
Trusted Launch CLI Change Request - VM Disk Snapshot & Config #22275

Closed

Description

Related command

az snapshot show
az disk create
az disk grant-access

Resource Provider

Microsoft.Compute/disks
Microsoft.Compute/snapshots

Description of Feature or Work Requested

Feature request to add an output value, a new parameter, and new values for existing parameters in the following commands, to support Trusted Launch VM disks.

The request completes disk management for Trusted Launch VMs (already GA), so that customers can:

  • validate whether a snapshot they have taken is enabled for TrustedLaunch;
  • import a managed OS disk for a Trusted Launch VM, optionally along with the VM Guest State disk if required;
  • upload a managed OS disk together with its VM Guest State using the new string parameter --upload-type, which replaces the existing --for-upload parameter.

Additional Output Value

az snapshot show

When a customer runs az snapshot show, the output should include the snapshot's securityProfile. securityProfile is already returned by az disk show; the same needs to be extended to snapshots.

    "securityProfile": {
      "securityType": "TrustedLaunch"
    },

New Parameter

--security-data-uri (az disk create)

New string parameter --security-data-uri for the az disk create command:

  • Allows the customer to pass the blob URI of the VM Guest State VHD. If the customer does not use this parameter, DiskRP creates a new VM Guest State (i.e., the parameter is optional).
  • When specified, the command should interpret that the disk is being imported, from an unmanaged VHD in a storage account or from another managed disk, with the TrustedLaunch OS disk security type.
  • --security-type is mandatory when a --security-data-uri value is passed.
  • --hyper-v-generation value should be V2.
  • This is the URI of a blob to be imported into the VM guest state.

--upload-type (az disk create)

New string parameter --upload-type to replace the --for-upload parameter in az disk create:

Accepted value: Upload
Description: standard disk-only upload scenario.
  • If used with --security-type TrustedLaunch, DiskRP will create a new VM Guest State blob.
  • Sets the disk CreateOption to Upload in the DiskRP API.

Accepted value: UploadWithSecurityData
Description: OS disk upload along with the VM Guest State.
  • --security-type parameter mandatory.
  • Sets the disk CreateOption to UploadPreparedSecure in the DiskRP API.
  • --hyper-v-generation value should be V2.
  • The --secure-vm-guest-state-sas switch must be set (true/ON) for az disk grant-access.
  • Not valid for data disk upload; only to be used for OS disk upload at present.

--secure-vm-guest-state-sas (az disk grant-access)

New switch parameter --secure-vm-guest-state-sas for az disk grant-access:

  • Allows the customer to request the VM Guest State SAS.
  • Required when the new --upload-type parameter is set to UploadWithSecurityData in az disk create, which sets CreateOption to UploadPreparedSecure.
  • The output shows both accessSas and securityDataAccessSas in the response. If the parameter is not used, the output returns only accessSas.

End to End Usage

Scenario 1 - Get Trusted Launch VM Disk Snapshot

  1. Get the virtual machine disk snapshot:

    az snapshot show --id $snapshotResourceId

    {
      "completionPercent": null,
      "creationData": {
        "createOption": "Copy",
        "galleryImageReference": null,
        "imageReference": null,
        "logicalSectorSize": null,
        "sourceResourceId": "/subscriptions/390a3e32-6963-47d8-bcef-ee8db1c22720/resourceGroups/tvm-cli-change-rg/providers/Microsoft.Compute/disks/tvm-cli-change-vm_OsDisk_1_78358962d0b645a0a3899f18c98b099a",
        "sourceUniqueId": "78358962-d0b6-45a0-a389-9f18c98b099a",
        "sourceUri": null,
        "storageAccountId": null,
        "uploadSizeBytes": null
      },
      "diskAccessId": null,
      "diskSizeBytes": 32213303296,
      "diskSizeGb": 30,
      "diskState": "Unattached",
      "encryption": {
        "diskEncryptionSetId": null,
        "type": "EncryptionAtRestWithPlatformKey"
      },
      "encryptionSettingsCollection": null,
      "extendedLocation": null,
      "hyperVGeneration": "V2",
      "id": "/subscriptions/390a3e32-6963-47d8-bcef-ee8db1c22720/resourceGroups/tvm-cli-change-rg/providers/Microsoft.Compute/snapshots/test01",
      "incremental": false,
      "location": "southeastasia",
      "managedBy": null,
      "name": "test01",
      "networkAccessPolicy": "AllowAll",
      "osType": "Linux",
      "provisioningState": "Succeeded",
      "publicNetworkAccess": "Enabled",
      "purchasePlan": null,
      "resourceGroup": "tvm-cli-change-rg",
      "securityProfile": {
        "securityType": "TrustedLaunch"
      },
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "supportedCapabilities": {
        "acceleratedNetwork": true,
        "architecture": "x64"
      },
      "supportsHibernation": null,
      "tags": {},
      "timeCreated": "2022-04-29T12:48:54.475669+00:00",
      "type": "Microsoft.Compute/snapshots",
      "uniqueId": "8e845670-5c0f-4153-a178-9a544ba4b7e1"
    }

Scenario 2 - Secure Import of Trusted Launch VM OS Disk

  1. Create a disk with the --security-data-uri parameter:

    az disk create -n $diskName -g $resourceGroup \
        -l $location --os-type Windows --hyper-v-generation V2 \
        --security-type "TrustedLaunch" \
        --source $sourceDiskVhdUri --security-data-uri $guestStateDiskVhdUri \
        --sku standard_lrs
    

Scenario 3 - Secure Upload of Trusted Launch VM OS Disk

  1. Create an empty disk with the --upload-type parameter:

    az disk create -n $diskName -g $resourceGroup \
        -l $location --os-type Windows --hyper-v-generation V2 \
        --security-type "TrustedLaunch" --upload-type "UploadWithSecurityData" \
        --upload-size-bytes 34359738880 --sku standard_lrs
    
  2. Grant access to generate accessSas and securityDataAccessSas using the --secure-vm-guest-state-sas parameter:

    diskSas=$(az disk grant-access -n $diskName -g $resourceGroup \
        --access-level Write --duration-in-seconds 86400 \
        --secure-vm-guest-state-sas -o json)
    # Both SAS URIs are bearer secrets: keep them in variables and always quote them.
    accessSas=$(echo "$diskSas" | jq -r '.accessSas')
    securityDataAccessSas=$(echo "$diskSas" | jq -r '.securityDataAccessSas')

    Returned value schema:

    {
      "accessSas": "https://md-impexp-t0rdsfgsdfg4.blob.core.windows.net/w2c3mj0ksfgl/abcd?sv=2017-04-17&sr=b&si=600a9281-d39e-4cc3-91d2-923c4a696537&sig=xXaT6mFgf139ycT87CADyFxb%2BnPXBElYirYRlbnJZbs%3D",
      "securityDataAccessSas": "<VM Guest State Sas URI>"
    }

  3. Copy the disk content from a local VHD:

    AzCopy.exe copy "c:\somewhere\mydisk.vhd" "$accessSas" --blob-type PageBlob

  4. Copy the VM Guest State content from a local VHD:

    AzCopy.exe copy "c:\somewhere\myvmgs.vhd" "$securityDataAccessSas" --blob-type PageBlob
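The parameter rules for --security-data-uri and --upload-type above, together with the Scenario 1 snapshot check, expressed as a small validator. This is an added example written for this page, not azure-cli code; the `args` dict keys (parameter names without dashes), the sample snapshot JSON and the reading that a call without --os-type is a data disk are assumptions.

```python
import json

# Constructed sample: the Scenario 1 `az snapshot show` fields that matter for this check.
SNAPSHOT_JSON = """{
  "hyperVGeneration": "V2",
  "osType": "Linux",
  "securityProfile": {"securityType": "TrustedLaunch"}
}"""

# Proposed --upload-type values and the DiskRP CreateOption the request maps each one to.
CREATE_OPTION = {"Upload": "Upload", "UploadWithSecurityData": "UploadPreparedSecure"}


def snapshot_is_trusted_launch(snapshot_json: str) -> bool:
    """True only if securityProfile.securityType is TrustedLaunch on a Hyper-V V2 snapshot.
    securityProfile is null for non-Trusted-Launch snapshots, so that case must not raise."""
    snap = json.loads(snapshot_json)
    profile = snap.get("securityProfile") or {}
    return profile.get("securityType") == "TrustedLaunch" and snap.get("hyperVGeneration") == "V2"


def validate_disk_create(args: dict) -> list:
    """Return the rule violations for an `az disk create` invocation (empty list = allowed).
    Keys are parameter names without dashes. Assumption: no --os-type means a data disk."""
    errors = []
    gen_ok = args.get("hyper-v-generation") == "V2"
    if "security-data-uri" in args:
        if not args.get("security-type"):
            errors.append("--security-type is mandatory when --security-data-uri is passed")
        if not gen_ok:
            errors.append("--security-data-uri requires --hyper-v-generation V2")
    upload = args.get("upload-type")
    if upload is not None and upload not in CREATE_OPTION:
        errors.append(f"unknown --upload-type value {upload!r}")
    if upload == "UploadWithSecurityData":
        if not args.get("security-type"):
            errors.append("--security-type is mandatory for UploadWithSecurityData")
        if not gen_ok:
            errors.append("UploadWithSecurityData requires --hyper-v-generation V2")
        if not args.get("os-type"):
            errors.append("UploadWithSecurityData is only valid for OS disk upload")
    if upload is not None and "for-upload" in args:
        errors.append("--for-upload is replaced by --upload-type; do not pass both")
    return errors
```

Running the Scenario 2 and Scenario 3 argument sets through validate_disk_create returns an empty list, while a call that drops --security-type or passes --hyper-v-generation V1 lists each violated rule.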

Minimum API Version Required

2021-08-01

Swagger PR link

Azure/azure-rest-api-specs#17118

Request Example

Target Date

2022-07-05

Additional context

Request for Trusted Launch VM feature.

Contacts

Role: Main developer contacts (emails + github aliases)
Contact: Abhishek Verma (AZURE) Abhishek.Verma@microsoft.com, Anshul Solanki Anshul.Solanki@microsoft.com

Role: PM contact (email + github alias)
Contact: Ajay Kundnani ajay.kundnani@microsoft.com

Role: Other people who should attend a design review (email)
Contact: Run Cai run.cai@microsoft.com, Deepak J V J.Deepak@microsoft.com
