Azure / azure-cli

Azure Command-Line Interface
MIT License

Add `--security-posture-reference` to `az vmss create` and `az vmss update` commands #28438

Closed martinezdylan closed 5 months ago

martinezdylan commented 6 months ago

Preconditions

Related command

az vmss create and az vmss update

Resource Provider

N/A

Description of Feature or Work Requested

We'd like to have the ability to provide a securityPostureReference object via the CLI for both the az vmss create and az vmss update commands, to be consistent. ref. https://learn.microsoft.com/en-us/rest/api/compute/virtual-machine-scale-sets/get?view=rest-compute-2023-10-02&tabs=HTTP#securityposturereference

Minimum API Version Required

2023-03-01

Swagger PR link / SDK link

https://github.com/Azure/azure-rest-api-specs/pull/23106

Request Example

https://github.com/Azure/azure-rest-api-specs/blob/6bc6d5759767ea537c0b63b28d785e7e6ea0a90b/specification/compute/resource-manager/Microsoft.Compute/ComputeRP/stable/2023-03-01/examples/virtualMachineScaleSetExamples/VirtualMachineScaleSet_Create_WithSecurityPostureReference.json

Target Date

2024-04-01

PM Contact

danielli

Engineer Contact

dymartinez

Additional context

No response

yonzhan commented 6 months ago

Thank you for opening this issue, we will look into it.

yanzhudd commented 6 months ago

Hi @martinezdylan, let me check with you: should the newly added parameter --security-posture-reference point to the id field of securityPostureReference?

martinezdylan commented 6 months ago

Hi @yanzhudd, the parameter should technically support what we have published to the REST API doc (ref. SecurityPostureReference)

How do you guys typically handle objects? Are they flattened into individual parameters? We will add more fields over time (e.g. isImmutable) to the definition, so I'm curious whether we'd have to submit something each time this changes.

yanzhudd commented 6 months ago

> Hi @yanzhudd, the parameter should technically support what we have published to the REST API doc (ref. SecurityPostureReference)
>
> How do you guys typically handle objects? Are they flattened into individual parameters? We will add more fields over time (e.g. isImmutable) to the definition, so I'm curious whether we'd have to submit something each time this changes.

Hi @martinezdylan, yes, we always flatten the object into individual parameters, which is easier for users. So, if there are more fields that need to be supported, please specify them with corresponding newly added parameters. If there are other fields added in the future that need CLI support, please submit feature requests then.

martinezdylan commented 6 months ago

I see, in that case, this request should be adjusted to include support for two parameters for az vmss create and az vmss update which would be the following:

This would make Azure CLI consistent with what's found in our REST API. Let me know if I should adjust the original request or this comment would do.

yanzhudd commented 6 months ago

Hi @martinezdylan, may I ask why we should input a list of the entire VirtualMachineExtension objects to the excludeExtensions field? It seems that the id of the VirtualMachineExtension is enough to get the resource.

martinezdylan commented 6 months ago

Good question @yanzhudd, my understanding of the original author's reason for this is that the id of the VM Extension would be arbitrarily assigned at each provisioning of the resource. Thus, the match is made on three properties: Name, Type, and Publisher. ref. VmssSecurityPostureProcessor.cs

yanzhudd commented 5 months ago

Hi @martinezdylan, we're trying to add some tests on the CLI side for this change, but we're not familiar with the security posture resource. Do you know if there is any way to create a security posture resource using a CLI command? If you're not sure about it either, could you please help to test this change? We'll provide a private package to you.

martinezdylan commented 5 months ago

Sure thing @yanzhudd, which region are you guys testing in? If you'd like to access the reference directly, you could use either of the following for securityPostureReference.id:

But also, if you guys want to mock out the resource instead you can use the following payload:

{
    "properties": {
        "additionalSettings": [
            {
                "name": "SecurityPostureGuestAttestation",
                "publisher": "Microsoft.Azure.Security.LinuxAttestation",
                "type": "GuestAttestation",
                "typeHandlerVersion": "1.0",
                "autoUpgradeMinorVersion": true,
                "enableAutomaticUpgrade": false,
                "settings": {},
                "protectedSettings": {}
            },
            {
                "name": "SecurityPostureGuestConfiguration",
                "publisher": "Microsoft.GuestConfiguration",
                "type": "ConfigurationForLinux",
                "typeHandlerVersion": "1.0",
                "autoUpgradeMinorVersion": true,
                "enableAutomaticUpgrade": false,
                "settings": {},
                "protectedSettings": {}
            },
            {
                "name": "SecurityPostureSecurityAgent",
                "publisher": "Microsoft.Azure.Security.Monitoring",
                "type": "AzureSecurityLinuxAgent",
                "typeHandlerVersion": "2.0",
                "autoUpgradeMinorVersion": true,
                "enableAutomaticUpgrade": false,
                "settings": {},
                "protectedSettings": {}
            }
        ],
        "excludeFromLatest": false,
        "settings": [
            {
                "name": "enableBootDiagnostics",
                "value": "true"
            },
            {
                "name": "enableEncryptionAtHost",
                "value": "true"
            },
            {
                "name": "securityType",
                "value": "TrustedLaunch"
            },
            {
                "name": "secureBootEnabled",
                "value": "true"
            },
            {
                "name": "vTpmEnabled",
                "value": "true"
            }
        ]
    },
    "location": "SouthCentralUS",
    "name": "1.0.0"
}

I hope this helps, let me know if you need anything else.
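As an added illustration (not code from azure-cli or the Compute RP), the following models two things described in this thread: assembling the securityPostureReference object from flattened CLI-style values, and resolving excludeExtensions against the posture's additionalSettings by name, type and publisher rather than by id. MOCK_POSTURE is a trimmed copy of the mock payload posted above; the excludeExtensions entry shape (name plus publisher and type, read from either the top level or a nested properties block) and the helper names are assumptions.

```python
"""Illustrative model of securityPostureReference handling (added example, not azure-cli code)."""
import json

# Trimmed copy of the mock security posture payload posted in this thread.
MOCK_POSTURE = json.loads("""
{
  "properties": {
    "additionalSettings": [
      {"name": "SecurityPostureGuestAttestation",
       "publisher": "Microsoft.Azure.Security.LinuxAttestation",
       "type": "GuestAttestation", "typeHandlerVersion": "1.0"},
      {"name": "SecurityPostureGuestConfiguration",
       "publisher": "Microsoft.GuestConfiguration",
       "type": "ConfigurationForLinux", "typeHandlerVersion": "1.0"},
      {"name": "SecurityPostureSecurityAgent",
       "publisher": "Microsoft.Azure.Security.Monitoring",
       "type": "AzureSecurityLinuxAgent", "typeHandlerVersion": "2.0"}
    ],
    "settings": [
      {"name": "securityType", "value": "TrustedLaunch"},
      {"name": "secureBootEnabled", "value": "true"},
      {"name": "vTpmEnabled", "value": "true"}
    ]
  },
  "location": "SouthCentralUS",
  "name": "1.0.0"
}
""")


def build_security_posture_reference(posture_id, exclude_extensions=None):
    """Assemble the REST securityPostureReference object from flattened values.

    Mirrors the flattening discussed in the thread: one CLI parameter per field.
    The id is a resource path, so a value that does not look like one is rejected
    early instead of being sent to the service. (Assumed validation, not the CLI's.)
    """
    if not isinstance(posture_id, str) or not posture_id.startswith("/"):
        raise ValueError("securityPostureReference.id must be a resource path")
    ref = {"id": posture_id}
    if exclude_extensions:
        # Pass the extension objects through unchanged (assumed shape, see lead-in).
        ref["excludeExtensions"] = list(exclude_extensions)
    return ref


def extension_key(ext):
    """Identity tuple (name, type, publisher) for an extension object.

    Ids are deliberately not part of the key: per the thread, an extension id is
    assigned at each provisioning, so only name/type/publisher are stable.
    Publisher and type are read from a nested 'properties' block if present,
    otherwise from the top level (assumption to tolerate both shapes).
    """
    props = ext.get("properties", ext)
    return (ext.get("name"), props.get("type"), props.get("publisher"))


def effective_extensions(posture, exclude_extensions):
    """Extensions from the posture that remain after applying excludeExtensions."""
    excluded = {extension_key(e) for e in (exclude_extensions or [])}
    return [e for e in posture["properties"]["additionalSettings"]
            if extension_key(e) not in excluded]


def unmatched_exclusions(posture, exclude_extensions):
    """Exclusions matching nothing in the posture (e.g. name given without type/publisher).

    Surfacing these lets an operator notice that an intended exclusion had no effect.
    """
    present = {extension_key(e) for e in posture["properties"]["additionalSettings"]}
    return [e for e in (exclude_extensions or []) if extension_key(e) not in present]


def posture_settings(posture):
    """Flatten the posture's name/value settings list into a dict."""
    return {s["name"]: s["value"] for s in posture["properties"]["settings"]}


if __name__ == "__main__":
    exclude = [{"name": "SecurityPostureGuestConfiguration",
                "publisher": "Microsoft.GuestConfiguration",
                "type": "ConfigurationForLinux"}]
    print(json.dumps(build_security_posture_reference(
        "/internal/Providers/Microsoft.Compute/galleries/<gallery>/securityPostures/<posture>/versions/1.0.0",
        exclude), indent=2))
    print([e["name"] for e in effective_extensions(MOCK_POSTURE, exclude)])
    print(posture_settings(MOCK_POSTURE))
```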

martinezdylan commented 5 months ago

Also, thinking about this again - we would need to enable this feature for whichever subscription you're using. We have internal docs which can be found here: https://dev.azure.com/msazure/AzureWiki/_wiki/wikis/AzureWiki.wiki/636324/Virtual-Machine-Scale-Sets-(VMSS)

Note: The only region I'd recommend testing in would be EastUS2EUAP until we can publish the security postures to other production regions which should be happening soon.

Let me know if you need my help with any enablement.

yanzhudd commented 5 months ago

Hi @martinezdylan, thanks for your quick reply and info. Now I can send a request with the id field of securityPostureReference set to "/internal/Providers/Microsoft.Compute/galleries/SecurityPostureGallery-uiualhwjibht/securityPostures/VMSSUniformLinux/versions/1.0.0" without any error. However, it seems that the field is still null when requesting the VMSS resource. Does that meet your expectation?

BTW, here is a private package for this change: https://dev.azure.com/azclitools/public/_build/results?buildId=139035&view=artifacts&pathAsName=false&type=publishedArtifacts. It would be appreciated if you could test it when you are available. If there is any issue, please let us know.

martinezdylan commented 5 months ago

Thanks so much for providing the private package - I'll try and give it a shot on a subscription that has the feature enabled. It should update the VMSS DataModel to reflect a securityPostureReference with the id provided, but I think the issue is likely your subscription / feature enablement unless you followed the Wiki page? Also, just curious, which region were you testing in?

I'll take a look to see if I can use the private CLI and will update here once I have it.

yanzhudd commented 5 months ago

Thanks @martinezdylan, I'm going through the wiki to enable this feature, but I'm not familiar with the Geneva ACIS Action and have no idea how to access it. And I'm trying to register our subId using a CLI command, but an error is reported. If it is convenient for you, could you please help to register our subId? 0b1f6471-1bf0-4dda-aec3-cb9272f09590

Now I'm testing it in EastUS2EUAP as you recommended.

martinezdylan commented 5 months ago

Hi @yanzhudd, no worries I actually got the AFEC added to your sub for you. Could you try again when you get a chance? It should definitely give you a result now.

yanzhudd commented 5 months ago

Hi @martinezdylan, it seems I still cannot get the expected result. Could you please help to look at what's incorrect with my input? Here are some request info:

Request URL: 'https://management.azure.com/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourcegroups/zytest/providers/Microsoft.Resources/deployments/vmss_deploy_I2XZAL5VjnGqSo1gDALMer6SIBW6LQPo?api-version=2022-09-01' Request method: 'PUT'

Response status: 201 'x-ms-request-id': 'c6760190-8966-4548-8fdf-d677f3910828' 'x-ms-correlation-request-id': 'c6760190-8966-4548-8fdf-d677f3910828' 'x-ms-routing-request-id': 'SOUTHEASTASIA:20240318T025513Z:c6760190-8966-4548-8fdf-d677f3910828'

Thanks!

martinezdylan commented 5 months ago

Hi @yanzhudd, can you try changing the ?api-version and set it to 2023-03-01? I'm pretty sure that's what it is.

yanzhudd commented 5 months ago

Thanks @martinezdylan, the way the CLI creates a VMSS is by using an ARM template, and the API version mentioned above is that of ARM. The actual API version for creating the VMSS resource is 2023-09-01, and here is our request body:

{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "adminPassword": {
          "type": "securestring",
          "metadata": {
            "description": "Secure adminPassword"
          }
        }
      },
      "variables": {},
      "resources": [
        {
          "apiVersion": "2022-01-01",
          "type": "Microsoft.Network/publicIPAddresses",
          "name": "vmss3LBPublicIP",
          "location": "eastus2euap",
          "tags": {},
          "dependsOn": [],
          "properties": {
            "publicIPAllocationMethod": "Static"
          },
          "sku": {
            "name": "Standard"
          }
        },
        {
          "type": "Microsoft.Network/loadBalancers",
          "name": "vmss3LB",
          "location": "eastus2euap",
          "tags": {},
          "apiVersion": "2022-01-01",
          "dependsOn": [
            "Microsoft.Network/publicIpAddresses/vmss3LBPublicIP"
          ],
          "properties": {
            "backendAddressPools": [
              {
                "name": "vmss3LBBEPool"
              }
            ],
            "frontendIPConfigurations": [
              {
                "name": "loadBalancerFrontEnd",
                "properties": {
                  "publicIPAddress": {
                    "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest/providers/Microsoft.Network/publicIPAddresses/vmss3LBPublicIP"
                  }
                }
              }
            ],
            "loadBalancingRules": [
              {
                "name": "LBRule",
                "properties": {
                  "frontendIPConfiguration": {
                    "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'vmss3LB'), '/frontendIPConfigurations/', 'loadBalancerFrontEnd')]"
                  },
                  "backendAddressPool": {
                    "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'vmss3LB'), '/backendAddressPools/', 'vmss3LBBEPool')]"
                  },
                  "protocol": "tcp",
                  "frontendPort": 80,
                  "backendPort": 80,
                  "enableFloatingIP": false,
                  "idleTimeoutInMinutes": 5
                }
              }
            ]
          },
          "sku": {
            "name": "Standard"
          }
        },
        {
          "type": "Microsoft.Network/networkSecurityGroups",
          "name": "vmss3NSG",
          "apiVersion": "2015-06-15",
          "location": "eastus2euap",
          "tags": {},
          "dependsOn": [],
          "properties": {
            "securityRules": [
              {
                "name": "default-allow-ssh",
                "properties": {
                  "protocol": "Tcp",
                  "sourcePortRange": "*",
                  "destinationPortRange": "22",
                  "sourceAddressPrefix": "*",
                  "destinationAddressPrefix": "*",
                  "access": "Allow",
                  "priority": 1000,
                  "direction": "Inbound"
                }
              }
            ]
          }
        },
        {
          "type": "Microsoft.Network/loadBalancers/inboundNatRules",
          "apiVersion": "2022-01-01",
          "name": "vmss3LB/NatRule",
          "location": "eastus2euap",
          "properties": {
            "frontendIPConfiguration": {
              "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'vmss3LB'), '/frontendIPConfigurations/', 'loadBalancerFrontEnd')]"
            },
            "backendAddressPool": {
              "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'vmss3LB'), '/backendAddressPools/', 'vmss3LBBEPool')]"
            },
            "backendPort": 3389,
            "frontendPortRangeStart": "50000",
            "frontendPortRangeEnd": "50119",
            "protocol": "tcp",
            "idleTimeoutInMinutes": 5
          },
          "dependsOn": [
            "[concat('Microsoft.Network/loadBalancers/', 'vmss3LB')]"
          ]
        },
        {
          "type": "Microsoft.Compute/virtualMachineScaleSets",
          "name": "vmss3",
          "location": "eastus2euap",
          "tags": {},
          "apiVersion": "2023-09-01",
          "dependsOn": [
            "Microsoft.Network/loadBalancers/vmss3LB",
            "Microsoft.Network/networkSecurityGroups/vmss3NSG"
          ],
          "properties": {
            "singlePlacementGroup": null,
            "platformFaultDomainCount": 1,
            "virtualMachineProfile": {
              "storageProfile": {
                "osDisk": {
                  "createOption": "FromImage",
                  "caching": "ReadWrite",
                  "managedDisk": {
                    "storageAccountType": null
                  }
                },
                "imageReference": {
                  "publisher": "MicrosoftWindowsServer",
                  "offer": "WindowsServer",
                  "sku": "2022-datacenter-g2",
                  "version": "latest"
                }
              },
              "osProfile": {
                "computerNamePrefix": "vmss3",
                "adminUsername": "azureuser",
                "adminPassword": "[parameters('adminPassword')]",
                "windowsConfiguration": {
                  "provisionVMAgent": true,
                  "enableAutomaticUpdates": false,
                  "patchSettings": {
                    "patchMode": "Manual"
                  }
                }
              },
              "networkProfile": {
                "networkInterfaceConfigurations": [
                  {
                    "name": "vmss31b1aNic",
                    "properties": {
                      "ipConfigurations": [
                        {
                          "name": "vmss31b1aIPConfig",
                          "properties": {
                            "subnet": {
                              "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest/providers/Microsoft.Network/virtualNetworks/vmss1VNET/subnets/vmss1Subnet"
                            },
                            "loadBalancerBackendAddressPools": [
                              {
                                "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest/providers/Microsoft.Network/loadBalancers/vmss3LB/backendAddressPools/vmss3LBBEPool"
                              }
                            ]
                          }
                        }
                      ],
                      "networkSecurityGroup": {
                        "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'vmss3NSG')]"
                      },
                      "primary": "true"
                    }
                  }
                ],
                "networkApiVersion": "2020-11-01"
              },
              "securityPostureReference": {
                "id": "/internal/Providers/Microsoft.Compute/galleries/SecurityPostureGallery-uiualhwjibht/securityPostures/VMSSUniformLinux/versions/1.0.0",
                "excludeExtensions": null
              }
            },
            "orchestrationMode": "Flexible"
          },
          "sku": {
            "name": "Standard_DS1_v2",
            "capacity": 2
          }
        }
      ],
      "outputs": {
        "VMSS": {
          "type": "object",
          "value": "[reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', 'vmss3'),providers('Microsoft.Compute', 'virtualMachineScaleSets').apiVersions[0])]"
        }
      }
    },
    "parameters": {
      "adminPassword": {
        "value": "testPassword0"
      }
    },
    "mode": "incremental"
  }
}

martinezdylan commented 5 months ago

Ahh, thanks for including the full requestBody. I see you've set the orchestrationMode to Flexible. At this time, we only have support for Uniform. Could you update your request?

yanzhudd commented 5 months ago

Hi @martinezdylan, it still seems to return null for the securityPostureReference field. Here is the new request body:

{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [
        {
          "name": "vmss1VNET",
          "type": "Microsoft.Network/virtualNetworks",
          "location": "eastus2euap",
          "apiVersion": "2015-06-15",
          "dependsOn": [],
          "tags": {},
          "properties": {
            "addressSpace": {
              "addressPrefixes": [
                "10.0.0.0/16"
              ]
            },
            "subnets": [
              {
                "name": "vmss1Subnet",
                "properties": {
                  "addressPrefix": "10.0.0.0/24"
                }
              }
            ]
          }
        },
        {
          "apiVersion": "2022-01-01",
          "type": "Microsoft.Network/publicIPAddresses",
          "name": "vmss1LBPublicIP",
          "location": "eastus2euap",
          "tags": {},
          "dependsOn": [],
          "properties": {
            "publicIPAllocationMethod": "Static"
          },
          "sku": {
            "name": "Standard"
          }
        },
        {
          "type": "Microsoft.Network/loadBalancers",
          "name": "vmss1LB",
          "location": "eastus2euap",
          "tags": {},
          "apiVersion": "2022-01-01",
          "dependsOn": [
            "Microsoft.Network/virtualNetworks/vmss1VNET",
            "Microsoft.Network/publicIpAddresses/vmss1LBPublicIP"
          ],
          "properties": {
            "backendAddressPools": [
              {
                "name": "vmss1LBBEPool"
              }
            ],
            "frontendIPConfigurations": [
              {
                "name": "loadBalancerFrontEnd",
                "properties": {
                  "publicIPAddress": {
                    "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest2/providers/Microsoft.Network/publicIPAddresses/vmss1LBPublicIP"
                  }
                }
              }
            ],
            "loadBalancingRules": [
              {
                "name": "LBRule",
                "properties": {
                  "frontendIPConfiguration": {
                    "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'vmss1LB'), '/frontendIPConfigurations/', 'loadBalancerFrontEnd')]"
                  },
                  "backendAddressPool": {
                    "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'vmss1LB'), '/backendAddressPools/', 'vmss1LBBEPool')]"
                  },
                  "protocol": "tcp",
                  "frontendPort": 80,
                  "backendPort": 80,
                  "enableFloatingIP": false,
                  "idleTimeoutInMinutes": 5
                }
              }
            ]
          },
          "sku": {
            "name": "Standard"
          }
        },
        {
          "type": "Microsoft.Network/networkSecurityGroups",
          "name": "vmss1NSG",
          "apiVersion": "2015-06-15",
          "location": "eastus2euap",
          "tags": {},
          "dependsOn": [],
          "properties": {
            "securityRules": [
              {
                "name": "default-allow-ssh",
                "properties": {
                  "protocol": "Tcp",
                  "sourcePortRange": "*",
                  "destinationPortRange": "22",
                  "sourceAddressPrefix": "*",
                  "destinationAddressPrefix": "*",
                  "access": "Allow",
                  "priority": 1000,
                  "direction": "Inbound"
                }
              }
            ]
          }
        },
        {
          "type": "Microsoft.Network/loadBalancers/inboundNatRules",
          "apiVersion": "2022-01-01",
          "name": "vmss1LB/NatRule",
          "location": "eastus2euap",
          "properties": {
            "frontendIPConfiguration": {
              "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'vmss1LB'), '/frontendIPConfigurations/', 'loadBalancerFrontEnd')]"
            },
            "backendAddressPool": {
              "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'vmss1LB'), '/backendAddressPools/', 'vmss1LBBEPool')]"
            },
            "backendPort": 22,
            "frontendPortRangeStart": "50000",
            "frontendPortRangeEnd": "50119",
            "protocol": "tcp",
            "idleTimeoutInMinutes": 5
          },
          "dependsOn": [
            "[concat('Microsoft.Network/loadBalancers/', 'vmss1LB')]"
          ]
        },
        {
          "type": "Microsoft.Compute/virtualMachineScaleSets",
          "name": "vmss1",
          "location": "eastus2euap",
          "tags": {},
          "apiVersion": "2023-09-01",
          "dependsOn": [
            "Microsoft.Network/virtualNetworks/vmss1VNET",
            "Microsoft.Network/loadBalancers/vmss1LB",
            "Microsoft.Network/networkSecurityGroups/vmss1NSG"
          ],
          "properties": {
            "overprovision": true,
            "upgradePolicy": {
              "mode": "manual",
              "rollingUpgradePolicy": {}
            },
            "singlePlacementGroup": null,
            "virtualMachineProfile": {
              "storageProfile": {
                "osDisk": {
                  "createOption": "FromImage",
                  "caching": "ReadWrite",
                  "managedDisk": {
                    "storageAccountType": null
                  }
                },
                "imageReference": {
                  "publisher": "Canonical",
                  "offer": "UbuntuServer",
                  "sku": "18.04-LTS",
                  "version": "latest"
                }
              },
              "osProfile": {
                "computerNamePrefix": "vmss18b64",
                "adminUsername": "sdk-test-admin",
                "linuxConfiguration": {
                  "disablePasswordAuthentication": true,
                  "ssh": {
                    "publicKeys": [
                      {
                        "path": "/home/sdk-test-admin/.ssh/authorized_keys",
                        "keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQTqmLx6HirtKwbUQJgOMcZZ8SXT2Xd5q0UaNicbSItgGFgLJEEuGxkZgda5XoCOcavRIndHFQ7SoZKCvb385Wmxtpbc8nqJaYM+lCbJf7nWuEoWobr4nFOEzf8ofqKe+64PaYb+tZFR2jjfWMSM3h8BLx1lJDs2zvwv9J5Gh50B0CnEdohy3C6uySU5zupHksadB9HtvaRDnjWuNgFN2h6IYZYLcu/l9DfM0N6ZjYfPToZk5D2xJqdoRkpG3mtP82Ib+eqnYo2VFtd2fHuexlp0O8u43j/YSjPinxij+Dm6P4jzaq+5n8+tEb7w1giD7LvZ+Tg4HmQIauhv+bvVVn"
                      }
                    ]
                  }
                }
              },
              "networkProfile": {
                "networkInterfaceConfigurations": [
                  {
                    "name": "vmss18b64Nic",
                    "properties": {
                      "ipConfigurations": [
                        {
                          "name": "vmss18b64IPConfig",
                          "properties": {
                            "subnet": {
                              "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest2/providers/Microsoft.Network/virtualNetworks/vmss1VNET/subnets/vmss1Subnet"
                            },
                            "loadBalancerBackendAddressPools": [
                              {
                                "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest2/providers/Microsoft.Network/loadBalancers/vmss1LB/backendAddressPools/vmss1LBBEPool"
                              }
                            ]
                          }
                        }
                      ],
                      "networkSecurityGroup": {
                        "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'vmss1NSG')]"
                      },
                      "primary": "true"
                    }
                  }
                ]
              },
              "securityPostureReference": {
                "id": "/internal/Providers/Microsoft.Compute/galleries/SecurityPostureGallery-uiualhwjibht/securityPostures/VMSSUniformLinux/versions/1.0.0",
                "excludeExtensions": null
              }
            },
            "orchestrationMode": "Uniform"
          },
          "sku": {
            "name": "Standard_DS1_v2",
            "capacity": 2
          }
        }
      ],
      "outputs": {
        "VMSS": {
          "type": "object",
          "value": "[reference(resourceId('Microsoft.Compute/virtualMachineScaleSets', 'vmss1'),providers('Microsoft.Compute', 'virtualMachineScaleSets').apiVersions[0])]"
        }
      }
    },
    "parameters": {},
    "mode": "incremental"
  }
}

And here is the GET result:

{
  "additionalCapabilities": null,
  "automaticRepairsPolicy": null,
  "constrainedMaximumCapacity": null,
  "doNotRunExtensionsOnOverprovisionedVMs": false,
  "etag": null,
  "extendedLocation": null,
  "hostGroup": null,
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest2/providers/Microsoft.Compute/virtualMachineScaleSets/vmss1",
  "identity": null,
  "location": "eastus2euap",
  "name": "vmss1",
  "orchestrationMode": "Uniform",
  "overprovision": true,
  "plan": null,
  "platformFaultDomainCount": 5,
  "priorityMixPolicy": null,
  "provisioningState": "Succeeded",
  "proximityPlacementGroup": null,
  "resiliencyPolicy": null,
  "resourceGroup": "zytest2",
  "scaleInPolicy": null,
  "singlePlacementGroup": true,
  "sku": {
    "capacity": 2,
    "name": "Standard_DS1_v2",
    "tier": "Standard"
  },
  "spotRestorePolicy": null,
  "tags": {},
  "timeCreated": "2024-03-20T03:33:19.289944+00:00",
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "uniqueId": "d7c7907e-69ee-44c2-be8c-fa13d8cff8d5",
  "upgradePolicy": {
    "automaticOsUpgradePolicy": null,
    "mode": "Manual",
    "rollingUpgradePolicy": {
      "enableCrossZoneUpgrade": null,
      "maxBatchInstancePercent": 20,
      "maxSurge": false,
      "maxUnhealthyInstancePercent": 20,
      "maxUnhealthyUpgradedInstancePercent": 20,
      "pauseTimeBetweenBatches": "PT0S",
      "prioritizeUnhealthyInstances": null,
      "rollbackFailedInstancesOnPolicyBreach": false
    }
  },
  "virtualMachineProfile": {
    "applicationProfile": null,
    "billingProfile": null,
    "capacityReservation": null,
    "diagnosticsProfile": null,
    "evictionPolicy": null,
    "extensionProfile": null,
    "hardwareProfile": null,
    "licenseType": null,
    "networkProfile": {
      "healthProbe": null,
      "networkApiVersion": null,
      "networkInterfaceConfigurations": [
        {
          "auxiliaryMode": null,
          "auxiliarySku": null,
          "deleteOption": null,
          "disableTcpStateTracking": false,
          "dnsSettings": {
            "dnsServers": []
          },
          "enableAcceleratedNetworking": null,
          "enableFpga": null,
          "enableIpForwarding": false,
          "ipConfigurations": [
            {
              "applicationGatewayBackendAddressPools": null,
              "applicationSecurityGroups": null,
              "loadBalancerBackendAddressPools": [
                {
                  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest2/providers/Microsoft.Network/loadBalancers/vmss1LB/backendAddressPools/vmss1LBBEPool",
                  "resourceGroup": "zytest2"
                }
              ],
              "loadBalancerInboundNatPools": null,
              "name": "vmss18b64IPConfig",
              "primary": null,
              "privateIpAddressVersion": "IPv4",
              "publicIpAddressConfiguration": null,
              "subnet": {
                "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest2/providers/Microsoft.Network/virtualNetworks/vmss1VNET/subnets/vmss1Subnet",
                "resourceGroup": "zytest2"
              }
            }
          ],
          "name": "vmss18b64Nic",
          "networkSecurityGroup": {
            "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest2/providers/Microsoft.Network/networkSecurityGroups/vmss1NSG",
            "resourceGroup": "zytest2"
          },
          "primary": true
        }
      ]
    },
    "osProfile": {
      "adminPassword": null,
      "adminUsername": "sdk-test-admin",
      "allowExtensionOperations": true,
      "computerNamePrefix": "vmss18b64",
      "customData": null,
      "linuxConfiguration": {
        "disablePasswordAuthentication": true,
        "enableVmAgentPlatformUpdates": false,
        "patchSettings": null,
        "provisionVmAgent": true,
        "ssh": {
          "publicKeys": [
            {
              "keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQTqmLx6HirtKwbUQJgOMcZZ8SXT2Xd5q0UaNicbSItgGFgLJEEuGxkZgda5XoCOcavRIndHFQ7SoZKCvb385Wmxtpbc8nqJaYM+lCbJf7nWuEoWobr4nFOEzf8ofqKe+64PaYb+tZFR2jjfWMSM3h8BLx1lJDs2zvwv9J5Gh50B0CnEdohy3C6uySU5zupHksadB9HtvaRDnjWuNgFN2h6IYZYLcu/l9DfM0N6ZjYfPToZk5D2xJqdoRkpG3mtP82Ib+eqnYo2VFtd2fHuexlp0O8u43j/YSjPinxij+Dm6P4jzaq+5n8+tEb7w1giD7LvZ+Tg4HmQIauhv+bvVVn",
              "path": "/home/sdk-test-admin/.ssh/authorized_keys"
            }
          ]
        }
      },
      "requireGuestProvisionSignal": true,
      "secrets": [],
      "windowsConfiguration": null
    },
    "priority": null,
    "scheduledEventsProfile": null,
    "securityPostureReference": null,
    "securityProfile": null,
    "serviceArtifactReference": null,
    "storageProfile": {
      "dataDisks": null,
      "diskControllerType": null,
      "imageReference": {
        "communityGalleryImageId": null,
        "exactVersion": null,
        "id": null,
        "offer": "UbuntuServer",
        "publisher": "Canonical",
        "sharedGalleryImageId": null,
        "sku": "18.04-LTS",
        "version": "latest"
      },
      "osDisk": {
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "deleteOption": null,
        "diffDiskSettings": null,
        "diskSizeGb": 30,
        "image": null,
        "managedDisk": {
          "diskEncryptionSet": null,
          "securityProfile": null,
          "storageAccountType": "Premium_LRS"
        },
        "name": null,
        "osType": "Linux",
        "vhdContainers": null,
        "writeAcceleratorEnabled": null
      }
    },
    "timeCreated": "2024-03-20T03:33:19.289944+00:00",
    "userData": null
  },
  "zoneBalance": null,
  "zones": null
}

martinezdylan commented 5 months ago

Hi @yanzhudd, it seems the dynamic config got rolled back in this region, basically disabling security posture. I'm working to get it re-enabled and will update here once I have the approval / it enabled.

yanzhudd commented 5 months ago

> Hi @yanzhudd, it seems the dynamic config got rolled back in this region, basically disabling security posture. I'm working to get it re-enabled and will update here once I have the approval / it enabled.

Hi @martinezdylan, I want to note that there will be a code freeze on 03-26 for this release train, so please re-enable it as soon as possible if you want to catch this train, so that we have time to run the tests. Alternatively, if you are available, please use the private package to test it from your side. If the change works, we could merge the PR first and add tests later.

martinezdylan commented 5 months ago

Hi @yanzhudd, it should work completely in EastUS2EUAP. Can you try again? Also, would it be possible to also include support for a parameter we'd be rolling out shortly? This would bring the total to the following:

Let me know if this is possible & how testing goes.

yanzhudd commented 5 months ago

> Hi @yanzhudd, it should work completely in EastUS2EUAP. Can you try again? Also, would it be possible to also include support for a parameter we'd be rolling out shortly? This would bring the total to the following:
>
> • --security-posture-reference-id (string)
> • --security-posture-reference-exclude-extensions (array of VM Extensions)
> • --security-posture-reference-is-immutable (boolean)
>
> Let me know if this is possible & how testing goes.

Hi @martinezdylan, the CLI is developed based on swagger and the Python SDK, and we need to map each newly added parameter to a backend field. Therefore, we only support parameters that are already supported by swagger and the SDK; otherwise they won't work even if they are added. Thus, --security-posture-reference-is-immutable may not be able to be included in this change. Once the SDK is released, you could raise another feature request, and we would work on it.

yanzhudd commented 5 months ago

Hi @martinezdylan, we noticed that none of the examples in the swagger include an excludeExtensions value. In order to show how to input this parameter, it would be good to add some help messages in the CLI. Therefore, could you please help to provide an example of this value?