ADE extension two pass to single pass migration (#14687)

* Updates for ADE migration * Added -MigrationRecovery logic * Fixed bugs in migration logic * Fixed Migrate param sets * Fixed DEK parameter sets in .md file * Updated KEKUrl, KEKId Parameter sets * Static analysis error suppression added * Update ChangeLog * Added migration scenario test * Remove log line * Scenario test for migration * Updated ChangeLog
Azure · Apr 22, 2021 · a6ae8c0 · a6ae8c0
1 parent b7cc802
commit a6ae8c0
Show file tree

Hide file tree

Showing 13 changed files with 3,852 additions and 3,890 deletions.
diff --git a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineExtensionTests.cs b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineExtensionTests.cs
@@ -109,6 +109,13 @@ public void TestAzureDiskEncryptionExtension()
             TestRunner.RunTestScript("Test-AzureDiskEncryptionExtension");
         }
 
+        [Fact(Skip = "TODO: only works for live mode")]
+        [Trait(Category.RunType, Category.LiveOnly)]
+        public void TestAzureDiskEncryptionExtensionDualPassToSinglePassMigration()
+        {
+            TestRunner.RunTestScript("Test-AzureDiskEncryptionExtensionDualPassToSinglePassMigration");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestAzureDiskEncryptionExtensionSinglePass()

diff --git a/src/Compute/Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1 b/src/Compute/Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1
@@ -1042,7 +1042,7 @@ function Test-VirtualMachineCustomScriptExtensionManagedDisk
         New-AzResourceGroup -Name $rgname -Location $loc -Force;
 
         # Create a VM with managed disk
-        $vmname0 = $rgname + "v0";        
+        $vmname0 = $rgname + "v0";
         $username = "admin01";
         $password = Get-PasswordForVM | ConvertTo-SecureString -AsPlainText -Force;
         $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password;
@@ -1063,7 +1063,7 @@ function Test-VirtualMachineCustomScriptExtensionManagedDisk
         $managedDisk = Get-AzDisk -ResourceGroupName $rgname -DiskName $vm.StorageProfile.OsDisk.Name;
 
         # Create a managed OS disk by copying the OS disk of the stopped VM.
-        $diskname = $rgname + "disk";        
+        $diskname = $rgname + "disk";
         $diskConfig = New-AzDiskConfig -SourceResourceId $managedDisk.Id -Location $loc -CreateOption Copy;
         New-AzDisk -ResourceGroupName $rgname -DiskName $diskname -Disk $diskConfig;
         $disk = Get-AzDisk -ResourceGroupName $rgname -DiskName $diskname;
@@ -1104,7 +1104,7 @@ function Test-VirtualMachineCustomScriptExtensionManagedDisk
 
         # Create a VM using the managed OS disk.
         New-AzVM -ResourceGroupName $rgname -Location $loc -VM $p;
-        $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname1;       
+        $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname1;
         Assert-Null $vm.OSProfile;
 
         # Storage Account (SA)
@@ -1407,6 +1407,16 @@ function Test-AzureDiskEncryptionExtensionSinglePass
         Assert-NotNull $settings
         Assert-NotNull $settings.DiskEncryptionKey.SecretUrl
         Assert-AreEqual $settings.DiskEncryptionKey.SourceVault.Id $kv.DiskEncryptionKeyVaultId
+
+        #Enable using -Migrate flag and verify exception is thrown
+        Write-Verbose "Use -Migrate flag"
+        Assert-ThrowsContains { Set-AzVMDiskEncryptionExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Migrate -Force; } `
+        "Migration is only supported for VMs using Azure Disk Encryption (with AAD). -Migrate parameter is unsupported for this VM as it is running Azure Disk Encryption (without AAD)";
+
+        # Enable using -MigrationRecovery flag and verify exception is thrown
+        Write-Verbose "Use -MigrationRecovery flag"
+        Assert-ThrowsContains { Set-AzVMDiskEncryptionExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -MigrationRecovery -Force; } `
+        "Invalid -MigrationRecovery parameter. VM does not meet the prerequisites for migration recovery";
     }
     finally
     {
@@ -1638,7 +1648,12 @@ function Test-AzureDiskEncryptionLnxManagedDisk
         $computerName = 'test';
         $vhdContainer = "https://$stoname.blob.core.windows.net/test";
 
