --wire-server-mode --wire-server-access-control-profile-reference-id to support setting wireserver endpoint settings (#31279)

Author: Jing-song

src/azure-cli/azure/cli/command_modules/vm/_params.py

@@ -481,6 +481,7 @@ def load_arguments(self, _):
             c.argument('enable_user_reboot_scheduled_events', options_list=['--enable-user-reboot-scheduled-events', '--enable-reboot'], arg_type=get_three_state_flag(), min_api='2024-07-01', help='The configuration parameter used while publishing scheduled events additional publishing targets.')
             c.argument('enable_user_redeploy_scheduled_events', options_list=['--enable-user-redeploy-scheduled-events', '--enable-redeploy'], arg_type=get_three_state_flag(), min_api='2024-07-01', help='The configuration parameter used while creating user initiated redeploy scheduled event setting creation.')
             c.argument('align_regional_disks_to_vm_zone', options_list=['--align-regional-disks-to-vm-zone', '--align-regional-disks'], arg_type=get_three_state_flag(), min_api='2024-11-01', help='Specify whether the regional disks should be aligned/moved to the VM zone. This is applicable only for VMs with placement property set. Please note that this change is irreversible.')
+            c.argument('key_incarnation_id', type=int, min_api='2024-11-01', help='Increase the value of this property allows user to reset the key used for securing communication channel between guest and host.')
 
     with self.argument_context('vm create', arg_group='Storage') as c:
         c.argument('attach_os_disk', help='Attach an existing OS disk to the VM. Can use the name or ID of a managed disk or the URI to an unmanaged disk VHD.')
@@ -1251,7 +1252,11 @@ def load_arguments(self, _):
             c.argument('v_cpus_per_core', type=int, min_api='2021-11-01', help='Specify the ratio of vCPU to physical core. Setting this property to 1 also means that hyper-threading is disabled.')
             c.argument('disk_controller_type', disk_controller_type)
             c.argument('enable_proxy_agent', arg_type=get_three_state_flag(), min_api='2023-09-01', help='Specify whether proxy agent feature should be enabled on the virtual machine or virtual machine scale set.')
-            c.argument('proxy_agent_mode', arg_type=get_enum_type(self.get_models('Mode')), min_api='2023-09-01', help='Specify the mode that proxy agent will execute on if the feature is enabled.')
+            c.argument('proxy_agent_mode', deprecate_info=c.deprecate(target='--proxy-agent-mode', redirect='--wire-server-mode'), arg_type=get_enum_type(self.get_models('Mode')), min_api='2023-09-01', help='Specify the mode that proxy agent will execute on if the feature is enabled.')
+            c.argument('wire_server_mode', arg_type=get_enum_type(self.get_models('Mode')), min_api='2024-11-01', help='Specify the mode that proxy agent will execute on if the feature is enabled.')
+            c.argument('wire_server_access_control_profile_reference_id', options_list=['--wire-server-access-control-profile-reference-id', '--wire-server-profile-id'], min_api='2024-11-01', help='Specify the access control profile version resource id of wire server.')
+            c.argument('imds_mode', arg_type=get_enum_type(self.get_models('Mode')), min_api='2024-11-01', help='Specify the mode that proxy agent will execute on if the feature is enabled.')
+            c.argument('imds_access_control_profile_reference_id', options_list=['--imds-access-control-profile-reference-id', '--imds-profile-id'], min_api='2024-11-01', help='Specify the access control profile version resource id resource id of imds.')
 
     with self.argument_context('vm update') as c:
         c.argument('license_type', license_type)

src/azure-cli/azure/cli/command_modules/vm/_template_builder.py

@@ -309,7 +309,9 @@ def build_vm_resource(  # pylint: disable=too-many-locals, too-many-statements,
         os_disk_security_encryption_type=None, os_disk_secure_vm_disk_encryption_set=None, disk_controller_type=None,
         enable_proxy_agent=None, proxy_agent_mode=None, additional_scheduled_events=None,
         enable_user_reboot_scheduled_events=None, enable_user_redeploy_scheduled_events=None,
-        zone_placement_policy=None, include_zones=None, exclude_zones=None, align_regional_disks_to_vm_zone=None):
+        zone_placement_policy=None, include_zones=None, exclude_zones=None, align_regional_disks_to_vm_zone=None,
+        wire_server_mode=None, imds_mode=None, wire_server_access_control_profile_reference_id=None,
+        imds_access_control_profile_reference_id=None, key_incarnation_id=None):
 
     os_caching = disk_info['os'].get('caching')
 
@@ -668,12 +670,31 @@ def _build_storage_profile():
         vm_properties['securityProfile']['encryptionAtHost'] = encryption_at_host
 
     proxy_agent_settings = {}
+    wire_server = {}
+    imds = {}
     if enable_proxy_agent is not None:
         proxy_agent_settings['enabled'] = enable_proxy_agent
 
     if proxy_agent_mode is not None:
         proxy_agent_settings['mode'] = proxy_agent_mode
 
