12 changes: 8 additions & 4 deletions src/azure-cli/azure/cli/command_modules/vm/custom.py
Expand Up @@ -1141,7 +1141,8 @@ def create_vm(cmd, vm_name, resource_group_name, image=None, size='Standard_DS1_
# Guest Attestation Extension and enable System Assigned MSI by default
is_trusted_launch = security_type and security_type.lower() == 'trustedlaunch' and\
enable_vtpm and enable_secure_boot
if is_trusted_launch and enable_integrity_monitoring:
is_confidential_vm = security_type and security_type.lower() == 'confidentialvm'
if (is_trusted_launch or is_confidential_vm) and enable_integrity_monitoring:
vm = get_vm(cmd, resource_group_name, vm_name, 'instanceView')
client = _compute_client_factory(cmd.cli_ctx)
if vm.storage_profile.os_disk.os_type == 'Linux':
Expand All @@ -1164,7 +1165,8 @@ def create_vm(cmd, vm_name, resource_group_name, image=None, size='Standard_DS1_
logger.info('Guest Attestation Extension has been successfully installed by default '
'when Trusted Launch configuration is met')
except Exception as e:
logger.error('Failed to install Guest Attestation Extension for Trusted Launch. %s', e)
error_type = "Trusted Launch" if is_trusted_launch else "Confidential VM"
logger.error('Failed to install Guest Attestation Extension for %s. %s', error_type, e)
if count:
vm_names = [vm_name + str(i) for i in range(count)]
else:
Expand Down Expand Up @@ -3618,7 +3620,8 @@ def _get_public_ip_address_allocation(value, sku):
# Guest Attestation Extension and enable System Assigned MSI by default
is_trusted_launch = security_type and security_type.lower() == 'trustedlaunch' and\
enable_vtpm and enable_secure_boot
if is_trusted_launch and enable_integrity_monitoring:
is_confidential_vm = security_type and security_type.lower() == 'confidentialvm'
if (is_trusted_launch or is_confidential_vm) and enable_integrity_monitoring:
client = _compute_client_factory(cmd.cli_ctx)
vmss = client.virtual_machine_scale_sets.get(resource_group_name, vmss_name)
vmss.virtual_machine_profile.storage_profile.image_reference = None
Expand Down Expand Up @@ -3651,7 +3654,8 @@ def _get_public_ip_address_allocation(value, sku):
LongRunningOperation(cmd.cli_ctx)(client.virtual_machine_scale_sets.begin_update_instances(
resource_group_name, vmss_name, instance_ids))
except Exception as e:
logger.error('Failed to install Guest Attestation Extension for Trusted Launch. %s', e)
error_type = "Trusted Launch" if is_trusted_launch else "Confidential VM"
logger.error('Failed to install Guest Attestation Extension for %s. %s', error_type, e)

return deployment_result
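Review bot: The success message in the VM path still reads 'when Trusted Launch configuration is met' (the `logger.info` just above the updated `except` in the second hunk), so a Confidential VM install is now logged under the wrong security type. Computing the label once beside `is_confidential_vm`, e.g. `security_label = "Trusted Launch" if is_trusted_launch else "Confidential VM"`, and passing it to both the `logger.info` and `logger.error` calls would keep the two messages in step; the scale-set path may need the same change if it has a matching success log outside the visible lines. Separately, the `except Exception` in both paths only logs, so a Confidential VM created with integrity monitoring requested can end up without the Guest Attestation Extension while the command still returns the deployment result. Consider stating in the error text that the resource was created without the extension, so operators do not assume attestation is in place. Both enclosing functions start and end outside the hunks shown.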
