Status: Open
Labels: Compute - Images; Service Attention (this issue is the responsibility of the Azure service team); bug (this issue requires a change to an existing behavior in the product in order to be resolved)
Description
Steps to reproduce:
- Create Gallery (New-AzGallery)
- Create Gallery Image Definition (New-AzGalleryImageDefinition) with SecurityType=ConfidentialVM
- Create Confidential VM
- Create Gallery Image Version (New-AzGalleryImageVersion) using the Confidential VM as source
Example:

```powershell
$location = "eastus2euap"
$rgName = "rg-eastus2euap-1"
$galleryName = "acg_eastus2euap_1"
$galleryImageDefinition = "im-def-1"
$galleryImageVersion = "1.0.0"
$sourceImageId = "/subscriptions/b0852dd0-e006-4c86-9d10-3510b006d01c/resourceGroups/rg-eastus2euap-1/providers/Microsoft.Compute/virtualMachines/cvm-1"
$cvmEncryptionType = @{"confidentialVMEncryptionType"="EncryptedWithPmk"}
$securityProfile = @{"securityProfile"=$cvmEncryptionType}
$osDiskImage = @{"osDiskImage"=$securityProfile}
$targetRegion = @{"name"="eastus2euap"; "encryption"=$osDiskImage}
$targetRegions = @($targetRegion)

New-AzResourceGroup -Name $rgName -Location $location

# Create gallery
New-AzGallery -ResourceGroupName $rgName -Name $galleryName -Location $location

# Create galleryImageDefinition
$publisherName = "mypub"
$offerName = "myOffer"
$securityTypeFeature = @{"Name"="SecurityType";"Value"="ConfidentialVM"}
$features = @($securityTypeFeature)
New-AzGalleryImageDefinition -ResourceGroupName $rgName -Location $location -GalleryName $galleryName -Name $galleryImageDefinition -Publisher $publisherName -Offer $offerName -Sku $galleryImageDefinition -OsState "Specialized" -OsType "Windows" -Feature $features

# Create Confidential VM
az vm create -g rg-eastus2euap-1 -n cvm-1 --size Standard_DC2es_v5 --admin-username vmuser --admin-password <password> --enable-vtpm true --enable-secure-boot true `
    --image "MicrosoftWindowsServer:WindowsServer:2022-datacenter-azure-edition:latest" --security-type ConfidentialVM --os-disk-security-encryption-type DiskWithVMGuestState

$targetRegionsJson = $targetRegions | ConvertTo-Json -Depth 10
Write-Host "Target Regions:`n$targetRegionsJson"

# Create GalleryImageVersion -- fails
New-AzGalleryImageVersion -ResourceGroupName $rgName `
    -GalleryName $galleryName -GalleryImageDefinitionName $galleryImageDefinition `
    -Name $galleryImageVersion -Location $location -SourceImageVMId $sourceImageId `
    -TargetRegion $targetRegions
```
Expectation: `New-AzGalleryImageVersion` should succeed.
Observed output:

```text
Target Regions:
{
  "encryption": {
    "osDiskImage": {
      "securityProfile": {
        "confidentialVMEncryptionType": "EncryptedWithPmk"
      }
    }
  },
  "name": "eastus2euap"
}
New-AzGalleryImageVersion: Q:\stuff\cli\a.ps1:29
Line |
  29 |  New-AzGalleryImageVersion -ResourceGroupName $rgName `
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The regional encryption.osDiskImage.securityProfile.type must be specified when the SecurityType of the image definition is ConfidentialVM. ErrorCode: InvalidParameter ErrorMessage: The regional encryption.osDiskImage.securityProfile.type must be specified when the SecurityType of the image definition is
     | ConfidentialVM. ErrorTarget: galleryArtifactVersion.properties.publishingProfile.targetRegions.encryption.osDiskImage.securityProfile StatusCode: 400 ReasonPhrase: Bad Request OperationID : 5c546cf9-59e2-47dc-811a-a8ad7590f44c
ARM Correlation ID for this request: 352d9a9a-cdba-44d6-b57c-c22783e5f6f7
```
`$targetRegionsJson` is correct as per the REST API spec.
This is the request body the GalleryRP backend received:

```json
{
  "location": "eastus2euap",
  "properties": {
    "publishingProfile": {
      "targetRegions": [
        {
          "name": "eastus2euap",
          "encryption": {
            "osDiskImage": {}
          }
        }
      ]
    },
    "storageProfile": {
      "source": {
        "virtualMachineId": "/subscriptions/b0852dd0-e006-4c86-9d10-3510b006d01c/resourceGroups/rg-eastus2euap-1/providers/Microsoft.Compute/virtualMachines/cvm-1"
      }
    }
  }
}
```
`encryption.osDiskImage` is empty. Expected JSON:

```json
{
  "encryption": {
    "osDiskImage": {
      "securityProfile": {
        "confidentialVMEncryptionType": "EncryptedWithPmk"
      }
    }
  }
}
```
Here's an equivalent az cli command that works (the trailing comma may need to be escaped in PowerShell):

```shell
az sig image-version create -g $rgName --gallery-name $galleryName --gallery-image-definition $galleryImageDefinition --gallery-image-version $galleryImageVersion --virtual-machine $sourceImageId --target-regions eastus2euap --target-region-cvm-encryption EncryptedWithPmk,
```
CLI had the same issue, but it was fixed in Azure/azure-cli#22995
Additionally, this example in the documentation is incorrect. Instead of

```powershell
$cvmOsDiskEncryption = @{CVMEncryptionType='EncryptedWithCmk'; CVMDiskEncryptionSetID=$cvmDiskEncryptionSetId}
```

it should be

```powershell
$cvmOsDiskEncryption = @{confidentialVMEncryptionType='EncryptedWithCmk'; secureVMDiskEncryptionSetId=$cvmDiskEncryptionSetId}
```

This is documented in the REST API specs here.
Additional references:
Environment data

```text
Name                           Value
----                           -----
PSVersion                      7.5.3
PSEdition                      Core
GitCommitId                    7.5.3
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```

Module versions

```text
ModuleType Version   PreRelease Name         ExportedCommands
---------- -------   ---------- ----         ----------------
Script     4.2.0                Az.Accounts  {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     9.3.0                Az.Compute   {Add-AzImageDataDisk, Add-AzVhd, Add-AzVMAdditionalUnattendContent, Add-AzVMDataDisk…}
```
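As an added workaround example (not part of the original report and not the Az.Compute module's own code), the following PowerShell builds the gallery image version request body in exactly the shape the REST spec quoted above expects, checks before sending that every target region carries `encryption.osDiskImage.securityProfile.confidentialVMEncryptionType` (the condition the 400 InvalidParameter error complains about), confirms the field survives local serialization, and submits the body with `Invoke-AzRestMethod` so the cmdlet's hashtable conversion that dropped `osDiskImage` is not involved. The ARM resource path and the `2023-07-03` api-version are assumptions; the resource names are reused from the report and the subscription id is taken from the current Az context instead of being hard-coded. The `EncryptedWithCmk` branch of the check is based on the `secureVMDiskEncryptionSetId` key named in the documentation correction above.

```powershell
# Added example (not from the original issue): PUT the gallery image version
# through the REST API directly, validating the CVM encryption fields first.
# Assumptions: Connect-AzAccount has been run, the caller may write gallery
# image versions, and api-version 2023-07-03 is accepted by the gallery RP.

$subscriptionId         = (Get-AzContext).Subscription.Id
$rgName                 = "rg-eastus2euap-1"
$galleryName            = "acg_eastus2euap_1"
$galleryImageDefinition = "im-def-1"
$galleryImageVersion    = "1.0.0"
$location               = "eastus2euap"
$sourceImageId          = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Compute/virtualMachines/cvm-1"

# Target region shaped as the REST spec defines it (the "Expected JSON" in the
# report). Keys use the spec's camelCase names.
$targetRegions = @(
    @{
        name       = $location
        encryption = @{
            osDiskImage = @{
                securityProfile = @{
                    confidentialVMEncryptionType = "EncryptedWithPmk"
                }
            }
        }
    }
)

function Test-CvmTargetRegion {
    # Returns $true when every region carries the field the service requires
    # for a ConfidentialVM image definition; otherwise warns and returns $false.
    param([Parameter(Mandatory)][hashtable[]]$Regions)
    $ok = $true
    foreach ($r in $Regions) {
        $profile = $r.encryption.osDiskImage.securityProfile
        $type    = $profile.confidentialVMEncryptionType
        if ([string]::IsNullOrEmpty($type)) {
            Write-Warning "Target region '$($r.name)': encryption.osDiskImage.securityProfile.confidentialVMEncryptionType is missing"
            $ok = $false
        }
        elseif ($type -eq 'EncryptedWithCmk' -and [string]::IsNullOrEmpty($profile.secureVMDiskEncryptionSetId)) {
            # Customer-managed key encryption needs the disk encryption set id
            # (key name per the documentation correction in the report).
            Write-Warning "Target region '$($r.name)': EncryptedWithCmk requires secureVMDiskEncryptionSetId"
            $ok = $false
        }
    }
    return $ok
}

if (-not (Test-CvmTargetRegion -Regions $targetRegions)) {
    throw "Target regions are incomplete; the service would reject this request with 400 InvalidParameter"
}

$body = @{
    location   = $location
    properties = @{
        publishingProfile = @{ targetRegions = $targetRegions }
        storageProfile    = @{ source = @{ virtualMachineId = $sourceImageId } }
    }
} | ConvertTo-Json -Depth 10

# The report's symptom was a field present locally but absent at the backend;
# check the serialized payload before it leaves the machine.
if ($body -notmatch 'confidentialVMEncryptionType') {
    throw "Serialization dropped encryption.osDiskImage.securityProfile"
}

$path = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Compute/galleries/$galleryName/images/$galleryImageDefinition/versions/$galleryImageVersion" +
        "?api-version=2023-07-03"   # assumed api-version

$resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
if ($resp.StatusCode -notin 200, 201, 202) {
    throw "PUT failed: HTTP $($resp.StatusCode) $($resp.Content)"
}
$resp.Content | ConvertFrom-Json |
    Select-Object name, @{ n = 'provisioningState'; e = { $_.properties.provisioningState } }
```

Going through `Invoke-AzRestMethod` bypasses whatever client-side validation the cmdlet performs, so the local check above is what stands between a malformed region definition and a rejected request; the service's own 400 remains the authority, and the `OperationID` and correlation id it returns are what to quote when reporting a mismatch like the one above.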