ProxyAgent support in Compute (#27936)

Author: grizzlytheodore

src/Compute/Compute.Test/ScenarioTests/VirtualMachineScaleSetTests.cs

@@ -472,5 +472,12 @@ public void TestEncryptionIdentityNotPartOfAzureVmssConfig()
         {
             TestRunner.RunTestScript("Test-EncryptionIdentityNotPartOfAzureVmssConfig");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestProxyAgentSetting()
+        {
+            TestRunner.RunTestScript("Test-ProxyAgentSetting");
+        }
     }
 }

src/Compute/Compute.Test/ScenarioTests/VirtualMachineScaleSetTests.ps1

@@ -5888,3 +5888,81 @@ function Test-EncryptionIdentityNotPartOfAzureVmssConfig{
         clean-ResourceGroup $rgName;
     }
 }
+
+<#
+.SYNOPSIS
+Test Proxy Agent Setting 
+#>
+function Test-ProxyAgentSetting
+{
+    # Setup
+    $rgname = Get-ComputeTestResourceName;
+    $loc = "westus2";
+
+    try
+    {
+        # Common
+        New-AzResourceGroup -Name $rgname -Location $loc -Force;
+
+        $vmssName = 'vmss' + $rgname;
+        $domainNameLabel1 = "d1" + $rgname;
+        
+        $adminUsername = Get-ComputeTestResourceName;
+        $password = Get-PasswordForVM;
+        $adminPassword = $password | ConvertTo-SecureString -AsPlainText -Force;
+        $cred = New-Object System.Management.Automation.PSCredential ($adminUsername, $adminPassword);
+
+        # Case 1: Create using simple parameter set 
+        
+        $vmss = New-AzVmss -ResourceGroupName $rgname -Location $loc -Credential $cred -VMScaleSetName $vmssName -DomainNameLabel $domainNameLabel1 -EnableProxyAgent
+
+        # verify
+        Assert-AreEqual $vmss.VirtualMachineProfile.SecurityProfile.ProxyAgentSettings.Enabled $true
+       
+        # Case 2: Create using default parameter set 
+        $vmssName = $vmssName + "DefaultParam";
+        $vmssSize = 'Standard_D4s_v3'
+
+        # SRP
+        $stoname = 'sto' + $rgname;
+        $stotype = 'Standard_GRS';
+        New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype;
+        $stoaccount = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname;
+
+        $publisher = "MicrosoftWindowsServer";
+        $offer = "WindowsServer";
+        $imgSku = "2022-DataCenter";
+        $version = "latest";
+
+        # NRP
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix "10.0.0.0/24";
+        $vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
+        $vnet = Get-AzVirtualNetwork -Name ('vnet' + $rgname) -ResourceGroupName $rgname;
+        Assert-NotNull $vnet.Subnets
+        $subnetId = $vnet.Subnets[0].Id;
+        
+
+        $ipName = Get-ComputeTestResourceName
+        $ipCfg = New-AzVmssIPConfig -Name 'test' -SubnetId $subnetId -PublicIPAddressConfigurationName $ipName -PublicIPAddressConfigurationIdleTimeoutInMinutes 10 -DnsSetting "testvmssdnscom" -PublicIPAddressVersion "IPv4";
+
+        $vmss = New-AzVmssConfig -Location $loc  -SkuName $vmssSize
+        Add-AzVmssNetworkInterfaceConfiguration -VirtualMachineScaleSet $vmss -Name 'test' -Primary $true -IPConfiguration $ipCfg `
+            | Set-AzVmssOSProfile -ComputerNamePrefix 'test' -AdminUsername $adminUsername -AdminPassword $adminPassword `
+            | Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'None' `
+                -ImageReferenceOffer $offer -ImageReferenceSku $imgSku -ImageReferenceVersion $version `
+                -ImageReferencePublisher $publisher `
+            | Set-AzVmssProxyAgentSetting -EnableProxyAgent $true -ImdsMode Audit 
+
+        $vmssResult = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss
+
+        # verify 
+        Assert-AreEqual $vmssResult.VirtualMachineProfile.SecurityProfile.ProxyAgentSettings.Enabled $true
+        Assert-AreEqual $vmssResult.VirtualMachineProfile.SecurityProfile.ProxyAgentSettings.Imds.Mode "Audit";
+
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname;
+    }
+}

src/Compute/Compute.Test/SessionRecords/Microsoft.Azure.Commands.Compute.Test.ScenarioTests.VirtualMachineScaleSetTests/TestProxyAgentSetting.json

@@ -199,7 +199,8 @@ CmdletsToExport = 'Add-AzImageDataDisk', 'Add-AzVhd',
                'Update-AzGalleryImageDefinition', 'Update-AzGalleryImageVersion', 
                'Update-AzHost', 'Update-AzImage', 'Update-AzRestorePointCollection', 
                'Update-AzSnapshot', 'Update-AzSshKey', 'Update-AzVM', 'Update-AzVmss', 
-               'Update-AzVmssInstance', 'Update-AzVmssVM'
+               'Update-AzVmssInstance', 'Update-AzVmssVM', 
+               'Set-AzVMProxyAgentSetting', 'Set-AzVmssProxyAgentSetting'
 
