Hotifx: Update TL as Default feature to further restrict it (#23297)

* Update NewAzureVMCommand.cs

* Update DiskCreateOrUpdateMethod.cs

* Update VirtualMachineScaleSetCreateOrUpdateMethod.cs

* Update NewAzureVMCommand.cs

* Update VirtualMachineScaleSetCreateOrUpdateMethod.cs

* Update DiskCreateOrUpdateMethod.cs

* Update NewAzureVMCommand.cs

* Update NewAzureVMCommand.cs

* Update New-AzVM.md

* Update New-AzVM.md

* Update VirtualMachineScaleSetCreateOrUpdateMethod.cs

* ensure flex defaulting works fine

* Update ExampleIssues.csv

---------

Co-authored-by: Yabo Hu <[email protected]>

Author: Sandido

src/Compute/Compute/Generated/VirtualMachineScaleSet/VirtualMachineScaleSetCreateOrUpdateMethod.cs

@@ -431,6 +431,7 @@ private bool shouldGuestAttestationExtBeInstalled(VirtualMachineScaleSet vmssPar
         {
             if (this.DisableIntegrityMonitoring != true &&
                     vmssParameters != null &&
+                    vmssParameters.OrchestrationMode != "Flexible" &&
                     vmssParameters.VirtualMachineProfile != null &&
                     vmssParameters.VirtualMachineProfile.SecurityProfile != null &&
                     vmssParameters.VirtualMachineProfile.SecurityProfile.SecurityType?.ToLower() == ConstantValues.TrustedLaunchSecurityType &&

src/Compute/Compute/Manual/VirtualMachineScaleSetCreateOrUpdateMethod.cs

@@ -557,6 +557,12 @@ private async Task<ResourceConfig<VirtualMachineScaleSet>> SimpleParameterSetOrc
 
                 var hostGroup = resourceGroup.CreateDedicatedHostGroupSubResourceFunc(_cmdlet.HostGroupId);
 
+                if (!_cmdlet.IsParameterBound(c => c.SystemAssignedIdentity)
+                    && _cmdlet.SystemAssignedIdentity == true)
+                {
+                    _cmdlet.SystemAssignedIdentity = false;
+                }
+
                 return resourceGroup.CreateVirtualMachineScaleSetConfigOrchestrationModeFlexible(
                     name: _cmdlet.VMScaleSetName,
                     subnet: subnet,
@@ -705,7 +711,8 @@ async Task SimpleParameterSetExecuteCmdlet(IAsyncCmdlet asyncCmdlet)
                 asyncCmdlet.WriteObject(psObject);
             }
 
-            if (shouldGuestAttestationExtBeInstalledSimple())
+            if (shouldGuestAttestationExtBeInstalledSimple()
+                && this.SystemAssignedIdentity == true)
             {
                 string extensionNameGA = "GuestAttestation";
                 var extensionDirect = new VirtualMachineScaleSetExtension();

src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs

@@ -412,6 +412,11 @@ public class NewAzureVMCommand : VirtualMachineBaseCmdlet
            Mandatory = false,
            ValueFromPipelineByPropertyName = true,
            HelpMessage = "This flag disables the default behavior to install the Guest Attestation extension to the virtual machine if: 1) SecurityType is TrustedLaunch, 2) SecureBootEnabled on the SecurityProfile is true, 3) VTpmEnabled on the SecurityProfile is true.")]
+        [Parameter(
+           ParameterSetName = SimpleParameterSet,
+           Mandatory = false,
+           ValueFromPipelineByPropertyName = true,
+           HelpMessage = "This flag disables the default behavior to install the Guest Attestation extension to the virtual machine if: 1) SecurityType is TrustedLaunch, 2) SecureBootEnabled on the SecurityProfile is true, 3) VTpmEnabled on the SecurityProfile is true.")]
         public SwitchParameter DisableIntegrityMonitoring { get; set; }
 
