Azure / azure-cli

Azure Command-Line Interface
MIT License

VM/VMSS to support v2 Version of Azure Metadata Security Protocol #29279

Open hmyan90 opened 3 months ago

hmyan90 commented 3 months ago

Preconditions

Need to release Python SDK support for 2024-07-01

Related command

Please see v1 at https://github.com/Azure/azure-cli/issues/27729. This v2 involves deleting a parameter (proxy-agent-mode) from the v1 version and adding a couple of new ones:

az vm create [--enable-proxy-agent {false, true}] [--wire-server-mode {Audit, Enforce, Disabled}] [--wire-server-profile "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/InVMAccessControlProfiles/{profileName}/versions/{version}"] [--imds-mode {Audit, Enforce, Disabled}] [--imds-profile "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/InVMAccessControlProfiles/{profileName}/versions/{version}"] [--keyIncarnationId integer]

az vm update [--enable-proxy-agent {false, true}] [--wire-server-mode {Audit, Enforce, Disabled}] [--wire-server-profile "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/InVMAccessControlProfiles/{profileName}/versions/{version}"] [--imds-mode {Audit, Enforce, Disabled}] [--imds-profile "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/InVMAccessControlProfiles/{profileName}/versions/{version}"] [--keyIncarnationId integer]

az vmss create [--enable-proxy-agent {false, true}] [--wire-server-mode {Audit, Enforce, Disabled}] [--wire-server-profile "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/InVMAccessControlProfiles/{profileName}/versions/{version}"] [--imds-mode {Audit, Enforce, Disabled}] [--imds-profile "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/InVMAccessControlProfiles/{profileName}/versions/{version}"]

az vmss update [--enable-proxy-agent {false, true}] [--wire-server-mode {Audit, Enforce, Disabled}] [--wire-server-profile "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/InVMAccessControlProfiles/{profileName}/versions/{version}"] [--imds-mode {Audit, Enforce, Disabled}] [--imds-profile "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Compute/galleries/{galleryName}/InVMAccessControlProfiles/{profileName}/versions/{version}"]

Note: VMSS doesn't support --keyIncarnationId

Resource Provider

Microsoft.Compute

Description of Feature or Work Requested

PM doc: https://microsoft.sharepoint.com/:w:/r/teams/CPlat-PM/_layouts/15/Doc.aspx?sourcedoc=%7BDD02825F-7D23-4C67-B21C-6352733A8858%7D&file=Wire-Server%20Endpoint%20Security%20PM%20Spec.docx&action=default&mobileredirect=true&share=IQFfggLdI31nTLIcY1JzOohYAV82cMdRnCluKCTcaCyt91E

Users can opt in to the Azure metadata security protocol for their VMs by specifying the newly introduced VM or VMSS property, so that their VMs can be protected from SSRF and Scorpin heart attacks on the IMDS and WireServer endpoints.

Need support for vm create, vm update, vmss create, vmss update.

Minimum API Version Required

2024-03-01

Swagger PR link / SDK link

https://github.com/Azure/azure-rest-api-specs/pull/29402

Request Example

VM: https://github.com/Azure/azure-rest-api-specs/blob/c9d9a0180149e72541752672790ed642a439adfa/specification/compute/resource-manager/Microsoft.Compute/ComputeRP/stable/2023-09-01/examples/virtualMachineExamples/VirtualMachine_Create_WithProxyAgentSettings.json

VMSS: https://github.com/Azure/azure-rest-api-specs/blob/c9d9a0180149e72541752672790ed642a439adfa/specification/compute/resource-manager/Microsoft.Compute/ComputeRP/stable/2023-09-01/examples/virtualMachineScaleSetExamples/VirtualMachineScaleSet_Create_WithProxyAgentSettings.json

Target Date

08-06-2024

PM Contact

minnielahoti@microsoft.com

Engineer Contact

huiya@microsoft.com

Additional context

No response
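The parameter-to-request mapping described in this issue, as an added example that is not azure-cli's own code: it validates the proposed v2 parameters against the constraints stated above (the allowed modes, the InVMAccessControlProfiles version resource-ID shape quoted for --wire-server-profile / --imds-profile, and no --keyIncarnationId on VMSS) and builds the `securityProfile.proxyAgentSettings` object that a create or update request would carry. The property names `wireServer`, `imds` and `inVMAccessControlProfileReferenceId` are assumed from the 2024-07-01 Compute API and are not shown on this page; the regex, the update-merge helper and the sample IDs are constructed for the example.

```python
"""Build `securityProfile.proxyAgentSettings` from the proposed v2 CLI parameters.

Added example, not azure-cli code. ASSUMPTION: the v2 body shape used here
(`wireServer` / `imds` sub-objects carrying `mode` and
`inVMAccessControlProfileReferenceId`) is taken from the 2024-07-01 Compute
API, which the issue points to but does not reproduce.
"""
import re

# Values allowed for --wire-server-mode / --imds-mode per the issue.
MODES = {"Audit", "Enforce", "Disabled"}

# Resource-ID pattern quoted in the issue for --wire-server-profile / --imds-profile.
PROFILE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Compute/galleries/(?P<gallery>[^/]+)"
    r"/InVMAccessControlProfiles/(?P<profile>[^/]+)/versions/(?P<version>[^/]+)$",
    re.IGNORECASE,
)


def _endpoint_settings(mode, profile_id, name):
    """Validate one endpoint's (mode, profile) pair and return its sub-object, or None."""
    if mode is None and profile_id is None:
        return None
    if mode is not None and mode not in MODES:
        raise ValueError(f"--{name}-mode must be one of {sorted(MODES)}, got {mode!r}")
    if profile_id is not None and not PROFILE_ID_RE.match(profile_id):
        raise ValueError(f"--{name}-profile is not an InVMAccessControlProfiles version ID: {profile_id!r}")
    settings = {}
    if mode is not None:
        settings["mode"] = mode
    if profile_id is not None:
        # Property name assumed from the 2024-07-01 API (not on this page).
        settings["inVMAccessControlProfileReferenceId"] = profile_id
    return settings


def build_proxy_agent_settings(enable_proxy_agent=None, wire_server_mode=None, wire_server_profile=None,
                               imds_mode=None, imds_profile=None, key_incarnation_id=None, *, is_vmss=False):
    """Return the `proxyAgentSettings` object, or None when no parameter was given."""
    if is_vmss and key_incarnation_id is not None:
        # The issue states VMSS does not support --keyIncarnationId.
        raise ValueError("--keyIncarnationId is not supported for VMSS")
    if key_incarnation_id is not None and (isinstance(key_incarnation_id, bool)
                                           or not isinstance(key_incarnation_id, int)):
        raise ValueError("--keyIncarnationId must be an integer")
    settings = {}
    if enable_proxy_agent is not None:
        settings["enabled"] = bool(enable_proxy_agent)
    wire = _endpoint_settings(wire_server_mode, wire_server_profile, "wire-server")
    if wire:
        settings["wireServer"] = wire
    imds = _endpoint_settings(imds_mode, imds_profile, "imds")
    if imds:
        settings["imds"] = imds
    if key_incarnation_id is not None:
        settings["keyIncarnationId"] = key_incarnation_id
    return settings or None


def build_security_profile(existing=None, **kwargs):
    """Merge the new settings into a VM/VMSS `securityProfile` dict (update semantics).

    Only keys the user passed are overwritten, so `az vm update --imds-mode Enforce`
    on a VM that already has wireServer settings keeps those settings.
    """
    profile = dict(existing or {})
    settings = build_proxy_agent_settings(**kwargs)
    if settings is not None:
        merged = dict(profile.get("proxyAgentSettings", {}))
        merged.update(settings)
        profile["proxyAgentSettings"] = merged
    return profile


if __name__ == "__main__":
    # Constructed sample: enable the agent, enforce on WireServer with a profile, audit IMDS.
    sample_profile_id = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
                         "/providers/Microsoft.Compute/galleries/gal1"
                         "/InVMAccessControlProfiles/prof1/versions/1.0.0")
    print(build_security_profile(
        {"securityType": "TrustedLaunch"},
        enable_proxy_agent=True, wire_server_mode="Enforce",
        wire_server_profile=sample_profile_id, imds_mode="Audit", key_incarnation_id=1))
```

The merge helper matters for the update commands: a PATCH that resends only `imds` must not silently drop a `wireServer` Enforce setting that is already on the VM, which is the failure mode an SSRF hardening feature can least afford.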

yonzhan commented 3 months ago

Thank you for opening this issue, we will look into it.

zhoxing-ms commented 3 months ago

Users can opt in to the Azure metadata security protocol for their VMs by specifying the newly introduced VM or VMSS property, so that their VMs can be protected from SSRF and Scorpin heart attacks on the IMDS and WireServer endpoints.

Target Date 08-06-2024

@hmyan90 This new feature seems to be related to security, right? If so, we will schedule it for the next sprint

hmyan90 commented 3 months ago

Users can opt in to the Azure metadata security protocol for their VMs by specifying the newly introduced VM or VMSS property, so that their VMs can be protected from SSRF and Scorpin heart attacks on the IMDS and WireServer endpoints.

Target Date 08-06-2024

@hmyan90 This new feature seems to be related to security, right? If so, we will schedule it for the next sprint

Yes, this is a very high-priority security feature. We will need to get it into the July release. Please reach out to PM minnielahoti@microsoft.com for priority clarification if needed. Thanks.

Jing-song commented 3 months ago

Hi @hmyan90, could you please help generate the Python SDK in Swagger PR https://github.com/Azure/azure-rest-api-specs/pull/29402 so that we can use it for development and testing?
