Proxy Agent support for Gallery (Azure#27987)

Author: grizzlytheodore

src/Compute/Compute.Test/ScenarioTests/GalleryTests.cs

@@ -85,5 +85,13 @@ public void TestGalleryBlockDeletionBeforeEndOfLife()
         {
             TestRunner.RunTestScript("TestGen-BlockDeletionBeforeEndOfLife");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestInVMAccessControlProfileVersion()
+        {
+            TestRunner.RunTestScript("Test-InVMAccessControlProfileVersion");
+        }
+
     }
 }

src/Compute/Compute.Test/ScenarioTests/GalleryTests.ps1

@@ -1110,3 +1110,118 @@ function TestGen-newazgallery
         Remove-AzResourceGroup -Name $rgname -Force -ErrorAction SilentlyContinue;
     }
 }
+
+<#
+.SYNOPSIS
+Tests InVMAccessControlProfileVersions 
+#>
+function Test-InVMAccessControlProfileVersion
+{
+    # Setup
+    $rgname = Get-ComputeTestResourceName;
+    $loc = "westus2"
+    
+    try
+    {
+    
+        $location = $loc;
+        $resourceGroup = $rgname 
+
+        $galleryName = "mspGallery" 
+        $InVMAccessControlProfileName= "testMspCp"
+
+        $inVMAccessControlProfileVersionName= "1.0.0" 
+        $targetLocations= @("EastUS2EUAP", "CentralUSEUAP", "westUS2") 
+
+        # create resource group 
+        New-AzResourceGroup -Name $rgname -Location $loc -Force;
+
+        # gallery creation 
+        New-AzGallery -ResourceGroupName $rgname -GalleryName $galleryName -Location $location -Description "My custom image gallery" 
+ 
+        # CP creation 
+        New-AzGalleryInVMAccessControlProfile -ResourceGroupName $rgname -GalleryName $galleryName   -GalleryInVMAccessControlProfileName $InVMAccessControlProfileName -Location $location -OsType "Windows" -ApplicableHostEndPoint "WireServer" -Description "this test1" 
+        $cp = Get-AzGalleryInVMAccessControlProfile -ResourceGroupName  $resourceGroup  -GalleryName $galleryName   -GalleryInVMAccessControlProfileName $InVMAccessControlProfileName 
+
+        # Validate 
+        Assert-AreEqual $cp.Name $InVMAccessControlProfileName 
+        Assert-AreEqual $cp.Properties.OsType "Windows"  
+        Assert-AreEqual $cp.Properties.ApplicableHostEndPoint "WireServer" 
+        Assert-AreEqual $cp.Properties.Description "this test1" 
+
+        # Update CP
+        Update-AzGalleryInVMAccessControlProfile -ResourceGroupName  $resourceGroup  -GalleryName $galleryName   -GalleryInVMAccessControlProfileName $InVMAccessControlProfileName -Location $location -Description "this test2" 
+
+        # Create CPversion config 
+        $inVMAccessControlProfileVersion = New-AzGalleryInVMAccessControlProfileVersionConfig -Name $inVMAccessControlProfileVersionName  -Location $location -Mode "Audit"  -DefaultAccess "Deny" -TargetLocation $targetLocations  -ExcludeFromLatest 
+
+        # Set AccessRoles
+        ## Add Privilege
+        Add-AzGalleryInVMAccessControlProfileVersionRulesPrivilege -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion -PrivilegeName "GoalState" -Path "/machine" -QueryParameter @{ comp = "goalstate" } 
+        Add-AzGalleryInVMAccessControlProfileVersionRulesPrivilege -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion -PrivilegeName "GoalState2" -Path "/machine" -QueryParameter @{ comp = "goalstate" } 
+
+        ## Add Roles 
+        Add-AzGalleryInVMAccessControlProfileVersionRulesRole -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion -RoleName "Provisioning" -Privilege @("GoalState") 
+        Add-AzGalleryInVMAccessControlProfileVersionRulesRole -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion -RoleName "Provisioning2" -Privilege @("GoalState") 
