Merge pull request #234263 from divargas-msft/patch-1

[Doc-a-thon] Updating quick-create-confidential-vm-arm-amd.md

Author: v-shils

articles/confidential-computing/quick-create-confidential-vm-arm-amd.md

@@ -6,7 +6,7 @@ ms.service: virtual-machines
 ms.subservice: confidential-computing
 ms.workload: infrastructure
 ms.topic: quickstart
-ms.date: 7/14/2022
+ms.date: 04/12/2023
 ms.author: RunCai
 ms.custom: mode-arm, devx-track-azurecli, devx-track-arm-template
 ms.devlang: azurecli
@@ -32,13 +32,13 @@ To create and deploy your confidential VM using an ARM template through the Azur
 
 1. Sign in to your Azure account in the Azure CLI.
 
-    ```azurecli
+    ```azurecli-interactive
     az login
     ```
 
 1. Set your Azure subscription. Replace `<subscription-id>` with your subscription identifier. Make sure to use a subscription that meets the [prerequisites](#prerequisites).
 
-    ```azurecli
+    ```azurecli-interactive
     az account set --subscription <subscription-id>
     ```
 
@@ -55,15 +55,14 @@ To create and deploy your confidential VM using an ARM template through the Azur
     ```
 
     If the resource group you specified doesn't exist, create a resource group with that name.
-    
-    ```azurecli
+
+    ```azurecli-interactive
     az group create -n $resourceGroup -l $region
     ```
 
 1. Deploy your VM to Azure using an ARM template with a custom parameter file
 
-      
-    ```azurecli
+    ```azurecli-interactive
     az deployment group create `
      -g $resourceGroup `
      -n $deployName `
@@ -73,7 +72,6 @@ To create and deploy your confidential VM using an ARM template through the Azur
         vmName=$vmName
     ```
 
-
 ### Define custom parameter file
 
 When you create a confidential VM through the Azure Command-Line Interface (Azure CLI), you need to define a custom parameter file. To create a custom JSON parameter file:
@@ -151,6 +149,9 @@ Use this example to create a custom parameter file for a Linux-based confidentia
 }
 ```
 
+> [!NOTE]
+> Replace the osImageName value accordingly.
+
 ## Deploy confidential VM template with OS disk confidential encryption via customer-managed key
 
 1. Sign in to your Azure account through the Azure CLI.
@@ -161,83 +162,81 @@ Use this example to create a custom parameter file for a Linux-based confidentia
 
 1. Set your Azure subscription. Replace `<subscription-id>` with your subscription identifier. Make sure to use a subscription that meets the [prerequisites](#prerequisites).
 
-    ```azurecli
+    ```azurecli-interactive
     az account set --subscription <subscription-id>
     ```
+
 1. Grant confidential VM Service Principal `Confidential VM Orchestrator` to tenant
     
     For this step you need to be a Global Admin or you need to have the User Access Administrator RBAC role.
-    
-    ```azurecli
+
+    ```azurecli-interactive
     Connect-AzureAD -Tenant "your tenant ID"
     New-AzureADServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"    
     ```
+
 1. Set up your Azure key vault. For how to use an Azure Key Vault Managed HSM instead, see the next step.
 
     1. Create a resource group for your key vault. Your key vault instance and your confidential VM must be in the same Azure region.
-    
-        ```azurecli
+
+        ```azurecli-interactive
         $resourceGroup = <key vault resource group>
         $region = <Azure region>
         az group create --name $resourceGroup --location $region
         ```
-    
+
     1. Create a key vault instance with a premium SKU in your preferred region.
-    
-        ```azurecli
+
+        ```azurecli-interactive
         $KeyVault = <name of key vault>
         az keyvault create --name $KeyVault --resource-group $resourceGroup --location $region --sku Premium --enable-purge-protection 
         ```
 
     1. Make sure that you have an **owner** role in this key vault.
-    
     1. Give `Confidential VM Orchestrator` permissions to `get` and `release` the key vault.
-    
-        ```azurecli
+
+        ```azurecli-interactive
         $cvmAgent = az ad sp show --id "bf7b6499-ff71-4aa2-97a4-f372087be7f0" | Out-String | ConvertFrom-Json
         az keyvault set-policy --name $KeyVault --object-id $cvmAgent.objectId --key-permissions get release
         ```
 
 1. (Optional) If you don't want to use an Azure key vault, you can create an Azure Key Vault Managed HSM instead.
 
     1. Follow the [quickstart to create an Azure Key Vault Managed HSM](../key-vault/managed-hsm/quick-create-cli.md) to provision and activate Azure Key Vault Managed HSM. 
-    
     1. Enable purge protection on the Azure Managed HSM. This step is required to enable key release.
     
-        ```azurecli
+        ```azurecli-interactive
         az keyvault update-hsm --subscription $subscriptionId -g $resourceGroup --hsm-name $hsm --enable-purge-protection true
         ```
 
-
     1. Give `Confidential VM Orchestrator` permissions to managed HSM.
-    
-        ```azurecli
+
+        ```azurecli-interactive
         $cvmAgent = az ad sp show --id "bf7b6499-ff71-4aa2-97a4-f372087be7f0" | Out-String | ConvertFrom-Json
         az keyvault role assignment create --hsm-name $hsm --assignee $cvmAgent.objectId --role "Managed HSM Crypto Service Release User" --scope /keys/$KeyName 
         ```
 
 1. Create a new key using Azure Key Vault. For how to use an Azure Managed HSM instead, see the next step.
 
     1. Prepare and download the [key release policy](https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/skr-policy.json) to your local disk.
-    
     1. Create a new key.
 
