@@ -230,3 +230,291 @@ function Test-GetVirtualMachineScaleSetDiskEncryptionDataDisk
230230 Assert-AreEqual " NotEncrypted" $result.DataVolumesEncryptionStatus | ConvertFrom-Json - AsHashtable).Values[0 ] | Out-String ).Trim();
231231 $output = $result | Out-String ;
232232}
233+
234+ <#
235+ . SYNOPSIS
236+ Test the Set-AzVMDiskEncryptionExtension with EncryptionIdentity Added in vmss security profile
237+ #>
238+ function Test-AzureDiskEncryptionWithEncryptionIdentityAddedInAzVmssConfig {
239+ $rgName = Get-ComputeTestResourceName ;
240+ try {
241+ # create virtual machine Scale Set
242+ $loc = " centraluseuap"
243+ New-AzResourceGroup - Name $rgname - Location $loc - Force;
244+ # VM Profile & Hardware
245+ $vmssName = " vmss" + $rgname ;
246+ $imagePublisher = " RedHat"
247+ $imageOffer = " RHEL"
248+ $imageSku = " 92-gen2"
249+ $osVersion = " latest"
250+ $vmssSize = ' Standard_D4s_v3'
251+ $encIdentity = " /subscriptions/759532d8-9991-4d04-878f-49f0f4804906/resourceGroups/anshademsitest-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/anshjainmsitestuserassignedmanagedidentity"
252+ $instances = 2
253+ $vmssConfig = New-AzVmssConfig - Location $loc - SkuCapacity $instances - SkuName $vmssSize - UpgradePolicyMode Automatic - IdentityType UserAssigned - IdentityId $encIdentity - EncryptionIdentity $encIdentity - OrchestrationMode Uniform
254+
255+ Set-AzVmssStorageProfile $vmssConfig - ImageReferencePublisher $imagePublisher - ImageReferenceOffer $imageOffer - ImageReferenceSku $imageSku - ImageReferenceVersion $osVersion - OsDiskCreateOption " FromImage" - OsDiskCaching ReadWrite
256+ $adminUsername = Get-ComputeTestResourceName ;
257+ $password = Get-PasswordForVM ;
258+ $adminPassword = $password | ConvertTo-SecureString - AsPlainText - Force;
259+ $cred = New-Object System.Management.Automation.PSCredential ($adminUsername , $adminPassword );
260+
261+ Set-AzVmssOsProfile $vmssConfig - ComputerNamePrefix " adetest" - AdminUsername $adminUserName - AdminPassword $adminPassword
262+
263+ $subnetName = ' default'
264+ $subnet = New-AzVirtualNetworkSubnetConfig - Name $subnetName - AddressPrefix 10.0 .0.0 / 24
265+ $vnetName = (' {0}-vnet' -f $vmSSName )
266+ $vnet = New-AzVirtualNetwork - Name $vnetName - ResourceGroupName $rgName - Location $loc - AddressPrefix 10.0 .0.0 / 16 - Subnet $subnet
267+
268+ $subnetId = $vnet.Subnets [0 ].Id
269+ $vmssConfigPublicIpName = (' {0}ip' -f $vmSSName )
270+
271+ $IPCfg = New-AzVmssIPConfig - Name $vmssConfigPublicIpName - SubnetId $subnetId
272+ $vmssNetworkConfigName = (' {0}netconfig' -f $vmSSName )
273+
274+ Add-AzVmssNetworkInterfaceConfiguration - VirtualMachineScaleSet $vmssConfig - Name $vmssNetworkConfigName - Primary $True - IPConfiguration $IPCfg
275+
276+ New-AzVmss - ResourceGroupName $rgName - Name $vmssName - VirtualMachineScaleSet $vmssConfig
277+
278+ $vmssStatus = Get-AzVmss - VMScaleSetName $vmSSName - ResourceGroupName $rgName
279+
280+ $vaultName = $rgname + ' -kv'
281+ $principalId = " 7089a49e-00be-4313-b644-46a6294d0a91"
282+
283+ $keyVault = create- KeyVaultWithAclEncryptionIdentity $rgName $loc $vaultName $principalId ;
284+
285+ Set-AzVmssDiskEncryptionExtension `
286+ - ResourceGroupName $rgName `
287+ - VMScaleSetName $vmssName `
288+ - DiskEncryptionKeyVaultUrl $keyVault.DiskEncryptionKeyVaultUrl `
289+ - DiskEncryptionKeyVaultId $keyVault.DiskEncryptionKeyVaultId `
290+ - VolumeType " All" `
291+ - Force;
292+
293+ $status = Get-AzVmssDiskEncryptionStatus - ResourceGroupName $rgName - VMScaleSetName $vmssName ;
294+ Assert-NotNull $status ;
295+ Assert-NotNull $status.EncryptionSummary
