
Commit bd31663

SandidoVeryEarly
andauthored
Hotifx: Update TL as Default feature to further restrict it (#23297)
* Update NewAzureVMCommand.cs * Update DiskCreateOrUpdateMethod.cs * Update VirtualMachineScaleSetCreateOrUpdateMethod.cs * Update NewAzureVMCommand.cs * Update VirtualMachineScaleSetCreateOrUpdateMethod.cs * Update DiskCreateOrUpdateMethod.cs * Update NewAzureVMCommand.cs * Update NewAzureVMCommand.cs * Update New-AzVM.md * Update New-AzVM.md * Update VirtualMachineScaleSetCreateOrUpdateMethod.cs * ensure flex defaulting works fine * Update ExampleIssues.csv --------- Co-authored-by: Yabo Hu <[email protected]>
1 parent 50b9d53 commit bd31663


5 files changed

+21
-5
lines changed


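--- a/src/Compute/Compute/Generated/VirtualMachineScaleSet/VirtualMachineScaleSetCreateOrUpdateMethod.cs
+++ b/src/Compute/Compute/Generated/VirtualMachineScaleSet/VirtualMachineScaleSetCreateOrUpdateMethod.cs
@@ -431,6 +431,7 @@ private bool shouldGuestAttestationExtBeInstalled(VirtualMachineScaleSet vmssPar
 {
 if (this.DisableIntegrityMonitoring != true &&
 vmssParameters != null &&
+vmssParameters.OrchestrationMode != "Flexible" &&
 vmssParameters.VirtualMachineProfile != null &&
 vmssParameters.VirtualMachineProfile.SecurityProfile != null &&
 vmssParameters.VirtualMachineProfile.SecurityProfile.SecurityType?.ToLower() == ConstantValues.TrustedLaunchSecurityType &&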
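Review bot: The added `vmssParameters.OrchestrationMode != "Flexible"` check is a case-sensitive comparison against a bare literal, while the SecurityType test a few lines below lower-cases its value before comparing. If OrchestrationMode can reach this method in another casing (not visible in this hunk), a Flexible scale set would pass the guard and the Guest Attestation install would still be attempted. Consider `!string.Equals(vmssParameters.OrchestrationMode, "Flexible", StringComparison.OrdinalIgnoreCase) &&`, plus a one-line comment saying why Flexible sets are excluded, since the exclusion means Trusted Launch Flexible sets get no Guest Attestation extension by default. The condition and the method body continue past the end of the hunk.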

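--- a/src/Compute/Compute/Manual/VirtualMachineScaleSetCreateOrUpdateMethod.cs
+++ b/src/Compute/Compute/Manual/VirtualMachineScaleSetCreateOrUpdateMethod.cs
@@ -557,6 +557,12 @@ private async Task<ResourceConfig<VirtualMachineScaleSet>> SimpleParameterSetOrc
 
 var hostGroup = resourceGroup.CreateDedicatedHostGroupSubResourceFunc(_cmdlet.HostGroupId);
 
+if (!_cmdlet.IsParameterBound(c => c.SystemAssignedIdentity)
+&& _cmdlet.SystemAssignedIdentity == true)
+{
+_cmdlet.SystemAssignedIdentity = false;
+}
+
 return resourceGroup.CreateVirtualMachineScaleSetConfigOrchestrationModeFlexible(
 name: _cmdlet.VMScaleSetName,
 subnet: subnet,
@@ -705,7 +711,8 @@ async Task SimpleParameterSetExecuteCmdlet(IAsyncCmdlet asyncCmdlet)
 asyncCmdlet.WriteObject(psObject);
 }
 
-if (shouldGuestAttestationExtBeInstalledSimple())
+if (shouldGuestAttestationExtBeInstalledSimple()
+&& this.SystemAssignedIdentity == true)
 {
 string extensionNameGA = "GuestAttestation";
 var extensionDirect = new VirtualMachineScaleSetExtension();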
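Review bot: In the second hunk, the new `&& this.SystemAssignedIdentity == true` condition skips the Guest Attestation extension without telling the caller, so a Trusted Launch scale set created without a system-assigned identity ends up with no integrity monitoring and no indication why. Together with the first hunk, which resets an unbound `SystemAssignedIdentity` to false for Flexible orchestration, this appears to mean Flexible sets never receive the extension from this path. A verbose or warning message on the skipped branch would make that visible, and a comment such as `// Guest Attestation is only installed when a system-assigned identity is enabled; otherwise the extension is skipped.` would record the intent. Both enclosing methods start and end outside the hunks.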

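--- a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs
+++ b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs
@@ -412,6 +412,11 @@ public class NewAzureVMCommand : VirtualMachineBaseCmdlet
 Mandatory = false,
 ValueFromPipelineByPropertyName = true,
 HelpMessage = "This flag disables the default behavior to install the Guest Attestation extension to the virtual machine if: 1) SecurityType is TrustedLaunch, 2) SecureBootEnabled on the SecurityProfile is true, 3) VTpmEnabled on the SecurityProfile is true.")]
+[Parameter(
+ParameterSetName = SimpleParameterSet,
+Mandatory = false,
+ValueFromPipelineByPropertyName = true,
+HelpMessage = "This flag disables the default behavior to install the Guest Attestation extension to the virtual machine if: 1) SecurityType is TrustedLaunch, 2) SecureBootEnabled on the SecurityProfile is true, 3) VTpmEnabled on the SecurityProfile is true.")]
 public SwitchParameter DisableIntegrityMonitoring { get; set; }
 
 [Parameter(
@@ -785,11 +790,11 @@ async Task StrategyExecuteCmdletAsync(IAsyncCmdlet asyncCmdlet)
 // imagerefid is specifically shared gallery id, so don't want it.
 else
 {
-this.SecurityType = ConstantValues.TrustedLaunchSecurityType;
 if (!this.IsParameterBound(c => c.Image)
 && !this.IsParameterBound(c => c.ImageReferenceId)
 && !this.IsParameterBound(c => c.SharedGalleryImageId))
 {
+this.SecurityType = ConstantValues.TrustedLaunchSecurityType;
 this.Image = ConstantValues.TrustedLaunchDefaultImageAlias;
 if (!this.IsParameterBound(c => c.EnableSecureBoot))
 {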
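Review bot: In the second hunk, moving `this.SecurityType = ConstantValues.TrustedLaunchSecurityType;` inside the image check means a caller who supplies `-Image`, `-ImageReferenceId` or `-SharedGalleryImageId` no longer gets Trusted Launch by default, and nothing in the visible code tells them so. The reason is presumably that a caller-chosen image may not support Trusted Launch; a comment would pin that down, e.g. `// Default SecurityType to TrustedLaunch only when the image is also defaulted; a caller-supplied image is left as specified.` Separately, the first hunk duplicates the long `HelpMessage` literal for the new `SimpleParameterSet` attribute; a shared `const string` would keep the two copies from drifting. The enclosing `else` block continues beyond the hunk.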

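--- a/src/Compute/Compute/help/New-AzVM.md
+++ b/src/Compute/Compute/help/New-AzVM.md
@@ -26,7 +26,7 @@ New-AzVM [[-ResourceGroupName] <String>] [[-Location] <String>] [-EdgeZone <Stri
 [-Priority <String>] [-EvictionPolicy <String>] [-MaxPrice <Double>] [-EncryptionAtHost]
 [-HostGroupId <String>] [-SshKeyName <String>] [-GenerateSshKey] [-CapacityReservationGroupId <String>]
 [-UserData <String>] [-ImageReferenceId <String>] [-PlatformFaultDomain <Int32>] [-HibernationEnabled]
-[-vCPUCountAvailable <Int32>] [-vCPUCountPerCore <Int32>] [-DiskControllerType <String>]
+[-vCPUCountAvailable <Int32>] [-vCPUCountPerCore <Int32>] [-DiskControllerType <String>] [-DisableIntegrityMonitoring]
 [-SharedGalleryImageId <String>] [-SecurityType <String>] [-EnableVtpm <Boolean>]
 [-EnableSecureBoot <Boolean>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
 [<CommonParameters>]
@@ -306,7 +306,7 @@ Set-AzVMSourceImage -VM $vmConfig -PublisherName $PublisherName -Offer $Offer -S
 Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id;
 $vmConfig = Set-AzVMSecurityProfile -VM $vmConfig -SecurityType $securityType;
 $vmConfig = Set-AzVMUefi -VM $vmConfig -EnableVtpm $vtpm -EnableSecureBoot $secureboot;
-New-AzVM -ResourceGroupName $RGName -Location $loc -VM $vmConfig -DisableIntegrityMonitoring:$false;
+New-AzVM -ResourceGroupName $RGName -Location $loc -VM $vmConfig;
 # Verify values
 $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmName;
 $vmExt = Get-AzVMExtension -ResourceGroupName $rgname -VMName $vmName -Name $extDefaultName;
@@ -548,7 +548,7 @@ This flag disables the default behavior to install the Guest Attestation extensi
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
-Parameter Sets: DefaultParameterSet
+Parameter Sets: DefaultParameterSet, SimpleParameterSet
 Aliases:
 
 Required: False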

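--- a/tools/StaticAnalysis/Exceptions/Az.Compute/ExampleIssues.csv
+++ b/tools/StaticAnalysis/Exceptions/Az.Compute/ExampleIssues.csv
@@ -18,3 +18,6 @@
 "Az.Compute","Set-AzVMSecurityProfile","2","27","Capitalization_Conventions_Violated","5101","1","Set-AzVmUefi doesn't follow the Capitalization Conventions.","Set-AzVmUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true","Check the Capitalization Conventions. Suggest format: Set-AzVMUefi"
 "Az.Compute","Set-AzVMSecurityProfile","2","33","Capitalization_Conventions_Violated","5101","1","Get-AzVm doesn't follow the Capitalization Conventions.","Get-AzVm -ResourceGroupName $rgname -Name $vmname","Check the Capitalization Conventions. Suggest format: Get-AzVM"
 "Az.Compute","New-AzVM","8","9","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $rgname -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","6","3","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $resourceGroupName -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","8","10","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $resourceGroupName -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","9","4","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $rgname -Location $loc -Force","Check the spell of New-AzResourceGroup."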
