Make ImageReference strongly-typed and checked up-front

docs/custom-images.md

@@ -1,23 +1,33 @@
 # Fuzzing using Custom OS Images
 
-In order to use custom OS images in OneFzuz, the image _must_ run the
-[Azure VM Agent](https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/overview).
+In order to use custom OS images in OneFuzz, the image _must_ run the [Azure VM
+Agent](https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/overview).
 
 Building custom images can be automated using the
 [Linux](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/image-builder)
 or
 [Windows](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/image-builder)
 image builders for Azure.
 
-If you have a custom Windows VHD, you should follow the
-[Guide to prepare a VHD for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image).
+If you have a custom Windows VHD, you should follow the [Guide to prepare a VHD
+for
+Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/prepare-for-upload-vhd-image).
 
 From there, rather than using Image SKUs such as
-`Canonical:0001-com-ubuntu-server-focal:20_04-lts:latest`, use the full resource ID to the
-shared image, such as
-`/subscriptions/MYSUBSCRIPTION/resourceGroups/MYGROUP/providers/Microsoft.Compute/galleries/MYGALLERY/images/MYDEFINITION/versions/MYVERSION`
+`Canonical:0001-com-ubuntu-server-focal:20_04-lts:latest`, use the full resource ID for the
+shared image. Supported ID formats are:
 
-The images must be hosted in a
-[Shared Image Gallery](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/shared-image-galleries).
-The Service Principal for the OneFuzz instance must have RBAC to the shared
-image gallery sufficient to deploy the images.
+- VM image:<br/>
+  `/subscriptions/{subscription}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/images/{image}`
+- gallery image (latest):<br/>
+  `/subscriptions/{subscription}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/galleries/{gallery}/images/{image}`
+- gallery image (specific version):<br/>
+  `/subscriptions/{subscription}/resourceGroups/{resourceGroup}/providers/Microsoft.Compute/galleries/{gallery}/images/{image}/versions/{version}`
+- shared gallery image (latest):<br/>
+  `/subscriptions/{subscription}/providers/Microsoft.Compute/locations/{location}/sharedGalleries/{gallery}/images/{image}`,
+- shared gallery image (specific version):<br/>
+  `/subscriptions/{subscription}/providers/Microsoft.Compute/locations/{location}/sharedGalleries/{gallery}/images/{image}/versions/{version}`
+
+The Service Principal for the OneFuzz instance must have RBAC to the image
+sufficient to read and deploy the images, and the image must be replicated into
+the region of the scaleset.

src/ApiService/ApiService/Functions/Scaleset.cs

@@ -76,13 +76,13 @@ private async Task<HttpResponseData> Post(HttpRequestData req) {
                 context: "ScalesetCreate");
         }
 
-        string image;
+        ImageReference image;
         if (create.Image is null) {
             var config = await _context.ConfigOperations.Fetch();
             if (pool.Os == Os.Windows) {
-                image = config.DefaultWindowsVmImage;
+                image = config.DefaultWindowsVmImage ?? DefaultImages.Windows;
             } else {
-                image = config.DefaultLinuxVmImage;
+                image = config.DefaultLinuxVmImage ?? DefaultImages.Linux;
             }
         } else {
             image = create.Image;

