Azure Disk Encryption

src/ResourceManager/Compute/Commands.Compute.Test/Commands.Compute.Test.csproj

@@ -64,7 +64,7 @@
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.2.0.0\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Compute, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.11.3.0-prerelease\lib\net45\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.12.0.0-prerelease\lib\net45\Microsoft.Azure.Management.Compute.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Network, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1

@@ -923,14 +923,14 @@ function Test-AzureDiskEncryptionExtension
 {
     # This test should be run in Live mode only not in Playback mode
 	#Pre-requisites to be filled in before running this test. The AAD app should belong to the directory as the user running the test.
-    $aadClientID = "";
-	$aadClientSecret = "";
+	$aadAppName = "detestaadapp";
+
 	#Fill in VM admin user and password
 	$adminUser = "";
 	$adminPassword = "";
 
 	#Resource group variables
-	$rgName = "detestrg";
+	$rgName = "detestrg_" + [Guid]::NewGuid();
 	$loc = "South Central US";
 
 	#KeyVault config variables
@@ -951,6 +951,8 @@ function Test-AzureDiskEncryptionExtension
     $osDiskName = 'osdisk' + $vmName;
 	$dataDiskName = 'datadisk' + $vmName;
     $osDiskCaching = 'ReadWrite';
+	$extraDataDiskName1 = $dataDiskName + '1';
+	$extraDataDiskName2 = $dataDiskName + '2';
 
 	#Network config variables
 	$vnetName = "detestvnet";
@@ -969,12 +971,49 @@ function Test-AzureDiskEncryptionExtension
         # Create new resource group      
         New-AzureRmResourceGroup -Name $rgname -Location $loc -Force;
 
+		#Check if AAD app was already created
+		$SvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $aadAppName);
+		if(-not $SvcPrincipals)
+		{
+			# Create a new AD application if not created before
+			$identifierUri = [string]::Format("http://localhost:8080/{0}",[Guid]::NewGuid().ToString("N"));
+			$defaultHomePage = 'http://contoso.com';
+			$now = [System.DateTime]::Now;
+			$oneYearFromNow = $now.AddYears(1);
+			$aadClientSecret = [Guid]::NewGuid();
+
+			Write-Host "Creating new AAD application ($aadAppName)";
+			$ADApp = New-AzureRmADApplication -DisplayName $aadAppName -HomePage $defaultHomePage -IdentifierUris $identifierUri  -StartDate $now -EndDate $oneYearFromNow -Password $aadClientSecret;
+			$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $ADApp.ApplicationId;
+			$SvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $aadAppName);
+			if(-not $SvcPrincipals)
+			{
+				# AAD app wasn't created 
+				Write-Error "Failed to create AAD app $aadAppName. Please log-in to Azure using Login-AzureRmAccount and try again";
+				return;
+			}
+			$aadClientID = $servicePrincipal.ApplicationId;
+			Write-Host "Created a new AAD Application ($aadAppName) with ID: $aadClientID ";
+		}
+		else
+		{
+			if(-not $aadClientSecret)
+			{
+				$aadClientSecret = Read-Host -Prompt "Aad application ($aadAppName) was alerady created, input corresponding aadClientSecret and hit ENTER. It can be retrieved from https://manage.windowsazure.com portal" ;
+			}
+			if(-not $aadClientSecret)
+			{
+				Write-Error "Aad application ($aadAppName) was alerady created. Re-run the script by supplying aadClientSecret parameter with corresponding secret from https://manage.windowsazure.com portal";
+				return;
+			}
+			$aadClientID = $SvcPrincipals[0].ApplicationId;
+		}
+
 		# Create new KeyVault
 		$keyVault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgname -Location $loc -Sku standard;
 		$keyVault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgname
 		#set enabledForDiskEncryption
-        Write-Host 'Press go to https://resources.azure.com and set enabledForDiskEncryption flag on KeyVault. [ENTER] to continue or [CTRL-C] to abort...'
-        Read-Host
+        Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgname -EnabledForDiskEncryption;
 		#set permissions to AAD app to write secrets and keys
 		Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all 
 		#create a key in KeyVault to use as Kek
@@ -1019,17 +1058,71 @@ function Test-AzureDiskEncryptionExtension
 
