Change type of encryption_at_host to *bool
#338
Conversation
|
|
KMConner
force-pushed
the
encrypt-at-host-nil
branch
from
89e7794 to
798cbe1
Compare
There was a problem hiding this comment.
Hi @KMConner,
Thanks for submitting this PR, I reviewed the code, and while this works, I wonder if we can only add the attribute to the template if it is set, and not systematically.
This may not cover all cases though, but I'll leave this suggestion here, feel free to respond when you have time.
Other than this concern, the code looks legit, I'll come back to this when there's an update, and if we decide to keep the code as-is, we can merge.
| @@ -533,7 +533,7 @@ func (s *TemplateBuilder) SetSecurityProfile(secureBootEnabled bool, vtpmEnabled | |||
| resource.Properties.SecurityProfile.UefiSettings.SecureBootEnabled = common.BoolPtr(secureBootEnabled) | |||
| resource.Properties.SecurityProfile.UefiSettings.VTpmEnabled = common.BoolPtr(vtpmEnabled) | |||
| } | |||
| resource.Properties.SecurityProfile.EncryptionAtHost = common.BoolPtr(encryptionAtHost) | |||
| resource.Properties.SecurityProfile.EncryptionAtHost = encryptionAtHost | |||
There was a problem hiding this comment.
I wonder, should we only set the parameter if true instead of always setting a value? This would be a different (simpler) implementation than what you propose here, that being said maybe there's a case for setting encryptionAtHost to false manually?
If so the current approach makes sense and we can accept it as-is.
cc @JenGoldstrich since you know Azure much better than I do
There was a problem hiding this comment.
I'm conflicted tbh, to do what you suggest it would need to be refactored to be something like this
if encryptionAtHost != nil && *encryptionAtHost {
resource.Properties.SecurityProfile.EncryptionAtHost = encryptionAtHost
}
While we would avoid setting the the field in the template by changing to this, it requires that extra nil check and a true/false. check, when we never actually send false, only true and nil, since sending false is what causes this issue for Azure Subscriptions without this feature enabled (TBH this feels like an API bug but thats an aside). But I will accept either solution tbh
|
Hey @KMConner thanks for your PR, I merged a PR that modifies the template builder quite a lot, do you mind rebasing on top of those changes, and making sure your changes still resolve your issue? Honestly after bumping the deployment API version we might have resolved this issue so it'd be helpful for you to re-test with the version of the plugin on main (If you'd prefer I can trigger a release next week for you to try before we move forward). If you still experience this issue on the new API I'm happy to merge this change to unblock you from upgrading your Azure plugin |
KMConner
force-pushed
the
encrypt-at-host-nil
branch
from
d61a569 to
9e58ff8
Compare
There was a problem hiding this comment.
Thanks for rebasing, @KMConner this LGTM, I manually tested this field and ran acceptance tests, thanks for your contribution!
In v1.4.4,
encryption_at_hostflag was introduced, but we need to enable EncryptionAtHost on Azure subscrioptions in oder to useencryption_at_hostfeature.packer buildwith arm builder always fails on Azure subscription if EncryptionAtHost feature is not enabled.This error happens even if
encryption_at_hostis set to false orencryption_at_hostis not specified.The below is the error message.
This is because
securityProfile.encryptionAtHostproperty is always specified in the template deployed while build.The property should not be specified when EncryptionAtHost feature is not enabled (Error happend even if
falseis specified).So, I changed
encryption_at_hostargument fromboolto*bool, so thatsecurityProfile.encryptionAtHostproperty is not contained in the deployed template whenencryption_at_hostis not specified.