Merge pull request #6040 from ejarvi/singlepass

Set-AzureRmVmDiskEncryptionExtension makes AAD parameters optional

Author: markcowl

src/ResourceManager/Common/Commands.ScenarioTests.ResourceManager.Common/EnvironmentSetupHelper.cs

@@ -592,6 +592,7 @@ public virtual Collection<PSObject> RunPowerShellTest(params string[] scripts)
                 d.Add("Microsoft.Features", null);
                 d.Add("Microsoft.Authorization", null);
                 d.Add("Microsoft.Compute", null);
+                d.Add("Microsoft.Azure.Management.KeyVault", null);
                 var providersToIgnore = new Dictionary<string, string>();
                 providersToIgnore.Add("Microsoft.Azure.Management.Resources.ResourceManagementClient", "2016-02-01");
                 HttpMockServer.Matcher = new PermissiveRecordMatcherWithApiExclusion(true, d, providersToIgnore);

src/ResourceManager/Compute/ChangeLog.md

@@ -28,6 +28,7 @@
 * Set minimum dependency of module to PowerShell 5.0
 * Introduce multiple breaking changes
     - Please refer to the migration guide for more details
+* `Set-AzureRmVmDiskEncryptionExtension` makes AAD parameters optional 
 
 ## Version 4.6.0
 * `Get-AzureRmVmssDiskEncryptionStatus` supports encryption status at data disk level

src/ResourceManager/Compute/Commands.Compute.Test/Commands.Compute.Test.csproj

@@ -66,6 +66,10 @@
     <Reference Include="Microsoft.Azure.Management.Compute">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.18.0.0\lib\net452\Microsoft.Azure.Management.Compute.dll</HintPath>
     </Reference>
+    <Reference Include="Microsoft.Azure.Management.KeyVault, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.2.3.0-preview\lib\net452\Microsoft.Azure.Management.KeyVault.dll</HintPath>
+    </Reference>
     <Reference Include="Microsoft.Azure.Management.Network, Version=17.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Network.17.0.0-preview\lib\net452\Microsoft.Azure.Management.Network.dll</HintPath>
       <Private>True</Private>
@@ -393,6 +397,9 @@
     <None Include="SessionRecords\Microsoft.Azure.Commands.Compute.Test.ScenarioTests.StrategiesVmssTests\TestSimpleNewVmssWithUserAssignedIdentity.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Include="SessionRecords\Microsoft.Azure.Commands.Compute.Test.ScenarioTests.VirtualMachineExtensionTests\TestAzureDiskEncryptionExtensionSinglePass.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Include="Templates\azuredeploy.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>

src/ResourceManager/Compute/Commands.Compute.Test/Common/ComputeTestController.cs

@@ -17,6 +17,7 @@
 using Microsoft.Azure.Graph.RBAC;
 using Microsoft.Azure.Management.Authorization;
 using Microsoft.Azure.Management.Compute;
+using Microsoft.Azure.Management.KeyVault;
 using Microsoft.Azure.Management.Network;
 using Microsoft.Azure.Management.Resources;
 using Microsoft.Azure.Management.Storage;
@@ -54,9 +55,10 @@ public sealed class ComputeTestController : RMTestBase
 
         public AuthorizationManagementClient AuthorizationManagementClient { get; private set; }
 
-
         public StorageManagementClient StorageClient { get; private set; }
 
+        public KeyVaultManagementClient KeyVaultManagementClient { get; private set; }
+
         public NetworkManagementClient NetworkManagementClient { get; private set; }
 
         public ComputeManagementClient ComputeManagementClient { get; private set; }
@@ -189,6 +191,7 @@ private void SetupManagementClients(RestTestFramework.MockContext context)
             StorageClient = GetStorageManagementClient(context);
             GalleryClient = GetGalleryClient();
             //var eventsClient = GetEventsClient();
+            KeyVaultManagementClient = GetKeyVaultManagementClient(context);
             NetworkManagementClient = this.GetNetworkManagementClientClient(context);
             ComputeManagementClient = GetComputeManagementClient(context);
             AuthorizationManagementClient = GetAuthorizationManagementClient();
@@ -202,6 +205,7 @@ private void SetupManagementClients(RestTestFramework.MockContext context)
                 StorageClient,
                 GalleryClient,
                 //eventsClient,
+                KeyVaultManagementClient,
                 NetworkManagementClient,
                 ComputeManagementClient,
                 AuthorizationManagementClient,
@@ -277,6 +281,13 @@ private GalleryClient GetGalleryClient()
         //    return TestBase.GetServiceClient<EventsClient>(this.csmTestFactory);
         //}
 
