Disk Access changes (#12673)

* baseline work * New-AzDiskAccess Remove-AzDiskAccess * New cmdlets * New disk config (#12665) * Checking in changes * checking in changes * new cmdlets * help docs * help docs * fix errors * update help * Checking in SnapshotConfigTests * remove Online: lines from help doc * remove online line * Disk access (#12713) * comments remain, committing so others can see content. * New-AzDiskEncryptionSetConfig dev and testing * New-AzDiskEncryptionSetConfig changelog and help doc Co-authored-by: Adam Sandor <[email protected]> * clean up test * changelog.md * adding parameters to New-AzDiskUpdateConfig * Improving default testing of New-AzDiskEncryptionSetConfig EncryptionType param (#12759) * Improving default testing * update recorded test file * correcting incorrect copy and paste to Test-DiskAccessObject test * Addressing review comments * Update ChangeLog.md * Update New-AzDiskEncryptionSetConfig.md * add argument completer Co-authored-by: Theodore Chang <[email protected]> Co-authored-by: Adam Sandor <[email protected]> Co-authored-by: Jin Lei <[email protected]>
Azure · Sep 4, 2020 · 6a8b914 · 6a8b914
1 parent e2f6357
commit 6a8b914
Show file tree

Hide file tree

Showing 31 changed files with 8,169 additions and 15 deletions.
diff --git a/src/Compute/Compute.Test/ScenarioTests/DiskRPTests.cs b/src/Compute/Compute.Test/ScenarioTests/DiskRPTests.cs
@@ -65,5 +65,34 @@ public void TestDiskEncryptionSet()
         {
             TestRunner.RunTestScript("Test-DiskEncryptionSet");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestDiskEncryptionSetConfigEncryptionType()
+        {
+            TestRunner.RunTestScript("Test-DiskEncryptionSetConfigEncryptionType");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestDiskAccessObject()
+        {
+            TestRunner.RunTestScript("Test-DiskAccessObject");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestDiskConfigDiskAccessNetworkAccess()
+        {
+            TestRunner.RunTestScript("Test-DiskConfigDiskAccessNetworkAccess");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestSnapshotConfigDiskAccessNetworkPolicy()
+        {
+            TestRunner.RunTestScript("Test-SnapshotConfigDiskAccessNetworkPolicy");
+        }
+
     }
 }
diff --git a/src/Compute/Compute.Test/ScenarioTests/DiskRPTests.ps1 b/src/Compute/Compute.Test/ScenarioTests/DiskRPTests.ps1
@@ -921,3 +921,250 @@ function Test-DiskEncryptionSet
         $encSet | Remove-AzDiskEncryptionSet -Force;
     }
 }
+
+<#
+.SYNOPSIS
+Testing the EncryptionType parameter passed to the Config obejct is inherited by an associated DiskEncryptionSet object. 
+#>
+function Test-DiskEncryptionSetConfigEncryptionType
+{
+    # Setup
+    $loc = 'centraluseuap';
+    $rgname = 'adamGroupDES7';
+    $encryptionName = "enc" + $rgname;
+
+    $vaultName1 = 'kv15' + $rgname ;
+    $vaultName2 = 'kv16' + $rgname ;
+
+    try
+    {
+        <#
+        # 
+        # Note: In order to record this test, you need to run the following commands to create KeyValut key and KeyVault secret in a separate Powershell window.
+        #
+        Note: In order to record this test, you need to run the following commands to create KeyValut key and KeyVault secret in a separate Powershell window.
+        $vaultName1 = 'kv15' + $rgname ;
+        $kekName1 = 'kek15' + $rgname;
+        $secretname1 = 'mysecret15';
+        $secretdata1 = 'mysecretvalue15';
+        $securestring1 = ConvertTo-SecureString $secretdata1 -Force -AsPlainText;
+
+        $vaultName2 = 'kv16' + $rgname;
+        $kekName2 = 'kek15' + $rgname; #not a typo
+        $secretname2 = 'mysecret16';
+        $secretdata2 = 'mysecretvalue16';
+        $securestring2 = ConvertTo-SecureString $secretdata1 -Force -AsPlainText;
+
+        New-AzResourceGroup -Name $rgname -Location $loc -Force;
+        $vault1 = New-AzKeyVault -VaultName $vaultName1 -ResourceGroupName $rgname -Location $loc -Sku Standard;
+        $vault2 = New-AzKeyVault -VaultName $vaultName2 -ResourceGroupName $rgname -Location $loc -Sku Standard;
+        $mocksourcevault1 = $vault1.ResourceId;
+        $mocksourcevault2 = $vault2.ResourceId;
+        $userPrincipalName = (Get-AzContext).Account.Id;