src/ApiService/ApiService/OneFuzzTypes/Model.cs

@@ -223,7 +223,7 @@ public record TaskDetails(
 public record TaskVm(
     Region Region,
     string Sku,
-    string Image,
+    ImageReference Image,
     bool? RebootAfterSetup,
     long Count = 1,
     bool SpotInstance = false
@@ -345,28 +345,23 @@ public record InstanceConfig
     string[] AllowedAadTenants,
     [DefaultValue(InitMethod.DefaultConstructor)] NetworkConfig NetworkConfig,
     [DefaultValue(InitMethod.DefaultConstructor)] NetworkSecurityGroupConfig ProxyNsgConfig,
-    AzureVmExtensionConfig? Extensions,
-    string DefaultWindowsVmImage = "MicrosoftWindowsDesktop:Windows-10:win10-21h2-pro:latest",
-    string DefaultLinuxVmImage = "Canonical:0001-com-ubuntu-server-focal:20_04-lts:latest",
+    AzureVmExtensionConfig? Extensions = null,
+    ImageReference? DefaultWindowsVmImage = null,
+    ImageReference? DefaultLinuxVmImage = null,
     string ProxyVmSku = "Standard_B2s",
     bool RequireAdminPrivileges = false,
     IDictionary<Endpoint, ApiAccessRule>? ApiAccessRules = null,
     IDictionary<PrincipalId, GroupId[]>? GroupMembership = null,
     IDictionary<string, string>? VmTags = null,
     IDictionary<string, string>? VmssTags = null
 ) : EntityBase() {
+
     public InstanceConfig(string instanceName) : this(
-        instanceName,
-        null,
-        Array.Empty<string>(),
-        new NetworkConfig(),
-        new NetworkSecurityGroupConfig(),
-        null,
-        "MicrosoftWindowsDesktop:Windows-10:win10-21h2-pro:latest",
-        "Canonical:0001-com-ubuntu-server-focal:20_04-lts:latest",
-        "Standard_B2s",
-        false
-        ) { }
+        InstanceName: instanceName,
+        Admins: null,
+        AllowedAadTenants: Array.Empty<string>(),
+        NetworkConfig: new NetworkConfig(),
+        ProxyNsgConfig: new NetworkSecurityGroupConfig()) { }
 
     public static List<Guid>? CheckAdmins(List<Guid>? value) {
         if (value is not null && value.Count == 0) {
@@ -378,8 +373,8 @@ public InstanceConfig(string instanceName) : this(
 
     public InstanceConfig() : this(String.Empty) { }
 
-    //# At the moment, this only checks allowed_aad_tenants, however adding
-    //# support for 3rd party JWT validation is anticipated in a future release.
+    // At the moment, this only checks allowed_aad_tenants, however adding
+    // support for 3rd party JWT validation is anticipated in a future release.
     public ResultVoid<List<string>> CheckInstanceConfig() {
         List<string> errors = new();
         if (AllowedAadTenants.Length == 0) {
@@ -415,7 +410,7 @@ public record Scaleset(
     [RowKey] Guid ScalesetId,
     ScalesetState State,
     string VmSku,
-    string Image,
+    ImageReference Image,
     Region Region,
     long Size,
     bool? SpotInstances,
@@ -757,7 +752,7 @@ public record Vm(
     string Name,
     Region Region,
     string Sku,
-    string Image,
+    ImageReference Image,
     Authentication Auth,
     Nsg? Nsg,
     IDictionary<string, string>? Tags

src/ApiService/ApiService/OneFuzzTypes/Requests.cs

@@ -191,7 +191,7 @@ public record ProxyReset(
 public record ScalesetCreate(
     [property: Required] PoolName PoolName,
     [property: Required] string VmSku,
-    string? Image,
+    ImageReference? Image,
     Region? Region,
     [property: Range(1, long.MaxValue), Required] long Size,
     [property: Required] bool SpotInstances,

src/ApiService/ApiService/OneFuzzTypes/Responses.cs

@@ -127,7 +127,7 @@ public record ScalesetResponse(
     ScalesetState State,
     Authentication? Auth,
     string VmSku,
-    string Image,
+    ImageReference Image,
     Region Region,
     long Size,
     bool? SpotInstances,

src/ApiService/ApiService/Program.cs

@@ -123,7 +123,6 @@ public static async Async.Task Main() {
                 .AddScoped<INodeTasksOperations, NodeTasksOperations>()
                 .AddScoped<INodeMessageOperations, NodeMessageOperations>()
                 .AddScoped<IRequestHandling, RequestHandling>()
-                .AddScoped<IImageOperations, ImageOperations>()
                 .AddScoped<ITeams, Teams>()
                 .AddScoped<IGithubIssues, GithubIssues>()
                 .AddScoped<IAdo, Ado>()