+    if key_incarnation_id is not None:
+        proxy_agent_settings['keyIncarnationId'] = key_incarnation_id
+
+    if wire_server_mode is not None or wire_server_access_control_profile_reference_id is not None:
+        wire_server['mode'] = wire_server_mode
+        wire_server['inVMAccessControlProfileReferenceId'] = wire_server_access_control_profile_reference_id
+
+    if imds_mode is not None or imds_access_control_profile_reference_id is not None:
+        imds['mode'] = imds_mode
+        imds['inVMAccessControlProfileReferenceId'] = imds_access_control_profile_reference_id
+
+    if wire_server:
+        proxy_agent_settings['wireServer'] = wire_server
+
+    if imds:
+        proxy_agent_settings['imds'] = imds
+
     if proxy_agent_settings:
         vm_properties['securityProfile']['proxyAgentSettings'] = proxy_agent_settings
 
@@ -1019,7 +1040,9 @@ def build_vmss_resource(cmd, name, computer_name_prefix, location, tags, overpro
                         enable_resilient_vm_creation=None, enable_resilient_vm_deletion=None,
                         additional_scheduled_events=None, enable_user_reboot_scheduled_events=None,
                         enable_user_redeploy_scheduled_events=None, skuprofile_vmsizes=None, skuprofile_allostrat=None,
-                        security_posture_reference_is_overridable=None, zone_balance=None):
+                        security_posture_reference_is_overridable=None, zone_balance=None, wire_server_mode=None,
+                        imds_mode=None, wire_server_access_control_profile_reference_id=None,
+                        imds_access_control_profile_reference_id=None):
 
     # Build IP configuration
     ip_configuration = {}
@@ -1533,12 +1556,28 @@ def build_vmss_resource(cmd, name, computer_name_prefix, location, tags, overpro
         }
 
     proxy_agent_settings = {}
+    wire_server = {}
+    imds = {}
     if enable_proxy_agent is not None:
         proxy_agent_settings['enabled'] = enable_proxy_agent
 
     if proxy_agent_mode is not None:
         proxy_agent_settings['mode'] = proxy_agent_mode
 
+    if wire_server_mode is not None or wire_server_access_control_profile_reference_id is not None:
+        wire_server['mode'] = wire_server_mode
+        wire_server['inVMAccessControlProfileReferenceId'] = wire_server_access_control_profile_reference_id
+
+    if imds_mode is not None or imds_access_control_profile_reference_id is not None:
+        imds['mode'] = imds_mode
+        imds['inVMAccessControlProfileReferenceId'] = imds_access_control_profile_reference_id
+
+    if wire_server:
+        proxy_agent_settings['wireServer'] = wire_server
+
+    if imds:
+        proxy_agent_settings['imds'] = imds
+
     if proxy_agent_settings:
         security_profile['proxyAgentSettings'] = proxy_agent_settings
 

src/azure-cli/azure/cli/command_modules/vm/custom.py

@@ -826,7 +826,9 @@ def create_vm(cmd, vm_name, resource_group_name, image=None, size='Standard_DS1_
               source_disk_restore_point=None, source_disk_restore_point_size_gb=None, ssh_key_type=None,
               additional_scheduled_events=None, enable_user_reboot_scheduled_events=None,
               enable_user_redeploy_scheduled_events=None, zone_placement_policy=None, include_zones=None,
-              exclude_zones=None, align_regional_disks_to_vm_zone=None):
+              exclude_zones=None, align_regional_disks_to_vm_zone=None, wire_server_mode=None, imds_mode=None,
+              wire_server_access_control_profile_reference_id=None, imds_access_control_profile_reference_id=None,
+              key_incarnation_id=None):
 
     from azure.cli.core.commands.client_factory import get_subscription_id
     from azure.cli.core.util import random_string, hash_string
@@ -1052,7 +1054,11 @@ def create_vm(cmd, vm_name, resource_group_name, image=None, size='Standard_DS1_
         enable_user_reboot_scheduled_events=enable_user_reboot_scheduled_events,
         enable_user_redeploy_scheduled_events=enable_user_redeploy_scheduled_events,
         zone_placement_policy=zone_placement_policy, include_zones=include_zones, exclude_zones=exclude_zones,
-        align_regional_disks_to_vm_zone=align_regional_disks_to_vm_zone)
+        align_regional_disks_to_vm_zone=align_regional_disks_to_vm_zone, wire_server_mode=wire_server_mode,
+        imds_mode=imds_mode,
+        wire_server_access_control_profile_reference_id=wire_server_access_control_profile_reference_id,
+        imds_access_control_profile_reference_id=imds_access_control_profile_reference_id,
+        key_incarnation_id=key_incarnation_id)
 