296+ Assert-NotNull $status.EncryptionSummary [0 ]
297+ Assert-AreEqual " ProvisioningState/succeeded" $status.EncryptionSummary [0 ].Code
298+ Assert-AreEqual $True $status.EncryptionEnabled
299+ }
300+ finally {
301+ clean - ResourceGroup $rgName ;
302+ }
303+ }
304+
305+ <#
306+ . SYNOPSIS
307+ Test the Set-AzVMssDiskEncryptionExtension with EncryptionIdentity Added in vm security profile during Set ADE Cmdlet
308+ #>
309+ function Test-AzureDiskEncryptionWithEncryptionIdentityAddedInSetADEVMssCmdlet {
310+ $rgName = Get-ComputeTestResourceName ;
311+ try {
312+ # create virtual machine Scale Set
313+ $loc = " centraluseuap"
314+ New-AzResourceGroup - Name $rgname - Location $loc - Force;
315+ # VM Profile & Hardware
316+ $vmssName = " vmss" + $rgname ;
317+ $imagePublisher = " RedHat"
318+ $imageOffer = " RHEL"
319+ $imageSku = " 92-gen2"
320+ $osVersion = " latest"
321+ $vmssSize = ' Standard_D4s_v3'
322+ $encIdentity = " /subscriptions/759532d8-9991-4d04-878f-49f0f4804906/resourceGroups/anshademsitest-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/anshjainmsitestuserassignedmanagedidentity"
323+ $instances = 2
324+ $vmssConfig = New-AzVmssConfig - Location $loc - SkuCapacity $instances - SkuName $vmssSize - UpgradePolicyMode Automatic - IdentityType UserAssigned - IdentityId $encIdentity - OrchestrationMode Uniform
325+
326+ Set-AzVmssStorageProfile $vmssConfig - ImageReferencePublisher $imagePublisher - ImageReferenceOffer $imageOffer - ImageReferenceSku $imageSku - ImageReferenceVersion $osVersion - OsDiskCreateOption " FromImage" - OsDiskCaching ReadWrite
327+ $adminUsername = Get-ComputeTestResourceName ;
328+ $password = Get-PasswordForVM ;
329+ $adminPassword = $password | ConvertTo-SecureString - AsPlainText - Force;
330+ $cred = New-Object System.Management.Automation.PSCredential ($adminUsername , $adminPassword );
331+
332+ Set-AzVmssOsProfile $vmssConfig - ComputerNamePrefix " adetest" - AdminUsername $adminUserName - AdminPassword $adminPassword
333+
334+ $subnetName = ' default'
335+ $subnet = New-AzVirtualNetworkSubnetConfig - Name $subnetName - AddressPrefix 10.0 .0.0 / 24
336+ $vnetName = (' {0}-vnet' -f $vmSSName )
337+ $vnet = New-AzVirtualNetwork - Name $vnetName - ResourceGroupName $rgName - Location $loc - AddressPrefix 10.0 .0.0 / 16 - Subnet $subnet
338+
339+ $subnetId = $vnet.Subnets [0 ].Id
340+ $vmssConfigPublicIpName = (' {0}ip' -f $vmSSName )
341+
342+ $IPCfg = New-AzVmssIPConfig - Name $vmssConfigPublicIpName - SubnetId $subnetId
343+ $vmssNetworkConfigName = (' {0}netconfig' -f $vmSSName )
344+
345+ Add-AzVmssNetworkInterfaceConfiguration - VirtualMachineScaleSet $vmssConfig - Name $vmssNetworkConfigName - Primary $True - IPConfiguration $IPCfg
346+
347+ New-AzVmss - ResourceGroupName $rgName - Name $vmssName - VirtualMachineScaleSet $vmssConfig
348+
349+ $vmssStatus = Get-AzVmss - VMScaleSetName $vmSSName - ResourceGroupName $rgName
350+
351+ $vaultName = $rgname + ' -kv'
352+ $principalId = " 7089a49e-00be-4313-b644-46a6294d0a91"
353+
354+ $keyVault = create- KeyVaultWithAclEncryptionIdentity $rgName $loc $vaultName $principalId ;
355+
356+ Set-AzVmssDiskEncryptionExtension `
357+ - ResourceGroupName $rgName `
358+ - VMScaleSetName $vmssName `
359+ - DiskEncryptionKeyVaultUrl $keyVault.DiskEncryptionKeyVaultUrl `
360+ - DiskEncryptionKeyVaultId $keyVault.DiskEncryptionKeyVaultId `
361+ - EncryptionId $encIdentity - VolumeType " All" `
362+ - Force;
363+
364+ $status = Get-AzVmssDiskEncryptionStatus - ResourceGroupName $rgName - VMScaleSetName $vmssName ;
365+ Assert-NotNull $status ;
366+ Assert-NotNull $status.EncryptionSummary
