Open
Labels
Auto-Assign, Azure CLI Team, Compute, question
Description
This is a customer reported issue.
Sample command that is used to scale up replicas of GalleryImageVersion resource:
```
az sig image-version update --resource-group acgtest --gallery-name acgrt --gallery-image-definition dew --gallery-image-version 2.0.0 --target-regions uksouth=2
```
When an Azure Policy requiring disk encryption sets is applied, this update command fails on GalleryImageVersion resources already utilizing a disk encryption set.
```
error: {
code: 'RequestDisallowedByPolicy',
target: '22631.5476.250610',
message: 'Resource '22631.5476.250610' was disallowed by policy. Policy identifiers: '[{\\'policyAssignment\\':{\\'name\\':\\'Ensure secure-by-default azurediskstorage for Financial Services Industry\\',\\'id\\':\\'/providers/Microsoft.Management/managementGroups/ace-alpha-01-landingzones/providers/Microsoft.Authorization/policyAssignments/APF-Compliant-AzDisk\\'},\\'policyDefinition\\':{\\'name\\':\\'OS and data disks should be encrypted with a customer-managed key\\',\\'id\\':\\'/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\\',\\'version\\':\\'3.0.0\\'},\\'policySetDefinition\\':{\\'name\\':\\'Ensure secure-by-default azurediskstorage for Financial Services Industry\\',\\'id\\':\\'/providers/Microsoft.Management/managementGroups/ace-alpha-575Lab-01/providers/Microsoft.Authorization/policySetDefinitions/APF-Compliant-AzDisk\\',\\'version\\':\\'1.0.0\\'}}]'.',
```
This policy is enforced at the ARM level - meaning the API call does not make it to the Compute RP.
Proposed fix:
- If the GalleryImageVersion resource has a disk encryption set and the `az sig image-version update` is used, CLI client should do a GET GalleryImageVersion call and merge disk encryption set payload for the region into the PATCH request.
- `az sig image-version update` should take `[--target-region-encryption]` as input so the customer can pass the same disk encryption set for updates
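The GET-then-merge step from the first proposed fix, as an added example (not Azure CLI code and not part of the original issue). The field names follow the Compute gallery REST schema for `targetRegions`; the function names, the sample GET response and the placeholder disk encryption set ID are constructed for illustration.

```python
import copy

# Constructed sample of a GET GalleryImageVersion response (trimmed to the
# fields used here). The subscription ID and DES name are placeholders.
DES_ID = ("/subscriptions/<subscription-id>/resourceGroups/acgtest/providers/"
          "Microsoft.Compute/diskEncryptionSets/<des-name>")
EXISTING = {
    "name": "2.0.0",
    "properties": {"publishingProfile": {"targetRegions": [{
        "name": "UK South",
        "regionalReplicaCount": 1,
        "storageAccountType": "Standard_LRS",
        "encryption": {"osDiskImage": {"diskEncryptionSetId": DES_ID}},
    }]}},
}


def normalize_region(name):
    # Assumption: GET may return display names ("UK South") while the CLI
    # takes short names ("uksouth"); compare on a normalized form.
    return name.replace(" ", "").lower()


def build_patch_body(existing_version, requested_regions):
    """Merge requested replica counts with the encryption already on the resource.

    requested_regions: {region: replica_count}, e.g. parsed from --target-regions.
    Returns (patch_body, regions_without_encryption).
    """
    profile = existing_version["properties"]["publishingProfile"]
    current = {normalize_region(r["name"]): r for r in profile["targetRegions"]}
    merged, missing = [], []
    for name, replicas in requested_regions.items():
        prior = current.get(normalize_region(name), {})
        entry = {"name": name, "regionalReplicaCount": replicas}
        if prior.get("encryption"):
            # Carry the disk encryption set forward so the PATCH payload
            # keeps the encryption the resource already uses in this region.
            entry["encryption"] = copy.deepcopy(prior["encryption"])
        else:
            missing.append(name)  # caller must supply encryption explicitly
        merged.append(entry)
    body = {"properties": {"publishingProfile": {"targetRegions": merged}}}
    return body, missing


if __name__ == "__main__":
    print(build_patch_body(EXISTING, {"uksouth": 2, "ukwest": 1}))
```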