From 0c263e2fb706975ce3397e956e96e14c0ca1099e Mon Sep 17 00:00:00 2001 From: Kashif Mustahsan Date: Thu, 28 Oct 2021 13:47:09 -0700 Subject: [PATCH 1/3] KV changes --- .../stable/2021-07-01/compute.json | 17 +- ...eSetWithProtectedSettingsFromKeyVault.json | 293 ++++++++++++++++++ ...ureEnabled.json => UpdateVMExtension.json} | 12 + 3 files changed, 321 insertions(+), 1 deletion(-) create mode 100644 specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json rename specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/{UpdateVMExtensionWithSuppressFailureEnabled.json => UpdateVMExtension.json} (63%) diff --git a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json index c0c702bf82a5..3fd4e6831a9b 100644 --- a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json +++ b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json @@ -1723,7 +1723,7 @@ "x-ms-long-running-operation": true, "x-ms-examples": { "Update VM extension.": { - "$ref": "./examples/compute/UpdateVMExtensionWithSuppressFailureEnabled.json" + "$ref": "./examples/compute/UpdateVMExtension.json" } } }, @@ -5425,6 +5425,9 @@ }, "Create a scale set with spot restore policy": { "$ref": "./examples/compute/CreateAScaleSetWithSpotRestorePolicy.json" + }, + "Create a VMSS with an extension with protectedSettingsFromKeyVault": { + "$ref": "./examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json" } } }, 
@@ -9554,6 +9557,10 @@ "suppressFailures": { "type": "boolean", "description": "Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." + }, + "protectedSettingsFromKeyVault": { + "type": "object", + "description": "The extensions protected settings that are passed by reference, and consumed from key vault" } }, "description": "Describes the properties of a Virtual Machine Extension." @@ -9595,6 +9602,10 @@ "suppressFailures": { "type": "boolean", "description": "Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." + }, + "protectedSettingsFromKeyVault": { + "type": "object", + "description": "The extensions protected settings that are passed by reference, and consumed from key vault" } }, "description": "Describes the properties of a Virtual Machine Extension." @@ -13380,6 +13391,10 @@ "suppressFailures": { "type": "boolean", "description": "Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false." + }, + "protectedSettingsFromKeyVault": { + "type": "object", + "description": "The extensions protected settings that are passed by reference, and consumed from key vault" } }, "description": "Describes the properties of a Virtual Machine Scale Set Extension." diff --git a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json new file mode 100644 index 000000000000..9222f9ad8cda --- /dev/null 
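Review bot: `protectedSettingsFromKeyVault` is declared as a bare `"type": "object"` here and in the two hunks that follow (`@@ -9595,6 +9602,10 @@` and `@@ -13380,6 +13391,10 @@`), so the spec never says it must hold a `sourceVault` and a `secretUrl`, which is the shape every example in this series sends. Generated SDKs will expose it as an untyped bag, and schema validation cannot reject a payload that puts a secret value in this field instead of a reference to one. If the `KeyVaultSecretReference` definition that I believe already exists in compute.json matches this shape, replace the type line with `"$ref": "#/definitions/KeyVaultSecretReference"`; otherwise declare the two properties inline. The description should also say what happens when `protectedSettings` is supplied as well, and should read `The extension's protected settings ...`. All three enclosing property lists start outside their hunks.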
+++ b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json 
@@ -0,0 +1,293 @@ +{ + "parameters": { + "subscriptionId": "{subscription-id}", + "resourceGroupName": "myResourceGroup", + "vmScaleSetName": "{vmss-name}", + "api-version": "2021-07-01", + "parameters": { + "sku": { + "tier": "Standard", + "capacity": 3, + "name": "Standard_D1_v2" + }, + "location": "westus", + "properties": { + "overprovision": true, + "virtualMachineProfile": { + "storageProfile": { + "imageReference": { + "sku": "2016-Datacenter", + "publisher": "MicrosoftWindowsServer", + "version": "latest", + "offer": "WindowsServer" + }, + "osDisk": { + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "Standard_LRS" + }, + "createOption": "FromImage" + } + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "storageUri": "http://{existing-storage-account-name}.blob.core.windows.net", + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "{vmss-name}", + "adminUsername": "{your-username}", + "adminPassword": "{your-password}" + }, + "extensionProfile": { + "extensions": [ + { + "name": "{extension-name}", + "properties": { + "autoUpgradeMinorVersion": false, + "publisher": "{extension-Publisher}", + "type": "{extension-Type}", + "typeHandlerVersion": "{handler-version}", + "settings": {}, + "protectedSettingsFromKeyVault": { + "sourceVault": { + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + }, + "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" + } + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "{vmss-name}", + "properties": { + "primary": true, + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "{vmss-name}", + "properties": { + "subnet": { + "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/{existing-virtual-network-name}/subnets/{existing-subnet-name}" + } + } 
+ } + ] + } + } + ] + } + }, + "upgradePolicy": { + "mode": "Manual" + } + } + } + }, + "responses": { + "200": { + "body": { + "sku": { + "tier": "Standard", + "capacity": 3, + "name": "Standard_D1_v2" + }, + "name": "{vmss-name}", + "properties": { + "singlePlacementGroup": true, + "overprovision": true, + "uniqueId": "d053ec5a-8da6-495f-ab13-38216503c6d7", + "virtualMachineProfile": { + "storageProfile": { + "imageReference": { + "sku": "2016-Datacenter", + "publisher": "MicrosoftWindowsServer", + "version": "latest", + "offer": "WindowsServer" + }, + "osDisk": { + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "Standard_LRS" + }, + "createOption": "FromImage" + } + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "storageUri": "http://nsgdiagnostic.blob.core.windows.net", + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "{vmss-name}", + "adminUsername": "{your-username}", + "secrets": [], + "windowsConfiguration": { + "provisionVMAgent": true, + "enableAutomaticUpdates": true + } + }, + "extensionProfile": { + "extensions": [ + { + "name": "{extension-name}", + "properties": { + "autoUpgradeMinorVersion": false, + "publisher": "{extension-Publisher}", + "type": "{extension-Type}", + "typeHandlerVersion": "{handler-version}", + "settings": {}, + "protectedSettingsFromKeyVault": { + "sourceVault": { + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + }, + "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" + } + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "{vmss-name}", + "properties": { + "dnsSettings": { + "dnsServers": [] + }, + "primary": true, + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "{vmss-name}", + "properties": { + "subnet": { + "id": 
"/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/nsgExistingVnet/subnets/nsgExistingSubnet" + }, + "privateIPAddressVersion": "IPv4" + } + } + ], + "enableAcceleratedNetworking": false + } + } + ] + } + }, + "upgradePolicy": { + "mode": "Manual" + }, + "provisioningState": "Creating" + }, + "location": "westus", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachineScaleSets/{vmss-name}" + } + }, + "201": { + "body": { + "sku": { + "tier": "Standard", + "capacity": 3, + "name": "Standard_D1_v2" + }, + "name": "{vmss-name}", + "properties": { + "singlePlacementGroup": true, + "overprovision": true, + "uniqueId": "d053ec5a-8da6-495f-ab13-38216503c6d7", + "virtualMachineProfile": { + "storageProfile": { + "imageReference": { + "sku": "2016-Datacenter", + "publisher": "MicrosoftWindowsServer", + "version": "latest", + "offer": "WindowsServer" + }, + "osDisk": { + "caching": "ReadWrite", + "managedDisk": { + "storageAccountType": "Standard_LRS" + }, + "createOption": "FromImage" + } + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "storageUri": "http://nsgdiagnostic.blob.core.windows.net", + "enabled": true + } + }, + "osProfile": { + "computerNamePrefix": "{vmss-name}", + "adminUsername": "{your-username}", + "secrets": [], + "windowsConfiguration": { + "provisionVMAgent": true, + "enableAutomaticUpdates": true + } + }, + "extensionProfile": { + "extensions": [ + { + "name": "{extension-name}", + "properties": { + "autoUpgradeMinorVersion": false, + "publisher": "{extension-Publisher}", + "type": "{extension-Type}", + "typeHandlerVersion": "{handler-version}", + "settings": {}, + "protectedSettingsFromKeyVault": { + "sourceVault": { + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + }, + "secretUrl": 
"https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" + } + } + } + ] + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "{vmss-name}", + "properties": { + "dnsSettings": { + "dnsServers": [] + }, + "primary": true, + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "{vmss-name}", + "properties": { + "subnet": { + "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/nsgExistingVnet/subnets/nsgExistingSubnet" + }, + "privateIPAddressVersion": "IPv4" + } + } + ], + "enableAcceleratedNetworking": false + } + } + ] + } + }, + "upgradePolicy": { + "mode": "Manual" + }, + "provisioningState": "Creating" + }, + "location": "westus", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachineScaleSets/{vmss-name}" + } + } + } +} diff --git a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtensionWithSuppressFailureEnabled.json b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtension.json similarity index 63% rename from specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtensionWithSuppressFailureEnabled.json rename to specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtension.json index 4c8b071f90b8..2a5c79d04800 100644 --- a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtensionWithSuppressFailureEnabled.json +++ b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtension.json 
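Review bot: The `sourceVault.id` in the request body and in both response bodies of this new example hard-codes the subscription GUID `a53f7094-a16c-47af-abe4-b05c05d0d79a`, while every other resource id in the file uses the `{subscription-id}` placeholder. If that GUID belongs to a real subscription it should not ship in a public example, and either way the example reads as if the vault must sit in a different subscription from the scale set. Use `"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName"` instead. The same literal appears in the two `UpdateVMExtension.json` hunks of this patch, and the later `fixing examples` patch keeps it. Separately, the request shows `"storageUri": "http://{existing-storage-account-name}.blob.core.windows.net"` and the responses use `http://` as well; an `https://` URI would be the safer value to document.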
@@ -14,6 +14,12 @@ "suppressFailures": true, "settings": { "UserName": "xyz@microsoft.com" + }, + "protectedSettingsFromKeyVault": { + "sourceVault": { + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + }, + "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" } } } @@ -34,6 +40,12 @@ "suppressFailures": true, "settings": { "UserName": "xyz@microsoft.com" + }, + "protectedSettingsFromKeyVault": { + "sourceVault": { + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + }, + "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" } } } From 465cf15e100c5f976e2c023d06044229277a4e49 Mon Sep 17 00:00:00 2001 From: Kashif Mustahsan Date: Thu, 28 Oct 2021 13:54:30 -0700 Subject: [PATCH 2/3] adding allowExtensionOperation --- .../Microsoft.Compute/stable/2021-07-01/compute.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json index 3fd4e6831a9b..63bf03fa5e95 100644 --- a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json +++ b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json 
@@ -12621,6 +12621,10 @@ "$ref": "#/definitions/VaultSecretGroup" }, "description": "Specifies set of certificates that should be installed onto the virtual machines in the scale set. To install certificates on a virtual machine it is recommended to use the [Azure Key Vault virtual machine extension for Linux](https://docs.microsoft.com/azure/virtual-machines/extensions/key-vault-linux) or the [Azure Key Vault virtual machine extension for Windows](https://docs.microsoft.com/azure/virtual-machines/extensions/key-vault-windows)." + }, + "allowExtensionOperations": { + "type": "boolean", + "description": "Specifies whether extension operations should be allowed on the virtual machine scale set.

This may only be set to False when no extensions are present on the virtual machine scale set." } }, "description": "Describes a virtual machine scale set OS profile." From 0c9fad429f1ae7f27e6d68f5ba6a6cd1e25bfe4b Mon Sep 17 00:00:00 2001 From: Kashif Mustahsan Date: Fri, 19 Nov 2021 15:04:12 -0800 Subject: [PATCH 3/3] fixing examples --- ...teAScaleSetWithProtectedSettingsFromKeyVault.json | 12 ++++++------ .../examples/compute/UpdateVMExtension.json | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json index 9222f9ad8cda..a46730933b7e 100644 --- a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json +++ b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json @@ -52,9 +52,9 @@ "settings": {}, "protectedSettingsFromKeyVault": { "sourceVault": { - "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName" }, - "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" + "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e" } } } 
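Review bot: The description added for `allowExtensionOperations` does not state what the service assumes when the property is omitted, which matters because the flag decides whether extensions can be applied to the scale set at all. Close the text with the default, for example `The default is {confirmed-default}.`, using the value confirmed against the service. Write `false` rather than `False` so the text matches the JSON literal a caller has to send. It would also help to say what a request gets back if it sets the flag to false while extensions are still present. The enclosing OS-profile definition starts outside this hunk.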
@@ -144,9 +144,9 @@ "settings": {}, "protectedSettingsFromKeyVault": { "sourceVault": { - "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName" }, - "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" + "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e" } } } @@ -244,9 +244,9 @@ "settings": {}, "protectedSettingsFromKeyVault": { "sourceVault": { - "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName" }, - "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" + "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e" } } } diff --git a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtension.json b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtension.json index 2a5c79d04800..0d4bcf6ddcc1 100644 --- a/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtension.json +++ b/specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtension.json 
@@ -17,9 +17,9 @@ }, "protectedSettingsFromKeyVault": { "sourceVault": { - "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName" }, - "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" + "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e" } } } @@ -43,9 +43,9 @@ }, "protectedSettingsFromKeyVault": { "sourceVault": { - "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults//kvName" + "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName" }, - "secretUrl": "https://kvName.vault.azure.net/secrets//secretName/79b88b3a6f5440ffb2e73e44a0db712e" + "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e" } } }