Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

r/(linux|windows)_virtual_machine_scale_set - support for Disk Encryption Sets #5252

Merged
merged 9 commits into from
Jan 15, 2020
Merged

r/(linux|windows)_virtual_machine_scale_set - support for Disk Encryption Sets #5252

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
e7ee22a
Updaet VMSS 2.0 for SSE-CMK feature
ArcturusZhang Dec 25, 2019
492d9fc
Some changes to conform the changes in Managed Disk
ArcturusZhang Jan 14, 2020
ca15924
Goimports
ArcturusZhang Jan 14, 2020
68d1a43
Goimports
ArcturusZhang Jan 14, 2020
79e1e68
r/(linux|windows)_virtual_machine_scale_set: tests covering disk encr…
tombuildsstuff Jan 14, 2020
5cba210
r/(linux|windows)_virtuql_machine_scale_set: adding tests covering th…
tombuildsstuff Jan 14, 2020
9585723
r/(linux|windows)_virtual_machine_scale_set: updating the documentati…
tombuildsstuff Jan 14, 2020
0a20cf6
r/linux_virtual_machine_scale_set: fixing the tests
tombuildsstuff Jan 15, 2020
dc45065
r/linux_virtual_machine_scale_set: updating the caching property to m…
tombuildsstuff Jan 15, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
187 changes: 187 additions & 0 deletions ...nal/services/compute/tests/resource_arm_linux_virtual_machine_scale_set_disk_data_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,31 @@ func TestAccAzureRMLinuxVirtualMachineScaleSet_disksDataDiskCaching(t *testing.T
})
}

func TestAccAzureRMLinuxVirtualMachineScaleSet_disksDataDiskDiskEncryptionSet(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_linux_virtual_machine_scale_set", "test")

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.PreCheck(t) },
Providers: acceptance.SupportedProviders,
CheckDestroy: testCheckAzureRMLinuxVirtualMachineScaleSetDestroy,
Steps: []resource.TestStep{
{
// TODO: After applying soft-delete and purge-protection in keyVault, this extra step can be removed.
Config: testAccAzureRMLinuxVirtualMachineScaleSet_disksDataDisk_diskEncryptionSetDependencies(data),
Check: resource.ComposeTestCheckFunc(
enableSoftDeleteAndPurgeProtectionForKeyVault("azurerm_key_vault.test"),
),
},
{
Config: testAccAzureRMLinuxVirtualMachineScaleSet_disksDataDisk_diskEncryptionSet(data),
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMLinuxVirtualMachineScaleSetExists(data.ResourceName),
),
},
},
})
}

func TestAccAzureRMLinuxVirtualMachineScaleSet_disksDataDiskResizing(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_linux_virtual_machine_scale_set", "test")

Expand Down Expand Up @@ -424,6 +449,168 @@ resource "azurerm_linux_virtual_machine_scale_set" "test" {
`, template, data.RandomInteger, caching)
}

func testAccAzureRMLinuxVirtualMachineScaleSet_disksDataDisk_diskEncryptionSetDependencies(data acceptance.TestData) string {
// whilst this is in Preview it's only supported in: West Central US, Canada Central, North Europe
// TODO: switch back to default location
location := "westus2"

return fmt.Sprintf(`
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "test" {
name = "acctestrg-%d"
tombuildsstuff marked this conversation as resolved.
Show resolved Hide resolved
location = "%s"
}

resource "azurerm_key_vault" "test" {
name = "acctestkv%s"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
enabled_for_disk_encryption = true
}

resource "azurerm_key_vault_access_policy" "service-principal" {
key_vault_id = azurerm_key_vault.test.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.service_principal_object_id

key_permissions = [
"create",
"delete",
"get",
"update",
]

secret_permissions = [
"get",
"delete",
"set",
]
}

resource "azurerm_key_vault_key" "test" {
name = "examplekey"
key_vault_id = azurerm_key_vault.test.id
key_type = "RSA"
key_size = 2048

key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]

depends_on = ["azurerm_key_vault_access_policy.service-principal"]
}

resource "azurerm_virtual_network" "test" {
name = "acctestnw-%d"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_subnet" "test" {
name = "internal"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefix = "10.0.2.0/24"
}
`, data.RandomInteger, location, data.RandomString, data.RandomInteger)
}

