Spec for ProtectedSettingsFromKeyVault and AllowExtensionOperations (Azure#16590)

* KV changes

* adding allowExtensionOperation

* fixing examples

Author: kamusta-msft

specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/compute.json

@@ -1723,7 +1723,7 @@
         "x-ms-long-running-operation": true,
         "x-ms-examples": {
           "Update VM extension.": {
-            "$ref": "./examples/compute/UpdateVMExtensionWithSuppressFailureEnabled.json"
+            "$ref": "./examples/compute/UpdateVMExtension.json"
           }
         }
       },
@@ -5425,6 +5425,9 @@
           },
           "Create a scale set with spot restore policy": {
             "$ref": "./examples/compute/CreateAScaleSetWithSpotRestorePolicy.json"
+          },
+          "Create a VMSS with an extension with protectedSettingsFromKeyVault": {
+            "$ref": "./examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json"
           }
         }
       },
@@ -9554,6 +9557,10 @@
         "suppressFailures": {
           "type": "boolean",
           "description": "Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+        },
+        "protectedSettingsFromKeyVault": {
+          "type": "object",
+          "description": "The extensions protected settings that are passed by reference, and consumed from key vault"
         }
       },
       "description": "Describes the properties of a Virtual Machine Extension."
@@ -9595,6 +9602,10 @@
         "suppressFailures": {
           "type": "boolean",
           "description": "Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+        },
+        "protectedSettingsFromKeyVault": {
+          "type": "object",
+          "description": "The extensions protected settings that are passed by reference, and consumed from key vault"
         }
       },
       "description": "Describes the properties of a Virtual Machine Extension."
@@ -12610,6 +12621,10 @@
             "$ref": "#/definitions/VaultSecretGroup"
           },
           "description": "Specifies set of certificates that should be installed onto the virtual machines in the scale set. To install certificates on a virtual machine it is recommended to use the [Azure Key Vault virtual machine extension for Linux](https://docs.microsoft.com/azure/virtual-machines/extensions/key-vault-linux) or the [Azure Key Vault virtual machine extension for Windows](https://docs.microsoft.com/azure/virtual-machines/extensions/key-vault-windows)."
+        },
+        "allowExtensionOperations": {
+          "type": "boolean",
+          "description": "Specifies whether extension operations should be allowed on the virtual machine scale set. <br><br>This may only be set to False when no extensions are present on the virtual machine scale set."
         }
       },
       "description": "Describes a virtual machine scale set OS profile."
@@ -13380,6 +13395,10 @@
         "suppressFailures": {
           "type": "boolean",
           "description": "Indicates whether failures stemming from the extension will be suppressed (Operational failures such as not connecting to the VM will not be suppressed regardless of this value). The default is false."
+        },
+        "protectedSettingsFromKeyVault": {
+          "type": "object",
+          "description": "The extensions protected settings that are passed by reference, and consumed from key vault"
         }
       },
       "description": "Describes the properties of a Virtual Machine Scale Set Extension."

specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/CreateAScaleSetWithProtectedSettingsFromKeyVault.json

