[Compute] az vm/vmss create: Install guest attestation extension and turn on system MSI by default when Trusted Launch configuration is met #22048

Merged
merged 18 commits into from
Apr 22, 2022

Contributor

@Jing-song Jing-song commented Apr 13, 2022

Description

Guest Attestation Extension and enable System Assigned MSI by default when Trusted Launch configuration is met #21395

Testing Guide

History Notes

[Compute] az vm/vmss create: Install guest attestation extension and enable system managed identity by default when Trusted Launch configuration is met
[Compute] az vm/vmss create: Add new parameter --disable-integrity-monitoring to disable the default behavior (installing guest attestation extension and turning on MSI) when creating VM/VMSS compliant with Trusted Launch


@Jing-song Jing-song self-assigned this Apr 13, 2022
@ghost ghost requested a review from yonzhan April 13, 2022 07:32
@ghost ghost added the Auto-Assign Auto assign by bot label Apr 13, 2022
@ghost ghost assigned zhoxing-ms Apr 13, 2022
@ghost ghost added this to the Apr 2022 (2022-04-26) milestone Apr 13, 2022
@ghost ghost added the Compute az vm/vmss/image/disk/snapshot label Apr 13, 2022
@yonzhan
Collaborator

yonzhan commented Apr 13, 2022

Compute

Comment on lines 6978 to 6983
self.cmd('vm show -g {rg} -n {vm2}', checks=[
    self.check('resources', None),
    self.check('securityProfile.securityType', 'TrustedLaunch'),
    self.check('securityProfile.uefiSettings.secureBootEnabled', True),
    self.check('securityProfile.uefiSettings.vTpmEnabled', True)
])

Can we add an explicit check to ensure that the extension does not show up in the extension list when --disable-integrity-monitoring is passed in? Same for identity?

Contributor

Good suggestion! We can also add an explicit check whether MSI is enabled

Contributor Author

self.check('resources', None) means no extension, self.check('identity', None) will be added.

zhoxing-ms and others added 2 commits April 20, 2022 11:03
Co-authored-by: Sirfame Lin <64871536+sirfamelin@users.noreply.github.com>

@sirfamelin sirfamelin left a comment

LGTM

@zhoxing-ms zhoxing-ms merged commit a0057a0 into Azure:dev Apr 22, 2022
@sirfamelin

Hi @zhoxing-ms, is there a way for me to test this package out before it is officially published?

@zhoxing-ms
Contributor

@sirfamelin In fact, this feature has been released in the last sprint. You can update the CLI to the latest version (2.36.0) and then try it

@Jing-song Jing-song deleted the jins-exmsi branch July 5, 2022 02:39
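
An added example, not part of this pull request or of azure-cli: a Python audit over `az vm show` JSON that reports whether a Trusted Launch VM carries the guest attestation extension and a system-assigned identity, the two properties the review thread above asks the test to check. The JSON field names, the publisher set and both sample documents are assumptions constructed for illustration.

```python
# Assumption: publisher names and JSON field names as seen in `az vm show`
# output; verify them against your CLI version.
ATTESTATION_PUBLISHERS = {
    "Microsoft.Azure.Security.LinuxAttestation",
    "Microsoft.Azure.Security.WindowsAttestation",
}

def audit_trusted_launch(vm):
    """Return a list of findings for one `az vm show` JSON document."""
    profile = vm.get("securityProfile") or {}
    uefi = profile.get("uefiSettings") or {}
    if profile.get("securityType") != "TrustedLaunch":
        return ["not a Trusted Launch VM"]
    findings = []
    if not uefi.get("secureBootEnabled"):
        findings.append("secure boot disabled")
    if not uefi.get("vTpmEnabled"):
        findings.append("vTPM disabled")
    # `resources` is None when no extension is installed (as in the PR's test).
    extensions = vm.get("resources") or []
    if not any(e.get("publisher") in ATTESTATION_PUBLISHERS for e in extensions):
        findings.append("guest attestation extension missing")
    # `identity` is None when no managed identity is assigned; the type can
    # also be "SystemAssigned, UserAssigned", so test by substring.
    identity_type = (vm.get("identity") or {}).get("type") or ""
    if "SystemAssigned" not in identity_type:
        findings.append("system-assigned identity missing")
    return findings

# Constructed samples, trimmed to the fields the audit reads.
TRUSTED_LAUNCH = {"securityType": "TrustedLaunch",
                  "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}}
VM_DEFAULT = {
    "securityProfile": TRUSTED_LAUNCH,
    "identity": {"type": "SystemAssigned"},
    "resources": [{"name": "GuestAttestation",
                   "publisher": "Microsoft.Azure.Security.LinuxAttestation"}],
}
# Shape of a VM created with --disable-integrity-monitoring.
VM_MONITORING_DISABLED = {"securityProfile": TRUSTED_LAUNCH,
                          "identity": None, "resources": None}

if __name__ == "__main__":
    for name, vm in [("default", VM_DEFAULT), ("disabled", VM_MONITORING_DISABLED)]:
        print(name, audit_trusted_launch(vm) or "ok")
```

To audit a real VM, load the output of `az vm show -g <rg> -n <vm>` with `json.load` and pass it to `audit_trusted_launch`.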