Azure · zhoxing-ms · Jun 29, 2022 · Jun 8, 2022 · Jun 10, 2022 · Jun 16, 2022
@@ -1506,6 +1506,9 @@ disk create:
     source_storage_account_id:
       rule_exclusions:
       - option_length_too_long
+    secure_vm_disk_encryption_set:
+      rule_exclusions:
+      - option_length_too_long
 disk update:
   parameters:
     network_access_policy:

@@ -166,6 +166,7 @@ def load_arguments(self, _):
     for scope in ['disk create', 'snapshot create']:
         with self.argument_context(scope) as c:
             c.argument('source', help='source to create the disk/snapshot from, including unmanaged blob uri, managed disk id or name, or snapshot id or name')
+            c.argument('secure_vm_disk_encryption_set', help='Name or ID of disk encryption set created with ConfidentialVmEncryptedWithCustomerKey encryption type.')
     # endregion
 
     # region Disks
@@ -1435,8 +1436,8 @@ def load_arguments(self, _):
         c.argument('disk_encryption_set_name', disk_encryption_set_name)
         c.argument('key_url', help='URL pointing to a key or secret in KeyVault.')
         c.argument('source_vault', help='Name or ID of the KeyVault containing the key or secret.')
-        c.argument('encryption_type', arg_type=get_enum_type(['EncryptionAtRestWithPlatformKey', 'EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys']),
-                   help='The type of key used to encrypt the data of the disk. EncryptionAtRestWithPlatformKey: Disk is encrypted at rest with Platform managed key. It is the default encryption type. EncryptionAtRestWithCustomerKey: Disk is encrypted at rest with Customer managed key that can be changed and revoked by a customer. EncryptionAtRestWithPlatformAndCustomerKeys: Disk is encrypted at rest with 2 layers of encryption. One of the keys is Customer managed and the other key is Platform managed.')
+        c.argument('encryption_type', arg_type=get_enum_type(['EncryptionAtRestWithPlatformKey', 'EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys', 'ConfidentialVmEncryptedWithCustomerKey']),
+                   help='The type of key used to encrypt the data of the disk. EncryptionAtRestWithPlatformKey: Disk is encrypted at rest with Platform managed key. It is the default encryption type. EncryptionAtRestWithCustomerKey: Disk is encrypted at rest with Customer managed key that can be changed and revoked by a customer. EncryptionAtRestWithPlatformAndCustomerKeys: Disk is encrypted at rest with 2 layers of encryption. One of the keys is Customer managed and the other key is Platform managed. ConfidentialVmEncryptedWithCustomerKey: An additional encryption type accepted for confidential VM. Disk is encrypted at rest with Customer managed key.')
         c.argument('location', validator=get_default_location_from_resource_group)
         c.argument('tags', tags_type)
         c.argument('enable_auto_key_rotation', arg_type=get_three_state_flag(), min_api='2020-12-01',

@@ -283,6 +283,7 @@ class ExtensionUpdateLongRunningOperation(LongRunningOperation):  # pylint: disa
 
 
 # region Disks (Managed)
+# pylint: disable=line-too-long
 def create_managed_disk(cmd, resource_group_name, disk_name, location=None,  # pylint: disable=too-many-locals, too-many-branches, too-many-statements
                         size_gb=None, sku='Premium_LRS', os_type=None,
                         source=None, for_upload=None, upload_size_bytes=None,  # pylint: disable=unused-argument
@@ -297,7 +298,7 @@ def create_managed_disk(cmd, resource_group_name, disk_name, location=None,  # p
                         network_access_policy=None, disk_access=None, logical_sector_size=None,
                         tier=None, enable_bursting=None, edge_zone=None, security_type=None, support_hibernation=None,
                         public_network_access=None, accelerated_network=None, architecture=None,
-                        data_access_auth_mode=None, gallery_image_reference_type=None):
+                        data_access_auth_mode=None, gallery_image_reference_type=None, secure_vm_disk_encryption_set=None):
     from msrestazure.tools import resource_id, is_valid_resource_id
     from azure.cli.core.commands.client_factory import get_subscription_id
 
