-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_batch_pool
- support for new block security_profile
#28069
Conversation
azurerm_batch_pool
- support new block security_profile
azurerm_batch_pool
- support for new block security_profile
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @liuwuliuyun - I've had a look through and left some suggestions inline but once those are addressed I can take another look. Thanks!
@@ -740,6 +740,24 @@ func TestAccBatchPool_interNodeCommunicationWithTaskSchedulingPolicy(t *testing. | |||
}) | |||
} | |||
|
|||
func TestAccBatchPool_securityProfileWithUEFISettings(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we add additional steps to this test to test updating the properties in the block and to test adding/removing the block?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I have just recalled that the security_profile
can only be specified during creation and does not support updates. I will ensure this information is added to the documentation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Plus I will mark this block as forceNew
if config.SecurityProfile != nil { | ||
securityProfile := make([]interface{}, 0) | ||
securityConfig := make(map[string]interface{}) | ||
securityConfig["host_encryption_enabled"] = pointer.ToBool(config.SecurityProfile.EncryptionAtHost) | ||
if config.SecurityProfile.SecurityType != nil { | ||
securityConfig["security_type"] = string(*config.SecurityProfile.SecurityType) | ||
} | ||
if config.SecurityProfile.UefiSettings != nil { | ||
securityConfig["secure_boot_enabled"] = pointer.ToBool(config.SecurityProfile.UefiSettings.SecureBootEnabled) | ||
securityConfig["vtpm_enabled"] = pointer.ToBool(config.SecurityProfile.UefiSettings.VTpmEnabled) | ||
} | ||
securityProfile = append(securityProfile, securityConfig) | ||
d.Set("security_profile", securityProfile) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we move this into a flatten func?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, will do
Co-authored-by: catriona-m <86247157+catriona-m@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for updating this @liuwuliuyun - I left a couple more suggestions inline but can take another look after those are addressed. Thanks!
if configProfile.EncryptionAtHost != nil { | ||
securityConfig["host_encryption_enabled"] = *configProfile.EncryptionAtHost | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if configProfile.EncryptionAtHost != nil { | |
securityConfig["host_encryption_enabled"] = *configProfile.EncryptionAtHost | |
} | |
securityConfig["host_encryption_enabled"] = pointer.From(configProfile.EncryptionAtHost) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
if configProfile.SecurityType != nil { | ||
securityConfig["security_type"] = string(*configProfile.SecurityType) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if configProfile.SecurityType != nil { | |
securityConfig["security_type"] = string(*configProfile.SecurityType) | |
} | |
securityConfig["security_type"] = pointer.From(*configProfile.SecurityType) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
if configProfile.UefiSettings.SecureBootEnabled != nil { | ||
securityConfig["secure_boot_enabled"] = pointer.ToBool(configProfile.UefiSettings.SecureBootEnabled) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if configProfile.UefiSettings.SecureBootEnabled != nil { | |
securityConfig["secure_boot_enabled"] = pointer.ToBool(configProfile.UefiSettings.SecureBootEnabled) | |
} | |
securityConfig["secure_boot_enabled"] = pointer.From(configProfile.UefiSettings.SecureBootEnabled) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
if configProfile.UefiSettings.VTpmEnabled != nil { | ||
securityConfig["vtpm_enabled"] = pointer.ToBool(configProfile.UefiSettings.VTpmEnabled) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if configProfile.UefiSettings.VTpmEnabled != nil { | |
securityConfig["vtpm_enabled"] = pointer.ToBool(configProfile.UefiSettings.VTpmEnabled) | |
} | |
securityConfig["vtpm_enabled"] = pointer.From(configProfile.UefiSettings.VTpmEnabled) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
|
||
if v, ok := item["host_encryption_enabled"]; ok { | ||
securityProfile.EncryptionAtHost = pointer.FromBool(v.(bool)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
securityProfile.EncryptionAtHost = pointer.FromBool(v.(bool)) | |
securityProfile.EncryptionAtHost = pointer.To(v.(bool)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
|
||
if v, ok := item["secure_boot_enabled"]; ok { | ||
securityProfile.UefiSettings.SecureBootEnabled = pointer.FromBool(v.(bool)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
securityProfile.UefiSettings.SecureBootEnabled = pointer.FromBool(v.(bool)) | |
securityProfile.UefiSettings.SecureBootEnabled = pointer.To(v.(bool)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
|
||
if v, ok := item["vtpm_enabled"]; ok { | ||
securityProfile.UefiSettings.VTpmEnabled = pointer.FromBool(v.(bool)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
securityProfile.UefiSettings.VTpmEnabled = pointer.FromBool(v.(bool)) | |
securityProfile.UefiSettings.VTpmEnabled = pointer.To(v.(bool)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
@@ -165,6 +165,8 @@ The following arguments are supported: | |||
|
|||
* `os_disk_placement` - (Optional) Specifies the ephemeral disk placement for operating system disk for all VMs in the pool. This property can be used by user in the request to choose which location the operating system should be in. e.g., cache disk space for Ephemeral OS disk provisioning. For more information on Ephemeral OS disk size requirements, please refer to Ephemeral OS disk size requirements for Windows VMs at <https://docs.microsoft.com/en-us/azure/virtual-machines/windows/ephemeral-os-disks#size-requirements> and Linux VMs at <https://docs.microsoft.com/en-us/azure/virtual-machines/linux/ephemeral-os-disks#size-requirements>. The only possible value is `CacheDisk`. | |||
|
|||
* `security_profile` - (Optional) A `security_profile` block that describes the security settings for the Batch pool as defined below. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we add here that Changing this forces a new resource to be created.
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure
* `host_encryption_enabled` - (Optional) Whether to enable host encryption for the Virtual Machine or Virtual Machine Scale Set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. Possible values are `true` and `false`. Changing this forces a new resource to be created. | ||
|
||
* `security_type` - (Optional) The security type of the Virtual Machine. Possible values are `confidentialVM` and `trustedLaunch`. Changing this forces a new resource to be created. | ||
|
||
* `secure_boot_enabled` - (Optional) Whether to enable secure boot for the Virtual Machine or Virtual Machine Scale Set. Possible values are `true` and `false`. Changing this forces a new resource to be created. | ||
|
||
* `vtpm_enabled` - (Optional) Whether to enable virtual trusted platform module (vTPM) for the Virtual Machine or Virtual Machine Scale Set. Possible values are `true` and `false`. Changing this forces a new resource to be created. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if the properties within the block cannot be updated once it's been created as well, we should add ForceNew to these properties in the schema too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @liuwuliuyun LGTM!
Community Note
Description
For resource
azurerm_batch_pool
security_profile
security_profile
PR Checklist
For example: “
resource_name_here
- description of change e.g. adding propertynew_property_name_here
”Changes to existing Resource / Data Source
Testing
Change Log
Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.
azurerm_batch_pool
- support for new blocksecurity_profile
[azurerm_batch_pool
- support for new blocksecurity_profile
#28069]This is a (please select all that apply):
Related Issue(s)
Fixes #27952