+        Set-AzKeyVaultAccessPolicy -VaultName $vaultName1 -ResourceGroupName $rgname -EnabledForDiskEncryption;
+        Set-AzKeyVaultAccessPolicy -VaultName $vaultName2 -ResourceGroupName $rgname -EnabledForDiskEncryption;
+        $kek1 = Add-AzKeyVaultKey -VaultName $vaultName1 -Name $kekName1 -Destination "Software";
+        $kek2 = Add-AzKeyVaultKey -VaultName $vaultName2 -Name $kekName2 -Destination "Software";
+        $secret1 = Set-AzKeyVaultSecret -VaultName $vaultName1 -Name $secretname1 -SecretValue $securestring1;
+        $secret2 = Set-AzKeyVaultSecret -VaultName $vaultName2 -Name $secretname2 -SecretValue $securestring2;
+        $mockkey1 = $kek1.Id
+        $mockkey2 = $kek2.Id
+        #>
+
+        $mockkey1 = "https://kv15adamgroupdes7.vault.azure.net/keys/kek15adamGroupDES7/74332f302a0e48999415f6f9bbf7430c";
+        $mockkey2 = "https://kv16adamgroupdes7.vault.azure.net/keys/kek15adamGroupDES7/84412eaa63f344bf8a1b15612f2b36cb";
+        $subId = Get-SubscriptionIdFromResourceGroup $rgname;
+        $mocksourcevault1 = '/subscriptions/' + $subId + '/resourceGroups/' + $rgname + '/providers/Microsoft.KeyVault/vaults/' + $vaultName1;
+        $mocksourcevault2 = '/subscriptions/' + $subId + '/resourceGroups/' + $rgname + '/providers/Microsoft.KeyVault/vaults/' + $vaultName2;
+
+        $encryptionType = "EncryptionAtRestWithPlatformAndCustomerKeys";
+
+        $encSetConfig = New-AzDiskEncryptionSetConfig -Location $loc -EncryptionType $encryptionType;
+
+        $encSetConfigValues = New-AzDiskEncryptionSetConfig -Location $loc -KeyUrl $mockkey1 -SourceVaultId $mocksourcevault1 -EncryptionType $encryptionType -IdentityType "SystemAssigned" `
+
+        $encSet = New-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $encryptionName -DiskEncryptionSet $encSetConfigValues;
+
+        Assert-NotNull $encSetConfig;
+        Assert-AreEqual $encSetConfig.EncryptionType $encryptionType;
+
+        Assert-NotNull $encSet;
+        Assert-AreEqual $encryptionType $encSet.EncryptionType;
+
+        # Test default EncryptionType value
+        $encSetConfigDefault = New-AzDiskEncryptionSetConfig -Location $loc -KeyUrl $mockkey2 -SourceVaultId $mocksourcevault2 -IdentityType "SystemAssigned";
+        Assert-NotNull $encSetConfigDefault;
+        Assert-AreEqual $encSetDefaultConfig.EncryptionType $null;
+
+        $encryptionNameDefault = $encryptionName + "Default";
+        $encryptionTypeDefault = "EncryptionAtRestWithCustomerKey";
+
+        $encSetDefault = New-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $encryptionNameDefault -DiskEncryptionSet $encSetConfigDefault;
+        Assert-NotNull $encSetDefault;
+        Assert-AreEqual $encSetDefault.EncryptionType $encryptionTypeDefault;
+
+    }
+    finally
+    {
+        # Cleanup
+        $encSet | Remove-AzDiskEncryptionSet -Force;
+        $encSetDefault | Remove-AzDiskEncryptionSet -Force;
+    }
+}
+
+<#
+.SYNOPSIS
+Testing diskAssess object
+#>
+function Test-DiskAccessObject
+{
+    $rgname = Get-ComputeTestResourceName;
+    $rgname2 = $rgname + '2';
+    $diskname1Rg1 = 'diskaccess1' + $rgname;
+    $diskName2Rg1 = 'diskAccess2' + $rgname;
+    $diskName3Rg2 = 'diskAccess1' + $rgname2;
+
+    try
+    {
+        # Common
+        $loc = "northcentralus";
+        New-AzResourceGroup -Name $rgname -Location $loc -Force;
+        New-AzResourceGroup -Name $rgname2 -Location $loc -Force;
+
+        #Create DiskAccess1 in ResourceGroup1
+        New-AzDiskAccess -ResourceGroupName $rgname -Name $diskname1Rg1 -location $loc
+
+        #Use Get-AzDiskAccess on DiskAccess1 using Default ParameterSet
+        $diskAccess1 = Get-AzDiskAccess -ResourceGroupName $rgname -Name $diskname1Rg1
+        #Use Get-AzDiskAccess on DiskAccess1 using resourceId
+        $diskAccess1check = Get-AzDiskAccess -resourceId $diskAccess1.id
+
+        #check if diskAccess1 is good
+        Assert-NotNull $diskAccess1
+        Assert-AreEqual $diskAccess1.Name $diskname1Rg1
+
+        #ASSERT check if diskaccess1 and diskaccess1check are same
+        Assert-AreEqual $diskAccess1.id $diskAccess1check.id
+
+        #Create DiskAccess2 in ResourceGroup1
+        New-AzDiskAccess -ResourceGroupName $rgname -Name $diskname2Rg1 -location $loc