367+ Assert-NotNull $status.EncryptionSummary [0 ]
368+ Assert-AreEqual " ProvisioningState/succeeded" $status.EncryptionSummary [0 ].Code
369+ Assert-AreEqual $True $status.EncryptionEnabled
370+
371+ }
372+ finally {
373+ clean - ResourceGroup $rgName ;
374+ }
375+ }
376+
377+ <#
378+ . SYNOPSIS
379+ Test the Set-AzVMssDiskEncryptionExtension with EncryptionIdentity not added in vm security profile
380+ Throw Exception with message:Encryption Identity should be an ARM Resource ID of one of the
381+ user assigned identities associated to the resource
382+ #>
383+ function Test-AzureDiskEncryptionWithIdentityNotSetInVirtualMachineScaleSet {
384+
385+ # Setup
386+ $rgname = Get-ComputeTestResourceName
387+ try
388+ {
389+ # create virtual machine Scale Set
390+ $loc = " centraluseuap"
391+ New-AzResourceGroup - Name $rgname - Location $loc - Force;
392+ # VM Profile & Hardware
393+ $vmssName = " vmss" + $rgname ;
394+ $imagePublisher = " RedHat"
395+ $imageOffer = " RHEL"
396+ $imageSku = " 92-gen2"
397+ $osVersion = " latest"
398+ $vmssSize = ' Standard_D4s_v3'
399+ $encIdentity = " /subscriptions/759532d8-9991-4d04-878f-49f0f4804906/resourceGroups/anshademsitest-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/anshjainmsitestuserassignedmanagedidentity"
400+ $instances = 2
401+ $vmssConfig = New-AzVmssConfig - Location $loc - SkuCapacity $instances - SkuName $vmssSize - UpgradePolicyMode Automatic - IdentityType SystemAssigned - OrchestrationMode Uniform
402+
403+ Set-AzVmssStorageProfile $vmssConfig - ImageReferencePublisher $imagePublisher - ImageReferenceOffer $imageOffer - ImageReferenceSku $imageSku - ImageReferenceVersion $osVersion - OsDiskCreateOption " FromImage" - OsDiskCaching ReadWrite
404+ $adminUsername = Get-ComputeTestResourceName ;
405+ $password = Get-PasswordForVM ;
406+ $adminPassword = $password | ConvertTo-SecureString - AsPlainText - Force;
407+ $cred = New-Object System.Management.Automation.PSCredential ($adminUsername , $adminPassword );
408+
409+ Set-AzVmssOsProfile $vmssConfig - ComputerNamePrefix " adetest" - AdminUsername $adminUserName - AdminPassword $adminPassword
410+
411+ $subnetName = ' default'
412+ $subnet = New-AzVirtualNetworkSubnetConfig - Name $subnetName - AddressPrefix 10.0 .0.0 / 24
413+ $vnetName = (' {0}-vnet' -f $vmSSName )
414+ $vnet = New-AzVirtualNetwork - Name $vnetName - ResourceGroupName $rgName - Location $loc - AddressPrefix 10.0 .0.0 / 16 - Subnet $subnet
415+
416+ $subnetId = $vnet.Subnets [0 ].Id
417+ $vmssConfigPublicIpName = (' {0}ip' -f $vmSSName )
418+
419+ $IPCfg = New-AzVmssIPConfig - Name $vmssConfigPublicIpName - SubnetId $subnetId
420+ $vmssNetworkConfigName = (' {0}netconfig' -f $vmSSName )
421+
422+ Add-AzVmssNetworkInterfaceConfiguration - VirtualMachineScaleSet $vmssConfig - Name $vmssNetworkConfigName - Primary $True - IPConfiguration $IPCfg
423+
424+ New-AzVmss - ResourceGroupName $rgName - Name $vmssName - VirtualMachineScaleSet $vmssConfig
425+
426+ $vmssStatus = Get-AzVmss - VMScaleSetName $vmSSName - ResourceGroupName $rgName
427+
428+ $vaultName = $rgname + ' -kv'
429+ $principalId = " 7089a49e-00be-4313-b644-46a6294d0a91"
430+
431+ $keyVault = create- KeyVaultWithAclEncryptionIdentity $rgName $loc $vaultName $principalId ;
432+
433+ Assert-ThrowsContains {Set-AzVmssDiskEncryptionExtension `
434+ - ResourceGroupName $rgName `
435+ - VMScaleSetName $vmssName `
436+ - DiskEncryptionKeyVaultUrl $keyVault.DiskEncryptionKeyVaultUrl `
437+ - DiskEncryptionKeyVaultId $keyVault.DiskEncryptionKeyVaultId `
438+ - EncryptionId $encIdentity - VolumeType " All" `
439+ - Force;} `
