## Description

Opened on May 5, 2022

### Related commands

- `az snapshot show`
- `az disk create`
- `az disk grant-access`

### Resource Provider

- `Microsoft.Compute/disks`
- `Microsoft.Compute/snapshots`
### Description of Feature or Work Requested

Feature request to add an output value, a new parameter, and new values for existing parameters of the commands above so that they support Trusted Launch VM disks.

The goal is to give customers complete disk management for Trusted Launch VMs (already GA):

- validate that a snapshot the customer has taken is enabled for TrustedLaunch;
- import a managed OS disk for a Trusted Launch VM, optionally together with the VMGuestState disk if required;
- upload a managed OS disk together with its VM Guest State using the new string parameter `--upload-type`, which replaces the existing `--for-upload` parameter.
### Additional Output Value

#### `az snapshot show`

When a customer runs `az snapshot show`, the output should include the snapshot's `securityProfile`. The `securityProfile` output is already supported by `az disk show`; the same needs to be extended to snapshots:

```json
"securityProfile": {
  "securityType": "TrustedLaunch"
},
```
### New Parameters

#### `--security-data-uri` (`az disk create`)

New string parameter `--security-data-uri` for the `az disk create` command:

- Allows the customer to pass the blob URI of the VM Guest State VHD. If the customer does not use this parameter, DiskRP creates a new VM Guest State (i.e. the parameter is optional).
- When specified, the command interprets the disk as being imported, from an unmanaged VHD in a storage account or from another managed disk, with the TrustedLaunch security type for a VM OS disk.
- `--security-type` is mandatory when a `--security-data-uri` value is passed.
- The `--hyper-v-generation` parameter value must be `V2`.
- This is the URI of a blob to be imported into the VM guest state.
#### `--upload-type` (`az disk create`)

New string parameter `--upload-type` to replace the `--for-upload` parameter in `az disk create`:

Accepted Value | Description
---|---
`Upload` | Standard disk-only upload scenario.
`UploadWithSecurityData` | OS disk upload together with the VM Guest State.
#### `--secure-vm-guest-state-sas` (`az disk grant-access`)

New switch parameter `--secure-vm-guest-state-sas` for `az disk grant-access`:

- Allows the customer to query the VM Guest State SAS.
- Required when the new `--upload-type` parameter was set to `UploadWithSecurityData` in the `az disk create` command, which sets the disk's CreateOption to `UploadPreparedSecure`.
- When the switch is used, the output contains both `accessSas` and `securityDataAccessSas`; if the switch is not used, only `accessSas` is returned.
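The parameter rules described above (`--security-data-uri` requiring `--security-type` and `--hyper-v-generation V2`, `--upload-type` replacing `--for-upload`, and the switch `az disk grant-access` needs for an `UploadPreparedSecure` disk) as a small validation module. This is an added example, not azure-cli's own code: the function names, the returned dictionaries, the requirement that a secure import also has a `--source`, and the requirement that `UploadWithSecurityData` is used with `--security-type TrustedLaunch` are assumptions made here.

```python
import json

TRUSTED_LAUNCH = "TrustedLaunch"
# Proposed --upload-type values and the disk CreateOption each one implies.
UPLOAD_TYPES = {"Upload": "Upload", "UploadWithSecurityData": "UploadPreparedSecure"}

# Constructed sample, trimmed from the `az snapshot show` output in Scenario 1.
SAMPLE_SNAPSHOT = json.dumps({
    "hyperVGeneration": "V2",
    "securityProfile": {"securityType": "TrustedLaunch"},
})


def snapshot_is_trusted_launch(snapshot_json: str) -> bool:
    """True when a snapshot carries securityType TrustedLaunch on a Gen2 (V2) disk."""
    snap = json.loads(snapshot_json)
    profile = snap.get("securityProfile") or {}   # null on non-Trusted-Launch snapshots
    return profile.get("securityType") == TRUSTED_LAUNCH and snap.get("hyperVGeneration") == "V2"


def plan_disk_create(source=None, security_data_uri=None, security_type=None,
                     hyper_v_generation=None, upload_type=None, for_upload=False):
    """Check the proposed parameter combinations; return a summary of the resulting request."""
    if upload_type is not None and for_upload:
        raise ValueError("--upload-type replaces --for-upload; pass only one of them")
    if security_data_uri is not None:
        # Secure import: a guest-state VHD only makes sense for a Trusted Launch, Gen2 OS disk.
        if security_type != TRUSTED_LAUNCH:
            raise ValueError("--security-type is mandatory with --security-data-uri")
        if hyper_v_generation != "V2":
            raise ValueError("--hyper-v-generation must be V2 with --security-data-uri")
        if source is None or upload_type is not None:  # assumption: an import needs --source
            raise ValueError("--security-data-uri imports the VHD or disk given by --source")
        return {"mode": "secure-import", "source": source, "securityDataUri": security_data_uri}
    if upload_type is None:
        return {"mode": "upload" if for_upload else "default"}
    if upload_type not in UPLOAD_TYPES:
        raise ValueError(f"unsupported --upload-type {upload_type!r}")
    if upload_type == "UploadWithSecurityData" and security_type != TRUSTED_LAUNCH:
        raise ValueError("UploadWithSecurityData requires --security-type TrustedLaunch")
    return {"mode": "upload", "createOption": UPLOAD_TYPES[upload_type]}


def grant_access_fields(create_option: str, secure_vm_guest_state_sas: bool) -> list:
    """SAS fields `az disk grant-access` returns for a disk, per the request above."""
    if create_option == "UploadPreparedSecure" and not secure_vm_guest_state_sas:
        raise ValueError("--secure-vm-guest-state-sas is required for an UploadPreparedSecure disk")
    return ["accessSas", "securityDataAccessSas"] if secure_vm_guest_state_sas else ["accessSas"]
```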
### End to End Usage

#### Scenario 1 - Get Trusted Launch VM Disk Snapshot

Get the virtual machine disk snapshot:

```shell
az snapshot show --id $snapshotResourceId
```

```json
{ "completionPercent": null, "creationData": { "createOption": "Copy", "galleryImageReference": null, "imageReference": null, "logicalSectorSize": null, "sourceResourceId": "/subscriptions/390a3e32-6963-47d8-bcef-ee8db1c22720/resourceGroups/tvm-cli-change-rg/providers/Microsoft.Compute/disks/tvm-cli-change-vm_OsDisk_1_78358962d0b645a0a3899f18c98b099a", "sourceUniqueId": "78358962-d0b6-45a0-a389-9f18c98b099a", "sourceUri": null, "storageAccountId": null, "uploadSizeBytes": null }, "diskAccessId": null, "diskSizeBytes": 32213303296, "diskSizeGb": 30, "diskState": "Unattached", "encryption": { "diskEncryptionSetId": null, "type": "EncryptionAtRestWithPlatformKey" }, "encryptionSettingsCollection": null, "extendedLocation": null, "hyperVGeneration": "V2", "id": "/subscriptions/390a3e32-6963-47d8-bcef-ee8db1c22720/resourceGroups/tvm-cli-change-rg/providers/Microsoft.Compute/snapshots/test01", "incremental": false, "location": "southeastasia", "managedBy": null, "name": "test01", "networkAccessPolicy": "AllowAll", "osType": "Linux", "provisioningState": "Succeeded", "publicNetworkAccess": "Enabled", "purchasePlan": null, "resourceGroup": "tvm-cli-change-rg", "securityProfile": { "securityType": "TrustedLaunch" }, "sku": { "name": "Standard_LRS", "tier": "Standard" }, "supportedCapabilities": { "acceleratedNetwork": true, "architecture": "x64" }, "supportsHibernation": null, "tags": {}, "timeCreated": "2022-04-29T12:48:54.475669+00:00", "type": "Microsoft.Compute/snapshots", "uniqueId": "8e845670-5c0f-4153-a178-9a544ba4b7e1" }
```

#### Scenario 2 - Secure Import of Trusted Launch VM OS Disk

Create the disk with the `--security-data-uri` parameter:

```shell
az disk create -n $diskName -g $resourceGroup \
  -l $location --os-type Windows --hyper-v-generation V2 \
  --security-type "TrustedLaunch" \
  --source $sourceDiskVhdUri --security-data-uri $guestStateDiskVhdUri \
  --sku standard_lrs
```

#### Scenario 3 - Secure Upload of Trusted Launch VM OS Disk

1. Create an empty disk with the `--upload-type` parameter:

```shell
az disk create -n $diskName -g $resourceGroup \
  -l $location --os-type Windows --hyper-v-generation V2 \
  --security-type "TrustedLaunch" --upload-type "UploadWithSecurityData" \
  --upload-size-bytes 34359738880 --sku standard_lrs
```

2. Grant access to generate `accessSas` and `securityDataAccessSas` using the `--secure-vm-guest-state-sas` parameter (PowerShell; the JSON response is parsed so that the two SAS URIs can be addressed by name in the following steps):

```powershell
$diskSas = az disk grant-access -n $diskName -g $resourceGroup `
  --access-level Write --duration-in-seconds 86400 `
  --secure-vm-guest-state-sas | ConvertFrom-Json
```

Returned value schema:

```json
{ "accessSas": "https://md-impexp-t0rdsfgsdfg4.blob.core.windows.net/w2c3mj0ksfgl/abcd?sv=2017-04-17&sr=b&si=600a9281-d39e-4cc3-91d2-923c4a696537&sig=xXaT6mFgf139ycT87CADyFxb%2BnPXBElYirYRlbnJZbs%3D", "securityDataAccessSas": "<VM Guest State Sas URI>" }
```

3. Copy the disk content from a local VHD:

```powershell
AzCopy.exe copy "c:\somewhere\mydisk.vhd" $diskSas.accessSas --blob-type PageBlob
```

4. Copy the VM Guest State content from a local VHD:

```powershell
AzCopy.exe copy "c:\somewhere\myvmgs.vhd" $diskSas.securityDataAccessSas --blob-type PageBlob
```
### Minimum API Version Required

2021-08-01

### Swagger PR link

Azure/azure-rest-api-specs#17118

### Request Example

### Target Date

2022-07-05

### Additional context

Request for the Trusted Launch VM feature.

- Link to CVM Disk RP Swagger Spec
- Trusted Launch specific modifications in the Get-AzSnapshot response and the New-AzDiskConfig cmdlet
### Contacts

Role | Contact
---|---
Main developer contacts (emails + github aliases) | Abhishek Verma (AZURE) Abhishek.Verma@microsoft.com, Anshul Solanki Anshul.Solanki@microsoft.com
PM contact (email + github alias) | Ajay Kundnani ajay.kundnani@microsoft.com
Other people who should attend a design review (email) | Run Cai run.cai@microsoft.com, Deepak J V J.Deepak@microsoft.com