Merge pull request #268621 from ShawnJackson/container-instances-tutorial-deploy-confidential-containers-cce-arm

ktoliver · web-flow · commit e33927da7fd0 · 2024-03-12T09:38:13.000-07:00
[AQ] edit pass: container-instances-tutorial-deploy-confidential-containers-cce-arm
diff --git a/articles/container-instances/container-instances-tutorial-deploy-confidential-containers-cce-arm.md b/articles/container-instances/container-instances-tutorial-deploy-confidential-containers-cce-arm.md
@@ -1,6 +1,6 @@
 ---
-title: Tutorial - Prepare a deployment for a confidential container on Azure Container Instances
-description: Azure Container Instances tutorial deploys a confidential container - ARM
+title: "Tutorial: Prepare a deployment for a confidential container on Azure Container Instances"
+description: Learn how to create an Azure Resource Manager template for a confidential container deployment with a custom confidential computing enforcement policy.
 ms.topic: tutorial
 ms.author: tomcassidy
 author: tomvcassidy
@@ -10,36 +10,37 @@ ms.date: 05/23/2023
 ms.custom: mvc, devx-track-arm-template, linux-related-content
 ---
 
-# Tutorial: Create an ARM template for a confidential container deployment with custom confidential computing enforcement policy
+# Tutorial: Prepare a deployment for a confidential container on Azure Container Instances
 
-Confidential containers on ACI is a SKU on the serverless platform that enables customers to run container applications in a hardware-based and attested trusted execution environment (TEE), which can protect data in use and provides in-memory encryption via Secure Nested Paging.
+In Azure Container Instances, you can use confidential containers on the serverless platform to run container applications in a hardware-based and attested trusted execution environment (TEE). This capability can help protect data in use and provides in-memory encryption via Secure Nested Paging.
 
-In this article, you'll:
+In this tutorial, you learn how to:
 
 > [!div class="checklist"]
-> * Create an ARM template for a confidential container group
-> * Generate a confidential computing enforcement (CCE) policy
-> * Deploy the confidential container group to Azure
+>
+> * Create an Azure Resource Manager template (ARM template) for a confidential container group.
+> * Generate a confidential computing enforcement (CCE) policy.
+> * Deploy the confidential container group to Azure.
 
-## Before you begin
+## Prerequisites
 
 [!INCLUDE [container-instances-tutorial-prerequisites-confidential-containers](../../includes/container-instances-tutorial-prerequisites-confidential-containers.md)]
 
-## Create an ACI container group ARM Template
+## Create an ARM template for a Container Instances container group
 
-In this tutorial, you deploy a hello world application that generates a hardware attestation report. You start by creating an ARM template with a container group resource to define the properties of this application. You'll use this ARM template with the Azure CLI confcom tooling to generate a confidential computing enforcement (CCE) policy for attestation. In this tutorial, we use this [ARM template](https://raw.githubusercontent.com/Azure-Samples/aci-confidential-hello-world/main/template.json?token=GHSAT0AAAAAAB5B6SJ7VUYU3G6MMQUL7KKKY7QBZBA). To view the source code for this application, visit [ACI Confidential Hello World](https://aka.ms/ccacihelloworld).
+In this tutorial, you deploy a Hello World application that generates a hardware attestation report. You start by creating an ARM template with a container group resource to define the properties of this application. You then use this ARM template with the Azure CLI confcom tooling to generate a CCE policy for attestation.
 
-> [!NOTE]
-> The ccePolicy parameter of the template is blank and needs to be updated based on the next step of this tutorial.
+This tutorial uses [this ARM template](https://raw.githubusercontent.com/Azure-Samples/aci-confidential-hello-world/main/template.json?token=GHSAT0AAAAAAB5B6SJ7VUYU3G6MMQUL7KKKY7QBZBA) as an example. To view the source code for this application, see [Azure Container Instances Confidential Hello World](https://aka.ms/ccacihelloworld).
 
