Azure / azure-cli

Azure Command-Line Interface
MIT License
4.03k stars 3k forks

az vm encryption enable continues even if it cannot write secret to vault #8111

Open AdamSharif-MSFT opened 5 years ago

AdamSharif-MSFT commented 5 years ago

I have tested the following scenarios and established that each time the key is not written to the vault, and there is no error in the CLI, but encryption proceeds. This means that if the VM is stopped/deallocated and then started up, the access to the encrypted volume is lost, and it is unrecoverable. The only clue is some 500 errors which show in the logs for the ADE extension afterwards:

  1. KV & VM in different sub
  2. KV & VM in different region
  3. KV & VM in different RG with just short path used for --disk-encryption-keyvault rather than full resource ID
  4. ADE access not enabled on the KV

In each case, encryption proceeds without any warning, and no secrets are written to the vault.

adewaleo commented 5 years ago

@ejarvi, please can you take a look at the configurations provided by @AdamSharif-MSFT? Are they supported, particularly when the KV and VM are in different subs and regions? EDIT: also, we think the extension should error out when it fails to write the secret.

ejarvi commented 5 years ago

ADE does not support scenarios where the KV and VM are in different subs and/or regions (doc). However, this pain seems preventable and I would agree that in these cases we want the extension to error out safely with a clearer and more actionable error message for the user.

Keeping this issue open to track that.

adewaleo commented 5 years ago

We will also add some keyvault validation that we currently run for VMSS encryption to VM encryption.
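The four failure modes listed in the opening report all share one shape: the vault reference is accepted, but the vault that gets resolved is not one ADE can write to, and nothing stops the encryption call. The pre-flight check below is an added example (not azure-cli code and not what the commenters shipped) of the kind of key vault validation the last comment talks about. It assumes the VM and vault records are dicts shaped like `az vm show` and `az keyvault show` output (`id`, `location`, and `properties.enabledForDiskEncryption` on the vault), and it assumes, as the CLI does, that a bare vault name is resolved into the VM's own subscription and resource group. All sample records are constructed.

```python
"""Pre-flight validation of the key vault passed to `az vm encryption enable`.

Added example, not azure-cli code. Given the VM and vault records (assumed to
be shaped like `az vm show` / `az keyvault show` output) and the value the
user typed for --disk-encryption-keyvault, it reports every condition under
which ADE would later fail to write its secret: different subscription,
different region, a short vault name that resolves into the wrong resource
group, and enabled-for-disk-encryption not set on the vault.
"""
import re

_VAULT_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$",
    re.IGNORECASE,
)


def arm_scope(resource_id):
    """Return (subscription, resource_group) of an ARM resource id, lower-cased."""
    parts = resource_id.strip("/").split("/")
    if (len(parts) < 4 or parts[0].lower() != "subscriptions"
            or parts[2].lower() != "resourcegroups"):
        raise ValueError("not a resource-group scoped ARM id: %r" % resource_id)
    return parts[1].lower(), parts[3].lower()


def resolve_vault_reference(ref, vm):
    """Expand the --disk-encryption-keyvault argument into a full vault id.

    A full resource id is taken as-is. A bare name is placed in the VM's own
    subscription and resource group (assumed CLI behaviour), which is what
    silently goes wrong in scenario 3 when the vault lives elsewhere.
    """
    if _VAULT_ID_RE.match(ref):
        return ref
    if "/" in ref:
        raise ValueError("malformed --disk-encryption-keyvault value: %r" % ref)
    sub, rg = arm_scope(vm["id"])
    return ("/subscriptions/%s/resourceGroups/%s"
            "/providers/Microsoft.KeyVault/vaults/%s" % (sub, rg, ref))


def validate_encryption_keyvault(vm, vault, vault_ref):
    """Return a list of problems; an empty list means it is safe to proceed."""
    problems = []
    resolved = resolve_vault_reference(vault_ref, vm)
    # Scenario 3: the name resolved to a different vault than the one intended.
    if resolved.lower() != vault["id"].lower():
        problems.append(
            "vault reference %r resolves to %s but the vault's id is %s; "
            "pass the full resource id" % (vault_ref, resolved, vault["id"]))
    # Scenario 1: ADE does not support a vault in another subscription.
    vm_sub, _ = arm_scope(vm["id"])
    kv_sub, _ = arm_scope(vault["id"])
    if vm_sub != kv_sub:
        problems.append("key vault and VM are in different subscriptions")
    # Scenario 2: ADE does not support a vault in another region.
    if vault["location"].lower() != vm["location"].lower():
        problems.append("key vault is in %s but VM is in %s"
                        % (vault["location"], vm["location"]))
    # Scenario 4: the vault must allow the platform to write disk secrets.
    if not vault.get("properties", {}).get("enabledForDiskEncryption"):
        problems.append("vault is not enabled for disk encryption; run "
                        "az keyvault update --enabled-for-disk-encryption true")
    return problems


# Constructed sample records (not real resources).
_SUB_A = "00000000-0000-0000-0000-000000000001"
_SUB_B = "00000000-0000-0000-0000-000000000002"


def make_vault(sub, rg, name, location, enabled):
    return {
        "id": "/subscriptions/%s/resourceGroups/%s"
              "/providers/Microsoft.KeyVault/vaults/%s" % (sub, rg, name),
        "location": location,
        "properties": {"enabledForDiskEncryption": enabled},
    }


VM = {
    "id": "/subscriptions/%s/resourceGroups/vm-rg"
          "/providers/Microsoft.Compute/virtualMachines/web01" % _SUB_A,
    "location": "westeurope",
}
VAULT_OK = make_vault(_SUB_A, "vm-rg", "ade-kv", "westeurope", True)
VAULT_OTHER_SUB = make_vault(_SUB_B, "vm-rg", "ade-kv", "westeurope", True)
VAULT_OTHER_REGION = make_vault(_SUB_A, "vm-rg", "ade-kv-ne", "northeurope", True)
VAULT_OTHER_RG = make_vault(_SUB_A, "kv-rg", "ade-kv", "westeurope", True)
VAULT_NOT_ENABLED = make_vault(_SUB_A, "vm-rg", "ade-kv", "westeurope", False)

if __name__ == "__main__":
    cases = [("ok", VAULT_OK, VAULT_OK["id"]),
             ("1 other sub", VAULT_OTHER_SUB, VAULT_OTHER_SUB["id"]),
             ("2 other region", VAULT_OTHER_REGION, VAULT_OTHER_REGION["id"]),
             ("3 other RG, short name", VAULT_OTHER_RG, "ade-kv"),
             ("4 not enabled", VAULT_NOT_ENABLED, VAULT_NOT_ENABLED["id"])]
    for label, vault, ref in cases:
        print(label, "->", validate_encryption_keyvault(VM, vault, ref) or "pass")
```

Run before calling `az vm encryption enable` and refuse to continue when the list is non-empty; note that a vault in a different resource group passes once the full resource id is supplied, which is the distinction scenario 3 hinges on.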