Microsoft.Compute/virtualMachines - Encryption settings for subs not having feature enabled

Open MariusStorhaug opened this issue 3 years ago • 5 comments

Description

VM module has the encryptionAtHost setting as True by default. However, in subscriptions where this feature is not enabled, the VM deployment fails.

This issue should end up with a decision and actions taken so we are sure that the consumer knows what to do when this setting is set to True. It should also end with a decision if we should set to true by default, relying on a discussion regarding what "secure by default" means.

MariusStorhaug, Apr 13 '22 06:04

Could also be as easy as guiding the consumer to run the following:

azure-pipeline.yml

- stage: Prep
  displayName: Prepare subscription
  jobs:
  - job: PrepSub
    displayName: Prepare subscription
    steps:
    - task: AzurePowerShell@5
      inputs:
        azureSubscription: $(serviceConnection)
        ScriptType: 'InlineScript'
        azurePowerShellVersion: 'LatestVersion'
        pwsh: true
        Inline: |
          . .\Scripts\EnableResourceProviders\Enable-ResourceProviders.ps1 -Verbose

The Enable-ResourceProviders.ps1 script

[CmdletBinding()]
param ()

$ResourceProviders = Get-Content -Path $PSScriptRoot\ResourceProviders.json -Raw | ConvertFrom-Json

foreach ($ResourceProvider in $ResourceProviders) {
    Register-AzResourceProvider -ProviderNamespace $ResourceProvider.name
    foreach ($feature in $ResourceProvider.features) {
        Register-AzProviderFeature -ProviderNamespace $ResourceProvider.name -FeatureName $feature
    }
}

The ResourceProviders.json file:

[
    {
        "name": "Microsoft.Compute",
        "features": [
            "EncryptionAtHost"
        ]
    }
]

MariusStorhaug, Apr 13 '22 06:04

I know it's a first draft, but if we implement that (and I think it's cool) then we should be idempotent - i.e. only try to register if it's not already enabled. Also, we'd need to clarify what the impact on a pipeline's runtime is.

AlexanderSehr, Apr 13 '22 08:04
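
An idempotent take on the registration script discussed above, as an added example that is not part of the original thread or the ResourceModules repository: it registers only what is not yet registered and reports the resulting states. It assumes an authenticated Az PowerShell session and the ResourceProviders.json layout shown earlier; the `ConfigPath` parameter and the shape of the output object are hypothetical.

```powershell
[CmdletBinding()]
param (
    # Hypothetical parameter; defaults to the JSON file shown in the thread
    [string] $ConfigPath = (Join-Path $PSScriptRoot 'ResourceProviders.json')
)

$resourceProviders = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

foreach ($provider in $resourceProviders) {
    # Register the namespace only if no entry reports it as registered
    $providerStates = (Get-AzResourceProvider -ProviderNamespace $provider.name).RegistrationState
    if ($providerStates -notcontains 'Registered') {
        Write-Verbose "Registering resource provider [$($provider.name)]"
        $null = Register-AzResourceProvider -ProviderNamespace $provider.name
    }

    foreach ($featureName in $provider.features) {
        $state = (Get-AzProviderFeature -ProviderNamespace $provider.name -FeatureName $featureName).RegistrationState

        # 'Registered' needs no call; 'Registering' and 'Pending' already have a request in flight
        if ($state -notin 'Registered', 'Registering', 'Pending') {
            Write-Verbose "Registering feature [$($provider.name)/$featureName] (was: $state)"
            $state = (Register-AzProviderFeature -ProviderNamespace $provider.name -FeatureName $featureName).RegistrationState
        }

        # Emit the state so a later pipeline step can decide whether encryptionAtHost is usable yet
        [pscustomobject]@{
            ProviderNamespace = $provider.name
            FeatureName       = $featureName
            RegistrationState = $state
        }
    }
}
```

Feature registration completes asynchronously, so a `Registering` result means a VM deployment with encryptionAtHost set to True can still fail until the state reaches `Registered`.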

Related to #1048

AlexanderSehr, Apr 13 '22 08:04

Or pointing to the official one-liner docs: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli#prerequisites. Including the feature registration in the pipeline wouldn't cover scenario 2 anyway (module consumers not leveraging the CI environment).

We should discuss whether to enable that by default in the first place.

eriqua, Apr 25 '22 23:04

Team decides:

  • disable by default
  • describe the parameter in the readme and that it is not secure
  • add a parameter file that enables it

rahalan, Jun 09 '22 15:06