-There are two properties added to the Azure Container Instance resource definition to make the container group confidential:
+The example template adds two properties to the Container Instances resource definition to make the container group confidential:
 
-1. **sku**: The SKU property enables you to select between confidential and standard container group deployments. If this property isn't added, the container group will be deployed as standard SKU.
-2. **confidentialComputeProperties**: The confidentialComputeProperties object enables you to pass in a custom confidential computing enforcement policy for attestation of your container group. If this object isn't added to the resource there will be no validation of the software components running within the container group.
+* `sku`: Enables you to select between confidential and standard container group deployments. If you don't add this property to the resource, the container group will be a standard deployment.
+* `confidentialComputeProperties`: Enables you to pass in a custom CCE policy for attestation of your container group. If you don't add this object to the resource, the software components that run within the container group won't be validated.
 
-Use your preferred text editor to save this ARM template on your local machine as **template.json**.
+> [!NOTE]
+> The `ccePolicy` parameter under `confidentialComputeProperties` is blank. You'll fill it in after you generate the policy later in the tutorial.
 
-You can see under **confidentialComputeProperties**, we have left a blank **ccePolicy** for you to fill in once you generate the policy in the next step.
+Use your preferred text editor to save this ARM template on your local machine as *template.json*.
 
 ```ARM
 {
@@ -155,18 +156,17 @@ You can see under **confidentialComputeProperties**, we have left a blank **cceP
   }
 ```
 
-## Create a custom CCE Policy
-
-With the ARM template that you've crafted and the Azure CLI confcom extension, you're able to generate a custom CCE policy. the CCE policy is used for attestation. The tool takes the ARM template as an input to generate the policy. The policy enforces the specific container images, environment variables, mounts, and commands, which can then be validated when the container group starts up. For more information on the Azure CLI confcom extension, see [Azure CLI confcom extension](https://github.com/Azure/azure-cli-extensions/blob/main/src/confcom/azext_confcom/README.md).
+## Create a custom CCE policy
 
+With the ARM template that you crafted and the Azure CLI confcom extension, you can generate a custom CCE policy. The CCE policy is used for attestation. The tool takes the ARM template as an input to generate the policy. The policy enforces the specific container images, environment variables, mounts, and commands, which can then be validated when the container group starts up. For more information on the Azure CLI confcom extension, see the [documentation on GitHub](https://github.com/Azure/azure-cli-extensions/blob/main/src/confcom/azext_confcom/README.md).
 
-1. To generate the CCE policy, you'll run the following command using the ARM template as input:
+1. To generate the CCE policy, run the following command by using the ARM template as input:
 
    ```azurecli-interactive
    az confcom acipolicygen -a .\template.json --print-policy
    ```
 
-   When this command completes, you should see a Base 64 string generated as output in the format seen below. This string is the CCE policy that you will copy and paste into your ARM template under the ccePolicy property.
+   When this command finishes, a Base64 string generated as output should appear in the following format. This string is the CCE policy that you copy and paste into your ARM template as the value of the `ccePolicy` property.
 