 # Variables to export from this module
 # VariablesToExport = @()

src/Compute/Compute/Az.Compute.psd1

@@ -20,6 +20,9 @@
 
 -->
 ## Upcoming Release
+* Added `-EnableProxyAgent` parameter to `New-AzVM` and `New-AzVmss` simple parameter sets.
+* Added `-ProxyAgentKeyIncarnationId`parameter to `Update-AzVmssVM` cmdlet.
+* Added new cmdlets `Set-AzVmssProxyAgent` and `Set-AzVMProxyAgent` to set the proxy agent settings for VM and VMSS.`
 
 ## Version 10.0.1
 * Added breaking change message for `New-AzVM` and `New-AzVmss` cmdlets.

src/Compute/Compute/ChangeLog.md

@@ -105,6 +105,12 @@ public static class ConstantValues
         public const string TrustedLaunchDefaultHyperVGen = "v2";
     }
 
+    public static class HyperVGenerations
+    {
+        public const string V1 = "V1";
+        public const string V2 = "V2";
+    }
+
     public static class ProfileNouns
     {
         public const string VirtualMachineProfile = "AzureRmVMProfile";

src/Compute/Compute/Common/ConstantStringTypes.cs

@@ -0,0 +1,103 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using System.Management.Automation;
+using Microsoft.Azure.Commands.Compute.Common;
+using Microsoft.Azure.Commands.Compute.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.Compute.Models;
+using Microsoft.Azure.Commands.Compute.Automation.Models;
+
+namespace Microsoft.Azure.Commands.Compute
+{
+    [Cmdlet("Set", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "VmssProxyAgentSetting")]
+    [OutputType(typeof(PSVirtualMachineScaleSet))]
+    public class SetAzureVmssProxySetting : Microsoft.Azure.Commands.ResourceManager.Common.AzureRMCmdlet
+    {
+        [Alias("Vmss")]
+        [Parameter(
+            Mandatory = true,
+            ValueFromPipeline = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "PSVirtualMachineScaleSet object created from New-AzVMSSConfig.")]
+        public PSVirtualMachineScaleSet VirtualMachineScaleSet { get; set; }
+
+        [Parameter(
+           Mandatory = false,
+           ValueFromPipelineByPropertyName = true,
+           HelpMessage = "Specifies whether Metadata Security Protocol(ProxyAgent) feature should be enabled or not.")]
+        public bool? EnableProxyAgent { get; set; }
+
+        [Parameter(
+           Mandatory = false,
+           ValueFromPipelineByPropertyName = true,
+           HelpMessage = "Specifies the Wire Server endpoint execution mode while creating the virtual machine or virtual machine scale set. In Audit mode, the system acts as if it is enforcing the access control policy, including emitting access denial entries in the logs but it does not actually deny any requests to host endpoints. In Enforce mode, the system will enforce the access control and it is the recommended mode of operation.")]
+        [PSArgumentCompleter("Audit", "Enforce", "Disabled")]
+        public string WireServerMode { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies the InVMAccessControlProfileVersion resource id in the Wire Server endpoint. Format of /subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/inVMAccessControlProfiles/{profile}/versions/{version}")]
+        public string WireServerProfile { get; set; }
+
+        [Parameter(
+           Mandatory = false,
+           ValueFromPipelineByPropertyName = true,
+           HelpMessage = "Specifies the IMDS endpoint execution mode. In Audit mode, the system acts as if it is enforcing the access control policy, including emitting access denial entries in the logs but it does not actually deny any requests to host endpoints. In Enforce mode, the system will enforce the access control and it is the recommended mode of operation.")]
+        [PSArgumentCompleter("Audit", "Enforce", "Disabled")]
+        public string ImdsMode { get; set; }
+
+        [Parameter(
+            Mandatory = false,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies the InVMAccessControlProfileVersion resource id in the IMDS enpoint. Format of /subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/inVMAccessControlProfiles/{profile}/versions/{version}")]
+        public string ImdsProfile { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            if (this.VirtualMachineScaleSet.VirtualMachineProfile == null)
+            {
+                this.VirtualMachineScaleSet.VirtualMachineProfile = new PSVirtualMachineScaleSetVMProfile();
+            }
+            if (this.VirtualMachineScaleSet.VirtualMachineProfile.SecurityProfile == null)
+            {
+                this.VirtualMachineScaleSet.VirtualMachineProfile.SecurityProfile = new SecurityProfile();
+            }
+
+
+            this.VirtualMachineScaleSet.VirtualMachineProfile.SecurityProfile.ProxyAgentSettings = new ProxyAgentSettings
+            {
+                Enabled = this.EnableProxyAgent,
+                WireServer = (this.WireServerMode == null && this.WireServerProfile == null ? null : new HostEndpointSettings()
+                {
+                    Mode = this.WireServerMode,
+                    InVMAccessControlProfileReferenceId = this.WireServerProfile
+                }),
+                Imds = (this.ImdsMode == null && this.ImdsProfile == null ? null : new HostEndpointSettings()
+                {
+                    Mode = this.ImdsMode,
+                    InVMAccessControlProfileReferenceId = this.ImdsProfile
+                })
+            };
+
+            WriteObject(this.VirtualMachineScaleSet);
+        }
+    }
+
+}