Hotifx: Update TL as Default feature to further restrict it (#23297)

* Update NewAzureVMCommand.cs * Update DiskCreateOrUpdateMethod.cs * Update VirtualMachineScaleSetCreateOrUpdateMethod.cs * Update NewAzureVMCommand.cs * Update VirtualMachineScaleSetCreateOrUpdateMethod.cs * Update DiskCreateOrUpdateMethod.cs * Update NewAzureVMCommand.cs * Update NewAzureVMCommand.cs * Update New-AzVM.md * Update New-AzVM.md * Update VirtualMachineScaleSetCreateOrUpdateMethod.cs * ensure flex defaulting works fine * Update ExampleIssues.csv --------- Co-authored-by: Yabo Hu <[email protected]>
Azure · Nov 8, 2023 · bd31663 · bd31663
1 parent 50b9d53
commit bd31663
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 5 deletions.
diff --git a/...te/Compute/Generated/VirtualMachineScaleSet/VirtualMachineScaleSetCreateOrUpdateMethod.cs b/...te/Compute/Generated/VirtualMachineScaleSet/VirtualMachineScaleSetCreateOrUpdateMethod.cs
@@ -431,6 +431,7 @@ private bool shouldGuestAttestationExtBeInstalled(VirtualMachineScaleSet vmssPar
         {
             if (this.DisableIntegrityMonitoring != true &&
                     vmssParameters != null &&
+                    vmssParameters.OrchestrationMode != "Flexible" &&
                     vmssParameters.VirtualMachineProfile != null &&
                     vmssParameters.VirtualMachineProfile.SecurityProfile != null &&
                     vmssParameters.VirtualMachineProfile.SecurityProfile.SecurityType?.ToLower() == ConstantValues.TrustedLaunchSecurityType &&

diff --git a/src/Compute/Compute/Manual/VirtualMachineScaleSetCreateOrUpdateMethod.cs b/src/Compute/Compute/Manual/VirtualMachineScaleSetCreateOrUpdateMethod.cs
@@ -557,6 +557,12 @@ private async Task<ResourceConfig<VirtualMachineScaleSet>> SimpleParameterSetOrc
 
                 var hostGroup = resourceGroup.CreateDedicatedHostGroupSubResourceFunc(_cmdlet.HostGroupId);
 
+                if (!_cmdlet.IsParameterBound(c => c.SystemAssignedIdentity)
+                    && _cmdlet.SystemAssignedIdentity == true)
+                {
+                    _cmdlet.SystemAssignedIdentity = false;
+                }
+
                 return resourceGroup.CreateVirtualMachineScaleSetConfigOrchestrationModeFlexible(
                     name: _cmdlet.VMScaleSetName,
                     subnet: subnet,
@@ -705,7 +711,8 @@ async Task SimpleParameterSetExecuteCmdlet(IAsyncCmdlet asyncCmdlet)
                 asyncCmdlet.WriteObject(psObject);
             }
 
-            if (shouldGuestAttestationExtBeInstalledSimple())
+            if (shouldGuestAttestationExtBeInstalledSimple()
+                && this.SystemAssignedIdentity == true)
             {
                 string extensionNameGA = "GuestAttestation";
                 var extensionDirect = new VirtualMachineScaleSetExtension();

diff --git a/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs b/src/Compute/Compute/VirtualMachine/Operation/NewAzureVMCommand.cs
@@ -412,6 +412,11 @@ public class NewAzureVMCommand : VirtualMachineBaseCmdlet
            Mandatory = false,
            ValueFromPipelineByPropertyName = true,
            HelpMessage = "This flag disables the default behavior to install the Guest Attestation extension to the virtual machine if: 1) SecurityType is TrustedLaunch, 2) SecureBootEnabled on the SecurityProfile is true, 3) VTpmEnabled on the SecurityProfile is true.")]
+        [Parameter(
+           ParameterSetName = SimpleParameterSet,
+           Mandatory = false,
+           ValueFromPipelineByPropertyName = true,
+           HelpMessage = "This flag disables the default behavior to install the Guest Attestation extension to the virtual machine if: 1) SecurityType is TrustedLaunch, 2) SecureBootEnabled on the SecurityProfile is true, 3) VTpmEnabled on the SecurityProfile is true.")]
         public SwitchParameter DisableIntegrityMonitoring { get; set; }
 