         $p = Set-AzureRmVMOperatingSystem -VM $p -Windows -ComputerName $computerName -Credential $cred -ProvisionVMAgent;
         $p = Set-AzureRmVMSourceImage -VM $p -PublisherName $imagePublisher -Offer $imageOffer -Skus $imageSku -Version "latest";
-
-
+
         # Virtual Machine
         New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $p;
 
 		#Enable encryption on the VM
         Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
         #Get encryption status
         $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+		#Verify encryption is enabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $true;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $true;
+		#verify diskencryption keyvault url & kek url are not null
+		Assert-NotNull $OsVolumeEncryptionSettings;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
+
+		#Add a couple of data volumes to encrypt them
+        $p = Add-AzureRmVMDataDisk -VM $p -Name $extraDataDiskName1 -Caching 'ReadOnly' -DiskSizeInGB 2 -Lun 1 -VhdUri $dataDiskVhdUri -CreateOption Empty;
+        $p = Add-AzureRmVMDataDisk -VM $p -Name $extraDataDiskName2 -Caching 'ReadOnly' -DiskSizeInGB 2 -Lun 1 -VhdUri $dataDiskVhdUri -CreateOption Empty;
+		#Enable encryption on the VM
+        Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
+        #Get encryption status
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+		#Verify encryption is enabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $true;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $true;
+		#verify diskencryption keyvault url & kek url are not null
+		Assert-NotNull $OsVolumeEncryptionSettings;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
+
+		Read-Host
+
+		#Disable encryption on the VM
+		Disable-AzureRmVMDiskEncryption -ResourceGroupName $rgname -VMName $vmName;
+		#Get encryption status
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $p.StorageProfile.OSDisk.Name;
+		#Verify encryption is disabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $false;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $false;
+
         #Remove AzureDiskEncryption extension
         Remove-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName;
+        #Get encryption status again to make sure it's the same as before when the extension was installed
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+		#Verify encryption is disabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $false;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $false;
+
+		#Enable encryption on the VM
+        Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
+        #Get encryption status
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+		#Verify encryption is enabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $true;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $true;
+		#verify diskencryption keyvault url & kek url are not null
+		Assert-NotNull $OsVolumeEncryptionSettings;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
 
         #Remove the VM 
         Remove-AzureRmVm -ResourceGroupName $rgname -Name $vmName -Force;
@@ -1041,12 +1134,12 @@ function Test-AzureDiskEncryptionExtension
         $p = Set-AzureRmVMOSDisk -VM $p -Name $p.StorageProfile.OSDisk.Name -VhdUri $p.StorageProfile.OSDisk.Vhd.Uri -Caching ReadWrite -CreateOption attach -DiskEncryptionKeyUrl $encryptionStatus.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl -DiskEncryptionKeyVaultId $encryptionStatus.OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault.Id -Windows;
 
         New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $p;
-
     }
     finally
     {
         # Cleanup
         Remove-AzureRmResourceGroup -Name $rgname -Force;
+		Remove-AzureRmADApplication -ApplicationObjectId $ADApp.ApplicationId -Force;
     }
 }
 

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineProfileTests.ps1

@@ -165,11 +165,11 @@ function Test-VirtualMachineProfile
     Assert-AreEqual $timeZone $p.OSProfile.WindowsConfiguration.TimeZone;
 
     # Verify Additional Unattend Content
-    Assert-AreEqual "Microsoft-Windows-Shell-Setup" $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[0].ComponentName;
+    #Assert-AreEqual "Microsoft-Windows-Shell-Setup" $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[0].ComponentName;
     Assert-AreEqual $aucContent $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[0].Content;
     Assert-AreEqual "oobeSystem" $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[0].PassName;
     Assert-AreEqual $aucSetting $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[0].SettingName;
-    Assert-AreEqual "Microsoft-Windows-Shell-Setup" $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[1].ComponentName;
+    #Assert-AreEqual "Microsoft-Windows-Shell-Setup" $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[1].ComponentName;
     Assert-AreEqual $aucContent $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[1].Content;
     Assert-AreEqual "oobeSystem" $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[1].PassName;
     Assert-AreEqual $aucSetting $p.OSProfile.WindowsConfiguration.AdditionalUnattendContent[1].SettingName;