
Commit c9ab224

authored
Merge pull request #10866 from hyonholee/encryption
[Compute] Disk encryption update
2 parents ad439f0 + 9b4aef4 commit c9ab224


11 files changed

+1009
-148
lines changed


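--- a/src/Compute/Compute.Test/ScenarioTests/DiskRPTests.ps1
+++ b/src/Compute/Compute.Test/ScenarioTests/DiskRPTests.ps1
@@ -34,10 +34,13 @@ function Test-Disk
 $access = 'Read';
 
 # Config create test
-$diskconfig = New-AzDiskConfig -Location $loc -DiskSizeGB 500 -SkuName UltraSSD_LRS -OsType Windows -CreateOption Empty -DiskMBpsReadWrite 8 -DiskIOPSReadWrite 500;
+$diskconfig = New-AzDiskConfig -Location $loc -DiskSizeGB 500 -SkuName UltraSSD_LRS -OsType Windows -CreateOption Empty `
+-DiskMBpsReadWrite 8 -DiskIOPSReadWrite 500 -EncryptionType "EncryptionAtRestWithCustomerKey" -DiskEncryptionSetId $encSetId;
 Assert-AreEqual "UltraSSD_LRS" $diskconfig.Sku.Name;
 Assert-AreEqual 500 $diskconfig.DiskIOPSReadWrite;
 Assert-AreEqual 8 $diskconfig.DiskMBpsReadWrite;
+Assert-AreEqual $encSetId $diskconfig.Encryption.DiskEncryptionSetId;
+Assert-AreEqual "EncryptionAtRestWithCustomerKey" $diskconfig.Encryption.Type;
 
 $diskconfig = New-AzDiskConfig -Location $loc -Zone "1" -DiskSizeGB 5 -AccountType Standard_LRS -OsType Windows -CreateOption Empty `
 -EncryptionSettingsEnabled $true -HyperVGeneration "V1";
@@ -159,10 +162,14 @@ function Test-Disk
 Verify-PSOperationStatusResponse $st;
 
 # Config update test
-$updateconfig = New-AzDiskUpdateConfig -DiskSizeGB 10 -AccountType UltraSSD_LRS -OsType Windows -DiskMBpsReadWrite 8 -DiskIOPSReadWrite 500;
+$encSetId = "fakeid";
+$updateconfig = New-AzDiskUpdateConfig -DiskSizeGB 10 -AccountType UltraSSD_LRS -OsType Windows -DiskMBpsReadWrite 8 -DiskIOPSReadWrite 500 `
+-EncryptionType "EncryptionAtRestWithCustomerKey" -DiskEncryptionSetId $encSetId;
 Assert-AreEqual "UltraSSD_LRS" $updateconfig.Sku.Name;
 Assert-AreEqual 500 $updateconfig.DiskIOPSReadWrite;
-Assert-AreEqual 8 $updateconfig.DiskMBpsReadWrite
+Assert-AreEqual 8 $updateconfig.DiskMBpsReadWrite;
+Assert-AreEqual $encSetId $updateconfig.Encryption.DiskEncryptionSetId;
+Assert-AreEqual "EncryptionAtRestWithCustomerKey" $updateconfig.Encryption.Type;
 
 $updateconfig = New-AzDiskUpdateConfig -DiskSizeGB 10 -AccountType Premium_LRS -OsType Windows;
 $job = Update-AzDisk -ResourceGroupName $rgname -DiskName $diskname -DiskUpdate $updateconfig -AsJob;
@@ -204,6 +211,12 @@ function Test-Snapshot
 $access = 'Read';
 
 # Config and create test
+$snapshotconfig = New-AzSnapshotConfig -Location $loc -DiskSizeGB 500 -SkuName UltraSSD_LRS -OsType Windows -CreateOption Empty `
+-EncryptionType "EncryptionAtRestWithCustomerKey" -DiskEncryptionSetId $encSetId;
+Assert-AreEqual "UltraSSD_LRS" $snapshotconfig.Sku.Name;
+Assert-AreEqual $encSetId $snapshotconfig.Encryption.DiskEncryptionSetId;
+Assert-AreEqual "EncryptionAtRestWithCustomerKey" $snapshotconfig.Encryption.Type;
+
 $snapshotconfig = New-AzSnapshotConfig -Location $loc -DiskSizeGB 5 -AccountType Standard_LRS -OsType Windows -CreateOption Empty `
 -EncryptionSettingsEnabled $true -HyperVGeneration "V2";
 
@@ -315,6 +328,11 @@ function Test-Snapshot
 Verify-PSOperationStatusResponse $st;
 
 # Config update test
+$encSetId = "fakeid";
+$updateconfig = New-AzSnapshotUpdateConfig -EncryptionType "EncryptionAtRestWithCustomerKey" -DiskEncryptionSetId $encSetId;
+Assert-AreEqual $encSetId $updateconfig.Encryption.DiskEncryptionSetId;
+Assert-AreEqual "EncryptionAtRestWithCustomerKey" $updateconfig.Encryption.Type;
+
 $updateconfig = New-AzSnapshotUpdateConfig -DiskSizeGB 10 -AccountType Premium_LRS -OsType Windows;
 $job = Update-AzSnapshot -ResourceGroupName $rgname -SnapshotName $snapshotname -SnapshotUpdate $updateconfig -AsJob;
 $result = $job | Wait-Job;
@@ -799,30 +817,49 @@ function Test-DiskEncryptionSet
 {
 # Setup
 $loc = "westcentralus";
-$rgname = "pstest";
+$rgname = "psenctest";
 $encryptionName = "enc" + $rgname;
-$vaultName = 'kv' + $rgname;
-$kekName = 'kek' + $rgname;
+
+$vaultName1 = 'kv1' + $rgname ;
+$kekName1 = 'kek1' + $rgname;
+$secretname1 = 'mysecret1';
+$secretdata1 = 'mysecretvalue1';
+$securestring1 = ConvertTo-SecureString $secretdata1 -Force -AsPlainText;
+
+$vaultName2 = 'kv2' + $rgname ;
+$kekName2 = 'kek1' + $rgname;
+$secretname2 = 'mysecret2';
+$secretdata2 = 'mysecretvalue2';
+$securestring2 = ConvertTo-SecureString $secretdata1 -Force -AsPlainText;
 
 try
 {
 #
 # Note: In order to record this test, you need to run the following commands to create KeyValut key and KeyVault secret in a separate Powershell window.
 #
 #New-AzResourceGroup -Name $rgname -Location $loc -Force;
-#$vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgname -Location $loc -Sku Standard;
+#$vault1 = New-AzKeyVault -VaultName $vaultName1 -ResourceGroupName $rgname -Location $loc -Sku Standard;
+#$vault2 = New-AzKeyVault -VaultName $vaultName2 -ResourceGroupName $rgname -Location $loc -Sku Standard;
+#$mocksourcevault1 = $vault1.ResourceId;
+#$mocksourcevault2 = $vault2.ResourceId;
 #$userPrincipalName = (Get-AzContext).Account.Id;
-#Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgname -EnabledForDiskEncryption;
-#Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgname -ServicePrincipalName $userPrincipalName -PermissionsToKeys decrypt,encrypt,unwrapKey,wrapKey,verify,sign,get,list,update,create,import,delete,backup,restore,recover,purge;
-#$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination "Software";
-#$secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretname -SecretValue $securestring;
-#$mockkey = $kek.Id
+#Set-AzKeyVaultAccessPolicy -VaultName $vaultName1 -ResourceGroupName $rgname -EnabledForDiskEncryption;
+#Set-AzKeyVaultAccessPolicy -VaultName $vaultName2 -ResourceGroupName $rgname -EnabledForDiskEncryption;
+#$kek1 = Add-AzKeyVaultKey -VaultName $vaultName1 -Name $kekName1 -Destination "Software";
+#$kek2 = Add-AzKeyVaultKey -VaultName $vaultName2 -Name $kekName2 -Destination "Software";
+#$secret1 = Set-AzKeyVaultSecret -VaultName $vaultName1 -Name $secretname1 -SecretValue $securestring1;
+#$secret2 = Set-AzKeyVaultSecret -VaultName $vaultName2 -Name $secretname2 -SecretValue $securestring2;
+#$mockkey1 = $kek1.Id
+#$mockkey2 = $kek2.Id
 
 $subId = Get-SubscriptionIdFromResourceGroup $rgname;
-$mockkey = "https://kvpstest.vault.azure.net:443/keys/kekpstest/bf109281146949a9b3ae234db1728493";
-$mocksourcevault = '/subscriptions/' + $subId + '/resourceGroups/' + $rgname + '/providers/Microsoft.KeyVault/vaults/' + $vaultName;
+$mockkey1 = "https://kv1psenctest.vault.azure.net:443/keys/kek1psenctest/21571e3773bb4e6495c2d314a3f5de8b";
+$mockkey2 = "https://kv2psenctest.vault.azure.net:443/keys/kek1psenctest/d4bae3704edb4d4da592360a756cd278";
+
+$mocksourcevault1 = '/subscriptions/' + $subId + '/resourceGroups/' + $rgname + '/providers/Microsoft.KeyVault/vaults/' + $vaultName1;
+$mocksourcevault2 = '/subscriptions/' + $subId + '/resourceGroups/' + $rgname + '/providers/Microsoft.KeyVault/vaults/' + $vaultName2;
 
-New-AzDiskEncryptionSetConfig -Location $loc -KeyUrl $mockkey -SourceVaultId $mocksourcevault -IdentityType "SystemAssigned" `
+New-AzDiskEncryptionSetConfig -Location $loc -KeyUrl $mockkey1 -SourceVaultId $mocksourcevault1 -IdentityType "SystemAssigned" `
 | New-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $encryptionName;
 
 $encSet = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $encryptionName;
@@ -831,14 +868,42 @@ function Test-DiskEncryptionSet
 Assert-AreEqual "SystemAssigned" $encSet.Identity.Type;
 Assert-NotNull $encSet.Identity.PrincipalId;
 Assert-NotNull $encSet.Identity.TenantId;
-Assert-AreEqual $mockkey $encSet.ActiveKey.KeyUrl;
-Assert-AreEqual $mocksourcevault $encSet.ActiveKey.SourceVault.Id;
+Assert-AreEqual $mockkey1 $encSet.ActiveKey.KeyUrl;
+Assert-AreEqual $mocksourcevault1 $encSet.ActiveKey.SourceVault.Id;
+Assert-AreEqual 0 $encSet.Tags.Count;
 
 $encSets = Get-AzDiskEncryptionSet -ResourceGroupName $rgname;
 Assert-True {$encSets.Count -ge 1};
 
 $encSets = Get-AzDiskEncryptionSet;
 Assert-True {$encSets.Count -ge 1};
+
+$tags = @{test1 = "testval1"; test2 = "testval2" };
+Assert-ThrowsContains { `
+Update-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $encryptionName -KeyUrl $mockkey2 -SourceVaultId $mocksourcevault2 -Tag $tags; } `
+"Key rotation in disk encryption set is not supported in this version."
+
+Update-AzDiskEncryptionSet -ResourceId $encSet.Id -Tag $tags;
+
+$encSet = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $encryptionName;
+Assert-AreEqual 2 $encSet.Tags.Count;
+Assert-AreEqual "testval1" $encSet.Tags.test1;
+Assert-AreEqual "testval2" $encSet.Tags.test2;
+
+$tags = @{test1 = "testval2"; test2 = "testval1" };
+$encSet | Update-AzDiskEncryptionSet -KeyUrl $mockkey1 -SourceVaultId $mocksourcevault1 -Tag $tags;
+
+$encSet = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $encryptionName;
+Assert-AreEqual $encryptionName $encSet.Name;
+Assert-AreEqual $loc $encSet.Location;
+Assert-AreEqual "SystemAssigned" $encSet.Identity.Type;
+Assert-NotNull $encSet.Identity.PrincipalId;
+Assert-NotNull $encSet.Identity.TenantId;
+Assert-AreEqual $mockkey1 $encSet.ActiveKey.KeyUrl;
+Assert-AreEqual $mocksourcevault1 $encSet.ActiveKey.SourceVault.Id;
+Assert-AreEqual 2 $encSet.Tags.Count;
+Assert-AreEqual "testval2" $encSet.Tags.test1;
+Assert-AreEqual "testval1" $encSet.Tags.test2;
 }
 finally
 {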
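Review bot: The second vault's setup in Test-DiskEncryptionSet (new lines 830 and 833) carries two copy-paste slips: `$kekName2 = 'kek1' + $rgname;` reuses the first key's name and `$securestring2 = ConvertTo-SecureString $secretdata1 -Force -AsPlainText;` wraps the first secret's value, so following the recording comment block would create vault 2 with a key named `kek1psenctest` and a secret `mysecret2` holding `mysecretvalue1`. The hard-coded `$mockkey2` URL (`.../keys/kek1psenctest/...`) matches the slip, which suggests the recording was made that way; since `$mockkey2` is only used on the path asserted to throw, the fix is `$kekName2 = 'kek2' + $rgname;` and `$securestring2 = ConvertTo-SecureString $secretdata2 -Force -AsPlainText;`, with a comment that `$mockkey2` must be re-recorded if vault 2 is rebuilt. Separately, `$encSetId` is passed to New-AzDiskConfig (Test-Disk, new line 38) and New-AzSnapshotConfig (Test-Snapshot, new line 215) before the hunks that assign `$encSetId = "fakeid"`; if it is not assigned earlier outside these hunks, the cmdlet receives `$null` and `Assert-AreEqual $encSetId ...` passes vacuously, so that is worth confirming against the full function. Each function's body starts and ends outside the hunks shown.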