    ```output
    cGFja2FnZSBwb2xpY3kKCmFwaV9zdm4gOj0gIjAuOS4wIgoKaW1wb3J0IGZ1dHVyZS5rZXl3b3Jkcy5ldmVyeQppbXBvcnQgZnV0dXJlLmtleXdvcmRzLmluCgpmcmFnbWVudHMgOj0gWwpdCgpjb250YWluZXJzIDo9IFsKICAgIHsKICAgICAgICAiY29tbWFuZCI6IFsiL3BhdXNlIl0sCiAgICAgICAgImVudl9ydWxlcyI6IFt7InBhdHRlcm4iOiAiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iLCAic3RyYXRlZ3kiOiAic3RyaW5nIiwgInJlcXVpcmVkIjogdHJ1ZX0seyJwYXR0ZXJuIjogIlRFUk09eHRlcm0iLCAic3RyYXRlZ3kiOiAic3RyaW5nIiwgInJlcXVpcmVkIjogZmFsc2V9XSwKICAgICAgICAibGF5ZXJzIjogWyIxNmI1MTQwNTdhMDZhZDY2NWY5MmMwMjg2M2FjYTA3NGZkNTk3NmM3NTVkMjZiZmYxNjM2NTI5OTE2OWU4NDE1Il0sCiAgICAgICAgIm1vdW50cyI6IFtdLAogICAgICAgICJleGVjX3Byb2Nlc3NlcyI6IFtdLAogICAgICAgICJzaWduYWxzIjogW10sCiAgICAgICAgImFsbG93X2VsZXZhdGVkIjogZmFsc2UsCiAgICAgICAgIndvcmtpbmdfZGlyIjogIi8iCiAgICB9LApdCmFsbG93X3Byb3BlcnRpZXNfYWNjZXNzIDo9IHRydWUKYWxsb3dfZHVtcF9zdGFja3MgOj0gdHJ1ZQphbGxvd19ydW50aW1lX2xvZ2dpbmcgOj0gdHJ1ZQphbGxvd19lbnZpcm9ubWVudF92YXJpYWJsZV9kcm9wcGluZyA6PSB0cnVlCmFsbG93X3VuZW5jcnlwdGVkX3NjcmF0Y2ggOj0gdHJ1ZQoKCm1vdW50X2RldmljZSA6PSB7ICJhbGxvd2VkIiA6IHRydWUgfQp1bm1vdW50X2RldmljZSA6PSB7ICJhbGxvd2VkIiA6IHRydWUgfQptb3VudF9vdmVybGF5IDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CnVubW91bnRfb3ZlcmxheSA6PSB7ICJhbGxvd2VkIiA6IHRydWUgfQpjcmVhdGVfY29udGFpbmVyIDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CmV4ZWNfaW5fY29udGFpbmVyIDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CmV4ZWNfZXh0ZXJuYWwgOj0geyAiYWxsb3dlZCIgOiB0cnVlIH0Kc2h1dGRvd25fY29udGFpbmVyIDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CnNpZ25hbF9jb250YWluZXJfcHJvY2VzcyA6PSB7ICJhbGxvd2VkIiA6IHRydWUgfQpwbGFuOV9tb3VudCA6PSB7ICJhbGxvd2VkIiA6IHRydWUgfQpwbGFuOV91bm1vdW50IDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CmdldF9wcm9wZXJ0aWVzIDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CmR1bXBfc3RhY2tzIDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CnJ1bnRpbWVfbG9nZ2luZyA6PSB7ICJhbGxvd2VkIiA6IHRydWUgfQpsb2FkX2ZyYWdtZW50IDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CnNjcmF0Y2hfbW91bnQgOj0geyAiYWxsb3dlZCIgOiB0cnVlIH0Kc2NyYXRjaF91bm1vdW50IDo9IHsgImFsbG93ZWQiIDogdHJ1ZSB9CnJlYXNvbiA6PSB7ImVycm9ycyI6IGRhdGEuZnJhbWV3b3JrLmVycm9yc30K
@@ -176,61 +176,64 @@ With the ARM template that you've crafted and the Azure CLI confcom extension, y
 
 ## Deploy the template
 
-1. Select the following **Deploy to Azure** button to sign in to Azure and begin an Azure Container Instances deployment.
+In the following steps, you use the Azure portal to deploy the template. You can also use Azure PowerShell, the Azure CLI, or the REST API. To learn about other deployment methods, see [Deploy templates](../azure-resource-manager/templates/deploy-cli.md).
+
+1. Select the **Deploy to Azure** button to sign in to Azure and begin a Container Instances deployment.
 
    :::image type="content" source="~/articles/reusable-content/ce-skilling/azure/media/template-deployments/deploy-to-azure-button.svg" alt-text="Button to deploy the Resource Manager template to Azure." border="false" link="https://ms.portal.azure.com/#create/Microsoft.Template":::
 
-1. Choose **Build your own template in the editor**. You'll see a mostly blank template JSON.
+1. Select **Build your own template in the editor**.
 
-   ![Screenshot of Build your own template in the editor button on deployment screen, PNG.](./media/container-instances-confidential-containers-tutorials/confidential-containers-cce-build-template.png)
+   ![Screenshot of the button for building your own template in the editor.](./media/container-instances-confidential-containers-tutorials/confidential-containers-cce-build-template.png)
 
-1. Select **Load file** and upload **template.json**, which you've modified by adding the CCE policy you generated in the previous steps.
+   The template JSON that appears is mostly blank.
 
