[Compute] az vmss create/update: Add new parameter --security-posture-reference-is-overridable to support setting security posture reference overridable (#29958)

Author: Jing-song

src/azure-cli/azure/cli/command_modules/vm/_params.py

@@ -767,13 +767,6 @@ def load_arguments(self, _):
         c.argument('enable_vtpm', enable_vtpm_type)
         c.argument('os_disk_delete_option', arg_type=get_enum_type(self.get_models('DiskDeleteOptionTypes')), min_api='2022-03-01', arg_group='Storage', help='Specify whether OS disk should be deleted or detached upon VMSS Flex deletion (This feature is only for VMSS with flexible orchestration mode).')
         c.argument('data_disk_delete_option', arg_type=get_enum_type(self.get_models('DiskDeleteOptionTypes')), min_api='2022-03-01', arg_group='Storage', help='Specify whether data disk should be deleted or detached upon VMSS Flex deletion (This feature is only for VMSS with flexible orchestration mode)')
-        c.argument('security_posture_reference_id', min_api='2023-03-01',
-                   options_list=['--security-posture-reference-id', '--security-posture-id'],
-                   help='The security posture reference id in the form of /CommunityGalleries/{communityGalleryName}/securityPostures/{securityPostureName}/versions/{major.minor.patch}|{major.*}|latest')
-        c.argument('security_posture_reference_exclude_extensions', min_api='2023-03-01', type=validate_file_or_dict,
-                   options_list=['--security-posture-reference-exclude-extensions', '--exclude-extensions'],
-                   help='List of virtual machine extensions to exclude when applying the Security Posture. Either a Json string or a file path is acceptable. '
-                        'Please refer to https://learn.microsoft.com/rest/api/compute/virtualmachinescalesets/get#virtualmachineextension for the data format.')
         c.argument('skuprofile_vmsizes', nargs='+', min_api='2024-07-01', help='A list of VM sizes in the scale set. See https://azure.microsoft.com/pricing/details/virtual-machines/ for size info.')
         c.argument('skuprofile_allostrat', options_list=['--skuprofile-allocation-strategy', '--sku-allocat-strat'], arg_type=get_enum_type(['LowestPrice', 'CapacityOptimized']), min_api='2024-07-01', help='Allocation strategy for vm sizes in SKU profile.')
 
@@ -821,13 +814,6 @@ def load_arguments(self, _):
         c.argument('enable_vtpm', enable_vtpm_type)
         c.argument('custom_data', help='Custom init script file or text (cloud-init, cloud-config, etc..)', completer=FilesCompleter(), type=file_type)
         c.argument('security_type', arg_type=get_enum_type(["TrustedLaunch", "Standard"]), min_api='2020-06-01', help='Specify the security type of the virtual machine scale set.')
-        c.argument('security_posture_reference_id', min_api='2023-03-01',
-                   options_list=['--security-posture-reference-id', '--security-posture-id'],
-                   help='The security posture reference id in the form of /CommunityGalleries/{communityGalleryName}/securityPostures/{securityPostureName}/versions/{major.minor.patch}|{major.*}|latest')
-        c.argument('security_posture_reference_exclude_extensions', min_api='2023-03-01', type=validate_file_or_dict,
-                   options_list=['--security-posture-reference-exclude-extensions', '--exclude-extensions'],
-                   help='List of virtual machine extensions to exclude when applying the Security Posture. Either a Json string or a file path is acceptable. '
-                        'Please refer to https://learn.microsoft.com/rest/api/compute/virtualmachinescalesets/get#virtualmachineextension for the data format.')
         c.argument('ephemeral_os_disk', arg_type=get_three_state_flag(), min_api='2024-03-01', help='Allow you to specify the ephemeral disk settings for the operating system disk. Specify it to false to set ephemeral disk setting as empty and migrate it to non ephemeral')
         c.argument('ephemeral_os_disk_option', options_list=['--ephemeral-os-disk-option', '--ephemeral-option'], arg_type=get_enum_type(self.get_models('DiffDiskOptions')), min_api='2024-03-01', help='Specify the ephemeral disk settings for operating system disk.')
         c.argument('zones', zones_type, min_api='2023-03-01')
@@ -871,6 +857,14 @@ def load_arguments(self, _):
             c.argument('enable_user_redeploy_scheduled_events', options_list=['--enable-user-redeploy-scheduled-events', '--enable-redeploy'], arg_type=get_three_state_flag(), min_api='2024-03-01', help='The configuration parameter used while creating user initiated redeploy scheduled event setting creation.')
             c.argument('enable_auto_os_upgrade', enable_auto_os_upgrade_type)
             c.argument('upgrade_policy_mode', help='Specify the mode of an upgrade to virtual machines in the scale set.', arg_type=get_enum_type(UpgradeMode))
+            c.argument('security_posture_reference_id', min_api='2023-03-01',
+                       options_list=['--security-posture-reference-id', '--security-posture-id'],
+                       help='The security posture reference id in the form of /CommunityGalleries/{communityGalleryName}/securityPostures/{securityPostureName}/versions/{major.minor.patch}|{major.*}|latest')
+            c.argument('security_posture_reference_exclude_extensions', min_api='2023-03-01', nargs='*',
+                       options_list=['--security-posture-reference-exclude-extensions', '--exclude-extensions'],
+                       help='List of virtual machine extensions to exclude when applying the Security Posture. Either a Json string or a file path is acceptable. '
+                            'Please refer to https://docs.microsoft.com/rest/api/compute/virtualmachinescalesets/get#virtualmachineextension for the data format.')
+            c.argument('security_posture_reference_is_overridable', arg_type=get_three_state_flag(), min_api='2024-03-01', options_list=['--security-posture-reference-is-overridable', '--is-overridable'], help='Whether the security posture can be overridden by the user.')
 
