When trying to capture a Trusted Launch VM using double encryption to ACG, I get a very long error with a stack trace. This happens on any API client to any galleryimageversions version.
$ az sig image-version create --resource-group jennatest \
--gallery-name test --gallery-image-definition testt \
--gallery-image-version 1.0.5 \
--virtual-machine {secret} \
--target-regions westus \
--target-region-encryption {double-encrypted-key} --location westus
Code: InternalOperationError
Message: Replication failed in this region due to 'Contract.Assert failed: Data model DiskEncryptionSetId '' does not match DiskRP returned DiskEncryptionSetId '/subscriptions/secret/resourceGroups/SHARED/providers/Microsoft.Compute/diskEncryptionSets/blah'
Call stack:
at Microsoft.Windows.Azure.GCM.Contract.Assert(Boolean condition, String userMessage) in X:\bt\1257000\repo\src\Shared\Lib\Common\Contracts.cs:line 82
at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.ReplicationBlockBase`3.ValidateDiskRPEncryptionResult(Encryption dmEncryption, Encryption resultEncryption) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\ReplicationBlockBase.cs:line 357
at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.AllocateSnapshotsBlock.ProcessSingleAllocateSnapshotResult(ReplicatedArtifact replicatedArtifact, VMImageSnapshotResult snapshotResult, Int32 maximumSourceDiskSizeInGb) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\AllocateSnapshotsBlock.cs:line 722
at
... (see github issue from Packer Azure plugin for full trace)
The documentation for Trusted Launch and double encryption does not make it clear that this is not supported; however, an Azure engineer who previously engaged on this issue let me know that the ACG product team says it's not supported and there are no plans to support it. I've spent quite a bit of time trying to gather this information and understand that this just isn't supported on Azure.
Can we please update this error message in the API to make it clearer that this functionality is not supported, something simple like "Azure Compute Gallery does not support Trusted Launch images using Disk Encryption Sets" and document it. Users currently do not clearly know from reading the error and the Azure docs that ACG does not support this type of image.
Hey @zzhxiaofeng, do you have an update on this issue? It's something that has confused several of my team's users, so it'd be great for the Azure API to return a more user-friendly error here.
API Spec link
compute/galleryimageversions
API Spec version
any that supports disk encryption set ids
Question/Query
This was reported on a repo I maintain here https://github.com/hashicorp/packer-plugin-azure/issues/418 and originally here https://github.com/hashicorp/packer-plugin-azure/issues/304. The Packer Azure plugin invokes the API and runs into the same error.
Environment
No response
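An added example, not part of the original issue and not code from Azure or the Packer plugin: until the API returns a clearer error, a client can recognize the error signature quoted above and surface the wording the issue proposes. The function name, the `security_type` parameter and the fallback wording are hypothetical, and the mapping assumes the issue's report that ACG does not support this combination.

```python
import re

# Signature of the replication failure quoted in the issue: the gallery data
# model holds an empty DiskEncryptionSetId while DiskRP returns a real one.
_DES_MISMATCH = re.compile(
    r"Data model DiskEncryptionSetId '(?P<model>[^']*)' does not match "
    r"DiskRP returned DiskEncryptionSetId '(?P<returned>[^']*)'"
)

# Sample input built from the message quoted in the issue (stack trace cut).
SAMPLE_MESSAGE = (
    "Replication failed in this region due to 'Contract.Assert failed: "
    "Data model DiskEncryptionSetId '' does not match DiskRP returned "
    "DiskEncryptionSetId '/subscriptions/secret/resourceGroups/SHARED/"
    "providers/Microsoft.Compute/diskEncryptionSets/blah'\nCall stack:\n at ..."
)


def explain_gallery_error(code, message, security_type=None):
    """Return a one-line explanation for the known failure, else None.

    security_type is the source VM's securityProfile.securityType, if the
    caller knows it (hypothetical parameter for this example).
    """
    if code != "InternalOperationError":
        return None
    match = _DES_MISMATCH.search(message)
    if match is None:
        return None
    # Report only the set's name, not the full resource ID or the stack trace.
    des_id = match.group("returned") or match.group("model")
    des_name = des_id.rstrip("/").rsplit("/", 1)[-1] or "<unknown>"
    hint = (
        "Azure Compute Gallery does not support Trusted Launch images "
        "using Disk Encryption Sets"
    )
    if security_type is not None and security_type.lower() != "trustedlaunch":
        # Same signature from a different source VM type: do not overclaim.
        hint = "Disk encryption set mismatch during gallery replication"
    return f"{hint} (disk encryption set: {des_name})"
```
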