-   ![Screenshot of Load file button on template screen, PNG.](./media/container-instances-confidential-containers-tutorials/confidential-containers-cce-load-file.png)
+1. Select **Load file** and upload *template.json*, which you modified by adding the CCE policy in the previous steps.
 
-1. Click **Save**.
+   ![Screenshot of the button for loading a file.](./media/container-instances-confidential-containers-tutorials/confidential-containers-cce-load-file.png)
 
-1. Select or enter the following values.
+1. Select **Save**.
 
-   * **Subscription**: select an Azure subscription.
-   * **Resource group**: select **Create new**, enter a unique name for the resource group, and then select **OK**.
-   * **Location**: select a location for the resource group. Choose a region where the [Confidential SKU is supported](./container-instances-region-availability.md#linux-container-groups). Example: **North Europe**.
-   * **Name**: accept the generated name for the instance, or enter a name.
-   * **Image**: accept the default image name. This sample Linux image displays a hardware attestation.
+1. Select or enter the following values:
 
-   Accept default values for the remaining properties.
+   * **Subscription**: Select an Azure subscription.
+   * **Resource group**: Select **Create new**, enter a unique name for the resource group, and then select **OK**.
+   * **Name**: Accept the generated name for the instance, or enter a name.
+   * **Location**: Select a location for the resource group. Choose a region where [confidential containers are supported](./container-instances-region-availability.md#linux-container-groups). Example: **North Europe**.
+   * **Image**: Accept the default image name. This sample Linux image displays a hardware attestation.
 
-   Review the terms and conditions. If you agree, select **I agree to the terms and conditions stated above**.
+   Accept default values for the remaining properties, and then select **Review + create**.
 
-   ![Screenshot of custom ARM template deployment, PNG.](media/container-instances-confidential-containers-tutorials/confidential-containers-cce-custom-arm-deployment.png)
+   ![Screenshot of details for a custom ARM template deployment.](media/container-instances-confidential-containers-tutorials/confidential-containers-cce-custom-arm-deployment.png)
 
-1. After the instance has been created successfully, you get a notification:
+1. Review the terms and conditions. If you agree, select **I agree to the terms and conditions stated above**.
 
-   ![Screenshot of portal notification for successful deployment, PNG.](media/container-instances-confidential-containers-tutorials/confidential-containers-cce-deployment-succeed.png)
+1. Wait until the **Deployment succeeded** notification appears. It confirms that you successfully created the instance.
 
-The Azure portal is used to deploy the template. In addition to the Azure portal, you can use the Azure PowerShell, Azure CLI, and REST API. To learn other deployment methods, see [Deploy templates](../azure-resource-manager/templates/deploy-cli.md).
+   ![Screenshot of a portal notification for successful deployment.](media/container-instances-confidential-containers-tutorials/confidential-containers-cce-deployment-succeed.png)
 
 ## Review deployed resources
 
-Use the Azure portal or a tool such as the [Azure CLI](container-instances-quickstart.md) to review the properties of the container instance.
+In the following steps, you use the Azure portal to review the properties of the container instance. You can also use a tool such as the [Azure CLI](container-instances-quickstart.md).
 
-1. In the portal, search for Container Instances, and select the container instance you created.
+1. In the portal, search for **Container Instances**, and then select the container instance that you created.
 
-2. On the **Overview** page, note the **Status** of the instance and its **IP address**.
+2. On the **Overview** page, note the status of the instance and its IP address.
 
-    ![Screenshot of overview page for container group instance, PNG.](media/container-instances-confidential-containers-tutorials/confidential-containers-cce-portal.png)
+    ![Screenshot of the overview page for a container group instance.](media/container-instances-confidential-containers-tutorials/confidential-containers-cce-portal.png)
 
-3. Once its status is *Running*, navigate to the IP address in your browser.
+3. When the status of the instance is **Running**, go to the IP address in your browser.
 