         [Parameter(
@@ -785,11 +790,11 @@ async Task StrategyExecuteCmdletAsync(IAsyncCmdlet asyncCmdlet)
             // imagerefid is specifically shared gallery id, so don't want it.
             else
             {
-                this.SecurityType = ConstantValues.TrustedLaunchSecurityType;
                 if (!this.IsParameterBound(c => c.Image) 
                     && !this.IsParameterBound(c => c.ImageReferenceId) 
                     && !this.IsParameterBound(c => c.SharedGalleryImageId))
                 {
+                    this.SecurityType = ConstantValues.TrustedLaunchSecurityType;
                     this.Image = ConstantValues.TrustedLaunchDefaultImageAlias;
                     if (!this.IsParameterBound(c => c.EnableSecureBoot))
                     {

src/Compute/Compute/help/New-AzVM.md

@@ -26,7 +26,7 @@ New-AzVM [[-ResourceGroupName] <String>] [[-Location] <String>] [-EdgeZone <Stri
  [-Priority <String>] [-EvictionPolicy <String>] [-MaxPrice <Double>] [-EncryptionAtHost]
  [-HostGroupId <String>] [-SshKeyName <String>] [-GenerateSshKey] [-CapacityReservationGroupId <String>]
  [-UserData <String>] [-ImageReferenceId <String>] [-PlatformFaultDomain <Int32>] [-HibernationEnabled]
- [-vCPUCountAvailable <Int32>] [-vCPUCountPerCore <Int32>] [-DiskControllerType <String>]
+ [-vCPUCountAvailable <Int32>] [-vCPUCountPerCore <Int32>] [-DiskControllerType <String>] [-DisableIntegrityMonitoring]
  [-SharedGalleryImageId <String>] [-SecurityType <String>] [-EnableVtpm <Boolean>]
  [-EnableSecureBoot <Boolean>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -306,7 +306,7 @@ Set-AzVMSourceImage -VM $vmConfig -PublisherName $PublisherName -Offer $Offer -S
 Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id;
 $vmConfig = Set-AzVMSecurityProfile -VM $vmConfig -SecurityType $securityType;
 $vmConfig = Set-AzVMUefi -VM $vmConfig -EnableVtpm $vtpm -EnableSecureBoot $secureboot;
-New-AzVM -ResourceGroupName $RGName -Location $loc -VM $vmConfig -DisableIntegrityMonitoring:$false;
+New-AzVM -ResourceGroupName $RGName -Location $loc -VM $vmConfig;
 # Verify values
 $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmName;
 $vmExt = Get-AzVMExtension -ResourceGroupName $rgname -VMName $vmName -Name $extDefaultName;
@@ -548,7 +548,7 @@ This flag disables the default behavior to install the Guest Attestation extensi
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
-Parameter Sets: DefaultParameterSet
+Parameter Sets: DefaultParameterSet, SimpleParameterSet
 Aliases:
 
 Required: False

tools/StaticAnalysis/Exceptions/Az.Compute/ExampleIssues.csv

@@ -18,3 +18,6 @@
 "Az.Compute","Set-AzVMSecurityProfile","2","27","Capitalization_Conventions_Violated","5101","1","Set-AzVmUefi doesn't follow the Capitalization Conventions.","Set-AzVmUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true","Check the Capitalization Conventions. Suggest format: Set-AzVMUefi"
 "Az.Compute","Set-AzVMSecurityProfile","2","33","Capitalization_Conventions_Violated","5101","1","Get-AzVm doesn't follow the Capitalization Conventions.","Get-AzVm -ResourceGroupName $rgname -Name $vmname","Check the Capitalization Conventions. Suggest format: Get-AzVM"
 "Az.Compute","New-AzVM","8","9","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $rgname -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","6","3","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $resourceGroupName -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","8","10","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $resourceGroupName -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","9","4","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $rgname -Location $loc -Force","Check the spell of New-AzResourceGroup."