func testAccAzureRMLinuxVirtualMachineScaleSet_disksDataDisk_diskEncryptionSetResource(data acceptance.TestData) string {
template := testAccAzureRMLinuxVirtualMachineScaleSet_disksDataDisk_diskEncryptionSetDependencies(data)
return fmt.Sprintf(`
%s

resource "azurerm_disk_encryption_set" "test" {
name = "acctestdes-%d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
key_vault_key_id = azurerm_key_vault_key.test.id

identity {
type = "SystemAssigned"
}
}

resource "azurerm_key_vault_access_policy" "disk-encryption" {
key_vault_id = azurerm_key_vault.test.id

key_permissions = [
"get",
"wrapkey",
"unwrapkey",
]

tenant_id = azurerm_disk_encryption_set.test.identity.0.tenant_id
object_id = azurerm_disk_encryption_set.test.identity.0.principal_id
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
scope = azurerm_key_vault.test.id
role_definition_name = "Reader"
principal_id = azurerm_disk_encryption_set.test.identity.0.principal_id
}
`, template, data.RandomInteger)
}

func testAccAzureRMLinuxVirtualMachineScaleSet_disksDataDisk_diskEncryptionSet(data acceptance.TestData) string {
template := testAccAzureRMLinuxVirtualMachineScaleSet_disksDataDisk_diskEncryptionSetResource(data)
return fmt.Sprintf(`
%s

resource "azurerm_linux_virtual_machine_scale_set" "test" {
name = "acctestvmss-%d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
sku = "Standard_F2"
instances = 1
admin_username = "adminuser"
admin_password = "P@ssword1234!"

disable_password_authentication = false

source_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "16.04-LTS"
version = "latest"
}

os_disk {
storage_account_type = "Standard_LRS"
caching = "ReadWrite"
}

data_disk {
storage_account_type = "Standard_LRS"
caching = "ReadWrite"
disk_encryption_set_id = azurerm_disk_encryption_set.test.id
disk_size_gb = 10
lun = 10
}

network_interface {
name = "example"
primary = true

ip_configuration {
name = "internal"
primary = true
subnet_id = azurerm_subnet.test.id
}
}
}
`, template, data.RandomInteger)
}

func testAccAzureRMLinuxVirtualMachineScaleSet_disksDataDiskResize(data acceptance.TestData, diskSizeGb int) string {
template := testAccAzureRMLinuxVirtualMachineScaleSet_template(data)
return fmt.Sprintf(`
Expand Down
185 changes: 185 additions & 0 deletions ...ernal/services/compute/tests/resource_arm_linux_virtual_machine_scale_set_disk_os_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,31 @@ func TestAccAzureRMLinuxVirtualMachineScaleSet_disksOSDiskCustomSize(t *testing.
})
}

func TestAccAzureRMLinuxVirtualMachineScaleSet_disksOSDiskDiskEncryptionSet(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_linux_virtual_machine_scale_set", "test")

resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.PreCheck(t) },
Providers: acceptance.SupportedProviders,
CheckDestroy: testCheckAzureRMLinuxVirtualMachineScaleSetDestroy,
Steps: []resource.TestStep{
{
// TODO: After applying soft-delete and purge-protection in keyVault, this extra step can be removed.
Config: testAccAzureRMLinuxVirtualMachineScaleSet_disksOSDisk_diskEncryptionSetDependencies(data),
Check: resource.ComposeTestCheckFunc(
enableSoftDeleteAndPurgeProtectionForKeyVault("azurerm_key_vault.test"),
),
},
{
Config: testAccAzureRMLinuxVirtualMachineScaleSet_disksOSDisk_diskEncryptionSet(data),
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMLinuxVirtualMachineScaleSetExists(data.ResourceName),
),
},
},
})
}

func TestAccAzureRMLinuxVirtualMachineScaleSet_disksOSDiskEphemeral(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_linux_virtual_machine_scale_set", "test")