-    ![Screenshot of browser view of app deployed using Azure Container Instances, PNG.](media/container-instances-confidential-containers-tutorials/confidential-containers-aci-hello-world.png)
+    ![Screenshot of a browser view of an app deployed via Azure Container Instances.](media/container-instances-confidential-containers-tutorials/confidential-containers-aci-hello-world.png)
 
     The presence of the attestation report below the Azure Container Instances logo confirms that the container is running on hardware that supports a TEE.
-    If you deploy to hardware that does not support a TEE, for example by choosing a region where the ACI Confidential SKU is not available, no attestation report will be shown.
 
-## Next Steps
+    If you deploy to hardware that doesn't support a TEE (for example, by choosing a region where Container Instances Confidential isn't available), no attestation report appears.
+
+## Related content
 
-Now that you have deployed a confidential container group on ACI, you can learn more about how policies are enforced.
+Now that you've deployed a confidential container group on Container Instances, you can learn more about how policies are enforced:
 
-* [Confidential computing enforcement policies overview](./container-instances-confidential-overview.md)
+* [Confidential containers on Azure Container Instances](./container-instances-confidential-overview.md)
 * [Azure CLI confcom extension examples](https://github.com/Azure/azure-cli-extensions/blob/main/src/confcom/azext_confcom/README.md)
 * [Confidential Hello World application](https://aka.ms/ccacihelloworld)
diff --git a/includes/container-instances-tutorial-prerequisites-confidential-containers.md b/includes/container-instances-tutorial-prerequisites-confidential-containers.md
@@ -1,6 +1,6 @@
 ---
-title: include file
-description: include file
+title: Include file
+description: Include file
 services: container-instances
 author: tomvcassidy
 
@@ -11,24 +11,22 @@ ms.author: tomcassidy
 ms.custom: include file
 ---
 
-You must satisfy the following requirements to complete this tutorial:
+To complete this tutorial, you must satisfy the following requirements:
 
-1. **Azure CLI**: You must have Azure CLI version 2.44.1 or later installed on your local computer. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI][azure-cli-install].
+* **Azure CLI**: You must have Azure CLI version 2.44.1 or later installed on your local computer. To find your version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI][azure-cli-install].
 
-2. **Azure CLI confcom extension**: You must have the Azure CLI confcom extension version 0.2.13+ installed to generate confidential computing enforcement policies. 
+* **Azure CLI confcom extension**: You must have Azure CLI confcom extension version 0.30+ installed to generate confidential computing enforcement policies.
 
-**Docker**: This tutorial assumes a basic understanding of core Docker concepts like containers, container images, and basic `docker` commands. For a primer on Docker and container basics, see the [Docker overview][docker-get-started].
+  ```bash
+   az extension add -n confcom
+  ```
 
-**Docker**: To complete this tutorial, you need Docker installed locally. Docker provides packages that configure the Docker environment on [macOS][docker-mac], [Windows][docker-windows], and [Linux][docker-linux].
+* **Docker**: You need Docker installed locally. Docker provides packages that configure the Docker environment on [macOS][docker-mac], [Windows][docker-windows], and [Linux][docker-linux].
 
-**Azure CLI confcom extension**: You must have the Azure CLI confcom extension version 0.30+ to generate confidential computing enforcement policies. 
-   
-```bash
-   az extension add -n confcom
- ```
+  This tutorial assumes a basic understanding of core Docker concepts like containers, container images, and basic `docker` commands. For a primer on Docker and container basics, see the [Docker overview][docker-get-started].
 
 > [!IMPORTANT]
-> Because the Azure Cloud shell does not include the Docker daemon, you *must* install both the Azure CLI and Docker Engine on your *local computer* to complete this tutorial. You cannot use the Azure Cloud Shell for this tutorial.
+> Because Azure Cloud Shell doesn't include the Docker daemon, you must install both the Azure CLI and Docker Engine on your *local computer* to complete this tutorial. You can't use Azure Cloud Shell for this tutorial.
 
 <!-- LINKS - External -->
 [docker-get-started]: https://docs.docker.com/engine/docker-overview/
