Add new optional parameter --cvm-os-disk-encryption-set-id in az backup restore restore-disks

Author: SourabhSomnathGholap

src/azure-cli/azure/cli/command_modules/backup/_params.py

@@ -403,6 +403,7 @@ def load_arguments(self, _):
         c.argument('tenant_id', help='ID of the tenant if the Resource Guard protecting the vault exists in a different tenant.')
         c.argument('disk_access_option', arg_type=get_enum_type(allowed_disk_access_options), help='Specify the disk access option for target disks.')
         c.argument('target_disk_access_id', help='Specify the target disk access ID when --disk-access-option is set to EnablePrivateAccessForAllDisks')
+        c.argument('cvm_os_disk_encryption_set_id', options_list=['--cvm-os-disk-encryption-set-id'], help='Disk Encryption Set Id to be used for OS disk encryption of Confidential VMs. This is applicable only for secured VMs with managed disks.')
 
     with self.argument_context('backup restore restore-azurefileshare') as c:
         c.argument('resolve_conflict', resolve_conflict_type)

src/azure-cli/azure/cli/command_modules/backup/custom.py

@@ -27,7 +27,7 @@
     BackupResourceVaultConfig, BackupResourceVaultConfigResource, DiskExclusionProperties, ExtendedProperties, \
     MoveRPAcrossTiersRequest, RecoveryPointRehydrationInfo, IaasVMRestoreWithRehydrationRequest, IdentityInfo, \
     BackupStatusRequest, ListRecoveryPointsRecommendedForMoveRequest, IdentityBasedRestoreDetails, ScheduleRunType, \
-    UnlockDeleteRequest, ResourceGuardProxyBase, ResourceGuardProxyBaseResource, TargetDiskNetworkAccessSettings
+    UnlockDeleteRequest, ResourceGuardProxyBase, ResourceGuardProxyBaseResource, TargetDiskNetworkAccessSettings, SecuredVMDetails
 from azure.mgmt.recoveryservicesbackup.passivestamp.models import CrrJobRequest, CrossRegionRestoreRequest
 
 import azure.cli.command_modules.backup._validators as validators
@@ -1405,7 +1405,7 @@ def restore_disks(cmd, client, resource_group_name, vault_name, container_name,
                   mi_user_assigned=None, target_zone=None, restore_mode='AlternateLocation', target_vm_name=None,
                   target_vnet_name=None, target_vnet_resource_group=None, target_subnet_name=None,
                   target_subscription_id=None, storage_account_resource_group=None, restore_to_edge_zone=None,
-                  tenant_id=None, disk_access_option=None, target_disk_access_id=None):
+                  tenant_id=None, disk_access_option=None, target_disk_access_id=None, cvm_os_disk_encryption_set_id=None):
     vault = vaults_cf(cmd.cli_ctx).get(resource_group_name, vault_name)
     vault_location = vault.location
     vault_identity = vault.identity
@@ -1540,6 +1540,12 @@ def restore_disks(cmd, client, resource_group_name, vault_name, container_name,
             cust_help.get_resource_guard_operation_request(
                 cmd.cli_ctx, resource_group_name, vault_name, "RecoveryServicesRestore")]
 
+    if cvm_os_disk_encryption_set_id is not None:
+        trigger_restore_request.properties.secured_vm_details = SecuredVMDetails(
+            secured_vmos_disk_encryption_set_id=cvm_os_disk_encryption_set_id
+        )
+        logger.warning("Using secured VM OS disk encryption set ID: {}".format(trigger_restore_request.properties.secured_vm_details))
+
     # Trigger restore
     result = client.begin_trigger(vault_name, resource_group_name, fabric_name, container_uri, item_uri, rp_name,
                                   trigger_restore_request, cls=cust_help.get_pipeline_response, polling=False).result()

src/azure-cli/azure/cli/command_modules/backup/custom_base.py

@@ -420,7 +420,7 @@ def restore_disks(cmd, client, resource_group_name, vault_name, container_name,
                   mi_user_assigned=None, target_zone=None, restore_mode='AlternateLocation', target_vm_name=None,
                   target_vnet_name=None, target_vnet_resource_group=None, target_subnet_name=None,
                   target_subscription_id=None, storage_account_resource_group=None, restore_to_edge_zone=None,
-                  tenant_id=None, disk_access_option=None, target_disk_access_id=None):
+                  tenant_id=None, disk_access_option=None, target_disk_access_id=None, cvm_os_disk_encryption_set_id=None):
 
     if rehydration_duration < 10 or rehydration_duration > 30:
         raise InvalidArgumentValueError('--rehydration-duration must have a value between 10 and 30 (both inclusive).')
@@ -438,7 +438,7 @@ def restore_disks(cmd, client, resource_group_name, vault_name, container_name,
                                 mi_system_assigned, mi_user_assigned, target_zone, restore_mode, target_vm_name,
                                 target_vnet_name, target_vnet_resource_group, target_subnet_name,
                                 target_subscription_id, storage_account_resource_group, restore_to_edge_zone,
-                                tenant_id, disk_access_option, target_disk_access_id)
+                                tenant_id, disk_access_option, target_disk_access_id, cvm_os_disk_encryption_set_id)
 
 
 def enable_for_azurefileshare(cmd, client, resource_group_name, vault_name, policy_name, storage_account,