-        ```azurecli
+        ```azurecli-interactive
         $KeyName = <name of key>
         $KeySize = 3072
         az keyvault key create --vault-name $KeyVault --name $KeyName --ops wrapKey unwrapkey --kty RSA-HSM --size $KeySize --exportable true --policy "@.\skr-policy.json"    
         ```
 
     1. Get information about the key that you created.
-        
-        ```azurecli
+
+        ```azurecli-interactive
         $encryptionKeyVaultId = ((az keyvault show -n $KeyVault -g $resourceGroup) | ConvertFrom-Json).id
         $encryptionKeyURL= ((az keyvault key show --vault-name $KeyVault --name $KeyName) | ConvertFrom-Json).key.kid        
         ```
-       
+
     1. Deploy a Disk Encryption Set (DES) using a [DES ARM template](https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/deploymentTemplate/deployDES.json) (`deployDES.json`).
 
-        ```azurecli
+        ```azurecli-interactive
         $desName = <name of DES>
         $deployName = <name of deployment>
         $desArmTemplate = <name of DES ARM template file>
@@ -253,7 +252,7 @@ Use this example to create a custom parameter file for a Linux-based confidentia
 
     1. Assign key access to the DES file.
 
-        ```azurecli
+        ```azurecli-interactive
         $desIdentity= (az disk-encryption-set show -n $desName -g 
         $resourceGroup --query [identity.principalId] -o tsv)
         az keyvault set-policy -n $KeyVault `
@@ -263,26 +262,24 @@ Use this example to create a custom parameter file for a Linux-based confidentia
         ```
 
  1. (Optional) Create a new key from an Azure Managed HSM.
-
     1. Prepare and download the [key release policy](https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/skr-policy.json) to your local disk.
-    
     1. Create the new key.
 
-        ```azurecli
+        ```azurecli-interactive
         $KeyName = <name of key>
         $KeySize = 3072
         az keyvault key create --hsm-name $hsm --name $KeyName --ops wrapKey unwrapkey --kty RSA-HSM --size $KeySize --exportable true --policy "@.\skr-policy.json"   
         ```
 
     1. Get information about the key that you created.
-    
-          ```azurecli
+
+          ```azurecli-interactive
           $encryptionKeyURL = ((az keyvault key show --hsm-name $hsm --name $KeyName) | ConvertFrom-Json).key.kid      
           ```
- 
+
     1. Deploy a DES.
 
-          ```azurecli
+          ```azurecli-interactive
           $desName = <name of DES>
           az disk-encryption-set create -n $desName `
            -g $resourceGroup `
@@ -291,7 +288,7 @@ Use this example to create a custom parameter file for a Linux-based confidentia
 
     1. Assign key access to the DES.
 
-          ```azurecli
+          ```azurecli-interactive
           desIdentity=$(az disk-encryption-set show -n $desName -g $resourceGroup --query [identity.principalId] -o tsv)
           az keyvault set-policy -n $hsm `
               -g $resourceGroup `
@@ -300,16 +297,16 @@ Use this example to create a custom parameter file for a Linux-based confidentia
           ```
 
 1. Deploy your confidential VM with the customer-managed key.
- 
+
     1. Get the resource ID for the DES.
  
-        ```azurecli
+        ```azurecli-interactive
         $desID = (az disk-encryption-set show -n $desName -g $resourceGroup --query [id] -o tsv)
         ```
-      
+
     1. Deploy your confidential VM using the [confidential VM ARM template](https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/deploymentTemplate/deployCPSCVM_cmk.json) (`deployCPSCVM_cmk.json`) and a [deployment parameter file](#example-deployment-parameter-file) (for example, `azuredeploy.parameters.win2022.json`) with the customer-managed key.
-        
-        ```azurecli
+
+        ```azurecli-interactive
         $deployName = <name of deployment>
         $vmName = <name of confidential VM>
         $cvmArmTemplate = <name of confidential VM ARM template file>
@@ -325,7 +322,7 @@ Use this example to create a custom parameter file for a Linux-based confidentia
         ```
 
 1. Connect to your confidential VM to make sure the creation was successful.
-        
+
 ### Example deployment parameter file
 
 This is an example parameter file for a Windows Server 2022 Gen 2 confidential VM: 
@@ -356,7 +353,7 @@ This is an example parameter file for a Windows Server 2022 Gen 2 confidential V
       }
     }
 }
-```   
+```
 
 ## Next steps