-        $p = Set-AzVMOperatingSystem -VM $p -Linux -ComputerName $computerName -Credential $cred;
+        $p = Set-AzVMOperatingSystem -VM $p -Linux -ComputerName $computerName -Credential $cred -DisablePasswordAuthentication;
+        Write-Verbose "Adding SSH public key for VM"
+        $sshPublicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9tGj7bjzqid3QP5YpH2+YGK8Or2KRZLdNuRGiFqgefGEF4uZrsKXeRXAXS7ia5CdCSIu020PDR69nPZq3dEQGp8GNMKXvfIBIpI++BISbT1jPuMVwEnI4JESGI4ay1glh1JtbRzQsktNjUGUYDxoOAYbtj3GU5lvw2CJ5WmobtcQbXLHWYqdDmTZQ7ry7l6GCjJSzye4IkwlQoGUql/T2iU2bLQyOCsFzcDEzFv6hVR8iFcV+eOJNHIkjCQz3Bw+tOTZbHMz1G95tSswdkrdwfMvR8fkWmby39lnFC+I7xcySQI6FMzaQZ7bA0tFGpp1JoThy5J5hBak5yOTqGBYL dummy@cc-1b92760a-6bb78476c6-h5cwh";
+        $sshPath = "/home/" + $user + "/.ssh/authorized_keys"
+        Add-AzVMSshPublicKey -VM $p -KeyData $sshPublicKey -Path $sshPath
+        Write-Verbose "Added SSH public key successfully."
         $p = Set-AzVMSourceImage -VM $p -PublisherName $imagePublisher -Offer $imageOffer -Skus $imageSku -Version "latest"
         Assert-AreEqual $p.OSProfile.AdminUsername $user;
         Assert-AreEqual $p.OSProfile.ComputerName $computerName;
@@ -1653,6 +1668,21 @@ function Test-AzureDiskEncryptionLnxManagedDisk
         # Enable single pass encryption without -skipVmBackup on Linux VM managed disk and verify exception is thrown
         Assert-ThrowsContains { Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmname -DiskEncryptionKeyVaultUrl $kv.DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $kv.DiskEncryptionKeyVaultId -VolumeType "OS" -Force; } `
             "skipVmBackup parameter is a required parameter for encrypting Linux VMs with managed disks"; #>
+
+        # Enable with normal parameters
+        Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmname -DiskEncryptionKeyVaultUrl $kv.DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $kv.DiskEncryptionKeyVaultId -VolumeType "OS" -Force -skipVmBackup;
+        $status = Get-AzVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmname
+        Assert-NotNull $status
+        Assert-AreEqual $status.OsVolumeEncrypted EncryptionInProgress;
+
+        # Enable using -Migrate flag and verify exception is thrown
+        Assert-ThrowsContains { Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmname -Migrate -Force; } `
+            "Migration is only supported for VMs using Azure Disk Encryption (with AAD). -Migrate parameter is unsupported for this VM as it is running Azure Disk Encryption (without AAD)";
+
+        # Enable using -MigrationRecovery flag and verify exception is thrown
+        Assert-ThrowsContains { Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmname -MigrationRecovery -Force; } `
+            "Invalid -MigrationRecovery parameter. VM does not meet the prerequisites for migration recovery";
+
     }
     finally
     {
@@ -1902,6 +1932,97 @@ function Test-AzureDiskEncryptionExtension
     }
 }
 