     vm_resource['dependsOn'] = vm_dependencies
 
@@ -1581,7 +1587,9 @@ def update_vm(cmd, resource_group_name, vm_name, os_disk=None, disk_caching=None
               enable_hibernation=None, v_cpus_available=None, v_cpus_per_core=None, disk_controller_type=None,
               security_type=None, enable_proxy_agent=None, proxy_agent_mode=None, additional_scheduled_events=None,
               enable_user_reboot_scheduled_events=None, enable_user_redeploy_scheduled_events=None,
-              align_regional_disks_to_vm_zone=None, **kwargs):
+              align_regional_disks_to_vm_zone=None, wire_server_mode=None, imds_mode=None,
+              wire_server_access_control_profile_reference_id=None, imds_access_control_profile_reference_id=None,
+              key_incarnation_id=None, **kwargs):
     from azure.mgmt.core.tools import parse_resource_id, resource_id, is_valid_resource_id
     from ._vm_utils import update_write_accelerator_settings, update_disk_caching
     SecurityProfile, UefiSettings = cmd.get_models('SecurityProfile', 'UefiSettings')
@@ -1704,18 +1712,37 @@ def update_vm(cmd, resource_group_name, vm_name, os_disk=None, disk_caching=None
         vm.security_profile.uefi_settings = UefiSettings(secure_boot_enabled=enable_secure_boot,
                                                          v_tpm_enabled=enable_vtpm)
 
-    if enable_proxy_agent is not None or proxy_agent_mode is not None:
+    proxy_agent_parameters = [
+        enable_proxy_agent, wire_server_mode, imds_mode, key_incarnation_id,
+        wire_server_access_control_profile_reference_id, imds_access_control_profile_reference_id
+    ]
+    if any(parameter is not None for parameter in proxy_agent_parameters):
         ProxyAgentSettings = cmd.get_models('ProxyAgentSettings')
+        HostEndpointSettings = cmd.get_models('HostEndpointSettings')
+        wire_server = HostEndpointSettings(
+            mode=wire_server_mode,
+            in_vm_access_control_profile_reference_id=wire_server_access_control_profile_reference_id
+        )
+        imds = HostEndpointSettings(
+            mode=imds_mode,
+            in_vm_access_control_profile_reference_id=imds_access_control_profile_reference_id
+        )
         if vm.security_profile is None:
             vm.security_profile = SecurityProfile()
-            vm.security_profile.proxy_agent_settings = ProxyAgentSettings(enabled=enable_proxy_agent,
-                                                                          mode=proxy_agent_mode)
+            vm.security_profile.proxy_agent_settings = ProxyAgentSettings(
+                enabled=enable_proxy_agent, key_incarnation_id=key_incarnation_id, wire_server=wire_server, imds=imds)
         elif vm.security_profile.proxy_agent_settings is None:
-            vm.security_profile.proxy_agent_settings = ProxyAgentSettings(enabled=enable_proxy_agent,
-                                                                          mode=proxy_agent_mode)
+            vm.security_profile.proxy_agent_settings = ProxyAgentSettings(
+                enabled=enable_proxy_agent, key_incarnation_id=key_incarnation_id, wire_server=wire_server, imds=imds)
         else:
             vm.security_profile.proxy_agent_settings.enabled = enable_proxy_agent
-            vm.security_profile.proxy_agent_settings.mode = proxy_agent_mode
+            vm.security_profile.proxy_agent_settings.key_incarnation_id = key_incarnation_id
+            vm.security_profile.proxy_agent_settings.wire_server.mode = wire_server_mode
+            vm.security_profile.proxy_agent_settings.wire_server.in_vm_access_control_profile_reference_id = \
+                wire_server_access_control_profile_reference_id
+            vm.security_profile.proxy_agent_settings.imds.mode = imds_mode
+            vm.security_profile.proxy_agent_settings.imds.in_vm_access_control_profile_reference_id = \
+                imds_access_control_profile_reference_id
 