         [Parameter(
@@ -785,11 +790,11 @@ async Task StrategyExecuteCmdletAsync(IAsyncCmdlet asyncCmdlet)
             // imagerefid is specifically shared gallery id, so don't want it.
             else
             {
-                this.SecurityType = ConstantValues.TrustedLaunchSecurityType;
                 if (!this.IsParameterBound(c => c.Image) 
                     && !this.IsParameterBound(c => c.ImageReferenceId) 
                     && !this.IsParameterBound(c => c.SharedGalleryImageId))
                 {
+                    this.SecurityType = ConstantValues.TrustedLaunchSecurityType;
                     this.Image = ConstantValues.TrustedLaunchDefaultImageAlias;
                     if (!this.IsParameterBound(c => c.EnableSecureBoot))
                     {

diff --git a/src/Compute/Compute/help/New-AzVM.md b/src/Compute/Compute/help/New-AzVM.md
@@ -26,7 +26,7 @@ New-AzVM [[-ResourceGroupName] <String>] [[-Location] <String>] [-EdgeZone <Stri
  [-Priority <String>] [-EvictionPolicy <String>] [-MaxPrice <Double>] [-EncryptionAtHost]
  [-HostGroupId <String>] [-SshKeyName <String>] [-GenerateSshKey] [-CapacityReservationGroupId <String>]
  [-UserData <String>] [-ImageReferenceId <String>] [-PlatformFaultDomain <Int32>] [-HibernationEnabled]
- [-vCPUCountAvailable <Int32>] [-vCPUCountPerCore <Int32>] [-DiskControllerType <String>]
+ [-vCPUCountAvailable <Int32>] [-vCPUCountPerCore <Int32>] [-DiskControllerType <String>] [-DisableIntegrityMonitoring]
  [-SharedGalleryImageId <String>] [-SecurityType <String>] [-EnableVtpm <Boolean>]
  [-EnableSecureBoot <Boolean>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -306,7 +306,7 @@ Set-AzVMSourceImage -VM $vmConfig -PublisherName $PublisherName -Offer $Offer -S
 Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id;
 $vmConfig = Set-AzVMSecurityProfile -VM $vmConfig -SecurityType $securityType;
 $vmConfig = Set-AzVMUefi -VM $vmConfig -EnableVtpm $vtpm -EnableSecureBoot $secureboot;
-New-AzVM -ResourceGroupName $RGName -Location $loc -VM $vmConfig -DisableIntegrityMonitoring:$false;
+New-AzVM -ResourceGroupName $RGName -Location $loc -VM $vmConfig;
 # Verify values
 $vm = Get-AzVM -ResourceGroupName $rgname -Name $vmName;
 $vmExt = Get-AzVMExtension -ResourceGroupName $rgname -VMName $vmName -Name $extDefaultName;
@@ -548,7 +548,7 @@ This flag disables the default behavior to install the Guest Attestation extensi
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
-Parameter Sets: DefaultParameterSet
+Parameter Sets: DefaultParameterSet, SimpleParameterSet
 Aliases:
 
 Required: False

diff --git a/tools/StaticAnalysis/Exceptions/Az.Compute/ExampleIssues.csv b/tools/StaticAnalysis/Exceptions/Az.Compute/ExampleIssues.csv
@@ -18,3 +18,6 @@
 "Az.Compute","Set-AzVMSecurityProfile","2","27","Capitalization_Conventions_Violated","5101","1","Set-AzVmUefi doesn't follow the Capitalization Conventions.","Set-AzVmUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true","Check the Capitalization Conventions. Suggest format: Set-AzVMUefi"
 "Az.Compute","Set-AzVMSecurityProfile","2","33","Capitalization_Conventions_Violated","5101","1","Get-AzVm doesn't follow the Capitalization Conventions.","Get-AzVm -ResourceGroupName $rgname -Name $vmname","Check the Capitalization Conventions. Suggest format: Get-AzVM"
 "Az.Compute","New-AzVM","8","9","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $rgname -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","6","3","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $resourceGroupName -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","8","10","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $resourceGroupName -Location $loc -Force","Check the spell of New-AzResourceGroup."
+"Az.Compute","New-AzVM","9","4","Invalid_Cmdlet","5000","1","New-AzResourceGroup is not a valid command name.","New-AzResourceGroup -Name $rgname -Location $loc -Force","Check the spell of New-AzResourceGroup."