440+ " Encryption Identity should be an ARM Resource ID of one of the user assigned identities associated to the resource"
441+
442+ }
443+ finally
444+ {
445+ # Cleanup
446+ Clean - ResourceGroup $rgname
447+ }
448+ }
449+
450+ <#
451+ . SYNOPSIS
452+ Test the Set-AzVMssDiskEncryptionExtension with EncryptionIdentity added in vm security profile
453+ Encryption Identity not acled in the KeyVault
454+ Throw Exception with message:RUNTIME_E_KEYVAULT_SET_SECRET_FAILED Failed to set secret to KeyVault
455+ #>
456+ function Test-AzureVmssDiskEncryptionWithIdentityNotAckledInKeyVault {
457+
458+ # Setup
459+ $rgname = Get-ComputeTestResourceName
460+
461+ try
462+ {
463+ # create virtual machine Scale Set
464+ $loc = " centraluseuap"
465+ New-AzResourceGroup - Name $rgname - Location $loc - Force;
466+ # VM Profile & Hardware
467+ $vmssName = " vmss" + $rgname ;
468+ $imagePublisher = " RedHat"
469+ $imageOffer = " RHEL"
470+ $imageSku = " 92-gen2"
471+ $osVersion = " latest"
472+ $vmssSize = ' Standard_D4s_v3'
473+ $encIdentity = " /subscriptions/759532d8-9991-4d04-878f-49f0f4804906/resourceGroups/anshademsitest-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/anshjainmsitestuserassignedmanagedidentity"
474+ $instances = 2
475+ $vmssConfig = New-AzVmssConfig - Location $loc - SkuCapacity $instances - SkuName $vmssSize - UpgradePolicyMode Automatic - IdentityType UserAssigned - IdentityId $encIdentity - OrchestrationMode Uniform
476+
477+ Set-AzVmssStorageProfile $vmssConfig - ImageReferencePublisher $imagePublisher - ImageReferenceOffer $imageOffer - ImageReferenceSku $imageSku - ImageReferenceVersion $osVersion - OsDiskCreateOption " FromImage" - OsDiskCaching ReadWrite
478+ $adminUsername = Get-ComputeTestResourceName ;
479+ $password = Get-PasswordForVM ;
480+ $adminPassword = $password | ConvertTo-SecureString - AsPlainText - Force;
481+ $cred = New-Object System.Management.Automation.PSCredential ($adminUsername , $adminPassword );
482+
483+ Set-AzVmssOsProfile $vmssConfig - ComputerNamePrefix " adetest" - AdminUsername $adminUserName - AdminPassword $adminPassword
484+
485+ $subnetName = ' default'
486+ $subnet = New-AzVirtualNetworkSubnetConfig - Name $subnetName - AddressPrefix 10.0 .0.0 / 24
487+ $vnetName = (' {0}-vnet' -f $vmSSName )
488+ $vnet = New-AzVirtualNetwork - Name $vnetName - ResourceGroupName $rgName - Location $loc - AddressPrefix 10.0 .0.0 / 16 - Subnet $subnet
489+
490+ $subnetId = $vnet.Subnets [0 ].Id
491+ $vmssConfigPublicIpName = (' {0}ip' -f $vmSSName )
492+
493+ $IPCfg = New-AzVmssIPConfig - Name $vmssConfigPublicIpName - SubnetId $subnetId
494+ $vmssNetworkConfigName = (' {0}netconfig' -f $vmSSName )
495+
496+ Add-AzVmssNetworkInterfaceConfiguration - VirtualMachineScaleSet $vmssConfig - Name $vmssNetworkConfigName - Primary $True - IPConfiguration $IPCfg
497+
498+ New-AzVmss - ResourceGroupName $rgName - Name $vmssName - VirtualMachineScaleSet $vmssConfig
499+
500+ $vmssStatus = Get-AzVmss - VMScaleSetName $vmSSName - ResourceGroupName $rgName
501+
502+ $vaultName = $rgname + ' -kv'
503+
504+ $keyVault = create- KeyVaultWithAclEncryptionIdentity $rgName $loc $vaultName
505+
506+ Assert-ThrowsContains {Set-AzVMssDiskEncryptionExtension `
507+ - ResourceGroupName $rgName `
508+ - VMScaleSetName $vmssName `
509+ - DiskEncryptionKeyVaultUrl $keyVault.DiskEncryptionKeyVaultUrl `
510+ - DiskEncryptionKeyVaultId $keyVault.DiskEncryptionKeyVaultId `
511+ - EncryptionId $encIdentity - VolumeType " All" `
512+ - Force; } `
513+ " RUNTIME_E_KEYVAULT_SET_SECRET_FAILED Failed to set secret to KeyVault"
514+ }
515+ finally
516+ {
517+ # Cleanup
518+ Clean - ResourceGroup $rgname
519+ }
520+ }
0 commit comments