@@ -0,0 +1,293 @@
+{
+  "parameters": {
+    "subscriptionId": "{subscription-id}",
+    "resourceGroupName": "myResourceGroup",
+    "vmScaleSetName": "{vmss-name}",
+    "api-version": "2021-07-01",
+    "parameters": {
+      "sku": {
+        "tier": "Standard",
+        "capacity": 3,
+        "name": "Standard_D1_v2"
+      },
+      "location": "westus",
+      "properties": {
+        "overprovision": true,
+        "virtualMachineProfile": {
+          "storageProfile": {
+            "imageReference": {
+              "sku": "2016-Datacenter",
+              "publisher": "MicrosoftWindowsServer",
+              "version": "latest",
+              "offer": "WindowsServer"
+            },
+            "osDisk": {
+              "caching": "ReadWrite",
+              "managedDisk": {
+                "storageAccountType": "Standard_LRS"
+              },
+              "createOption": "FromImage"
+            }
+          },
+          "diagnosticsProfile": {
+            "bootDiagnostics": {
+              "storageUri": "http://{existing-storage-account-name}.blob.core.windows.net",
+              "enabled": true
+            }
+          },
+          "osProfile": {
+            "computerNamePrefix": "{vmss-name}",
+            "adminUsername": "{your-username}",
+            "adminPassword": "{your-password}"
+          },
+          "extensionProfile": {
+            "extensions": [
+              {
+                "name": "{extension-name}",
+                "properties": {
+                  "autoUpgradeMinorVersion": false,
+                  "publisher": "{extension-Publisher}",
+                  "type": "{extension-Type}",
+                  "typeHandlerVersion": "{handler-version}",
+                  "settings": {},
+                  "protectedSettingsFromKeyVault": {
+                    "sourceVault": {
+                      "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName"
+                    },
+                    "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e"
+                  }
+                }
+              }
+            ]
+          },
+          "networkProfile": {
+            "networkInterfaceConfigurations": [
+              {
+                "name": "{vmss-name}",
+                "properties": {
+                  "primary": true,
+                  "enableIPForwarding": true,
+                  "ipConfigurations": [
+                    {
+                      "name": "{vmss-name}",
+                      "properties": {
+                        "subnet": {
+                          "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/{existing-virtual-network-name}/subnets/{existing-subnet-name}"
+                        }
+                      }
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        },
+        "upgradePolicy": {
+          "mode": "Manual"
+        }
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "sku": {
+          "tier": "Standard",
+          "capacity": 3,
+          "name": "Standard_D1_v2"
+        },
+        "name": "{vmss-name}",
+        "properties": {
+          "singlePlacementGroup": true,
+          "overprovision": true,
+          "uniqueId": "d053ec5a-8da6-495f-ab13-38216503c6d7",
+          "virtualMachineProfile": {
+            "storageProfile": {
+              "imageReference": {
+                "sku": "2016-Datacenter",
+                "publisher": "MicrosoftWindowsServer",
+                "version": "latest",
+                "offer": "WindowsServer"
+              },
+              "osDisk": {
+                "caching": "ReadWrite",
+                "managedDisk": {
+                  "storageAccountType": "Standard_LRS"
+                },
+                "createOption": "FromImage"
+              }
+            },
+            "diagnosticsProfile": {
+              "bootDiagnostics": {
+                "storageUri": "http://nsgdiagnostic.blob.core.windows.net",
+                "enabled": true
+              }
+            },
+            "osProfile": {
+              "computerNamePrefix": "{vmss-name}",
+              "adminUsername": "{your-username}",
+              "secrets": [],
+              "windowsConfiguration": {
+                "provisionVMAgent": true,
+                "enableAutomaticUpdates": true
+              }
+            },
+            "extensionProfile": {
+              "extensions": [
+                {
+                  "name": "{extension-name}",
+                  "properties": {
+                    "autoUpgradeMinorVersion": false,
+                    "publisher": "{extension-Publisher}",
+                    "type": "{extension-Type}",
+                    "typeHandlerVersion": "{handler-version}",
+                    "settings": {},
+                    "protectedSettingsFromKeyVault": {
+                      "sourceVault": {
+                        "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName"
+                      },
+                      "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e"
+                    }
+                  }
+                }
+              ]
+            },
+            "networkProfile": {
+              "networkInterfaceConfigurations": [
+                {
+                  "name": "{vmss-name}",
+                  "properties": {
+                    "dnsSettings": {
+                      "dnsServers": []
+                    },
+                    "primary": true,
+                    "enableIPForwarding": true,
+                    "ipConfigurations": [
+                      {