     if workspace is not None:
         workspace_id = _prepare_workspace(cmd, resource_group_name, workspace)
@@ -3193,7 +3220,9 @@ def create_vmss(cmd, vmss_name, resource_group_name, image=None,
                 enable_resilient_creation=None, enable_resilient_deletion=None,
                 additional_scheduled_events=None, enable_user_reboot_scheduled_events=None,
                 enable_user_redeploy_scheduled_events=None, skuprofile_vmsizes=None, skuprofile_allostrat=None,
-                security_posture_reference_is_overridable=None, zone_balance=None):
+                security_posture_reference_is_overridable=None, zone_balance=None, wire_server_mode=None,
+                imds_mode=None, wire_server_access_control_profile_reference_id=None,
+                imds_access_control_profile_reference_id=None):
     from azure.cli.core.commands.client_factory import get_subscription_id
     from azure.cli.core.util import random_string, hash_string
     from azure.cli.core.commands.arm import ArmTemplateBuilder
@@ -3509,7 +3538,9 @@ def _get_public_ip_address_allocation(value, sku):
             enable_user_redeploy_scheduled_events=enable_user_redeploy_scheduled_events,
             skuprofile_vmsizes=skuprofile_vmsizes, skuprofile_allostrat=skuprofile_allostrat,
             security_posture_reference_is_overridable=security_posture_reference_is_overridable,
-            zone_balance=zone_balance)
+            zone_balance=zone_balance, wire_server_mode=wire_server_mode, imds_mode=imds_mode,
+            wire_server_access_control_profile_reference_id=wire_server_access_control_profile_reference_id,
+            imds_access_control_profile_reference_id=imds_access_control_profile_reference_id)
 
         vmss_resource['dependsOn'] = vmss_dependencies
 
@@ -3958,7 +3989,9 @@ def update_vmss(cmd, resource_group_name, name, license_type=None, no_wait=False
                 ephemeral_os_disk=None, ephemeral_os_disk_option=None, zones=None, additional_scheduled_events=None,
                 enable_user_reboot_scheduled_events=None, enable_user_redeploy_scheduled_events=None,
                 upgrade_policy_mode=None, enable_auto_os_upgrade=None, skuprofile_vmsizes=None,
-                skuprofile_allostrat=None, security_posture_reference_is_overridable=None, zone_balance=None, **kwargs):
+                skuprofile_allostrat=None, security_posture_reference_is_overridable=None, zone_balance=None,
+                wire_server_mode=None, imds_mode=None, wire_server_access_control_profile_reference_id=None,
+                imds_access_control_profile_reference_id=None, **kwargs):
     vmss = kwargs['parameters']
     aux_subscriptions = None
     # pylint: disable=too-many-boolean-expressions
@@ -4121,19 +4154,35 @@ def update_vmss(cmd, resource_group_name, name, license_type=None, no_wait=False
                 'vTpmEnabled': enable_vtpm
             }}
 
-    if enable_proxy_agent is not None or proxy_agent_mode is not None:
+    if enable_proxy_agent is not None or wire_server_mode is not None or imds_mode is not None or \
+            wire_server_access_control_profile_reference_id is not None or \
+            imds_access_control_profile_reference_id is not None:
         SecurityProfile = cmd.get_models('SecurityProfile')
         ProxyAgentSettings = cmd.get_models('ProxyAgentSettings')
+        HostEndpointSettings = cmd.get_models('HostEndpointSettings')
+        wire_server = HostEndpointSettings(
+            mode=wire_server_mode,
+            in_vm_access_control_profile_reference_id=wire_server_access_control_profile_reference_id
+        )
+        imds = HostEndpointSettings(
+            mode=imds_mode,
+            in_vm_access_control_profile_reference_id=imds_access_control_profile_reference_id
+        )
         if vmss.virtual_machine_profile.security_profile is None:
             vmss.virtual_machine_profile.security_profile = SecurityProfile()
             vmss.virtual_machine_profile.security_profile.proxy_agent_settings = ProxyAgentSettings(
-                enabled=enable_proxy_agent, mode=proxy_agent_mode)
+                enabled=enable_proxy_agent, wire_server=wire_server, imds=imds)
         elif vmss.virtual_machine_profile.security_profile.proxy_agent_settings is None:
             vmss.virtual_machine_profile.security_profile.proxy_agent_settings = ProxyAgentSettings(
-                enabled=enable_proxy_agent, mode=proxy_agent_mode)
+                enabled=enable_proxy_agent, wire_server=wire_server, imds=imds)
         else:
             vmss.virtual_machine_profile.security_profile.proxy_agent_settings.enabled = enable_proxy_agent
-            vmss.virtual_machine_profile.security_profile.proxy_agent_settings.mode = proxy_agent_mode
+            vmss.virtual_machine_profile.security_profile.proxy_agent_settings.wire_server.mode = wire_server_mode
+            vmss.virtual_machine_profile.security_profile.proxy_agent_settings.wire_server. \
+                in_vm_access_control_profile_reference_id = wire_server_access_control_profile_reference_id
+            vmss.virtual_machine_profile.security_profile.proxy_agent_settings.imds.mode = imds_mode
+            vmss.virtual_machine_profile.security_profile.proxy_agent_settings.imds. \
+                in_vm_access_control_profile_reference_id = imds_access_control_profile_reference_id
 
     if regular_priority_count is not None or regular_priority_percentage is not None:
         if vmss.orchestration_mode != 'Flexible':