Adding SupportedSecurityOption for Trusted Launch as Default

[varsha9713]

Preconditions

• No need to upgrade Python SDK or the Python SDK is ready.

Related command

az disk create

Resource Provider

Microsoft.Compute/disks

Description of Feature or Work Requested

The new property "SupportedSecurityOption" indicates the security capabilities supported by the disk which can be used to create a Trusted VM during attach of the disk to the VM. Accepted values are "TrustedLaunchSupported", "TrustedLaunchAndConfidentialVMSupported"
Customer can set the property "SupportedSecurityOption" while using the az disk create using the CreateOption of Import and Upload if the source is "TrustedLaunchCapable". When such a disk gets attached to a VM, a TrustedLaunch VM is created.

Minimum API Version Required

2025-01-02

Swagger PR link / SDK link

Azure/azure-rest-api-specs#34922

Request Example

https://github.com/Azure/azure-rest-api-specs/blob/main/specification/compute/resource-manager/Microsoft.Compute/DiskRP/stable/2025-01-02/examples/diskExamples/Disk_Create_FromAnAzureComputeGalleryImage.json

Existing command:
az disk create -resource-group $rgname --name $diskName --source $sourceUri --source-storage-account-id $storageAccountId

New command:
az disk create -resource-group $rgname --name $diskName --source $sourceUri --source-storage-account-id $storageAccountId -SupportedSecurityOption $supportedSecurityOption

Target Date

2025-07-30

PM Contact

Ajay.Kundnani, Geetha.G

Engineer Contact

varshasankar

Additional context

• Supported swagger changes from API Version 2025-01-02.
• For Public Preview, this feature is behind an AFEC "Microsoft.Compute/TrustedLaunchByDefaultPreview".

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• CLI | Trusted Launch Default - New Az VM OS Disk #23614
• Confidential Compute CLI Change Request - VM OS Disk / Disk Encryption Set Create #22200
• Trusted Launch CLI Change Request - VM Disk Snapshot & Config #22275
• Trusted Launch - DiskRP CLI #17599
• CLI - Add Standard as SecurityType Option for backward compatibility #24127

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

To implement the SupportedSecurityOption property in the az disk create command, ensure that the new parameter is added with the appropriate validation logic. For example, when SupportedSecurityOption is set, ensure that the CreateOption is either Import or Upload and the source is TrustedLaunchCapable. Additionally, ensure that the API version used supports this property (2025-01-02).

Reference:

• CLI | Trusted Launch Default - New Az VM OS Disk #23614 (comment)
• CLI | Trusted Launch Default - New Az VM OS Disk #23614 (comment)

Solution 2:

When adding the SupportedSecurityOption parameter, ensure that the CLI provides clear error messages or warnings if the parameter is used incorrectly. For example, if the SupportedSecurityOption is set but the source is not TrustedLaunchCapable, the CLI should notify the user with a clear message.

Reference:

• CLI | Trusted Launch Default - New Az VM OS Disk #23614 (comment)
• CLI | Trusted Launch Default - New Az VM OS Disk #23614 (comment)

Solution 3:

Ensure backward compatibility by allowing users to create disks without specifying the SupportedSecurityOption parameter. If the parameter is not provided, the CLI should default to the existing behavior without Trusted Launch capabilities.

Reference:

• CLI - Add Standard as SecurityType Option for backward compatibility #24127 (comment)
• CLI - Add Standard as SecurityType Option for backward compatibility #24127 (comment)

Powered by issue-sentinel