Skip to content

Commit c81a741

Browse files
cormacpaynecormacpayne
authored
Merge pull request Azure#297 from vermashi/shiv-allow-update-encryption-settings
Allow updates for encryption settings on premium storage VMs
2 parents 636b366 + 267a55b commit c81a741

File tree

2 files changed

+61
-20
lines changed

2 files changed

+61
-20
lines changed

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1

Lines changed: 17 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1044,18 +1044,19 @@ function Test-AzureDiskEncryptionExtension
10441044

10451045
#KeyVault config variables
10461046
$vaultName = "detestvault";
1047+
$vault2Name = "detestvault2";
10471048
$kekName = "dstestkek";
10481049

10491050
#VM config variables
10501051
$vmName = "detestvm";
1051-
$vmsize = 'Standard_D2';
1052+
$vmsize = 'Standard_DS2';
10521053
$imagePublisher = "MicrosoftWindowsServer";
10531054
$imageOffer = "WindowsServer";
10541055
$imageSku ="2012-R2-Datacenter";
10551056

10561057
#Storage config variables
10571058
$storageAccountName = "deteststore";
1058-
$stotype = 'Standard_LRS';
1059+
$stotype = 'Premium_LRS';
10591060
$vhdContainerName = "vhds";
10601061
$osDiskName = 'osdisk' + $vmName;
10611062
$dataDiskName = 'datadisk' + $vmName;
@@ -1117,6 +1118,17 @@ function Test-AzureDiskEncryptionExtension
11171118
$keyVaultResourceId = $keyVault.ResourceId;
11181119
$keyEncryptionKeyUrl = $kek.Key.kid;
11191120

1121+
# Create the 2nd key vault
1122+
$keyVault2 = New-AzureRmKeyVault -VaultName $vault2Name -ResourceGroupName $rgname -Location $loc -Sku standard;
1123+
$keyVault2 = Get-AzureRmKeyVault -VaultName $vault2Name -ResourceGroupName $rgname
1124+
#set enabledForDiskEncryption
1125+
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault2Name -ResourceGroupName $rgname -EnabledForDiskEncryption;
1126+
#set permissions to AAD app to write secrets and keys
1127+
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault2Name -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all
1128+
1129+
$diskEncryptionKeyVaultUrl2 = $keyVault2.VaultUri;
1130+
$keyVaultResourceId2 = $keyVault2.ResourceId;
1131+
11201132
# VM Profile & Hardware
11211133
$p = New-AzureRmVMConfig -VMName $vmname -VMSize $vmsize;
11221134

@@ -1169,6 +1181,9 @@ function Test-AzureDiskEncryptionExtension
11691181
Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
11701182
Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
11711183

1184+
# Change settings on the VM
1185+
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl2 -DiskEncryptionKeyVaultId $keyVaultResourceId2 -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
1186+
11721187
#Add a couple of data volumes to encrypt them
11731188
$p = Add-AzureRmVMDataDisk -VM $p -Name $extraDataDiskName1 -Caching 'ReadOnly' -DiskSizeInGB 2 -Lun 1 -VhdUri $dataDiskVhdUri -CreateOption Empty;
11741189
$p = Add-AzureRmVMDataDisk -VM $p -Name $extraDataDiskName2 -Caching 'ReadOnly' -DiskSizeInGB 2 -Lun 1 -VhdUri $dataDiskVhdUri -CreateOption Empty;

src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/SetAzureDiskEncryptionExtension.cs

Lines changed: 44 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -265,7 +265,7 @@ private string GetExtensionStatusMessage()
265265
/// <summary>
266266
/// This function gets the VM model, fills in the OSDisk properties with encryptionSettings and does an UpdateVM
267267
/// </summary>
268-
private AzureOperationResponse<VirtualMachine> UpdateVmEncryptionSettings()
268+
private AzureOperationResponse<VirtualMachine> UpdateVmEncryptionSettings(DiskEncryptionSettings encryptionSettingsBackup)
269269
{
270270
string statusMessage = GetExtensionStatusMessage();
271271

@@ -282,14 +282,6 @@ private AzureOperationResponse<VirtualMachine> UpdateVmEncryptionSettings()
282282
null));
283283
}
284284