@@ -374,6 +375,20 @@ def create_managed_disk(cmd, resource_group_name, disk_name, location=None,  # p
             subscription=get_subscription_id(cmd.cli_ctx), resource_group=resource_group_name,
             namespace='Microsoft.Compute', type='diskAccesses', name=disk_access)
 
+    if security_type:
+        if security_type.lower().startswith('confidentialvm_') and hyper_v_generation.lower() != 'v2':
+            raise ArgumentUsageError('usage error: --security-type should be ConfidentialVM_* only if --hyper-v-generation is set to V2')
+
+    if secure_vm_disk_encryption_set:
+        if not security_type or security_type.lower() != 'confidentialvm_diskencryptedwithcustomerkey':
+            raise ArgumentUsageError('usage error: --securevm-disk-encryption-set can only be specified only when --security-type is set to ConfidentialVM_DiskEncryptedWithCustomerKey')
+        if not is_valid_resource_id(secure_vm_disk_encryption_set):
+            secure_vm_disk_encryption_set = resource_id(
+                subscription=get_subscription_id(cmd.cli_ctx), resource_group=resource_group_name,
+                namespace='Microsoft.Compute', type='diskEncryptionSets', name=secure_vm_disk_encryption_set)
+    elif security_type and security_type.lower() == 'confidentialvm_diskencryptedwithcustomerkey':
+        raise ArgumentUsageError('usage error: --securevm-disk-encryption-set is mandatory when --security-type is set to ConfidentialVM_DiskEncryptedWithCustomerKey')
+
     encryption = None
     if disk_encryption_set or encryption_type:
         encryption = Encryption(type=encryption_type, disk_encryption_set_id=disk_encryption_set)
@@ -406,8 +421,10 @@ def create_managed_disk(cmd, resource_group_name, disk_name, location=None,  # p
         disk.bursting_enabled = enable_bursting
     if edge_zone is not None:
         disk.extended_location = edge_zone
-    if security_type is not None:
+    if security_type:
         disk.security_profile = {'securityType': security_type}
+        if secure_vm_disk_encryption_set:
+            disk.security_profile['secure_vm_disk_encryption_set_id'] = secure_vm_disk_encryption_set
     if support_hibernation is not None:
         disk.supports_hibernation = support_hibernation
     if public_network_access is not None:

@@ -0,0 +1,57 @@
+{
+    "anyOf": [
+        {
+            "allOf": [
+                {
+                    "claim": "x-ms-attestation-type",
+                    "equals": "sevsnpvm"
+                },
+                {
+                    "claim": "x-ms-compliance-status",
+                    "equals": "azure-compliant-cvm"
+                }
+            ],
+            "authority": "https://sharedeus.eus.attest.azure.net/"
+        },
+        {
+            "allOf": [
+                {
+                    "claim": "x-ms-attestation-type",
+                    "equals": "sevsnpvm"
+                },
+                {
+                    "claim": "x-ms-compliance-status",
+                    "equals": "azure-compliant-cvm"
+                }
+            ],
+            "authority": "https://sharedwus.wus.attest.azure.net/"
+        },
+        {
+            "allOf": [
+                {
+                    "claim": "x-ms-attestation-type",
+                    "equals": "sevsnpvm"
+                },
+                {
+                    "claim": "x-ms-compliance-status",
+                    "equals": "azure-compliant-cvm"
+                }
+            ],
+            "authority": "https://sharedneu.neu.attest.azure.net/"
+        },
+        {
+            "allOf": [
+                {
+                    "claim": "x-ms-attestation-type",
+                    "equals": "sevsnpvm"
+                },
+                {
+                    "claim": "x-ms-compliance-status",
+                    "equals": "azure-compliant-cvm"
+                }
+            ],
+            "authority": "https://sharedweu.weu.attest.azure.net/"
+        }
+    ],
+    "version": "1.0.0"
+}