     with self.argument_context('vmss update') as c:
         c.argument('instance_id', id_part='child_name_1', help="Update the VM instance with this ID. If missing, update the VMSS.")

src/azure-cli/azure/cli/command_modules/vm/_template_builder.py

@@ -978,8 +978,8 @@ def build_vmss_resource(cmd, name, computer_name_prefix, location, tags, overpro
                         security_posture_reference_id=None, security_posture_reference_exclude_extensions=None,
                         enable_resilient_vm_creation=None, enable_resilient_vm_deletion=None,
                         additional_scheduled_events=None, enable_user_reboot_scheduled_events=None,
-                        enable_user_redeploy_scheduled_events=None,
-                        skuprofile_vmsizes=None, skuprofile_allostrat=None):
+                        enable_user_redeploy_scheduled_events=None, skuprofile_vmsizes=None, skuprofile_allostrat=None,
+                        security_posture_reference_is_overridable=None):
 
     # Build IP configuration
     ip_configuration = {}
@@ -1527,6 +1527,11 @@ def build_vmss_resource(cmd, name, computer_name_prefix, location, tags, overpro
         security_posture_reference['excludeExtensions'] = security_posture_reference_exclude_extensions
         virtual_machine_profile['securityPostureReference'] = security_posture_reference
 
+    if security_posture_reference_is_overridable is not None:
+        security_posture_reference = virtual_machine_profile.get('securityPostureReference', {})
+        security_posture_reference['isOverridable'] = security_posture_reference_is_overridable
+        virtual_machine_profile['securityPostureReference'] = security_posture_reference
+
     if virtual_machine_profile:
         vmss_properties['virtualMachineProfile'] = virtual_machine_profile
 

src/azure-cli/azure/cli/command_modules/vm/custom.py

@@ -3196,8 +3196,8 @@ def create_vmss(cmd, vmss_name, resource_group_name, image=None,
                 security_posture_reference_id=None, security_posture_reference_exclude_extensions=None,
                 enable_resilient_creation=None, enable_resilient_deletion=None,
                 additional_scheduled_events=None, enable_user_reboot_scheduled_events=None,
-                enable_user_redeploy_scheduled_events=None,
-                skuprofile_vmsizes=None, skuprofile_allostrat=None):
+                enable_user_redeploy_scheduled_events=None, skuprofile_vmsizes=None, skuprofile_allostrat=None,
+                security_posture_reference_is_overridable=None):
     from azure.cli.core.commands.client_factory import get_subscription_id
     from azure.cli.core.util import random_string, hash_string
     from azure.cli.core.commands.arm import ArmTemplateBuilder
@@ -3511,8 +3511,8 @@ def _get_public_ip_address_allocation(value, sku):
             additional_scheduled_events=additional_scheduled_events,
             enable_user_reboot_scheduled_events=enable_user_reboot_scheduled_events,
             enable_user_redeploy_scheduled_events=enable_user_redeploy_scheduled_events,
-            skuprofile_vmsizes=skuprofile_vmsizes,
-            skuprofile_allostrat=skuprofile_allostrat)
+            skuprofile_vmsizes=skuprofile_vmsizes, skuprofile_allostrat=skuprofile_allostrat,
+            security_posture_reference_is_overridable=security_posture_reference_is_overridable)
 
         vmss_resource['dependsOn'] = vmss_dependencies
 
@@ -3951,8 +3951,8 @@ def update_vmss(cmd, resource_group_name, name, license_type=None, no_wait=False
                 max_surge=None, enable_resilient_creation=None, enable_resilient_deletion=None,
                 ephemeral_os_disk=None, ephemeral_os_disk_option=None, zones=None, additional_scheduled_events=None,
                 enable_user_reboot_scheduled_events=None, enable_user_redeploy_scheduled_events=None,
-                upgrade_policy_mode=None, enable_auto_os_upgrade=None,
-                skuprofile_vmsizes=None, skuprofile_allostrat=None, **kwargs):
+                upgrade_policy_mode=None, enable_auto_os_upgrade=None, skuprofile_vmsizes=None,
+                skuprofile_allostrat=None, security_posture_reference_is_overridable=None, **kwargs):
     vmss = kwargs['parameters']
     aux_subscriptions = None
     # pylint: disable=too-many-boolean-expressions
@@ -4230,7 +4230,8 @@ def update_vmss(cmd, resource_group_name, name, license_type=None, no_wait=False
         else:
             vmss.additional_capabilities.hibernation_enabled = enable_hibernation
 
-    if security_posture_reference_id is not None or security_posture_reference_exclude_extensions is not None:
+    if security_posture_reference_id is not None or security_posture_reference_exclude_extensions is not None or \
+            security_posture_reference_is_overridable is not None:
         security_posture_reference = vmss.virtual_machine_profile.security_posture_reference
         if security_posture_reference is None:
             SecurityPostureReference = cmd.get_models('SecurityPostureReference')
@@ -4240,6 +4241,8 @@ def update_vmss(cmd, resource_group_name, name, license_type=None, no_wait=False
             security_posture_reference.id = security_posture_reference_id
         if security_posture_reference_exclude_extensions is not None:
             security_posture_reference.exclude_extensions = security_posture_reference_exclude_extensions
+        if security_posture_reference_is_overridable is not None:
+            security_posture_reference.is_overridable = security_posture_reference_is_overridable
 
         vmss.virtual_machine_profile.security_posture_reference = security_posture_reference