Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

Trusted Launch SSE+CMK Azure Compute Gallery confusing error #29280

Open JenGoldstrich opened 4 months ago

JenGoldstrich commented 4 months ago

API Spec link

compute/galleryimageversions

API Spec version

any that supports disk encryption set ids

Question/Query

When trying to capture a Trusted Launch VM using double encryption to ACG I get a very long error with a stack trace, this happens on any API client to any galleryimageversions version.

$ az sig image-version create --resource-group jennatest \
        --gallery-name test --gallery-image-definition testt \
        --gallery-image-version 1.0.5 \
        --virtual-machine {secret} \
        --target-regions westus \
        --target-region-encryption {double-encrypted-key} --location westus

Code: InternalOperationError
Message: Replication failed in this region due to 'Contract.Assert failed: Data model DiskEncryptionSetId '' does not match DiskRP returned DiskEncryptionSetId '/subscriptions/secret/resourceGroups/SHARED/providers/Microsoft.Compute/diskEncryptionSets/blah'

Call stack:
   at Microsoft.Windows.Azure.GCM.Contract.Assert(Boolean condition, String userMessage) in X:\bt\1257000\repo\src\Shared\Lib\Common\Contracts.cs:line 82
   at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.ReplicationBlockBase`3.ValidateDiskRPEncryptionResult(Encryption dmEncryption, Encryption resultEncryption) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\ReplicationBlockBase.cs:line 357
   at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.AllocateSnapshotsBlock.ProcessSingleAllocateSnapshotResult(ReplicatedArtifact replicatedArtifact, VMImageSnapshotResult snapshotResult, Int32 maximumSourceDiskSizeInGb) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\AllocateSnapshotsBlock.cs:line 722
   at 
   ... (see github issue from Packer Azure plugin for full trace)

This was reported on a repo I maintain here https://github.com/hashicorp/packer-plugin-azure/issues/418 and originally here https://github.com/hashicorp/packer-plugin-azure/issues/304, the Packer Azure plugin invokes the API and runs into the same error.

The documentation for Trusted Launch and double encryption does not make it clear that this is not supported, however an Azure engineer who previously engaged on this issue let me know that the ACG product team says it's not supported and there are no plans to support it. I've spent quite a bit of time trying to gather this information and understand that this just isn't supported on Azure.

Can we please update this error message in the API to make it clearer that this functionality is not supported, something simple like "Azure Compute Gallery does not support Trusted Launch images using Disk Encryption Sets" and document it. Users currently do not clearly know from reading the error and the Azure docs that ACG does not support this type of image.

Environment

No response
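Until the service returns the clearer message requested above, a client such as the Packer Azure plugin can do two things on its own side: refuse the Trusted Launch + Disk Encryption Set combination before calling galleryimageversions, and translate the opaque InternalOperationError into the suggested wording when it does come back. The following is an added example written for this issue, not code from the Packer plugin or from Azure; the regular expression is built from the assertion text quoted in the report, the `securityType` value "TrustedLaunch" is the VM security profile value the check keys on, and the sample error message is constructed from the one in the issue (with the `secret` placeholder kept).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the Contract.Assert text quoted in the issue: the gallery service compares the
# DiskEncryptionSetId in its own data model (empty here) with the one DiskRP returned.
_DES_ASSERT = re.compile(
    r"Contract\.Assert failed: Data model DiskEncryptionSetId '(?P<model>[^']*)' "
    r"does not match DiskRP returned DiskEncryptionSetId '(?P<diskrp>[^']*)'"
)

# Shape of a Disk Encryption Set ARM resource id, used to validate preflight input.
_DES_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Compute/diskEncryptionSets/[^/]+$",
    re.IGNORECASE,
)

# The wording the issue asks the API to return instead of the stack trace.
UNSUPPORTED_MESSAGE = (
    "Azure Compute Gallery does not support Trusted Launch images using Disk Encryption Sets"
)


@dataclass
class Diagnosis:
    kind: str                 # "ok", "unsupported_trusted_launch_des" or "unknown"
    user_message: str
    disk_encryption_set_id: Optional[str] = None


def preflight(security_type: Optional[str], target_region_des_id: Optional[str]) -> Diagnosis:
    """Client-side check before calling galleryimageversions.

    security_type: the source VM's securityProfile.securityType (e.g. "TrustedLaunch").
    target_region_des_id: the DES resource id that would go into --target-region-encryption,
    or None when the target region uses platform-managed keys only.
    """
    if target_region_des_id and not _DES_ID.match(target_region_des_id):
        raise ValueError(f"not a Disk Encryption Set resource id: {target_region_des_id}")
    if (security_type or "").lower() == "trustedlaunch" and target_region_des_id:
        return Diagnosis("unsupported_trusted_launch_des", UNSUPPORTED_MESSAGE, target_region_des_id)
    return Diagnosis("ok", "ok")


def diagnose_error(code: str, message: str) -> Diagnosis:
    """Translate the service's InternalOperationError into the clearer message.

    Only the specific DiskEncryptionSetId assertion from the issue is mapped; anything
    else is passed through as "unknown" with its first line, so no other failure is
    mislabelled as this unsupported combination.
    """
    m = _DES_ASSERT.search(message)
    if code == "InternalOperationError" and m:
        return Diagnosis("unsupported_trusted_launch_des", UNSUPPORTED_MESSAGE,
                         m.group("diskrp") or None)
    first_line = message.strip().splitlines()[0] if message.strip() else ""
    return Diagnosis("unknown", f"{code}: {first_line}")


# Constructed sample, assembled from the error text quoted in the issue (no real ids).
SAMPLE_DES_ID = (
    "/subscriptions/secret/resourceGroups/SHARED/providers/"
    "Microsoft.Compute/diskEncryptionSets/blah"
)
SAMPLE_MESSAGE = (
    "Replication failed in this region due to 'Contract.Assert failed: "
    "Data model DiskEncryptionSetId '' does not match DiskRP returned "
    f"DiskEncryptionSetId '{SAMPLE_DES_ID}'\n"
    "Call stack:\n"
    "   at Microsoft.Windows.Azure.GCM.Contract.Assert(Boolean condition, String userMessage)"
)

if __name__ == "__main__":
    print(preflight("TrustedLaunch", SAMPLE_DES_ID))
    print(diagnose_error("InternalOperationError", SAMPLE_MESSAGE))
```

The preflight check is the cheaper of the two: it saves the user a failed replication and the stack trace entirely, and it reports the DES id it refused so the operator can see which key was involved. The error translation stays deliberately narrow so that unrelated InternalOperationError responses are not misreported.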

JenGoldstrich commented 2 weeks ago

Hey @zzhxiaofeng do you have an update on this issue? It's something that has confused several of my team's users so it'd be great for the Azure API to return a more user friendly error here