+
+        #Use Get-AzDiskAccess by resourceGroupName
+        $rg1Result = Get-AzDiskAccess -ResourceGroupName $rgname
+
+        Assert-AreEqual $rg1Result.count 2
+
+        #add DiskAccess3 to ResourceGroup2
+        New-AzDiskAccess -ResourceGroupName $rgname2 -Name $diskname3Rg2 -location $loc
+
+        #use get-azdiskaccess with no parameters. count should be >= 3
+        $allResult = Get-AzDiskAccess
+
+        Assert-True {$allResult.Count -gt 2;}
+
+        #remove-AzDiskAccess to DiskAccess1 by resourceId
+        Remove-AzDiskAccess -resourceid $diskAccess1.id
+
+        #Remove-AzDiskAccess to DiskAccess2 by default parameter set
+        Remove-AzDiskAccess -ResourceGroupName $rgname -Name $diskname2Rg1
+
+        #Get-AzDiskAccess by resource group. Count should be 0
+        $allResult = Get-AzDiskAccess -ResourceGroupName $rgname
+
+        Assert-AreEqual $allResult.count 0
+
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+        Clean-ResourceGroup $rgname2
+    }
+}
+
+<#
+.SYNOPSIS
+Testing DiskConfig property NetworkAccessPolicy
+#>
+function Test-DiskConfigDiskAccessNetworkAccess
+{
+    # Setup
+    $rgname = Get-ComputeTestResourceName;
+    $diskname0 = 'disk0' + $rgname;
+
+    try
+    {
+        # Common
+        $loc = Get-ComputeVMLocation;
+        New-AzResourceGroup -Name $rgname -Location $loc -Force;
+
+        #Testing disk access
+        $diskAccess = New-AzDiskAccess -ResourceGroupName $rgname -Name "diskaccessname" -location $loc
+        $diskconfig = New-AzDiskConfig -Location $loc -SkuName 'Standard_LRS' -OsType 'Windows' `
+                                        -UploadSizeInBytes 35183298347520 -CreateOption 'Upload' -DiskAccessId $diskAccess.Id;
+        New-AzDisk -ResourceGroupName $rgname -DiskName $diskname0 -Disk $diskconfig;
+        $disk = Get-AzDisk -ResourceGroupName $rgname -DiskName $diskname0;
+
+        Assert-AreEqual $diskAccess.Id $disk.DiskAccessId;
+
+        Remove-AzDisk -ResourceGroupName $rgname -DiskName $diskname0 -Force;
+
+        $diskconfig2 = New-AzDiskConfig -Location $loc -SkuName 'Standard_LRS' -OsType 'Windows' `
+                                        -UploadSizeInBytes 35183298347520 -CreateOption 'Upload' -NetworkAccessPolicy "AllowAll";
+        New-AzDisk -ResourceGroupName $rgname -DiskName $diskname0 -Disk $diskconfig2;
+        $disk2 = Get-AzDisk -ResourceGroupName $rgname -DiskName $diskname0;
+        Assert-AreEqual "AllowAll" $disk2.NetworkAccessPolicy;
+
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
+
+<#
+.SYNOPSIS
+Testing SnapshotConfig property NetworkAccessPolicy
+#>
+function Test-SnapshotConfigDiskAccessNetworkPolicy
+{
+    # Setup
+    $rgname = Get-ComputeTestResourceName;
+    $snapshotname = 'snapshot' + $rgname;
+
+    try
+    {
+        # Common
+        $loc = Get-ComputeVMLocation;
+        New-AzResourceGroup -Name $rgname -Location $loc -Force;
+
+        # Config and create test
+        $diskAccess = New-AzDiskAccess -ResourceGroupName $rgname -Name "diskaccessname" -location $loc
+
+        $snapshotconfig = New-AzSnapshotConfig -Location $loc -DiskSizeGB 5 -AccountType Standard_LRS -OsType Windows -CreateOption Empty `
+                                               -EncryptionSettingsEnabled $true  -HyperVGeneration "V2" -DiskAccessId $diskAccess.Id;
+
+        $snapshotconfig.EncryptionSettingsCollection.Enabled = $false;
+        $snapshotconfig.EncryptionSettingsCollection.EncryptionSettings = $null;
+        $snapshotconfig.CreationData.ImageReference = $null;
+        $job = New-AzSnapshot -ResourceGroupName $rgname -SnapshotName $snapshotname -Snapshot $snapshotconfig -AsJob;
+        $result = $job | Wait-Job;
+        Assert-AreEqual "Completed" $result.State;
+
+        $snapshot = Get-AzSnapshot -ResourceGroupName $rgname
+        Assert-AreEqual $diskAccess.Id $snapshot.DiskAccessId
+
+        # Remove test
+        $job = Remove-AzSnapshot -ResourceGroupName $rgname -SnapshotName $snapshotname -Force -AsJob;
+        $result = $job | Wait-Job;
+        Assert-AreEqual "Completed" $result.State;
+        $st = $job | Receive-Job;
+        Verify-PSOperationStatusResponse $st;
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}