Merge pull request #3600 from Azure/nwnt/trusted-launch-devproxy

Make dev-proxy use Trusted Launch

pkg/deploy/assets/cluster-development-predeploy.json

@@ -139,7 +139,7 @@
             "type": "Microsoft.Compute/diskEncryptionSets",
             "location": "[resourceGroup().location]",
             "condition": "[parameters('ci')]",
-            "apiVersion": "2020-12-01",
+            "apiVersion": "2021-12-01",
             "dependsOn": [
                 "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('kvName'), concat(resourceGroup().name, '-disk-encryption-key'))]"
             ]

pkg/deploy/assets/env-development.json

@@ -267,7 +267,7 @@
             "name": "[concat(resourceGroup().name, '-disk-encryption-set')]",
             "type": "Microsoft.Compute/diskEncryptionSets",
             "location": "[resourceGroup().location]",
-            "apiVersion": "2020-12-01",
+            "apiVersion": "2021-12-01",
             "dependsOn": [
                 "[resourceId('Microsoft.KeyVault/vaults/keys', concat(take(resourceGroup().name,10), '-dev-sharedKV'), concat(resourceGroup().name, '-disk-encryption-key'))]"
             ]
@@ -353,6 +353,9 @@
                             }
                         ]
                     },
+                    "securityProfile": {
+                        "securityType": "TrustedLaunch"
+                    },
                     "extensionProfile": {
                         "extensions": [
                             {
@@ -417,7 +420,7 @@
             "tags": {
                 "azsecpack": "nonprod"
             },
-            "apiVersion": "2020-12-01",
+            "apiVersion": "2021-12-01",
             "dependsOn": [
                 "[resourceId('Microsoft.Network/loadBalancers', 'dev-lb-internal')]"
             ]

pkg/deploy/assets/gateway-production.json

@@ -309,7 +309,7 @@
             "type": "Microsoft.Compute/virtualMachineScaleSets",
             "location": "[resourceGroup().location]",
             "tags": {},
-            "apiVersion": "2020-12-01",
+            "apiVersion": "2021-12-01",
             "dependsOn": [
                 "[resourceId('Microsoft.Network/loadBalancers', 'gateway-lb-internal')]"
             ]

pkg/deploy/assets/rp-production.json

@@ -462,7 +462,7 @@
             "type": "Microsoft.Compute/virtualMachineScaleSets",
             "location": "[resourceGroup().location]",
             "tags": {},
-            "apiVersion": "2020-12-01",
+            "apiVersion": "2021-12-01",
             "dependsOn": [
                 "[resourceId('Microsoft.Authorization/roleAssignments', guid(resourceGroup().id, parameters('rpServicePrincipalId'), 'RP / Reader'))]",
                 "[resourceId('Microsoft.Network/loadBalancers', 'rp-lb')]"

pkg/deploy/generator/resources_dev.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"strings"
 
-	mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
+	mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2021-12-01/compute"
 	mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
 	"github.com/Azure/go-autorest/autorest/to"
@@ -143,6 +143,9 @@ func (g *generator) devProxyVMSS() *arm.Resource {
 							},
 						},
 					},
+					SecurityProfile: &mgmtcompute.SecurityProfile{
+						SecurityType: mgmtcompute.SecurityTypesTrustedLaunch,
+					},
 					StorageProfile: &mgmtcompute.VirtualMachineScaleSetStorageProfile{
 						ImageReference: &mgmtcompute.ImageReference{
 							Publisher: to.StringPtr("MicrosoftCBLMariner"),
@@ -390,7 +393,7 @@ func (g *generator) devDiskEncryptionKey() *arm.Resource {
 func (g *generator) devDiskEncryptionSet() *arm.Resource {
 	diskEncryptionSet := &mgmtcompute.DiskEncryptionSet{
 		EncryptionSetProperties: &mgmtcompute.EncryptionSetProperties{
-			ActiveKey: &mgmtcompute.KeyVaultAndKeyReference{
+			ActiveKey: &mgmtcompute.KeyForDiskEncryptionSet{
 				KeyURL: to.StringPtr(fmt.Sprintf("[reference(resourceId('Microsoft.KeyVault/vaults/keys', %s, %s), '%s', 'Full').properties.keyUriWithVersion]", sharedKeyVaultName, sharedDiskEncryptionKeyName, azureclient.APIVersion("Microsoft.KeyVault"))),
 				SourceVault: &mgmtcompute.SourceVault{
 					ID: to.StringPtr(fmt.Sprintf("[resourceId('Microsoft.KeyVault/vaults', %s)]", sharedKeyVaultName)),
@@ -401,7 +404,7 @@ func (g *generator) devDiskEncryptionSet() *arm.Resource {
 		Name:     to.StringPtr(fmt.Sprintf("[%s]", sharedDiskEncryptionSetName)),
 		Type:     to.StringPtr("Microsoft.Compute/diskEncryptionSets"),
 		Location: to.StringPtr("[resourceGroup().location]"),
-		Identity: &mgmtcompute.EncryptionSetIdentity{Type: mgmtcompute.SystemAssigned},
+		Identity: &mgmtcompute.EncryptionSetIdentity{Type: mgmtcompute.DiskEncryptionSetIdentityTypeSystemAssigned},
 	}
 
 	return &arm.Resource{

pkg/util/azureclient/apiversions.go

@@ -12,7 +12,7 @@ var apiVersions = map[string]string{
 	"microsoft.authorization":                  "2018-09-01-preview",
 	"microsoft.authorization/denyassignments":  "2018-07-01-preview",
 	"microsoft.authorization/roledefinitions":  "2018-01-01-preview",
-	"microsoft.compute":                        "2020-12-01",
+	"microsoft.compute":                        "2021-12-01",
 	"microsoft.compute/diskencryptionsets":     "2021-04-01",
 	"microsoft.compute/disks":                  "2019-03-01",
 	"microsoft.compute/galleries":              "2022-03-03",