Merge pull request Azure#1243 from AzureRT/dev

Disk encryption feature

Author: markcowl

src/ResourceManager/Compute/AzureRM.Compute.psd1

@@ -9,7 +9,7 @@
 @{  
 
 # Version number of this module.  
-ModuleVersion = '1.0.1' 
+ModuleVersion = '1.1.0'
 
 # ID used to uniquely identify this module  
 GUID = '0a83c907-1ffb-4d87-a492-c65ac7d7ed37'  

src/ResourceManager/Compute/Commands.Compute.Test/Commands.Compute.Test.csproj

@@ -67,7 +67,8 @@
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.1.0.0\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Compute, Version=9.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.9.0.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.9.1.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Network, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.cs

@@ -53,5 +53,13 @@ public void TestVirtualMachineAccessExtension()
         {
             ComputeTestController.NewInstance.RunPsTest("Test-VirtualMachineAccessExtension");
         }
+
+        [Fact(Skip = "TODO: only works for live mode")]
+        [Trait(Category.RunType, Category.LiveOnly)]
+        public void TestAzureDiskEncryptionExtension()
+        {
+            ComputeTestController.NewInstance.RunPsTest("Test-AzureDiskEncryptionExtension");
+        }
+
     }
 }

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1

@@ -790,3 +790,138 @@ function Test-VirtualMachineAccessExtension
         Clean-ResourceGroup $rgname
     }
 }
+
+<#
+.SYNOPSIS
+Test AzureDiskEncryption extension
+#>
+function Test-AzureDiskEncryptionExtension
+{
+    # This test should be run in Live mode only not in Playback mode
+	#Pre-requisites to be filled in before running this test. The AAD app should belong to the directory as the user running the test.
+    $aadClientID = "";
+	$aadClientSecret = "";
+	#Fill in VM admin user and password
+	$adminUser = "";
+	$adminPassword = "";
+
+	#Resource group variables
+	$rgName = "detestrg";
+	$loc = "South Central US";
+
+	#KeyVault config variables
+	$vaultName = "detestvault";
+	$kekName = "dstestkek";
+
+	#VM config variables
+	$vmName = "detestvm";
+	$vmsize = 'Standard_D2';
+	$imagePublisher = "MicrosoftWindowsServer";
+	$imageOffer = "WindowsServer";
+	$imageSku ="2012-R2-Datacenter";
+
+	#Storage config variables
+	$storageAccountName = "deteststore";
+	$stotype = 'Standard_LRS';
+	$vhdContainerName = "vhds";
+    $osDiskName = 'osdisk' + $vmName;
+	$dataDiskName = 'datadisk' + $vmName;
+    $osDiskCaching = 'ReadWrite';
+	
+	#Network config variables
+	$vnetName = "detestvnet";
+	$subnetName = "detestsubnet";
+	$publicIpName = 'pubip' + $vmName;
+	$nicName = 'nic' + $vmName;
+
+
+	#Disk encryption variables
+	$keyEncryptionAlgorithm = "RSA-OAEP";
+	$volumeType = "All";
+
+    try
+    {
+        Login-AzureRmAccount;
+        # Create new resource group      
+        New-AzureRmResourceGroup -Name $rgname -Location $loc -Force;
+
+		# Create new KeyVault
+		$keyVault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgname -Location $loc -Sku standard;
+		$keyVault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgname
+		#set enabledForDiskEncryption
+        Write-Host 'Press go to https://resources.azure.com and set enabledForDiskEncryption flag on KeyVault. [ENTER] to continue or [CTRL-C] to abort...'
+        Read-Host
+		#set permissions to AAD app to write secrets and keys
+		Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all 
+		#create a key in KeyVault to use as Kek
+		$kek = Add-AzureKeyVaultKey -VaultName $vaultName -Name $kekName -Destination "Software"
+
+		$diskEncryptionKeyVaultUrl = $keyVault.VaultUri;
+		$keyVaultResourceId = $keyVault.ResourceId;
+		$keyEncryptionKeyUrl = $kek.Key.kid;
+
+        # VM Profile & Hardware   
