
Commit d81de41

Merge pull request #1162 from et1975/master
gallery image reference and security profile support for VMs
2 parents d3e8979 + 6d9525e commit d81de41


10 files changed

+530
-16
lines changed


RELEASE_NOTES.md

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
Release Notes
22
=============
3+
## vNext
4+
- Support gallery references for VMs (`operating_system`)
5+
- Support for VM/VMSS security profile options (#1163)
36

47
## 1.9.6
58
- Network Interface: Support for adding Network Security Group (NSG) to Network Interface (NIC)
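Review bot: the second vNext entry cites #1163 while this commit merges pull request #1162; check which number is intended, and give the gallery-reference entry (`operating_system`) a reference too so both notes point at the change that introduced them.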

docs/content/api-overview/resources/virtual-machine.md

Lines changed: 7 additions & 1 deletion
@@ -24,6 +24,12 @@ In addition, every VM you create will add a SecureString parameter to the ARM te
2424
| diagnostics_support | Turns on diagnostics support using an automatically created storage account. |
2525
| diagnostics_support_managed | Turns on diagnostics support using an Azure-managed storage account. |
2626
| diagnostics_support_external | Turns on diagnostics support using an existing storage account. |
27+
| encryption_at_host | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine or virtual machine scale set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. The default behavior is: The Encryption at host will be disabled unless this property is set to true for the resource. |
28+
| encryption_identity | Specifies the Managed Identity used by ADE to get access token for keyvault operations. |
29+
| proxy_agent | Specifies ProxyAgent settings while creating the virtual machine. |
30+
| secure_boot | UEFI security settings for secure boot. |
31+
| vtpm | UEFI security settings for vTPM. |
32+
| security_type | Specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UefiSettings. The default behavior is: UefiSettings will not be enabled unless this property is set. |
2733
| vm_size | Sets the size of the VM. |
2834
| priority | Sets the VM Priority. Only one `spot_instance` or `priority` setting is allowed per VM. No priority is set by default. |
2935
| spot_instance | Makes the VM a spot instance. Shorthand for `priority (Spot (<EvictionPolicy>, <maxPrice>)`. Only one `spot_instance` or `priority` setting is allowed per VM. |
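Review bot: the `security_type` row says UefiSettings will not be enabled unless this property is set, but the `secure_boot` and `vtpm` rows do not mention that dependency and the table does not list the values `security_type` accepts; add the accepted values and a "requires `security_type`" clause on the `secure_boot`/`vtpm` rows so readers do not configure those two and assume they took effect. The `encryption_at_host` text also reads as pasted from the REST API description ("This property can be used by user in the request..."); a single sentence in the table's own style, such as "Enables host-based encryption of all disks, including the resource/temp disk; disabled unless set to true.", fits the surrounding rows, and `encryption_identity` should expand ADE (Azure Disk Encryption) on first use.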
@@ -60,7 +66,7 @@ In addition, every VM you create will add a SecureString parameter to the ARM te
6066
| private_ip_allocation | Sets the *private* IP as Dynamic or Static. The default is dynamic. |
6167
| ip_forwarding | Enable or disable IP forwarding on the primary network interface. Secondary NICs will leave it undefined. |
6268
| accelerated_networking | Enable or disable accelerated networking on all network interfaces generated for the VM. |
63-
| add_ip_configuration | Add `ipConfig` definitions to add additional IP addresses or connect to multiple subnets. Connecting to additional subnets will generate a NIC for each subnet. |
69+
| add_ip_configuration | Add `ipConfig` definitions to add additional IP addresses or connect to multiple subnets. Connecting to additional subnets will generate a NIC for each subnet. |
6470
| network_security_group | Sets the Network Security Group (NSG) for VM/NIC. Enables you to create and share firewall rule sets. |
6571
| link_to_network_security_group | Specify an existing Network Security Group (NSG) for VM/NIC. |
6672
| link_application_security_groups | Link this VM to one or more application security groups (no dependency generated). |
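Review bot: the `add_ip_configuration` row is removed and re-added with identical visible text, so this hunk is a whitespace-only change (trailing whitespace or line ending); either drop it from the PR or fix the whitespace deliberately, so the docs diff only carries the new security rows.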

docs/content/api-overview/resources/vm-scale-set.md

Lines changed: 4 additions & 0 deletions
@@ -25,6 +25,10 @@ The Virtual Machine Scale Set builder (`vmss`) creates a virtual machine scale s
2525
| vmss | scale_in_policy | Specify the policy for determining which VMs to remove when scaling in. |
2626
| vmss | scale_in_force_deletion | Indicates the VMs should be force deleted so they free the resources more quickly. |
2727
| vmss | upgrade_mode | Specify Manual, Automatic, or Rolling upgrades. Rolling upgrades require the Application Health Extension or a Health Probe to ensure newly replaced instances are healthy before replacing more of them. |
28+
| vmss | osupgrade_automatic | Indicates whether OS upgrades should automatically be applied to scale set instances in a rolling fashion when a newer version of the OS image becomes available. Default value is false. If this is set to true for Windows based scale sets, enableAutomaticUpdates is automatically set to false and cannot be set to true. |
29+
| vmss | osupgrade_automatic_rollback | Whether OS image rollback feature should be enabled. Enabled by default. |
30+
| vmss | osupgrade_rolling_upgrade | Indicates whether rolling upgrade policy should be used during Auto OS Upgrade. Default value is false. Auto OS Upgrade will fallback to the default policy if no policy is defined on the VMSS. |
31+
| vmss | osupgrade_rolling_upgrade_deferral | Indicates whether Auto OS Upgrade should undergo deferral. Deferred OS upgrades will send advanced notifications on a per-VM basis that an OS upgrade from rolling upgrades is incoming, via the IMDS tag 'Platform.PendingOSUpgrade'. The upgrade then defers until the upgrade is approved via an ApproveRollingUpgrade call. |
2832
| applicationHealthExtension | vmss | When adding the extension as a resource, this specifies the VM scale set it should be applied to. |
2933
| applicationHealthExtension | os | Operating system (Linux or Windows) to install the correct extension for that OS. |
3034
| applicationHealthExtension | protocol | Protocol (TCP, HTTP, or HTTPS) to probe, and if specifying HTTP or HTTPS, include the path. |
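Review bot: the `osupgrade_automatic_rollback` row describes a positive setting ("Whether OS image rollback feature should be enabled. Enabled by default.") while the ARM property it feeds in Compute.fs is `disableAutomaticRollback`; state explicitly which builder argument produces `disableAutomaticRollback = true`, because an inverted flag here would switch rollback off for users who expected the default. The `osupgrade_rolling_upgrade_deferral` row refers to the IMDS tag 'Platform.PendingOSUpgrade' and the ApproveRollingUpgrade call; clarify whether deferral only applies when `osupgrade_rolling_upgrade` is enabled, since the text says the notifications come "from rolling upgrades".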

samples/.gitignore

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
farmer-deploy.json

src/Farmer/Arm/Compute.fs

Lines changed: 118 additions & 2 deletions
@@ -198,6 +198,69 @@ type NetworkInterfaceConfiguration = {
198198
|}
199199
|}
200200

201+
type VmProxyAgentSettings = {
202+
Enabled: bool
203+
KeyIncarnationId: int
204+
Mode: VmProxyAgentMode
205+
}
206+
207+
type UefiSettings = {
208+
SecureBoot: FeatureFlag option
209+
Vtpm: FeatureFlag option
210+
} with
211+
212+
static member Default = { SecureBoot = None; Vtpm = None }
213+
214+
type VmSecurityProfile = {
215+
EncryptionAtHost: bool option
216+
EncryptionIdentity: Identity.ManagedIdentity option
217+
ProxyAgentSettings: VmProxyAgentSettings option
218+
SecurityType: VmSecurityType option
219+
UefiSettings: UefiSettings option
220+
} with
221+
222+
static member Default = {
223+
EncryptionAtHost = None
224+
EncryptionIdentity = None
225+
ProxyAgentSettings = None
226+
SecurityType = None
227+
UefiSettings = None
228+
}
229+
230+
member this.ToArmJson = {|
231+
encryptionAtHost = this.EncryptionAtHost |> Option.toNullable
232+
encryptionIdentity =
233+
this.EncryptionIdentity
234+
|> Option.map (fun x -> {|
235+
userAssignedIdentityResourceId =
236+
if x = ManagedIdentity.Empty then
237+
Unchecked.defaultof<_>
238+
else
239+
x.ToArmJson
240+
|})
241+
|> Option.defaultValue Unchecked.defaultof<_>
242+
proxyAgentSettings =
243+
this.ProxyAgentSettings
244+
|> Option.map (fun x -> {|
245+
enabled = x.Enabled
246+
keyIncarnationId = x.KeyIncarnationId
247+
mode = x.Mode.ArmValue
248+
|})
249+
|> Option.defaultValue Unchecked.defaultof<_>
250+
securityType =
251+
this.SecurityType
252+
|> Option.map _.ArmValue
253+
|> Option.defaultValue Unchecked.defaultof<_>
254+
uefiSettings =
255+
this.UefiSettings
256+
|> Option.map (fun x -> {|
257+
secureBootEnabled = x.SecureBoot |> Option.map FeatureFlag.toBool |> Option.toNullable
258+
vTpmEnabled = x.Vtpm |> Option.map FeatureFlag.toBool |> Option.toNullable
259+
|})
260+
|> Option.defaultValue Unchecked.defaultof<_>
261+
|}
262+
263+
201264
module VirtualMachine =
202265
let additionalCapabilities (dataDisks: DataDiskCreateOption list) =
203266
// If data disks use UltraSSD then enable that support
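Review bot: `encryptionIdentity` in `VmSecurityProfile.ToArmJson` assigns `x.ToArmJson` of the whole `ManagedIdentity` to `userAssignedIdentityResourceId`, but that ARM property takes the resource id of one user-assigned identity as a string; confirm `ManagedIdentity.ToArmJson` yields that id string here and not the `identity` object shape used for the VM `identity` block, and consider typing `EncryptionIdentity` as a single identity or `ResourceId` rather than a `ManagedIdentity` that may carry several. Two smaller points: when `x = ManagedIdentity.Empty` the code still emits an `encryptionIdentity` object whose only member is null, where omitting the object is cleaner; and `uefiSettings` is emitted whenever `UefiSettings` is `Some` with no check that `SecurityType` is also set, even though the docs in this PR state UefiSettings will not be enabled unless `security_type` is set, so a builder validation (or dropping `uefiSettings` from the output when `SecurityType = None`) would surface that misconfiguration before deployment rather than as a silently ineffective secure boot / vTPM setting.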
@@ -285,7 +348,17 @@ module VirtualMachine =
285348
{|
286349
imageReference =
287350
match osDisk with
288-
| FromImage(imageDefintion, _) ->
351+
| FromImage(GalleryImageRef(_, (SharedGalleryImageId _ as imageRef)), _) ->
352+
{|
353+
sharedGalleryImageId = imageRef.ArmValue
354+
|}
355+
:> obj
356+
| FromImage(GalleryImageRef(_, (CommunityGalleryImageId _ as imageRef)), _) ->
357+
{|
358+
communityGalleryImageId = imageRef.ArmValue
359+
|}
360+
:> obj
361+
| FromImage(ImageDefinition imageDefintion, _) ->
289362
{|
290363
publisher = imageDefintion.Publisher.ArmValue
291364
offer = imageDefintion.Offer.ArmValue
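Review bot: the new `FromImage(ImageDefinition imageDefintion, _)` case keeps the `imageDefintion` misspelling from the removed line (and the `imageDefintion.Publisher`/`.Offer` lines below it); since the line is being rewritten anyway, rename it to `imageDefinition`. Also confirm the match on `GalleryImageRef` is still exhaustive: only `SharedGalleryImageId` and `CommunityGalleryImageId` are handled, so any other id case would surface as an incomplete-match warning and a `MatchFailureException` at template generation. Worth a sentence in the VM docs that a community gallery image is published by a third party and not curated by Azure, so the `communityGalleryImageId` path deserves the same scrutiny as any other external image source.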
@@ -395,6 +468,7 @@ type VirtualMachine = {
395468
Dependencies: ResourceId Set
396469
AvailabilityZone: string option
397470
DiagnosticsEnabled: bool option
471+
SecurityProfile: VmSecurityProfile option
398472
StorageAccount: LinkedResource option
399473
Size: VMSize
400474
Priority: Priority option
@@ -456,6 +530,10 @@ type VirtualMachine = {
456530
this.CustomData,
457531
this.PublicKeys
458532
)
533+
securityProfile =
534+
this.SecurityProfile
535+
|> Option.map _.ToArmJson
536+
|> Option.defaultValue Unchecked.defaultof<_>
459537
storageProfile = VirtualMachine.storageProfile (this.Name, this.OsDisk, this.DataDisks, false)
460538
networkProfile = VirtualMachine.networkProfile (this.NetworkInterfaceIds, [])
461539
diagnosticsProfile = VirtualMachine.diagnosticsProfile (this.DiagnosticsEnabled, this.StorageAccount)
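Review bot: `securityProfile` is emitted whenever `SecurityProfile` is `Some`, including `Some VmSecurityProfile.Default`, in which case the template carries a `securityProfile` object whose members are all null; map an all-`None` profile to null as well so `securityProfile` only appears when something is actually configured, which also keeps template diffs meaningful for anyone auditing whether encryption at host or secure boot is set on a VM.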
@@ -481,11 +559,44 @@ type VirtualMachine = {
481559
zones = this.AvailabilityZone |> Option.map ResizeArray |> Option.toObj
482560
|}
483561

562+
type VmssAutomaticOSUpgradePolicy = {
563+
DisableAutomaticRollback: bool option
564+
EnableAutomaticOSUpgrade: bool option
565+
OsRollingUpgradeDeferral: bool option
566+
UseRollingUpgradePolicy: bool option
567+
} with
568+
569+
member this.ArmJson = {|
570+
disableAutomaticRollback = this.DisableAutomaticRollback |> Option.toNullable
571+
enableAutomaticOSUpgrade = this.EnableAutomaticOSUpgrade |> Option.toNullable
572+
osRollingUpgradeDeferral = this.OsRollingUpgradeDeferral |> Option.toNullable
573+
useRollingUpgradePolicy = this.UseRollingUpgradePolicy |> Option.toNullable
574+
|}
575+
576+
static member Default = {
577+
DisableAutomaticRollback = None
578+
EnableAutomaticOSUpgrade = None
579+
OsRollingUpgradeDeferral = None
580+
UseRollingUpgradePolicy = None
581+
}
582+
484583
type ScaleSetUpgradePolicy = {
485584
Mode: VmScaleSet.UpgradeMode
585+
AutomaticOSUpgradePolicy: VmssAutomaticOSUpgradePolicy option
486586
} with
487587

488-
member this.ArmJson = {| mode = this.Mode.ArmValue |}
588+
static member Default = {
589+
Mode = VmScaleSet.UpgradeMode.Automatic
590+
AutomaticOSUpgradePolicy = None
591+
}
592+
593+
member this.ArmJson = {|
594+
mode = this.Mode.ArmValue
595+
automaticOSUpgradePolicy =
596+
this.AutomaticOSUpgradePolicy
597+
|> Option.map _.ArmJson
598+
|> Option.defaultValue Unchecked.defaultof<_>
599+
|}
489600

490601
type ScaleSetScaleInPolicy = {
491602
// Set false when reusing disks or MAC addresses
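Review bot: `ScaleSetUpgradePolicy.Default` fixes `Mode = VmScaleSet.UpgradeMode.Automatic`; if the `vmss` builder now falls back to this value, confirm it matches the mode the builder assumed before this change, since an upgrade-mode default is a behaviour change for every existing scale set definition. The docs added in this PR say that `enableAutomaticOSUpgrade = true` on a Windows scale set forces `enableAutomaticUpdates` to false; if the `osProfile` emitted later in this file sets `windowsConfiguration.enableAutomaticUpdates = true`, the two settings conflict in the generated template, so either validate that combination in the builder or document it next to `osupgrade_automatic`. Minor: `VmssAutomaticOSUpgradePolicy` declares `ArmJson` before `Default` while `ScaleSetUpgradePolicy` does the opposite; order them the same.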
@@ -522,6 +633,7 @@ type VirtualMachineScaleSet = {
522633
Size: VMSize
523634
Capacity: int
524635
ScaleInPolicy: ScaleSetScaleInPolicy
636+
SecurityProfile: VmSecurityProfile option
525637
UpgradePolicy: ScaleSetUpgradePolicy
526638
AutomaticRepairsPolicy: ScaleSetAutomaticRepairsPolicy option
527639
Priority: Priority option
@@ -609,6 +721,10 @@ type VirtualMachineScaleSet = {
609721
this.CustomData,
610722
this.PublicKeys
611723
)
724+
securityProfile =
725+
this.SecurityProfile
726+
|> Option.map _.ToArmJson
727+
|> Option.defaultValue Unchecked.defaultof<_>
612728
storageProfile =
613729
VirtualMachine.storageProfile (this.Name, this.OsDisk, this.DataDisks, true)
614730
networkProfile = {|
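Review bot: the four-line `securityProfile` mapping here duplicates the one added to `VirtualMachine.ToArmJson` in the hunk above; move it onto `VmSecurityProfile` (for example a static member taking `VmSecurityProfile option` and returning the ARM value or null) so VM and VMSS emit the same shape and a future field is added in one place. Since this sits inside the VMSS `virtualMachineProfile` alongside `storageProfile` and `networkProfile`, add a VMSS-level test for `encryption_at_host`, `secure_boot` and `vtpm` as well as the VM one, so the two emitters cannot drift.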