+                        "name": "{vmss-name}",
+                        "properties": {
+                          "subnet": {
+                            "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/nsgExistingVnet/subnets/nsgExistingSubnet"
+                          },
+                          "privateIPAddressVersion": "IPv4"
+                        }
+                      }
+                    ],
+                    "enableAcceleratedNetworking": false
+                  }
+                }
+              ]
+            }
+          },
+          "upgradePolicy": {
+            "mode": "Manual"
+          },
+          "provisioningState": "Creating"
+        },
+        "location": "westus",
+        "type": "Microsoft.Compute/virtualMachineScaleSets",
+        "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachineScaleSets/{vmss-name}"
+      }
+    },
+    "201": {
+      "body": {
+        "sku": {
+          "tier": "Standard",
+          "capacity": 3,
+          "name": "Standard_D1_v2"
+        },
+        "name": "{vmss-name}",
+        "properties": {
+          "singlePlacementGroup": true,
+          "overprovision": true,
+          "uniqueId": "d053ec5a-8da6-495f-ab13-38216503c6d7",
+          "virtualMachineProfile": {
+            "storageProfile": {
+              "imageReference": {
+                "sku": "2016-Datacenter",
+                "publisher": "MicrosoftWindowsServer",
+                "version": "latest",
+                "offer": "WindowsServer"
+              },
+              "osDisk": {
+                "caching": "ReadWrite",
+                "managedDisk": {
+                  "storageAccountType": "Standard_LRS"
+                },
+                "createOption": "FromImage"
+              }
+            },
+            "diagnosticsProfile": {
+              "bootDiagnostics": {
+                "storageUri": "http://nsgdiagnostic.blob.core.windows.net",
+                "enabled": true
+              }
+            },
+            "osProfile": {
+              "computerNamePrefix": "{vmss-name}",
+              "adminUsername": "{your-username}",
+              "secrets": [],
+              "windowsConfiguration": {
+                "provisionVMAgent": true,
+                "enableAutomaticUpdates": true
+              }
+            },
+            "extensionProfile": {
+              "extensions": [
+                {
+                  "name": "{extension-name}",
+                  "properties": {
+                    "autoUpgradeMinorVersion": false,
+                    "publisher": "{extension-Publisher}",
+                    "type": "{extension-Type}",
+                    "typeHandlerVersion": "{handler-version}",
+                    "settings": {},
+                    "protectedSettingsFromKeyVault": {
+                      "sourceVault": {
+                        "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName"
+                      },
+                      "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e"
+                    }
+                  }
+                }
+              ]
+            },
+            "networkProfile": {
+              "networkInterfaceConfigurations": [
+                {
+                  "name": "{vmss-name}",
+                  "properties": {
+                    "dnsSettings": {
+                      "dnsServers": []
+                    },
+                    "primary": true,
+                    "enableIPForwarding": true,
+                    "ipConfigurations": [
+                      {
+                        "name": "{vmss-name}",
+                        "properties": {
+                          "subnet": {
+                            "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/nsgExistingVnet/subnets/nsgExistingSubnet"
+                          },
+                          "privateIPAddressVersion": "IPv4"
+                        }
+                      }
+                    ],
+                    "enableAcceleratedNetworking": false
+                  }
+                }
+              ]
+            }
+          },
+          "upgradePolicy": {
+            "mode": "Manual"
+          },
+          "provisioningState": "Creating"
+        },
+        "location": "westus",
+        "type": "Microsoft.Compute/virtualMachineScaleSets",
+        "id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachineScaleSets/{vmss-name}"
+      }
+    }
+  }
+}

specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtensionWithSuppressFailureEnabled.json renamed to specification/compute/resource-manager/Microsoft.Compute/stable/2021-07-01/examples/compute/UpdateVMExtension.json

@@ -14,6 +14,12 @@
         "suppressFailures": true,
         "settings": {
           "UserName": "[email protected]"
+        },
+        "protectedSettingsFromKeyVault": {
+          "sourceVault": {
+            "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName"
+          },
+          "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e"
         }
       }
     }
@@ -34,6 +40,12 @@
           "suppressFailures": true,
           "settings": {
             "UserName": "[email protected]"
+          },
+          "protectedSettingsFromKeyVault": {
+            "sourceVault": {
+              "id": "/subscriptions/a53f7094-a16c-47af-abe4-b05c05d0d79a/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/kvName"
+            },
+            "secretUrl": "https://kvName.vault.azure.net/secrets/secretName/79b88b3a6f5440ffb2e73e44a0db712e"
           }
         }
       }