[Compute] `az vm/vmss create`: Install guest attestation extension and turn on system MSI by default when Trusted Launch configuration is met #22048
src/azure-cli/azure/cli/command_modules/vm/tests/latest/test_vm_commands.py
self.cmd('vm show -g {rg} -n {vm2}', checks=[ | ||
self.check('resources', None), | ||
self.check('securityProfile.securityType', 'TrustedLaunch'), | ||
self.check('securityProfile.uefiSettings.secureBootEnabled', True), | ||
self.check('securityProfile.uefiSettings.vTpmEnabled', True) | ||
]) |
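Review bot: the `vm show` checks for `{vm2}` assert `resources` is `None` but say nothing about `identity`, so this block would still pass if system-assigned identity were enabled on the VM; add `self.check('identity', None)` next to the `resources` check. Note also that `self.check('resources', None)` only holds while the VM has no extensions at all, so a short comment saying it stands for "guest attestation extension not installed" would make the intent clear to the next reader.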
Can we add an explicit check to ensure that the extension does not show up in the extension list when --disable-integrity-monitoring is passed in? Same for identity?
Good suggestion! We can also add an explicit check whether MSI is enabled
`self.check('resources', None)` means no extension, `self.check('identity', None)` will be added.
src/azure-cli/azure/cli/command_modules/vm/tests/latest/test_vm_commands.py
Co-authored-by: Sirfame Lin <64871536+sirfamelin@users.noreply.github.com>
LGTM
Hi @zhoxing-ms, is there a way for me to test this package out before it is officially published?
@sirfamelin In fact, this feature has been released in the last sprint. You can update the CLI to the latest version (2.36.0) and then try it
Description
Guest Attestation Extension and enable System Assigned MSI by default when Trusted Launch configuration is met #21395
Testing Guide
History Notes
[Compute] `az vm/vmss create`: Install guest attestation extension and enable system managed identity by default when Trusted Launch configuration is met
[Compute] `az vm/vmss create`: Add new parameter `--disable-integrity-monitoring` to disable the default behavior (installing guest attestation extension and turning on MSI) when creating VM/VMSS compliant with Trusted Launch

This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.
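
An added example, not part of this PR or of azure-cli: a small audit over `az vm list`-style JSON that flags Trusted Launch VMs missing the guest attestation extension or system-assigned identity, for instance because they were created with `--disable-integrity-monitoring`. It assumes "Trusted Launch configuration is met" means the three `securityProfile` fields the PR's test checks, and that the extension can be recognised by `GuestAttestation` in its `name` or `typePropertiesType`; the sample VMs are constructed.

```python
# Constructed sample shaped like `az vm list -o json` output; not real data.
SAMPLE = [
    {"name": "vm1", "identity": {"type": "SystemAssigned"},
     "resources": [{"name": "GuestAttestation", "typePropertiesType": "GuestAttestation"}],
     "securityProfile": {"securityType": "TrustedLaunch",
                         "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}}},
    {"name": "vm2", "identity": None, "resources": None,  # e.g. --disable-integrity-monitoring
     "securityProfile": {"securityType": "TrustedLaunch",
                         "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}}},
    {"name": "vm3", "identity": None, "resources": None, "securityProfile": None},
]


def is_trusted_launch(vm):
    # Assumption: the same three fields the PR's test asserts on.
    sec = vm.get("securityProfile") or {}
    uefi = sec.get("uefiSettings") or {}
    return (sec.get("securityType") == "TrustedLaunch"
            and uefi.get("secureBootEnabled") is True
            and uefi.get("vTpmEnabled") is True)


def has_guest_attestation(vm):
    # Assumption: match on "GuestAttestation"; adjust to your CLI version's output.
    for ext in vm.get("resources") or []:
        if "GuestAttestation" in (ext.get("typePropertiesType") or ext.get("name") or ""):
            return True
    return False


def has_system_identity(vm):
    # identity.type may read "SystemAssigned" or "SystemAssigned, UserAssigned".
    return "SystemAssigned" in ((vm.get("identity") or {}).get("type") or "")


def audit(vms):
    """Return {vm name: [gaps]} for Trusted Launch VMs missing either piece."""
    findings = {}
    for vm in vms:
        if not is_trusted_launch(vm):
            continue  # the default behavior only applies to Trusted Launch VMs
        gaps = []
        if not has_guest_attestation(vm):
            gaps.append("guest attestation extension not installed")
        if not has_system_identity(vm):
            gaps.append("system-assigned identity not enabled")
        if gaps:
            findings[vm["name"]] = gaps
    return findings
```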