285-
DiskEncryptionSettings encryptionSettingsBackup = vmParameters.StorageProfile.OsDisk.EncryptionSettings;
286-
287-
if (encryptionSettingsBackup == null)
288-
{
289-
encryptionSettingsBackup = new DiskEncryptionSettings();
290-
encryptionSettingsBackup.Enabled = false;
291-
}
292-
293285
DiskEncryptionSettings encryptionSettings = new DiskEncryptionSettings();
294286
encryptionSettings.Enabled = true;
295287
encryptionSettings.DiskEncryptionKey = new KeyVaultSecretReference();
@@ -315,21 +307,50 @@ private AzureOperationResponse<VirtualMachine> UpdateVmEncryptionSettings()
315307
Tags = vmParameters.Tags
316308
};
317309

318-
AzureOperationResponse<VirtualMachine> updateResult = this.ComputeClient.ComputeManagementClient.VirtualMachines.CreateOrUpdateWithHttpMessagesAsync(
319-
this.ResourceGroupName,
320-
vmParameters.Name,
321-
parameters).GetAwaiter().GetResult();
310+
AzureOperationResponse<VirtualMachine> updateResult = null;
322311

323-
if(!updateResult.Response.IsSuccessStatusCode)
312+
// The 2nd pass. TODO: If something goes wrong here, try to revert to encryptionSettingsBackup.
313+
if (encryptionSettingsBackup.Enabled != true)
314+
{
315+
updateResult = this.ComputeClient.ComputeManagementClient.VirtualMachines.CreateOrUpdateWithHttpMessagesAsync(
316+
this.ResourceGroupName,
317+
vmParameters.Name,
318+
parameters).GetAwaiter().GetResult();
319+
}
320+
else
324321
{
322+
323+
// stop-update-start
324+
// stop vm
325+
this.ComputeClient.ComputeManagementClient.VirtualMachines
326+
.DeallocateWithHttpMessagesAsync(this.ResourceGroupName, this.VMName).GetAwaiter()
327+
.GetResult();
328+
329+
// update vm
325330
vmParameters = (this.ComputeClient.ComputeManagementClient.VirtualMachines.Get(
326-
this.ResourceGroupName, this.VMName));
327-
vmParameters.StorageProfile.OsDisk.EncryptionSettings = encryptionSettingsBackup;
331+
this.ResourceGroupName, this.VMName));
332+
vmParameters.StorageProfile.OsDisk.EncryptionSettings = encryptionSettings;
333+
parameters = new VirtualMachine
334+
{
335+
DiagnosticsProfile = vmParameters.DiagnosticsProfile,
336+
HardwareProfile = vmParameters.HardwareProfile,
337+
StorageProfile = vmParameters.StorageProfile,
338+
NetworkProfile = vmParameters.NetworkProfile,
339+
OsProfile = vmParameters.OsProfile,
340+
Plan = vmParameters.Plan,
341+
AvailabilitySet = vmParameters.AvailabilitySet,
342+
Location = vmParameters.Location,
343+
Tags = vmParameters.Tags
344+
};
328345

329-
this.ComputeClient.ComputeManagementClient.VirtualMachines.CreateOrUpdateWithHttpMessagesAsync(
346+
updateResult = this.ComputeClient.ComputeManagementClient.VirtualMachines.CreateOrUpdateWithHttpMessagesAsync(
330347
this.ResourceGroupName,
331348
vmParameters.Name,
332349
parameters).GetAwaiter().GetResult();
350+
351+
// start vm
352+
this.ComputeClient.ComputeManagementClient.VirtualMachines
353+
.StartWithHttpMessagesAsync(ResourceGroupName, this.VMName).GetAwaiter().GetResult();
333354
}
334355

335356
return updateResult;
@@ -467,6 +488,10 @@ public override void ExecuteCmdlet()
467488

468489
VirtualMachineExtension parameters = GetVmExtensionParameters(virtualMachineResponse);
469490

491+
DiskEncryptionSettings encryptionSettingsBackup = virtualMachineResponse.StorageProfile.OsDisk.EncryptionSettings ??
492+
new DiskEncryptionSettings { Enabled = false };
493+
494+
// The "1st pass". If this goes wrong, just bubble up the error and abort.
470495
AzureOperationResponse<VirtualMachineExtension> extensionPushResult = this.VirtualMachineExtensionClient.CreateOrUpdateWithHttpMessagesAsync(
471496
this.ResourceGroupName,
472497
this.VMName,
@@ -484,7 +509,8 @@ public override void ExecuteCmdlet()
484509
null));
485510
}
486511

487-
var op = UpdateVmEncryptionSettings();
512+
var op = UpdateVmEncryptionSettings(encryptionSettingsBackup);
513+
488514
var result = Mapper.Map<PSAzureOperationResponse>(op);
489515
WriteObject(result);
490516
}

0 commit comments

Comments
 (0)