Add Managed Identity Support in Azure Disk Encryption (#26652)
* Changes

* Add UT's

* Unwanted changes

* Update markdown file

* Modified code and handle comments

* Update comments and removed unwanted code

* update test case

* fix comments

* fix changelog

* Addressed comments

* fix changes

* Removed unwanted changes

* Throw exception when encryption identity is not part of assigned Identities

* Remove unwanted changes

* Remove changes not required

* remove unwanted changes1

* fix remaining unwanted changes

* fix indentation issues

* markdown check

---------

Co-authored-by: Anshul Jain <anshjain@microsoft.com>
anshuljain26 and Anshul Jain authored Jan 8, 2025
1 parent 0709a7b commit 91fe3f0
Showing 17 changed files with 23,394 additions and 9 deletions.
41 changes: 41 additions & 0 deletions src/Compute/Compute.Test/ScenarioTests/ComputeTestCommon.ps1
Expand Up @@ -138,6 +138,47 @@ function Create-KeyVault
return $properties
}

# Create key vault resources
function Create-KeyVaultWithAclEncryptionIdentity
{
Param
(
[Parameter(Mandatory=$true, Position=0)]
[string] $resourceGroupName,
[Parameter(Mandatory=$true, Position=1)]
[string] $location,
[Parameter(Mandatory=$false, Position=2)]
[string] $vaultName,
[Parameter(Mandatory=$false, Position=3)]
[String] $userIdentityPrincipalId
)

# initialize parameters if needed
if ([string]::IsNullOrEmpty($resourceGroupName)) { $resourceGroupName = Get-ComputeTestResourceName }
if ([string]::IsNullOrEmpty($location)) { $location = Get-ComputeVMLocation }
if ([string]::IsNullOrEmpty($vaultName)) { $vaultName = 'kv' + $resourceGroupName }

# create vault
$vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Location $location -Sku standard -DisableRbacAuthorization
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName

# create access policy
$servicePrincipalName = (Get-AzContext).Account.Id
Assert-NotNull $servicePrincipalName
if (-not [string]::IsNullOrEmpty($userIdentityPrincipalId)) {
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $userIdentityPrincipalId -PermissionsToKeys all -PermissionsToSecrets all
}
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -EnabledForDeployment -EnabledForTemplateDeployment

# return the newly created key vault properties
$properties = New-Object PSObject -Property @{
DiskEncryptionKeyVaultId = $vault.ResourceId
DiskEncryptionKeyVaultUrl = $vault.VaultUri
#KeyEncryptionKeyUrl = $kek.Key.kid
}
return $properties
}

# Create a new virtual machine with other necessary resources configured
function Create-VirtualMachine
{
Expand Down
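Review bot: The access policy set for `$userIdentityPrincipalId` grants `-PermissionsToKeys all -PermissionsToSecrets all`, which is broader than the key wrap/unwrap and secret get/set operations that disk encryption with a managed identity appears to need; even in a test helper this is the snippet that gets copied, so either narrow the permission lists or add a comment stating why the full set is required here. `$resourceGroupName` and `$location` are declared `Mandatory=$true`, so the `IsNullOrEmpty` defaulting that follows is unreachable for them (PowerShell rejects an empty string for a mandatory `[string]` unless `[AllowEmptyString()]` is present) and only `$vaultName` actually takes a default. The header comment `# Create key vault resources` duplicates the one on the neighbouring `Create-KeyVault`; suggest `# Create a key vault in access-policy mode and grant the given user-assigned identity's principal access to keys and secrets, as used by ADE with a managed identity`. The commented-out `#KeyEncryptionKeyUrl = $kek.Key.kid` line inside the returned object is dead and should be dropped.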
Expand Up @@ -156,6 +156,33 @@ public void TestAzureDiskEncryptionLnxManagedDisk()
TestRunner.RunTestScript("Test-AzureDiskEncryptionLnxManagedDisk");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void TestAzureDiskEncryptionWithEncryptionIdentityAddedInAzVmConfig()
{
TestRunner.RunTestScript("Test-AzureDiskEncryptionWithEncryptionIdentityAddedInAzVmConfig");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void TestAzureDiskEncryptionWithEncryptionIdentityAddedInSetADECmdlet()
{
TestRunner.RunTestScript("Test-AzureDiskEncryptionWithEncryptionIdentityAddedInSetADECmdlet");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void TestAzureDiskEncryptionWithIdentityNotSetInVirtualMachine()
{
TestRunner.RunTestScript("Test-AzureDiskEncryptionWithIdentityNotSetInVirtualMachine");
}
[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void TestAzureDiskEncryptionWithIdentityNotAckledInKeyVault()
{
TestRunner.RunTestScript("Test-AzureDiskEncryptionWithIdentityNotAckledInKeyVault");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void TestVirtualMachineBginfoExtension()
Expand Down

Large diffs are not rendered by default.

14 changes: 14 additions & 0 deletions src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs
Expand Up @@ -675,5 +675,19 @@ public void TestVMSetAzOSCredentialNullRef()
{
TestRunner.RunTestScript("Test-VMSetAzOSCredentialNullRef");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void TestAddEncryptionIdentityInAzureVmConfig()
{
TestRunner.RunTestScript("Test-AddEncryptionIdentityInAzureVmConfig");
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void TestEncryptionIdentityNotPartOfAssignedIdentitiesInAzureVm()
{
TestRunner.RunTestScript("Test-EncryptionIdentityNotPartOfAssignedIdentitiesInAzureVm");
}
}
}
162 changes: 162 additions & 0 deletions src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1
Expand Up @@ -7727,3 +7727,165 @@ function Test-VMwithSSHKeyEd25519
Clean-ResourceGroup $rgname;
}
}

<#
.SYNOPSIS
Test Test-AddEncryptionIdentityInAzureVmConfig add encryptionIdentity for Azure disk encryption using managed Identity.
#>
function Test-AddEncryptionIdentityInAzureVmConfig{
$rgName = Get-ComputeTestResourceName;
try {
# create virtual machine
$loc = "eastus2euap";
New-AzResourceGroup -Name $rgname -Location $loc -Force;
# VM Profile & Hardware
$vmsize = 'Standard_D2S_V3';
$vmname = 'vm' + $rgname;
$imagePublisher = "RedHat";
$imageOffer = "RHEL";
$imageSku = "92-gen2";
$encIdentity = "/subscriptions/759532d8-9991-4d04-878f-49f0f4804906/resourceGroups/linuxRhel-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testingazmsi";
$p = New-AzVMConfig -VMName $vmname -VMSize $vmsize -EncryptionIdentity $encIdentity -IdentityType UserAssigned -IdentityId $encIdentity;

Assert-AreEqual $p.HardwareProfile.VmSize $vmsize;
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix "10.0.0.0/24";
$vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
$vnet = Get-AzVirtualNetwork -Name ('vnet' + $rgname) -ResourceGroupName $rgname;
$subnetId = $vnet.Subnets[0].Id;
$pubip = New-AzPublicIpAddress -Force -Name ('pubip' + $rgname) -ResourceGroupName $rgname -Location $loc -AllocationMethod Static -DomainNameLabel ('pubip' + $rgname);
$pubip = Get-AzPublicIpAddress -Name ('pubip' + $rgname) -ResourceGroupName $rgname;
$pubipId = $pubip.Id;
$nic = New-AzNetworkInterface -Force -Name ('nic' + $rgname) -ResourceGroupName $rgname -Location $loc -SubnetId $subnetId -PublicIpAddressId $pubip.Id;
$nic = Get-AzNetworkInterface -Name ('nic' + $rgname) -ResourceGroupName $rgname;
$nicId = $nic.Id;
Write-Verbose "Completed one instances";
$p = Add-AzVMNetworkInterface -VM $p -Id $nicId;
Assert-AreEqual $p.NetworkProfile.NetworkInterfaces.Count 1;
Assert-AreEqual $p.NetworkProfile.NetworkInterfaces[0].Id $nicId;

$osDiskName = 'linuxOsDisk';
$osDiskCaching = 'ReadWrite';
$osDiskVhdUri = "https://$stoname.blob.core.windows.net/test/linuxos.vhd";
$p = Set-AzVMOSDisk -VM $p -Name $osDiskName -Caching $osDiskCaching -CreateOption FromImage -Linux;
Assert-AreEqual $p.StorageProfile.OSDisk.Caching $osDiskCaching;
Assert-AreEqual $p.StorageProfile.OSDisk.Name $osDiskName;
# OS & Image
$user = "Foo12";
$password = $PLACEHOLDER;
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; <#[SuppressMessage("Microsoft.Security", "CS001:SecretInline", Justification="Credentials are used only for the duration of test. Resources are deleted at the end of the test.")]#>
$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);
$computerName = 'test';
$vhdContainer = "https://$stoname.blob.core.windows.net/test";

$p = Set-AzVMOperatingSystem -VM $p -Linux -ComputerName $computerName -Credential $cred -DisablePasswordAuthentication;
Write-Verbose "Adding SSH public key for VM"
$sshPublicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9tGj7bjzqid3QP5YpH2+YGK8Or2KRZLdNuRGiFqgefGEF4uZrsKXeRXAXS7ia5CdCSIu020PDR69nPZq3dEQGp8GNMKXvfIBIpI++BISbT1jPuMVwEnI4JESGI4ay1glh1JtbRzQsktNjUGUYDxoOAYbtj3GU5lvw2CJ5WmobtcQbXLHWYqdDmTZQ7ry7l6GCjJSzye4IkwlQoGUql/T2iU2bLQyOCsFzcDEzFv6hVR8iFcV+eOJNHIkjCQz3Bw+tOTZbHMz1G95tSswdkrdwfMvR8fkWmby39lnFC+I7xcySQI6FMzaQZ7bA0tFGpp1JoThy5J5hBak5yOTqGBYL dummy@cc-1b92760a-6bb78476c6-h5cwh";
$sshPath = "/home/" + $user + "/.ssh/authorized_keys"
Add-AzVMSshPublicKey -VM $p -KeyData $sshPublicKey -Path $sshPath
Write-Verbose "Added SSH public key successfully."
$p = Set-AzVMSourceImage -VM $p -PublisherName $imagePublisher -Offer $imageOffer -Skus $imageSku -Version "latest"
Assert-AreEqual $p.OSProfile.AdminUsername $user;
Assert-AreEqual $p.OSProfile.ComputerName $computerName;
Assert-AreEqual $p.OSProfile.AdminPassword $password;
Assert-AreEqual $p.StorageProfile.ImageReference.Offer $imageOffer;
Assert-AreEqual $p.StorageProfile.ImageReference.Publisher $imagePublisher;
Assert-AreEqual $p.StorageProfile.ImageReference.Sku $imageSku;
$p = Set-AzVMBootDiagnostic -VM $p -Disable

# Virtual Machine
New-AzVM -ResourceGroupName $rgname -Location $loc -VM $p;
$vm = Get-AzVM -ResourceGroupName $rgname -Name $vmname;
Write-Verbose "The value of the variable is: $vm"
Assert-AreEqual $vmname $vm.Name;
Assert-AreEqual "UserAssigned" $vm.Identity.Type
Assert-NotNull $vm.Identity.UserAssignedIdentities
Assert-AreEqual 1 $vm.Identity.UserAssignedIdentities.Count
Assert-True { $vm.Identity.UserAssignedIdentities.ContainsKey($encIdentity) }
Assert-NotNull $vm.Identity.UserAssignedIdentities[$encIdentity].PrincipalId
Assert-NotNull $vm.Identity.UserAssignedIdentities[$encIdentity].ClientId
Write-Verbose $vm.SecurityProfile;
Assert-NotNull $vm.SecurityProfile.EncryptionIdentity
Assert-AreEqual $encIdentity $vm.SecurityProfile.EncryptionIdentity.UserAssignedIdentityResourceId

}
finally {
clean-ResourceGroup $rgName;
}
}

<#
.SYNOPSIS
Test Test-EncryptionIdentityNotPartOfAssignedIdentitiesInAzureVm Throw Exceptions if the EncryptionIdentity
is not a part of assignedIdentities in a VM.
#>
function Test-EncryptionIdentityNotPartOfAssignedIdentitiesInAzureVm{
$rgName = Get-ComputeTestResourceName;
try {
# create virtual machine
$loc = "eastus2euap";
New-AzResourceGroup -Name $rgname -Location $loc -Force;
# VM Profile & Hardware
$vmsize = 'Standard_D2S_V3';
$vmname = 'vm' + $rgname;
$imagePublisher = "RedHat";
$imageOffer = "RHEL";
$imageSku = "92-gen2";
$assignedIdentity = "/subscriptions/759532d8-9991-4d04-878f-49f0f4804906/resourceGroups/linuxRhel-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testingazmsi";
$encIdentity = "/subscriptions/759532d8-9991-4d04-878f-49f0f4804906/resourceGroups/linuxRhel-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testcliIdentity"
$p = New-AzVMConfig -VMName $vmname -VMSize $vmsize -EncryptionIdentity $encIdentity -IdentityType UserAssigned -IdentityId $assignedIdentity;

Assert-AreEqual $p.HardwareProfile.VmSize $vmsize;
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix "10.0.0.0/24";
$vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
$vnet = Get-AzVirtualNetwork -Name ('vnet' + $rgname) -ResourceGroupName $rgname;
$subnetId = $vnet.Subnets[0].Id;
$pubip = New-AzPublicIpAddress -Force -Name ('pubip' + $rgname) -ResourceGroupName $rgname -Location $loc -AllocationMethod Static -DomainNameLabel ('pubip' + $rgname);
$pubip = Get-AzPublicIpAddress -Name ('pubip' + $rgname) -ResourceGroupName $rgname;
$pubipId = $pubip.Id;
$nic = New-AzNetworkInterface -Force -Name ('nic' + $rgname) -ResourceGroupName $rgname -Location $loc -SubnetId $subnetId -PublicIpAddressId $pubip.Id;
$nic = Get-AzNetworkInterface -Name ('nic' + $rgname) -ResourceGroupName $rgname;
$nicId = $nic.Id;
Write-Verbose "Completed one instances";
$p = Add-AzVMNetworkInterface -VM $p -Id $nicId;
Assert-AreEqual $p.NetworkProfile.NetworkInterfaces.Count 1;
Assert-AreEqual $p.NetworkProfile.NetworkInterfaces[0].Id $nicId;

$osDiskName = 'linuxOsDisk';
$osDiskCaching = 'ReadWrite';
$osDiskVhdUri = "https://$stoname.blob.core.windows.net/test/linuxos.vhd";
$p = Set-AzVMOSDisk -VM $p -Name $osDiskName -Caching $osDiskCaching -CreateOption FromImage -Linux;
Assert-AreEqual $p.StorageProfile.OSDisk.Caching $osDiskCaching;
Assert-AreEqual $p.StorageProfile.OSDisk.Name $osDiskName;
# OS & Image
$user = "Foo12";
$password = $PLACEHOLDER;
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force; <#[SuppressMessage("Microsoft.Security", "CS001:SecretInline", Justification="Credentials are used only for the duration of test. Resources are deleted at the end of the test.")]#>
$cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);
$computerName = 'test';
$vhdContainer = "https://$stoname.blob.core.windows.net/test";

$p = Set-AzVMOperatingSystem -VM $p -Linux -ComputerName $computerName -Credential $cred -DisablePasswordAuthentication;
Write-Verbose "Adding SSH public key for VM"
$sshPublicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9tGj7bjzqid3QP5YpH2+YGK8Or2KRZLdNuRGiFqgefGEF4uZrsKXeRXAXS7ia5CdCSIu020PDR69nPZq3dEQGp8GNMKXvfIBIpI++BISbT1jPuMVwEnI4JESGI4ay1glh1JtbRzQsktNjUGUYDxoOAYbtj3GU5lvw2CJ5WmobtcQbXLHWYqdDmTZQ7ry7l6GCjJSzye4IkwlQoGUql/T2iU2bLQyOCsFzcDEzFv6hVR8iFcV+eOJNHIkjCQz3Bw+tOTZbHMz1G95tSswdkrdwfMvR8fkWmby39lnFC+I7xcySQI6FMzaQZ7bA0tFGpp1JoThy5J5hBak5yOTqGBYL dummy@cc-1b92760a-6bb78476c6-h5cwh";
$sshPath = "/home/" + $user + "/.ssh/authorized_keys"
Add-AzVMSshPublicKey -VM $p -KeyData $sshPublicKey -Path $sshPath
Write-Verbose "Added SSH public key successfully."
$p = Set-AzVMSourceImage -VM $p -PublisherName $imagePublisher -Offer $imageOffer -Skus $imageSku -Version "latest"
Assert-AreEqual $p.OSProfile.AdminUsername $user;
Assert-AreEqual $p.OSProfile.ComputerName $computerName;
Assert-AreEqual $p.OSProfile.AdminPassword $password;
Assert-AreEqual $p.StorageProfile.ImageReference.Offer $imageOffer;
Assert-AreEqual $p.StorageProfile.ImageReference.Publisher $imagePublisher;
Assert-AreEqual $p.StorageProfile.ImageReference.Sku $imageSku;
$p = Set-AzVMBootDiagnostic -VM $p -Disable

# Virtual Machine
Assert-ThrowsContains {New-AzVM -ResourceGroupName $rgname -Location $loc -VM $p} `
"Encryption Identity should be an ARM Resource ID of one of the user assigned identities associated to the resource";

}
finally {
clean-ResourceGroup $rgName;
}
}
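Review bot: `$osDiskVhdUri = "https://$stoname.blob.core.windows.net/test/linuxos.vhd"` and `$vhdContainer` interpolate `$stoname`, which is never assigned in either new function, and `$pubipId` is assigned but never read; in both `Test-AddEncryptionIdentityInAzureVmConfig` and `Test-EncryptionIdentityNotPartOfAssignedIdentitiesInAzureVm` these look like residue from a storage-backed test and should be removed so the scripts do not depend on an undefined variable. The two functions otherwise share roughly sixty identical lines of VM-config setup and differ only in the identity passed to `-IdentityId` and in whether `New-AzVM` is expected to succeed or throw, so a shared helper taking the identity IDs would keep the expected-failure case from drifting away from the success case. Both tests also hardcode a user-assigned identity under one specific subscription, so, if I read the harness correctly, they can run live only against that subscription and are otherwise replayable solely from recordings; a comment next to `$encIdentity` stating that prerequisite would save the next maintainer a failed run. Minor: `clean-ResourceGroup` is written in lower case here while the line just above the hunk uses `Clean-ResourceGroup`.
```powershell
# Builds the VM config shared by the encryption-identity tests; the caller supplies
# the identity used for -EncryptionIdentity and the one assigned to the VM.
function New-EncryptionIdentityTestVMConfig {
    param([string] $rgname, [string] $loc, [string] $vmname, [string] $encIdentity, [string] $assignedIdentity)
    $p = New-AzVMConfig -VMName $vmname -VMSize 'Standard_D2S_V3' -EncryptionIdentity $encIdentity -IdentityType UserAssigned -IdentityId $assignedIdentity;
    # … unchanged: network interface, OS disk, OS profile, SSH key, source image, boot diagnostics …
    return $p;
}

# in Test-AddEncryptionIdentityInAzureVmConfig
$p = New-EncryptionIdentityTestVMConfig $rgname $loc $vmname $encIdentity $encIdentity;
# in Test-EncryptionIdentityNotPartOfAssignedIdentitiesInAzureVm
$p = New-EncryptionIdentityTestVMConfig $rgname $loc $vmname $encIdentity $assignedIdentity;
```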