+<#
+.SYNOPSIS
+Test the Set-AzVMDiskEncryptionExtension dual pass to single pass migration scenario
+#>
+function Test-AzureDiskEncryptionExtensionDualPassToSinglePassMigration
+{
+    # This test should be run in Live mode only not in Playback mode
+    # pre-requisites to be filled in before running this test. The AAD app should belong to the directory as the user running the test.
+    $resourceGroupName = Get-ComputeTestResourceName
+    try
+    {
+        #Check if AAD app was already created
+        $aadAppName = "detestapp"
+        $SvcPrincipals = Get-AzADServicePrincipal -SearchString $aadAppName;
+        if(-not $SvcPrincipals)
+        {
+            # Create a new AD application if not created before
+            $identifierUri = [string]::Format("http://localhost:8080/{0}", $rgname);
+            $defaultHomePage = 'http://contoso.com';
+            $now = [System.DateTime]::Now;
+            $oneYearFromNow = $now.AddYears(1);
+            $aadClientSecret = Get-ResourceName;
+            $ADApp = New-AzADApplication -DisplayName $aadAppName -HomePage $defaultHomePage -IdentifierUris $identifierUri  -StartDate $now -EndDate $oneYearFromNow -Password $aadClientSecret;
+            Assert-NotNull $ADApp;
+            $servicePrincipal = New-AzADServicePrincipal -ApplicationId $ADApp.ApplicationId;
+            $SvcPrincipals = (Get-AzADServicePrincipal -SearchString $aadAppName);
+            # Was AAD app created?
+            Assert-NotNull $SvcPrincipals;
+            $aadClientID = $servicePrincipal.ApplicationId;
+        }
+        else
+        {
+            # Was AAD app already created?
+            Assert-NotNull $aadClientSecret;
+            $aadClientID = $SvcPrincipals[0].ApplicationId;
+			Write-Verbose "Got SPN client ID.."
+        }
+
+		# create virtual machine and key vault prerequisites
+        $vm = Create-VirtualMachine $resourceGroupName
+
+        # Create new KeyVault
+        $vaultName = "detestvault";
+        $keyVault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Location $loc -Sku standard;
+        $keyVault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName
+        #set enabledForDiskEncryption
+        Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption;
+        #set permissions to AAD app to write secrets and keys
+        Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all
+        $diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
+        $keyVaultResourceId = $keyVault.ResourceId;
+
+        #Enable encryption on the VM
+        Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -Force;
+        # verify encryption state
+        $status = Get-AzVmDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
+        Assert-NotNull $status
+        Assert-AreEqual $status.OsVolumeEncrypted Encrypted
+
+        # verify encryption settings
+        $settings = $status.OsVolumeEncryptionSettings
+        Assert-NotNull $settings
+        Assert-NotNull $settings.DiskEncryptionKey.SecretUrl
+        Assert-AreEqual $settings.DiskEncryptionKey.SourceVault.Id $keyVaultResourceId
+
+        # migrate VM to single pass
+        Write-Verbose "Migrate VM to 1pass"
+        Set-AzVMDiskEncryptionExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Migrate -Force;
+        Write-Verbose "Migration complete"
+
+        # verify encryption state
+        $status = Get-AzVmDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
+        Assert-NotNull $status
+        Assert-AreEqual $status.OsVolumeEncrypted Encrypted
+
+        # verify encryption settings
+        $settings = $status.OsVolumeEncryptionSettings
+        Assert-NotNull $settings
+        Assert-NotNull $settings.DiskEncryptionKey.SecretUrl
+        Assert-AreEqual $settings.DiskEncryptionKey.SourceVault.Id $keyVaultResourceId
+
+        #verify VM Model is null after Migration
+        $vmModel = Get-AzVM  -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name
+        Assert-Null $vmModel.StorageProfile.OSDisk.EncryptionSettings
+    }
+    finally
+    {
+       Clean-ResourceGroup($resourceGroupName)
+    }
+}
+
 <#
 .SYNOPSIS
 Test Virtual Machine BGInfo Extensions
@@ -2554,20 +2675,20 @@ function Test-VirtualMachineExtensionEnableAutomaticUpgrade
         Assert-NotNull $vm;
         $vmss = Get-AzVmss -Name $vmssname -ResourceGroupName $rgname;
         Assert-NotNull $vmss;
-        
+
         # Extension
         $extname = 'csetest';
         $publisher = 'Microsoft.Compute';
         $exttype = 'CustomScriptExtension';
         $extver = '1.1';
-        
+
         # Set extension settings by raw strings
         $settingstr = '{"fileUris":[],"commandToExecute":"powershell Get-Process"}';
         $protectedsettingstr = '{"storageAccountName":"somename","storageAccountKey":"somekey"}';
 