Expand Down Expand Up @@ -287,6 +312,166 @@ resource "azurerm_linux_virtual_machine_scale_set" "test" {
`, template, data.RandomInteger, diskSize)
}

func testAccAzureRMLinuxVirtualMachineScaleSet_disksOSDisk_diskEncryptionSetDependencies(data acceptance.TestData) string {
// whilst this is in Preview it's only supported in: West Central US, Canada Central, North Europe
// TODO: switch back to default location
location := "westus2"

return fmt.Sprintf(`
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "test" {
name = "acctestrg-%d"
tombuildsstuff marked this conversation as resolved.
Show resolved Hide resolved
location = "%s"
}

resource "azurerm_key_vault" "test" {
name = "acctestkv%s"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
enabled_for_disk_encryption = true
}

resource "azurerm_key_vault_access_policy" "service-principal" {
key_vault_id = azurerm_key_vault.test.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.service_principal_object_id

key_permissions = [
"create",
"delete",
"get",
"update",
]

secret_permissions = [
"get",
"delete",
"set",
]
}

resource "azurerm_key_vault_key" "test" {
name = "examplekey"
key_vault_id = azurerm_key_vault.test.id
key_type = "RSA"
key_size = 2048

key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]

depends_on = ["azurerm_key_vault_access_policy.service-principal"]
}

resource "azurerm_virtual_network" "test" {
name = "acctestnw-%d"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_subnet" "test" {
name = "internal"
resource_group_name = azurerm_resource_group.test.name
virtual_network_name = azurerm_virtual_network.test.name
address_prefix = "10.0.2.0/24"
}
`, data.RandomInteger, location, data.RandomString, data.RandomInteger)
}

func testAccAzureRMLinuxVirtualMachineScaleSet_disksOSDisk_diskEncryptionSetResource(data acceptance.TestData) string {
template := testAccAzureRMLinuxVirtualMachineScaleSet_disksOSDisk_diskEncryptionSetDependencies(data)
return fmt.Sprintf(`
%s

resource "azurerm_disk_encryption_set" "test" {
name = "acctestdes-%d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
key_vault_key_id = azurerm_key_vault_key.test.id

identity {
type = "SystemAssigned"
}
}

resource "azurerm_key_vault_access_policy" "disk-encryption" {
key_vault_id = azurerm_key_vault.test.id

key_permissions = [
"get",
"wrapkey",
"unwrapkey",
]

tenant_id = azurerm_disk_encryption_set.test.identity.0.tenant_id
object_id = azurerm_disk_encryption_set.test.identity.0.principal_id
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
scope = azurerm_key_vault.test.id
role_definition_name = "Reader"
principal_id = azurerm_disk_encryption_set.test.identity.0.principal_id
}
`, template, data.RandomInteger)
}

func testAccAzureRMLinuxVirtualMachineScaleSet_disksOSDisk_diskEncryptionSet(data acceptance.TestData) string {
template := testAccAzureRMLinuxVirtualMachineScaleSet_disksOSDisk_diskEncryptionSetResource(data)
return fmt.Sprintf(`
%s

resource "azurerm_linux_virtual_machine_scale_set" "test" {
name = "acctestvmss-%d"
resource_group_name = azurerm_resource_group.test.name
location = azurerm_resource_group.test.location
sku = "Standard_F2s_v2"
instances = 1
admin_username = "adminuser"
admin_password = "P@ssword1234!"

disable_password_authentication = false

source_image_reference {
publisher = "Canonical"
offer = "UbuntuServer"
sku = "16.04-LTS"
version = "latest"
}

os_disk {
storage_account_type = "Standard_LRS"
caching = "ReadOnly"
disk_encryption_set_id = azurerm_disk_encryption_set.test.id
}

network_interface {
name = "example"
primary = true

ip_configuration {
name = "internal"
primary = true
subnet_id = azurerm_subnet.test.id
}
}

depends_on = [
"azurerm_role_assignment.disk-encryption-read-keyvault",
"azurerm_key_vault_access_policy.disk-encryption",
]
}
`, template, data.RandomInteger)
}

func testAccAzureRMLinuxVirtualMachineScaleSet_disksOSDiskEphemeral(data acceptance.TestData) string {
template := testAccAzureRMLinuxVirtualMachineScaleSet_template(data)
return fmt.Sprintf(`
Expand Down
Loading