Merge pull request #10208 from Jyotsna-Anand/jyanand-ade-updatekek

Fixed bug in Kek->NoKEK encryption settings update

Author: msJinLei

src/Compute/Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1

@@ -1594,6 +1594,22 @@ function Test-AzureDiskEncryptionExtension
         Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
         Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
 
+        #Update encryption settings on the VM from KEK to No KEK
+        Set-AzVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -Force;
+        #Get encryption status
+        $encryptionStatus = Get-AzVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+        #Verify encryption is enabled on OS volume and data volumes
+        $OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+        Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $true;
+        Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $true;
+        #verify diskencryption keyvault url & secret url are not null
+        Assert-NotNull $OsVolumeEncryptionSettings;
+        Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
+        Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
+		#verify key encryption key keyvault url & secret url are null after the update
+		Assert-Null $OsVolumeEncryptionSettings.KeyEncryptionKey.SecretUrl;
+        Assert-Null $OsVolumeEncryptionSettings.KeyEncryptionKey.SourceVault;
+
         #Remove the VM
         Remove-AzVm -ResourceGroupName $rgname -Name $vmName -Force;
 

src/Compute/Compute/ChangeLog.md

@@ -22,6 +22,7 @@
 * Add Priority, EvictionPolicy, and MaxPrice parameters to New-AzVM and New-AzVmss cmdlets
 * Fix warning message and help document for Add-AzVMAdditionalUnattendContent and Add-AzVMSshPublicKey cmdlets
 * Fix -skipVmBackup exception for Linux VMs with managed disks for Set-AzVMDiskEncryptionExtension. 
+* Fix bug in update encryption settings in Set-AzVMDiskEncryptionExtension, two pass scenario.
 
 ## Version 2.6.0
 * Add UploadSizeInBytes parameter tp New-AzDiskConfig

src/Compute/Compute/Extension/AzureDiskEncryption/SetAzureDiskEncryptionExtension.cs

@@ -314,6 +314,11 @@ private AzureOperationResponse<VirtualMachine> UpdateVmEncryptionSettings(DiskEn
                                                       ErrorCategory.InvalidResult,
                                                       null));
             }
+            //encryption settings object to clear out encryption settings before updating
+            DiskEncryptionSettings resetEncryptionSettings = new DiskEncryptionSettings();
+            resetEncryptionSettings.Enabled = false;
+            resetEncryptionSettings.DiskEncryptionKey = null;
+            resetEncryptionSettings.KeyEncryptionKey = null;
 
             DiskEncryptionSettings encryptionSettings = new DiskEncryptionSettings();
             encryptionSettings.Enabled = true;
@@ -326,6 +331,7 @@ private AzureOperationResponse<VirtualMachine> UpdateVmEncryptionSettings(DiskEn
                 encryptionSettings.KeyEncryptionKey.SourceVault = new SubResource(this.KeyEncryptionKeyVaultId);
                 encryptionSettings.KeyEncryptionKey.KeyUrl = this.KeyEncryptionKeyUrl;
             }
+
             vmParameters.StorageProfile.OsDisk.EncryptionSettings = encryptionSettings;
             var parameters = new VirtualMachine
             {
@@ -352,14 +358,35 @@ private AzureOperationResponse<VirtualMachine> UpdateVmEncryptionSettings(DiskEn
             }
             else
             {
-
-                // stop-update-start
+                // stop-clear-update-start
                 // stop vm
                 this.ComputeClient.ComputeManagementClient.VirtualMachines
                     .DeallocateWithHttpMessagesAsync(this.ResourceGroupName, this.VMName).GetAwaiter()
                     .GetResult();
 
-                // update vm
+                // first update vm call to clear encryption settings
+                vmParameters = (this.ComputeClient.ComputeManagementClient.VirtualMachines.Get(
+                this.ResourceGroupName, this.VMName));
+                vmParameters.StorageProfile.OsDisk.EncryptionSettings = resetEncryptionSettings;
+                parameters = new VirtualMachine
+                {
+                    DiagnosticsProfile = vmParameters.DiagnosticsProfile,
+                    HardwareProfile = vmParameters.HardwareProfile,
+                    StorageProfile = vmParameters.StorageProfile,
+                    NetworkProfile = vmParameters.NetworkProfile,
+                    OsProfile = vmParameters.OsProfile,
+                    Plan = vmParameters.Plan,
+                    AvailabilitySet = vmParameters.AvailabilitySet,
+                    Location = vmParameters.Location,
+                    Tags = vmParameters.Tags
+                };
+
+                updateResult = this.ComputeClient.ComputeManagementClient.VirtualMachines.CreateOrUpdateWithHttpMessagesAsync(
+                    this.ResourceGroupName,
+                    vmParameters.Name,
+                    parameters).GetAwaiter().GetResult();
+
+                // second update vm call to set new encryption settings
                 vmParameters = (this.ComputeClient.ComputeManagementClient.VirtualMachines.Get(
                 this.ResourceGroupName, this.VMName));
                 vmParameters.StorageProfile.OsDisk.EncryptionSettings = encryptionSettings;
@@ -566,23 +593,23 @@ public override void ExecuteCmdlet()
                                                                       new DiskEncryptionSettings { Enabled = false };
 
                     // Single Pass
-                    //      newer model, supported by newer extension versions and host functionality 
+                    //      newer model, supported by newer extension versions and host functionality
                     //      if SinglePassParameterSet is used, cmdlet will default to newer extension version
                     //      [first and only pass]
                     //          only one enable extension call will be issued from the cmdlet n
-                    //          No AD identity information or protected settings will be passed to the extension 
-                    //          Host performs the necessary key vault operations and vm model updates 
+                    //          No AD identity information or protected settings will be passed to the extension
+                    //          Host performs the necessary key vault operations and vm model updates
                     // Dual Pass
-                    //      older model, supported by older extension versions  
+                    //      older model, supported by older extension versions
                     //      if an AD ParameterSet is used, cmdlet will default to older extension version
-                    //      [first pass] 
+                    //      [first pass]
                     //          AD identity information is passed into the VM via protected settings of the extension
-                    //          VM uses the AD identity to authenticate and perform key vault operations  
+                    //          VM uses the AD identity to authenticate and perform key vault operations
                     //          VM returns result of key vault operation to caller via the extension status message
                     //      [second pass]
                     //          powershell reads extension status message returned from first pass
                     //          updates VM model with encryption settings
-                    //          updates VM 
+                    //          updates VM
 
                     // First Pass
                     AzureOperationResponse<VirtualMachineExtension> firstPass = this.VirtualMachineExtensionClient.CreateOrUpdateWithHttpMessagesAsync(
@@ -608,7 +635,7 @@ public override void ExecuteCmdlet()
                     }
                     else
                     {
-                        // Second pass 
+                        // Second pass
                         var secondPass = UpdateVmEncryptionSettings(encryptionSettingsBackup);
                         WriteObject(ComputeAutoMapperProfile.Mapper.Map<PSAzureOperationResponse>(secondPass));
                     }