+        $p = New-AzureRmVMConfig -VMName $vmname -VMSize $vmsize;
+
+        # NRP
+        $subnet = New-AzureRmVirtualNetworkSubnetConfig -Name ($subnetName) -AddressPrefix "10.0.0.0/24";
+        $vnet = New-AzureRmVirtualNetwork -Force -Name ($vnetName) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
+        $vnet = Get-AzureRmVirtualNetwork -Name ($vnetName) -ResourceGroupName $rgname;
+        $subnetId = $vnet.Subnets[0].Id;
+        $pubip = New-AzureRmPublicIpAddress -Force -Name ($publicIpName) -ResourceGroupName $rgname -Location $loc -AllocationMethod Dynamic -DomainNameLabel ($publicIpName);
+        $pubip = Get-AzureRmPublicIpAddress -Name ($publicIpName) -ResourceGroupName $rgname;
+        $pubipId = $pubip.Id;
+        $nic = New-AzureRmNetworkInterface -Force -Name ($nicName) -ResourceGroupName $rgname -Location $loc -SubnetId $subnetId -PublicIpAddressId $pubip.Id;
+        $nic = Get-AzureRmNetworkInterface -Name ($nicName) -ResourceGroupName $rgname;
+        $nicId = $nic.Id;
+
+        $p = Add-AzureRmVMNetworkInterface -VM $p -Id $nicId;
+
+        # Storage Account (SA)
+        New-AzureRmStorageAccount -ResourceGroupName $rgname -Name $storageAccountName -Location $loc -Type $stotype;
+        $stokey = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgname -Name $storageAccountName).Key1;
+
+        $osDiskVhdUri = "https://$storageAccountName.blob.core.windows.net/$vhdContainerName/$osDiskName.vhd";
+        $dataDiskVhdUri = "https://$storageAccountName.blob.core.windows.net/$vhdContainerName/$dataDiskName.vhd";
+
+        $p = Set-AzureRmVMOSDisk -VM $p -Name $osDiskName -VhdUri $osDiskVhdUri -Caching $osDiskCaching -CreateOption FromImage;
+        $p = Add-AzureRmVMDataDisk -VM $p -Name $dataDiskName -Caching 'ReadOnly' -DiskSizeInGB 2 -Lun 1 -VhdUri $dataDiskVhdUri -CreateOption Empty;
+
+        # OS & Image
+        $securePassword = ConvertTo-SecureString $adminPassword -AsPlainText -Force;
+        $cred = New-Object System.Management.Automation.PSCredential ($adminUser, $securePassword);
+        $computerName = $vmName;
+        $vhdContainer = "https://$storageAccountName.blob.core.windows.net/$vhdContainerName";
+
+        $p = Set-AzureRmVMOperatingSystem -VM $p -Windows -ComputerName $computerName -Credential $cred -ProvisionVMAgent;
+        $p = Set-AzureRmVMSourceImage -VM $p -PublisherName $imagePublisher -Offer $imageOffer -Skus $imageSku -Version "latest";
+
+
+        # Virtual Machine
+        New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $p;
+
+		#Enable encryption on the VM
+        Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
+        #Get encryption status
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+        #Remove AzureDiskEncryption extension
+        Remove-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName;
+
+        #Remove the VM 
+        Remove-AzureRmVm -ResourceGroupName $rgname -Name $vmName -Force;
+
+        #Create a brand new VM using the same OS vhd encrypted above
+        $p.StorageProfile.ImageReference = $null;
+        $p.OSProfile = $null;
+        $p.StorageProfile.DataDisks = $null;
+        $p = Set-AzureRmVMOSDisk -VM $p -Name $p.StorageProfile.OSDisk.Name -VhdUri $p.StorageProfile.OSDisk.VirtualHardDisk.Uri -Caching ReadWrite -CreateOption attach -DiskEncryptionKeyUrl $encryptionStatus.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl -DiskEncryptionKeyVaultId $encryptionStatus.OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault.ReferenceUri -Windows;
+
+        New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $p;
+
+    }
+    finally
+    {
+        # Cleanup
+        Remove-AzureRmResourceGroup -Name $rgname -Force;
+    }
+}

