From fb780d324ff4ac654e57e738337c96cc7d899320 Mon Sep 17 00:00:00 2001 From: songlu <442586197@qq.com> Date: Thu, 21 Jul 2022 14:41:01 +0800 Subject: [PATCH 1/6] warning log --- src/azure-cli/azure/cli/command_modules/vm/_validators.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/azure-cli/azure/cli/command_modules/vm/_validators.py b/src/azure-cli/azure/cli/command_modules/vm/_validators.py index b7529b8f900..d47a61283e6 100644 --- a/src/azure-cli/azure/cli/command_modules/vm/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/vm/_validators.py @@ -1300,6 +1300,9 @@ def _validate_vm_vmss_msi(cmd, namespace, is_identity_assign=False): def _enable_msi_for_trusted_launch(namespace): # Enable system assigned msi by default when Trusted Launch configuration is met + if namespace.security_type.lower() == 'trustedlaunch': + logger.warning('Please set --enable-secure-boot to True and --enable-vtpm to True in order to receive the full' + ' suite of security features that comes with Trusted Launch.') is_trusted_launch = namespace.security_type and namespace.security_type.lower() == 'trustedlaunch' \ and namespace.enable_vtpm and namespace.enable_secure_boot if is_trusted_launch and not namespace.disable_integrity_monitoring: From 6d1c4536a92661fd628de403082f008edff53735 Mon Sep 17 00:00:00 2001 From: songlu <442586197@qq.com> Date: Thu, 21 Jul 2022 15:13:30 +0800 Subject: [PATCH 2/6] Update _validators.py --- src/azure-cli/azure/cli/command_modules/vm/_validators.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/azure-cli/azure/cli/command_modules/vm/_validators.py b/src/azure-cli/azure/cli/command_modules/vm/_validators.py index d47a61283e6..72bdcc63e41 100644 --- a/src/azure-cli/azure/cli/command_modules/vm/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/vm/_validators.py 
@@ -1300,7 +1300,8 @@ def _validate_vm_vmss_msi(cmd, namespace, is_identity_assign=False): def _enable_msi_for_trusted_launch(namespace): # Enable system assigned msi by default when Trusted Launch configuration is met - if namespace.security_type.lower() == 'trustedlaunch': + if namespace.security_type.lower() == 'trustedlaunch' and \ + (namespace.enable_vtpm != True or namespace.enable_secure_boot != True): logger.warning('Please set --enable-secure-boot to True and --enable-vtpm to True in order to receive the full' ' suite of security features that comes with Trusted Launch.') is_trusted_launch = namespace.security_type and namespace.security_type.lower() == 'trustedlaunch' \ From 61e52be13925ca72bb1664ca66b4ef1ec64968e6 Mon Sep 17 00:00:00 2001 From: songlu <442586197@qq.com> Date: Thu, 21 Jul 2022 16:11:09 +0800 Subject: [PATCH 3/6] Update _validators.py --- src/azure-cli/azure/cli/command_modules/vm/_validators.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/vm/_validators.py b/src/azure-cli/azure/cli/command_modules/vm/_validators.py index 72bdcc63e41..2bf50edb13e 100644 --- a/src/azure-cli/azure/cli/command_modules/vm/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/vm/_validators.py 
@@ -1300,8 +1300,8 @@ def _validate_vm_vmss_msi(cmd, namespace, is_identity_assign=False): def _enable_msi_for_trusted_launch(namespace): # Enable system assigned msi by default when Trusted Launch configuration is met - if namespace.security_type.lower() == 'trustedlaunch' and \ - (namespace.enable_vtpm != True or namespace.enable_secure_boot != True): + if namespace.security_type and namespace.security_type.lower() == 'trustedlaunch' and \ + (namespace.enable_vtpm is not True or namespace.enable_secure_boot is not True): logger.warning('Please set --enable-secure-boot to True and --enable-vtpm to True in order to receive the full' ' suite of security features that comes with Trusted Launch.') is_trusted_launch = namespace.security_type and namespace.security_type.lower() == 'trustedlaunch' \ From de6aa39748a8532a4b29e7b5cfbf3f491347243a Mon Sep 17 00:00:00 2001 From: songlu <442586197@qq.com> Date: Thu, 21 Jul 2022 17:50:28 +0800 Subject: [PATCH 4/6] Update _validators.py --- .../azure/cli/command_modules/vm/_validators.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/vm/_validators.py b/src/azure-cli/azure/cli/command_modules/vm/_validators.py index 2bf50edb13e..6617c50f16d 100644 --- a/src/azure-cli/azure/cli/command_modules/vm/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/vm/_validators.py 
@@ -1300,10 +1300,6 @@ def _validate_vm_vmss_msi(cmd, namespace, is_identity_assign=False): def _enable_msi_for_trusted_launch(namespace): # Enable system assigned msi by default when Trusted Launch configuration is met - if namespace.security_type and namespace.security_type.lower() == 'trustedlaunch' and \ - (namespace.enable_vtpm is not True or namespace.enable_secure_boot is not True): - logger.warning('Please set --enable-secure-boot to True and --enable-vtpm to True in order to receive the full' - ' suite of security features that comes with Trusted Launch.') is_trusted_launch = namespace.security_type and namespace.security_type.lower() == 'trustedlaunch' \ and namespace.enable_vtpm and namespace.enable_secure_boot if is_trusted_launch and not namespace.disable_integrity_monitoring: @@ -1315,6 +1311,16 @@ def _enable_msi_for_trusted_launch(namespace): namespace.assign_identity.append(MSI_LOCAL_ID) +def _validate_trusted_launch(namespace): + if not namespace.security_type: + return + + if namespace.security_type.lower() == 'trustedlaunch' and \ + (namespace.enable_vtpm is not True or namespace.enable_secure_boot is not True): + logger.warning('Please set --enable-secure-boot to True and --enable-vtpm to True in order to receive the full' + ' suite of security features that comes with Trusted Launch.') + + def _validate_vm_vmss_set_applications(cmd, namespace): # pylint: disable=unused-argument if namespace.application_configuration_overrides and \ len(namespace.application_version_ids) != len(namespace.application_configuration_overrides): @@ -1386,6 +1392,7 @@ def process_vm_create_namespace(cmd, namespace): if namespace.secrets: _validate_secrets(namespace.secrets, namespace.os_type) + _validate_trusted_launch(namespace) _validate_vm_vmss_msi(cmd, namespace) if namespace.boot_diagnostics_storage: namespace.boot_diagnostics_storage = get_storage_blob_uri(cmd.cli_ctx, namespace.boot_diagnostics_storage) 
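Review bot: The new `_validate_trusted_launch` (second hunk) only warns, and the warning understates what is actually lost: the first hunk of this patch shows `_enable_msi_for_trusted_launch` computing `is_trusted_launch` as TrustedLaunch AND `enable_vtpm` AND `enable_secure_boot`, so a VM created with `--security-type TrustedLaunch` but either flag unset is also silently skipped for the integrity-monitoring identity assignment, and creation proceeds with a partial configuration. The helper has no docstring; I would add `"""Warn when TrustedLaunch is requested without both Secure Boot and vTPM; creation still proceeds and integrity monitoring is not enabled."""`. The message should say the same, e.g. extend it with `' Without both, integrity monitoring will not be enabled.'`. The `is not True` comparisons presumably rely on the three-state flags parsing to real booleans rather than strings — confirm, since a string value would always trigger the warning.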
@@ -1679,6 +1686,7 @@ def process_vmss_create_namespace(cmd, namespace): _validate_vmss_create_nsg(cmd, namespace) _validate_vm_vmss_accelerated_networking(cmd.cli_ctx, namespace) _validate_vm_vmss_create_auth(namespace, cmd) + _validate_trusted_launch(namespace) _validate_vm_vmss_msi(cmd, namespace) _validate_proximity_placement_group(cmd, namespace) _validate_vmss_terminate_notification(cmd, namespace) From ba839791beab5caca237ab04d441821ac9ce4649 Mon Sep 17 00:00:00 2001 From: songlu <442586197@qq.com> Date: Fri, 22 Jul 2022 10:28:11 +0800 Subject: [PATCH 5/6] Update _validators.py --- .../azure/cli/command_modules/vm/_validators.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/vm/_validators.py b/src/azure-cli/azure/cli/command_modules/vm/_validators.py index 6617c50f16d..8c0ae10165b 100644 --- a/src/azure-cli/azure/cli/command_modules/vm/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/vm/_validators.py @@ -1312,13 +1312,12 @@ def _enable_msi_for_trusted_launch(namespace): def _validate_trusted_launch(namespace): - if not namespace.security_type: + if not namespace.security_type or namespace.security_type.lower() != 'trustedlaunch': return - if namespace.security_type.lower() == 'trustedlaunch' and \ - (namespace.enable_vtpm is not True or namespace.enable_secure_boot is not True): - logger.warning('Please set --enable-secure-boot to True and --enable-vtpm to True in order to receive the full' - ' suite of security features that comes with Trusted Launch.') + if not namespace.enable_vtpm or not namespace.enable_secure_boot: + logger.warning('It is recommended to specify "--enable-secure-boot True" and "--enable-secure-boot True"' + ' to receive the full suite of security features that comes with Trusted Launch.') def _validate_vm_vmss_set_applications(cmd, namespace): # pylint: disable=unused-argument From 8a0279c3dd57184f6dc5ae242685b88b399afc05 Mon Sep 17 00:00:00 2001 
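Review bot: The `_validate_trusted_launch(namespace)` call added here near line 1686 of `process_vmss_create_namespace` is joined by a second call to the same function near line 1596 of the same function in PATCH 6/6 ("flex vmss"), and nothing visible in this series guards the two against each other. Unless an early return (presumably the Flexible-orchestration path) sits between them, a Uniform VMSS create would emit the warning twice, and the later call is redundant with the earlier one. If the earlier call is meant to cover the flex path, the call on this line can be dropped; otherwise a one-line comment at each site saying which orchestration mode it serves would stop the next reader from deleting one by mistake. The body of `process_vmss_create_namespace` starts and ends outside this hunk, so I cannot see the control flow between the two sites.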
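Review bot: The rewritten warning in `_validate_trusted_launch` names `"--enable-secure-boot True"` twice and never mentions vTPM, so the operator is steered to a setting that still fails the `enable_vtpm` half of the `is_trusted_launch` check in `_enable_msi_for_trusted_launch` (visible in PATCH 4/6) and still does not get integrity monitoring. The second occurrence should read `"--enable-vtpm True"`: `logger.warning('It is recommended to specify "--enable-secure-boot True" and "--enable-vtpm True"'` followed by the unchanged continuation line `' to receive the full suite of security features that comes with Trusted Launch.')`. The switch from `is not True` to plain truthiness (`not namespace.enable_vtpm`) also makes the check fire for `None` and `False` alike, which matches the intent; a short comment such as `# unset (None) and explicit False are both treated as "not enabled"` would make that deliberate.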
From: songlu <442586197@qq.com> Date: Fri, 22 Jul 2022 10:32:23 +0800 Subject: [PATCH 6/6] flex vmss --- src/azure-cli/azure/cli/command_modules/vm/_validators.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/azure-cli/azure/cli/command_modules/vm/_validators.py b/src/azure-cli/azure/cli/command_modules/vm/_validators.py index 8c0ae10165b..0086156951a 100644 --- a/src/azure-cli/azure/cli/command_modules/vm/_validators.py +++ b/src/azure-cli/azure/cli/command_modules/vm/_validators.py @@ -1596,6 +1596,7 @@ def process_vmss_create_namespace(cmd, namespace): if namespace.vm_sku and not namespace.image: raise ArgumentUsageError('usage error: please specify the --image when you want to specify the VM SKU') + _validate_trusted_launch(namespace) if namespace.image: if namespace.vm_sku is None: