-
Notifications
You must be signed in to change notification settings - Fork 5.1k
[Compute] AZ and VMSS rolling upgrade update and tests #3739
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
Closed
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
21aacef
Update Compute client library to version 16.2.0 with updated Swagger …
hyonholee edb6997
Add tests for vmss encryption settings, forceUpdate, and vmInstancdIDs.
hyonholee 4fa3dbb
Merge branch 'psSdkJson6' of https://github.com/Azure/azure-sdk-for-n…
hyonholee 8728263
Merge branch 'psSdkJson6' of https://github.com/Azure/azure-sdk-for-n…
hyonholee 20d6154
Merge branch 'psSdkJson6' of https://github.com/Azure/azure-sdk-for-n…
hyonholee 2ea7fc5
Re-generate Compute client library with updated swagger spec and add …
hyonholee File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
185 changes: 185 additions & 0 deletions
185
src/SDKs/Compute/Compute.Tests/Resources/DiskEncryptionPreRequisites.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,185 @@ | ||
| Param( | ||
| [Parameter(Mandatory = $true, | ||
| HelpMessage="Name of the resource group to which the KeyVault belongs to. A new resource group with this name will be created if one doesn't exist")] | ||
| [ValidateNotNullOrEmpty()] | ||
| [string]$resourceGroupName, | ||
|
|
||
| [Parameter(Mandatory = $true, | ||
| HelpMessage="Name of the KeyVault in which encryption keys are to be placed. A new vault with this name will be created if one doesn't exist")] | ||
| [ValidateNotNullOrEmpty()] | ||
| [string]$keyVaultName, | ||
|
|
||
| [Parameter(Mandatory = $true, | ||
| HelpMessage="Location of the KeyVault. Important note: Make sure the KeyVault and VMs to be encrypted are in the same region / location.")] | ||
| [ValidateNotNullOrEmpty()] | ||
| [string]$location, | ||
|
|
||
| [Parameter(Mandatory = $true, | ||
| HelpMessage="Name of the AAD application that will be used to write secrets to KeyVault. A new application with this name will be created if one doesn't exist. If this app already exists, pass aadClientSecret parameter to the script")] | ||
| [ValidateNotNullOrEmpty()] | ||
| [string]$aadAppName, | ||
|
|
||
| [Parameter(Mandatory = $false, | ||
| HelpMessage="Client secret of the AAD application that was created earlier")] | ||
| [ValidateNotNullOrEmpty()] | ||
| [string]$aadClientSecret, | ||
|
|
||
| [Parameter(Mandatory = $false, | ||
| HelpMessage="Identifier of the Azure subscription to be used. Default subscription will be used if not specified.")] | ||
| [ValidateNotNullOrEmpty()] | ||
| [string]$subscriptionId, | ||
|
|
||
| [Parameter(Mandatory = $false, | ||
| HelpMessage="Name of optional key encryption key in KeyVault. A new key with this name will be created if one doesn't exist")] | ||
| [ValidateNotNullOrEmpty()] | ||
| [string]$keyEncryptionKeyName | ||
|
|
||
| ) | ||
|
|
||
| ######################################################################################################################## | ||
| # Section1: Log-in to Azure and select appropriate subscription. | ||
| ######################################################################################################################## | ||
|
|
||
|
|
||
| # Write-Host 'Please log into Azure now' -foregroundcolor Green; | ||
| # Login-AzureRmAccount -ErrorAction "Stop" 1> $null; | ||
|
|
||
| # if($subscriptionId) | ||
| # { | ||
| # Select-AzureRmSubscription -SubscriptionId $subscriptionId; | ||
| # } | ||
|
|
||
|
|
||
| ######################################################################################################################## | ||
| # Section2: Create AAD app . Fill in $aadClientSecret variable if AAD app was already created | ||
| ######################################################################################################################## | ||
|
|
||
|
|
||
| # Check if AAD app with $aadAppName was already created | ||
| $SvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $aadAppName); | ||
| if(-not $SvcPrincipals) | ||
| { | ||
| # Create a new AD application if not created before | ||
| $identifierUri = [string]::Format("http://localhost:8080/{0}",[Guid]::NewGuid().ToString("N")); | ||
| $defaultHomePage = 'http://contoso.com'; | ||
| $now = [System.DateTime]::Now; | ||
| $oneYearFromNow = $now.AddYears(1); | ||
| $aadClientSecret = [Guid]::NewGuid(); | ||
|
|
||
| Write-Host "Creating new AAD application ($aadAppName)"; | ||
| $ADApp = New-AzureRmADApplication -DisplayName $aadAppName -HomePage $defaultHomePage -IdentifierUris $identifierUri -StartDate $now -EndDate $oneYearFromNow -Password $aadClientSecret; | ||
| $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $ADApp.ApplicationId; | ||
| $SvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $aadAppName); | ||
| if(-not $SvcPrincipals) | ||
| { | ||
| # AAD app wasn't created | ||
| Write-Error "Failed to create AAD app $aadAppName. Please log-in to Azure using Login-AzureRmAccount and try again"; | ||
| return; | ||
| } | ||
| $aadClientID = $servicePrincipal.ApplicationId; | ||
| Write-Host "Created a new AAD Application ($aadAppName) with ID: $aadClientID "; | ||
| } | ||
| else | ||
| { | ||
| if(-not $aadClientSecret) | ||
| { | ||
| $aadClientSecret = Read-Host -Prompt "Aad application ($aadAppName) was already created, input corresponding aadClientSecret and hit ENTER. It can be retrieved from https://manage.windowsazure.com portal" ; | ||
| } | ||
| if(-not $aadClientSecret) | ||
| { | ||
| Write-Error "Aad application ($aadAppName) was already created. Re-run the script by supplying aadClientSecret parameter with corresponding secret from https://manage.windowsazure.com portal"; | ||
| return; | ||
| } | ||
| $aadClientID = $SvcPrincipals[0].ApplicationId; | ||
| } | ||
|
|
||
| # Before proceeding to Section3, make sure $aadClientID and $aadClientSecret have valid values | ||
| ######################################################################################################################## | ||
| # Section3: Create KeyVault or setup existing keyVault | ||
| ######################################################################################################################## | ||
|
|
||
| Try | ||
| { | ||
| $resGroup = Get-AzureRmResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue; | ||
| } | ||
| Catch [System.ArgumentException] | ||
| { | ||
| Write-Host "Couldn't find resource group: ($resourceGroupName)"; | ||
| $resGroup = $null; | ||
| } | ||
|
|
||
| #Create a new resource group if it doesn't exist | ||
| if (-not $resGroup) | ||
| { | ||
| Write-Host "Creating new resource group: ($resourceGroupName)"; | ||
| $resGroup = New-AzureRmResourceGroup -Name $resourceGroupName -Location $location; | ||
| Write-Host "Created a new resource group named $resourceGroupName to place keyVault"; | ||
| } | ||
|
|
||
| Try | ||
| { | ||
| $keyVault = Get-AzureRmKeyVault -VaultName $keyVaultName -ErrorAction SilentlyContinue; | ||
| } | ||
| Catch [System.ArgumentException] | ||
| { | ||
| Write-Host "Couldn't find Key Vault: $keyVaultName"; | ||
| $keyVault = $null; | ||
| } | ||
|
|
||
| #Create a new vault if vault doesn't exist | ||
| if (-not $keyVault) | ||
| { | ||
| Write-Host "Creating new key vault: ($keyVaultName)"; | ||
| $keyVault = New-AzureRmKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -Sku Standard -Location $location; | ||
| Write-Host "Created a new KeyVault named $keyVaultName to store encryption keys"; | ||
| } | ||
| # Specify privileges to the vault for the AAD application - https://msdn.microsoft.com/en-us/library/mt603625.aspx | ||
| Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -ServicePrincipalName $aadClientID -PermissionsToKeys wrapKey -PermissionsToSecrets set; | ||
|
|
||
| Set-AzureRmKeyVaultAccessPolicy -VaultName $keyVaultName -EnabledForDiskEncryption; | ||
|
|
||
| $diskEncryptionKeyVaultUrl = $keyVault.VaultUri; | ||
| $keyVaultResourceId = $keyVault.ResourceId; | ||
|
|
||
| if($keyEncryptionKeyName) | ||
| { | ||
| Try | ||
| { | ||
| $kek = Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyEncryptionKeyName -ErrorAction SilentlyContinue; | ||
| } | ||
| Catch [Microsoft.Azure.KeyVault.KeyVaultClientException] | ||
| { | ||
| Write-Host "Couldn't find key encryption key named : $keyEncryptionKeyName in Key Vault: $keyVaultName"; | ||
| $kek = $null; | ||
| } | ||
|
|
||
| if(-not $kek) | ||
| { | ||
| Write-Host "Creating new key encryption key named:$keyEncryptionKeyName in Key Vault: $keyVaultName"; | ||
| $kek = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $keyEncryptionKeyName -Destination Software -ErrorAction SilentlyContinue; | ||
| Write-Host "Created key encryption key named:$keyEncryptionKeyName in Key Vault: $keyVaultName"; | ||
| } | ||
|
|
||
| $keyEncryptionKeyUrl = $kek.Key.Kid; | ||
| } | ||
|
|
||
| ######################################################################################################################## | ||
| # Section4: Displays values that should be used while enabling encryption. Please note these down | ||
| ######################################################################################################################## | ||
| Write-Host "Please note down below aadClientID, aadClientSecret, diskEncryptionKeyVaultUrl, keyVaultResourceId values that will be needed to enable encryption on your VMs " -foregroundcolor Green; | ||
| Write-Host "`t aadClientID: $aadClientID" -foregroundcolor Green; | ||
| Write-Host "`t aadClientSecret: $aadClientSecret" -foregroundcolor Green; | ||
| Write-Host "`t diskEncryptionKeyVaultUrl: $diskEncryptionKeyVaultUrl" -foregroundcolor Green; | ||
| Write-Host "`t keyVaultResourceId: $keyVaultResourceId" -foregroundcolor Green; | ||
| if($keyEncryptionKeyName) | ||
| { | ||
| Write-Host "`t keyEncryptionKeyURL: $keyEncryptionKeyUrl" -foregroundcolor Green; | ||
| } | ||
| Write-Host "Please Press [Enter] after saving values displayed above. They are needed to enable encryption using Set-AzureRmVmDiskEncryptionExtension cmdlet" -foregroundcolor Green; | ||
| Read-Host; | ||
|
|
||
| ######################################################################################################################## | ||
| # For each VM you want to encrypt, run the below cmdlet | ||
| # $vmName = 'Name of VM to encrypt'; | ||
| # Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId; | ||
| ######################################################################################################################## | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this in the repo?