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineProfileTests.ps1

@@ -244,13 +244,22 @@ function Test-VirtualMachineProfileWithoutAUC
     $dataDiskVhdUri2 = "https://$stoname.blob.core.windows.net/test/data2.vhd";
     $dataDiskVhdUri3 = "https://$stoname.blob.core.windows.net/test/data3.vhd";
 
-    $p = Set-AzureRmVMOSDisk -VM $p -Name $osDiskName -VhdUri $osDiskVhdUri -Caching $osDiskCaching -CreateOption Empty;
+    $dekUri = "https://testvault123.vault.azure.net/secrets/Test1/514ceb769c984379a7e0230bddaaaaaa";
+    $dekId =  "/subscriptions/" + $subid + "/resourceGroups/RgTest1/providers/Microsoft.KeyVault/vaults/TestVault123";
+    $kekUri = "http://keyVaultName.vault.azure.net/secrets/secretName/secretVersion";
+    $kekId = "/subscriptions/" + $subid + "/resourceGroups/RgTest1/providers/Microsoft.KeyVault/vaults/TestVault123";
+
+    $p = Set-AzureRmVMOSDisk -VM $p -Windows -Name $osDiskName -VhdUri $osDiskVhdUri -Caching $osDiskCaching -CreateOption Empty -DiskEncryptionKeyUrl $dekUri -DiskEncryptionKeyVaultId $dekId -KeyEncryptionKeyUrl $kekUri -KeyEncryptionKeyVaultId $kekId;
 
     $p = Add-AzureRmVMDataDisk -VM $p -Name 'testDataDisk1' -Caching 'ReadOnly' -DiskSizeInGB 10 -Lun 0 -VhdUri $dataDiskVhdUri1 -CreateOption Empty;
     $p = Add-AzureRmVMDataDisk -VM $p -Name 'testDataDisk2' -Caching 'ReadOnly' -DiskSizeInGB 11 -Lun 1 -VhdUri $dataDiskVhdUri2 -CreateOption Empty;
     $p = Add-AzureRmVMDataDisk -VM $p -Name 'testDataDisk3' -Caching 'ReadOnly' -DiskSizeInGB 12 -Lun 2 -VhdUri $dataDiskVhdUri3 -CreateOption Empty;
     $p = Remove-AzureRmVMDataDisk -VM $p -Name 'testDataDisk3';
 
+    Assert-AreEqual $p.StorageProfile.OSDisk.EncryptionSettings.DiskEncryptionKey.SourceVault.ReferenceUri $dekId
+    Assert-AreEqual $p.StorageProfile.OSDisk.EncryptionSettings.DiskEncryptionKey.SecretUrl $dekUri
+    Assert-AreEqual $p.StorageProfile.OSDisk.EncryptionSettings.KeyEncryptionKey.SourceVault.ReferenceUri $kekId
+    Assert-AreEqual $p.StorageProfile.OSDisk.EncryptionSettings.KeyEncryptionKey.KeyUrl $kekUri
     Assert-AreEqual $p.StorageProfile.OSDisk.Caching $osDiskCaching;
     Assert-AreEqual $p.StorageProfile.OSDisk.Name $osDiskName;
     Assert-AreEqual $p.StorageProfile.OSDisk.VirtualHardDisk.Uri $osDiskVhdUri;

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineTests.cs

@@ -23,7 +23,7 @@ public partial class VirtualMachineTests
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestVirtualMachine()
         {
-            ComputeTestController.NewInstance.RunPsTest("Test-VirtualMachine");
+            ComputeTestController.NewInstance.RunPsTest(@"Test-VirtualMachine $null");
         }
 
         [Fact]

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineTests.ps1

@@ -18,13 +18,17 @@ Test Virtual Machines
 #>
 function Test-VirtualMachine
 {
+    param ($loc)
     # Setup
     $rgname = Get-ComputeTestResourceName
 
     try
     {
         # Common
-        $loc = Get-ComputeVMLocation;
+        if ($loc -eq $null)
+        {
+            $loc = Get-ComputeVMLocation;
+        }
         New-AzureRmResourceGroup -Name $rgname -Location $loc -Force;
 