+        private KeyVaultManagementClient GetKeyVaultManagementClient(RestTestFramework.MockContext context)
+        {
+            return testViaCsm
+                ? context.GetServiceClient<KeyVaultManagementClient>(RestTestFramework.TestEnvironmentFactory.GetTestEnvironment())
+                : TestBase.GetServiceClient<KeyVaultManagementClient>(new RDFETestEnvironmentFactory());
+        }
+
         private NetworkManagementClient GetNetworkManagementClientClient(RestTestFramework.MockContext context)
         {
             return testViaCsm

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/ComputeTestCommon.ps1

@@ -94,14 +94,65 @@ function Get-ComputeDefaultLocation
     return $test_location;
 }
 
+# Create key vault resources
+function Create-KeyVault
+{
+    Param
+    (
+         [Parameter(Mandatory=$true, Position=0)]
+         [string] $resourceGroupName,
+         [Parameter(Mandatory=$true, Position=1)]
+         [string] $location,
+         [Parameter(Mandatory=$false, Position=2)]
+         [string] $vaultName
+    )
+
+	# initialize parameters if needed
+	if ([string]::IsNullOrEmpty($resourceGroupName)) { $resourceGroupName = Get-ComputeTestResourceName }
+    if ([string]::IsNullOrEmpty($location)) { $location = Get-ComputeVMLocation }
+    if ([string]::IsNullOrEmpty($vaultName)) { $vaultName = 'kv' + $resourceGroupName }
+
+	# create vault
+	$vault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Location $location -Sku standard
+	$vault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName
+
+	# create access policy
+	$servicePrincipalName = (Get-AzureRmContext).Account.Id
+	Assert-NotNull $servicePrincipalName
+	#Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ServicePrincipalName $servicePrincipalName -PermissionsToKeys Create
+	Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -EnabledForDiskEncryption -EnabledForDeployment -EnabledForTemplateDeployment
+
+	# create key encryption key 
+	#$kekName = 'kek' + $resourceGroupName
+	#$kek = Add-AzureKeyVaultKey -VaultName $vaultName -Name $kekName -Destination "Software"
+
+	# return the newly created key vault properties
+	$properties = New-Object PSObject -Property @{
+		DiskEncryptionKeyVaultId = $vault.ResourceId
+		DiskEncryptionKeyVaultUrl = $vault.VaultUri
+		#KeyEncryptionKeyVaultId = $vault.ResourceId
+		#KeyEncryptionKeyUrl = $kek.Key.kid
+	}
+	return $properties
+}
+
 # Create a new virtual machine with other necessary resources configured
-function Create-VirtualMachine($rgname, $vmname, $loc)
-{
-    # Initialize parameters
-    $rgname = if ([string]::IsNullOrEmpty($rgname)) { Get-ComputeTestResourceName } else { $rgname }
-    $vmname = if ([string]::IsNullOrEmpty($vmname)) { 'vm' + $rgname } else { $vmname }
-    $loc = if ([string]::IsNullOrEmpty($loc)) { Get-ComputeVMLocation } else { $loc }
-    Write-Host $vmname
+function Create-VirtualMachine
+{	
+    Param
+    (
+         [Parameter(Mandatory=$false, Position=0)]
+         [string] $rgname,
+         [Parameter(Mandatory=$false, Position=1)]
+         [string] $vmname,
+         [Parameter(Mandatory=$false, Position=2)]
+         [string] $loc		 
+    )
+
+    # initialize parameters if needed
+	if ([string]::IsNullOrEmpty($rgname)) { $rgname = Get-ComputeTestResourceName }
+	if ([string]::IsNullOrEmpty($vmname)) { $vmname = 'vm' + $rgname }
+	if ([string]::IsNullOrEmpty($loc)) { $loc = Get-ComputeVMLocation } 
 
     # Common
     $g = New-AzureRmResourceGroup -Name $rgname -Location $loc -Force;

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.cs

@@ -80,6 +80,13 @@ public void TestAzureDiskEncryptionExtension()
             ComputeTestController.NewInstance.RunPsTest("Test-AzureDiskEncryptionExtension");
         }
 
+        [Fact(Skip = "TODO: only works for live mode due to key vault dependency")]
+        [Trait(Category.RunType, Category.LiveOnly)]
+        public void TestAzureDiskEncryptionExtensionSinglePass()
+        {
+            ComputeTestController.NewInstance.RunPsTest("Test-AzureDiskEncryptionExtensionSinglePass");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestVirtualMachineBginfoExtension()

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1

@@ -1027,6 +1027,45 @@ function Test-VirtualMachineAccessExtension
     }
 }
 
+<#
+.SYNOPSIS
+Test the Set-AzureRmVMDiskEncryptionExtension single pass scenario
+#>
+function Test-AzureDiskEncryptionExtensionSinglePass
+{
+	$resourceGroupName = Get-ComputeTestResourceName	
+	try 
+	{ 
+		# create virtual machine and key vault prerequisites
+		$vm = Create-VirtualMachine $resourceGroupName
+		$kv = Create-KeyVault $vm.ResourceGroupName $vm.Location
+
+		# enable encryption with single pass syntax (omits AD parameters)
+		Set-AzureRmVMDiskEncryptionExtension `
+			-ResourceGroupName $vm.ResourceGroupName `
+			-VMName $vm.Name `
+			-DiskEncryptionKeyVaultUrl $kv.DiskEncryptionKeyVaultUrl `
+			-DiskEncryptionKeyVaultId $kv.DiskEncryptionKeyVaultId `
+			-Force
+
+		# verify encryption state
+		$status = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
+		Assert-NotNull $status
+		Assert-AreEqual $status.OsVolumeEncrypted Encrypted
+		Assert-AreEqual $status.DataVolumesEncrypted NotEncrypted
+
+		# verify encryption settings 
+		$settings = $status.OsVolumeEncryptionSettings
+		Assert-NotNull $settings
+		Assert-NotNull $settings.DiskEncryptionKey.SecretUrl
+		Assert-NotNull $settings.DiskEncryptionKey.SourceVault
+	}
+	finally
+	{
+		Clean-ResourceGroup($resourceGroupName)
+	}
+}
+
 <#
 .SYNOPSIS
 Test AzureDiskEncryption extension

src/ResourceManager/Compute/Commands.Compute.Test/SessionRecords/Microsoft.Azure.Commands.Compute.Test.ScenarioTests.VirtualMachineExtensionTests/TestAzureDiskEncryptionExtensionSinglePass.json

@@ -7,6 +7,7 @@
   <package id="Microsoft.Azure.Graph.RBAC" version="3.4.0-preview" targetFramework="net452" />
   <package id="Microsoft.Azure.Management.Authorization" version="2.0.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Compute" version="18.0.0" targetFramework="net452" />
+  <package id="Microsoft.Azure.Management.KeyVault" version="2.3.0-preview" targetFramework="net452" />
   <package id="Microsoft.Azure.Management.Network" version="17.0.0-preview" targetFramework="net452" />
   <package id="Microsoft.Azure.Management.Storage" version="4.1.0-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Test.Framework" version="1.0.6179.26854-prerelease" targetFramework="net45" />

src/ResourceManager/Compute/Commands.Compute.Test/packages.config

@@ -15,10 +15,11 @@
 namespace Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption
 {
     /// <summary>
-    /// This class includes contant values used in AzureDiskEncryption
+    /// This class includes constant values used in AzureDiskEncryption
     /// </summary>
     public static class AzureDiskEncryptionExtensionConstants
     {
+        public const string singlePassParameterSet = "SinglePassParameterSet";
         public const string aadClientCertParameterSet = "AADClientCertParameterSet";
         public const string aadClientSecretParameterSet = "AADClientSecretParameterSet";
         public const string enableEncryptionOperation = "EnableEncryption";

src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/AzureDiskEncryptionExtensionConstants.cs

@@ -27,11 +27,13 @@ public class AzureDiskEncryptionExtensionContext : PSVirtualMachineExtension
         public const string LinuxExtensionDefaultName = "AzureDiskEncryptionForLinux";
         public const string LinuxExtensionDefaultType = "AzureDiskEncryptionForLinux";
         public const string LinuxExtensionDefaultVersion = "0.1";
+        public const string LinuxExtensionSinglePassVersion = "1.1";
 
         public const string ExtensionDefaultPublisher = "Microsoft.Azure.Security";
         public const string ExtensionDefaultName = "AzureDiskEncryption";
         public const string ExtensionDefaultType = "AzureDiskEncryption";
         public const string ExtensionDefaultVersion = "1.1";
+        public const string ExtensionSinglePassVersion = "2.2";
         public const string VolumeTypeOS = "OS";
         public const string VolumeTypeData = "Data";
         public const string VolumeTypeAll = "All";