Add encryption at host flag to the arm template #311
Conversation
|
|
kamilpi
force-pushed
the
feature/encryption-at-host
branch
from
1ee0bdf to
7a2c87e
Compare
There was a problem hiding this comment.
Hey @kamilpi thank you for this contribution, I added a comment about trusted launch but can you also take a look at the unit tests failing in the GitHub Checks? They are failing because your changes mean we generate a different Arm VM template than these unit tests expect, you can find these templates in ./builder/azure/arm/template_factory_test.TestVirtualMachineDeployment*.json please let me know if you have any questions or need some help fixing these unit tests!
| @@ -562,6 +562,8 @@ type Config struct { | |||
| LicenseType string `mapstructure:"license_type" required:"false"` | |||
| // Specifies if Secure Boot and Trusted Launch is enabled for the Virtual Machine. | |||
| SecureBootEnabled bool `mapstructure:"secure_boot_enabled" required:"false"` | |||
| // Specifies if Encryption at host is enabled for the Virtual Machine. | |||
There was a problem hiding this comment.
| // Specifies if Encryption at host is enabled for the Virtual Machine. | |
| // Specifies if Encryption at host is enabled for the Virtual Machine. | |
| // Requires enabling encryption at host in the Subscription read more [here](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell) |
There was a problem hiding this comment.
@kamilpi do you mind taking in this change as well? Afterwards you need to run make generate to generate the docs site from the config, let me know if you have any trouble with this as I can just commit the change to your fork
kamilpi
force-pushed
the
feature/encryption-at-host
branch
from
7a2c87e to
c73f089
Compare
kamilpi
force-pushed
the
feature/encryption-at-host
branch
from
c73f089 to
3abb3a3
Compare
|
Thanks for this contribution @kamilpi merging this now! We should have a release out containing this change in a few weeks |
|
does this solve the Trusted Launch issue @JenGoldstrich ? :) |
|
This breaks the build process when the feature is not enabled in the Azure subscription and the packer variable is not set, while it worked perfectly fine on 1.4.3. Details=[{"code":"BadRequest","message":"{\r\n "error": {\r\n "code": "InvalidParameter",\r\n "message": "The property 'securityProfile.encryptionAtHost' is not valid because the 'Microsoft.Compute/EncryptionAtHost' feature is not enabled for this subscription.",\r\n "target": "securityProfile.encryptionAtHost"\r\n }\r\n}"}] |
This is an additional parameter already existing in the arm template. We have restricted policies on our infrastructure where we are not able to create the virtual machine without Encryption at host enabled.
I know that it could be a dedicated subscription for the build process but this is the organization and certification requirement.