         # VM Profile & Hardware

src/ResourceManager/Compute/Commands.Compute.Test/packages.config

@@ -7,7 +7,7 @@
   <package id="Microsoft.Azure.Gallery" version="2.6.2-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Graph.RBAC" version="1.7.0-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Authorization" version="1.0.0" targetFramework="net45" />
-  <package id="Microsoft.Azure.Management.Compute" version="9.0.0" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Compute" version="9.1.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Network" version="2.0.13-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Resources" version="2.18.7-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Storage" version="3.0.0" targetFramework="net45" />

src/ResourceManager/Compute/Commands.Compute/Commands.Compute.csproj

@@ -81,7 +81,8 @@
       <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Compute, Version=9.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.9.0.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Compute.9.1.0\lib\net40\Microsoft.Azure.Management.Compute.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Network, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
@@ -206,6 +207,19 @@
     <Compile Include="ExtensionImages\GetAzureVMExtensionImageTypeCommand.cs" />
     <Compile Include="ExtensionImages\GetAzureVMExtensionImageCommand.cs" />
     <Compile Include="ExtensionImages\VirtualMachineExtensionImageBaseCmdlet.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionContext.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionProtectedSettings.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionPublicSettings.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\GetAzureDiskEncryptionStatus.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\RemoveAzureDiskEncryptionExtension.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\SetAzureDiskEncryptionExtension.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupExtensionUtil.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupException.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupExtensionProtectedSettings.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupExtensionPublicSettings.cs" />
+    <Compile Include="Extension\AzureVMBackup\AzureVMBackupConfig.cs" />
+    <Compile Include="Extension\AzureVMBackup\RemoveAzureVMBackup.cs" />
+    <Compile Include="Extension\AzureVMBackup\SetAzureVMBackupExtension.cs" />
     <Compile Include="Extension\CustomScript\GetAzureVMCustomScriptExtensionCommand.cs" />
     <Compile Include="Extension\CustomScript\CustomScriptExtensionPrivateSettings.cs" />
     <Compile Include="Extension\CustomScript\CustomScriptExtensionPublicSettings.cs" />
@@ -241,6 +255,7 @@
     <Compile Include="Extension\SqlServer\VirtualMachineSqlServerExtensionContext.cs" />
     <Compile Include="Images\GetAzureVMImageCommand.cs" />
     <Compile Include="Common\HashTableExtensions.cs" />
+    <Compile Include="Models\AzureDiskEncryptionStatusContext.cs" />
     <Compile Include="Models\PSComputeLongRunningOperation.cs" />
     <Compile Include="Models\PSOperation.cs" />
     <Compile Include="Extension\VMAccess\GetAzureVMAccessExtension.cs" />

src/ResourceManager/Compute/Commands.Compute/Common/ConstantStringTypes.cs

@@ -28,6 +28,10 @@ public static class HelpMessages
         public const string VMOSDiskCaching = "The virtual machine OS disk's caching.";
         public const string VMOSDiskWindowsOSType = "The virtual machine disk's OS is Windows.";
         public const string VMOSDiskLinuxOSType = "The virtual machine disk's OS is Linux.";
+        public const string VMOSDiskDiskEncryptionKeyUrl = "the URL referencing a secret in a disk encryption key vault";
+        public const string VMOSDiskDiskEncryptionKeyVaultId = "the Id of a disk encryption key vault";
+        public const string VMOSDiskKeyEncryptionKeyUrl = "the URL referencing a key in a key encryption key vault";
+        public const string VMOSDiskKeyEncryptionKeyVaultId = "the Id of a key encryption key Vault";
         public const string VMSourceImageUri = "The virtual machine OS disk's source image Uri.";
 
         public const string VMDataDiskName = "The virtual machine data disk's name.";
@@ -110,5 +114,14 @@ public static class ProfileNouns
 
         // Sql Server
         public const string VirtualMachineSqlServerExtension = "AzureRmVMSqlServerExtension";
+
+        //AzureDiskEncryption
+        public const string AzureDiskEncryptionExtension = "AzureRmVMDiskEncryptionExtension";
+        public const string AzureDiskEncryptionStatus = "AzureRmVMDiskEncryptionStatus";
+
+        //AzureVMBackup
+        public const string AzureVMBackup = "AzureRmVMBackup";
+        public const string AzureVMBackupExtension = "AzureRmVMBackupExtension";
+
     }
 }