-        Set-AzVMExtension -ResourceGroupName $rgname -Location $loc -VMName $vmname -Name $extname -Publisher $publisher -ExtensionType $exttype -TypeHandlerVersion $extver -SettingString $settingstr -ProtectedSettingString $protectedsettingstr -enableAutomaticUpgrade $False; 
-        $VMSSext = Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name $extname -Publisher $publisher -Type $exttype -TypeHandlerVersion $extver -enableAutomaticUpgrade $False; 
-        
+        Set-AzVMExtension -ResourceGroupName $rgname -Location $loc -VMName $vmname -Name $extname -Publisher $publisher -ExtensionType $exttype -TypeHandlerVersion $extver -SettingString $settingstr -ProtectedSettingString $protectedsettingstr -enableAutomaticUpgrade $False;
+        $VMSSext = Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name $extname -Publisher $publisher -Type $exttype -TypeHandlerVersion $extver -enableAutomaticUpgrade $False;
+
         $VMext = Get-AzVMExtension -ResourceGroupName $rgname -VMName $vmname -Name $extname;
 
         # check enableAutomaticUpgrade property

diff --git a/...cenarioTests.VirtualMachineExtensionTests/TestAzureDiskEncryptionExtensionSinglePass.json b/...cenarioTests.VirtualMachineExtensionTests/TestAzureDiskEncryptionExtensionSinglePass.json
diff --git a/...est.ScenarioTests.VirtualMachineExtensionTests/TestAzureDiskEncryptionLnxManagedDisk.json b/...est.ScenarioTests.VirtualMachineExtensionTests/TestAzureDiskEncryptionLnxManagedDisk.json
diff --git a/src/Compute/Compute/ChangeLog.md b/src/Compute/Compute/ChangeLog.md
@@ -20,6 +20,9 @@
 
 -->
 ## Upcoming Release
+* Updated the `Set-AzVMDiskEncryptionExtension` cmdlet to support ADE extension migration from two pass (version with AAD input parameters) to single pass (version without AAD input parameters).
+    - Added a switch parameter `-Migrate` to trigger migration workflow.
+    - Added a switch parameter `-MigrationRecovery` to trigger recovery workflow for VMs experiencing failures after migration from two pass ADE.
 
 ## Version 4.11.0
 * Fixed a bug when 1 data disk attached to VMSS for Remove-AzVmssDataDisk [#13368]

diff --git a/src/Compute/Compute/Extension/AzureDiskEncryption/AzureDiskEncryptionExtensionConstants.cs b/src/Compute/Compute/Extension/AzureDiskEncryption/AzureDiskEncryptionExtensionConstants.cs
@@ -22,8 +22,12 @@ public static class AzureDiskEncryptionExtensionConstants
         public const string singlePassParameterSet = "SinglePassParameterSet";
         public const string aadClientCertParameterSet = "AADClientCertParameterSet";
         public const string aadClientSecretParameterSet = "AADClientSecretParameterSet";
+        public const string migrateAdeVersionParameterSet = "MigrateADEVersionParameterSet";
+        public const string migrateAdeVersionRecoveryParameterSet = "MigrateADEVersionRecoveryParameterSet";
         public const string enableEncryptionOperation = "EnableEncryption";
         public const string enableEncryptionFormatAllOperation = "EnableEncryptionFormatAll";
+        public const string migrateAdeOperationKey = "MigrateFlag";
+        public const string migrateAdeOperationValue = "Migrate";
         public const string disableEncryptionOperation = "DisableEncryption";
         public const string queryEncryptionStatusOperation = "QueryEncryptionStatus";
         public const string encryptionResultOsKey = "os";

diff --git a/...mpute/Compute/Extension/AzureDiskEncryption/AzureDiskEncryptionExtensionPublicSettings.cs b/...mpute/Compute/Extension/AzureDiskEncryption/AzureDiskEncryptionExtensionPublicSettings.cs
@@ -25,5 +25,6 @@ public class AzureDiskEncryptionExtensionPublicSettings
         public string AadClientCertThumbprint { get; set; }
         public string SequenceVersion { get; set; }
         public string EncryptionOperation { get; set; }
+        public string MigrateFlag { get; set; }
     }
 }