+
+        ## Add Identity 
+        Add-AzGalleryInVMAccessControlProfileVersionRulesIdentity -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion -IdentityName "WinPA" -UserName "SYSTEM" -GroupName "Administrators" -ExePath "C:\Windows\System32\cscript.exe" -ProcessName "cscript" 
+        Add-AzGalleryInVMAccessControlProfileVersionRulesIdentity -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion -IdentityName "WinPA2" -UserName "SYSTEM" -GroupName "Administrators" -ExePath "C:\Windows\System32\cscript.exe" -ProcessName "cscript" 
+
+        ## Add Role Assignment
+        Add-AzGalleryInVMAccessControlProfileVersionRulesRoleAssignment -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion -Role "Provisioning" -Identity @("WinPA") 
+        Add-AzGalleryInVMAccessControlProfileVersionRulesRoleAssignment -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion -Role "Provisioning2" -Identity @("WinPA") 
+
+        # Validate CP Version Config 
+        Assert-AreEqual $inVMAccessControlProfileVersion.TargetLocations.count 3
+        Assert-AreEqual $inVMAccessControlProfileVersion.ExcludeFromLatest $true
+        Assert-AreEqual $inVMAccessControlProfileVersion.Rules.Roles.count 2 
+        Assert-AreEqual $inVMAccessControlProfileVersion.Rules.Identities.count 2 
+        Assert-AreEqual $inVMAccessControlProfileVersion.Rules.Privileges.count 2 
+        Assert-AreEqual $inVMAccessControlProfileVersion.Rules.RoleAssignments.count 2 
+
+        # Create CP Version 
+        New-AzGalleryInVMAccessControlProfileVersion -ResourceGroupName $resourceGroup -GalleryName $galleryName -GalleryInVMAccessControlProfileName   $InVMAccessControlProfileName   -GalleryInVmAccessControlProfileVersion $inVMAccessControlProfileVersion  
+
+        # Get CP version 
+        $ver = Get-AzGalleryInVMAccessControlProfileVersion -ResourceGroupName  $resourceGroup -GalleryName $galleryName -GalleryInVMAccessControlProfileName $InVMAccessControlProfileName -GalleryInVMAccessControlProfileVersionName  $inVMAccessControlProfileVersionName 
+
+        # validate CP version 
+        Assert-AreEqual $ver.TargetLocations.count 3
+        Assert-AreEqual $ver.ExcludeFromLatest $true
+        Assert-AreEqual $ver.Rules.Roles.count 2 
+        Assert-AreEqual $ver.Rules.Identities.count 2 
+        Assert-AreEqual $ver.Rules.Privileges.count 2 
+        Assert-AreEqual $ver.Rules.RoleAssignments.count 2 
+
+        # update CP version 
+        $targetLocations = @("westus2") 
+        Update-AzGalleryInVMAccessControlProfileVersion -GalleryInVMAccessControlProfileVersion $ver -TargetLocation $targetLocations -ExcludeFromLatest $false 
+
+        # validate
+        $ver = Get-AzGalleryInVMAccessControlProfileVersion -ResourceGroupName  $resourceGroup -GalleryName $galleryName -GalleryInVMAccessControlProfileName $InVMAccessControlProfileName -GalleryInVMAccessControlProfileVersionName  $inVMAccessControlProfileVersionName 
+        Assert-AreEqual $ver.TargetLocations.count 1
+        Assert-AreEqual $ver.ExcludeFromLatest $false
+
+
+        # remove CP version 
+        Remove-AzGalleryInVMAccessControlProfileVersion -ResourceGroupName $resourceGroup -GalleryName $galleryName -GalleryInVMAccessControlProfileName $InVMAccessControlProfileName -GalleryInVMAccessControlProfileVersionName  $inVMAccessControlProfileVersionName -Force
+        $ver = Get-AzGalleryInVMAccessControlProfileVersion -ResourceGroupName  $resourceGroup -GalleryName $galleryName -GalleryInVMAccessControlProfileName $InVMAccessControlProfileName
+
+        # validate 
+        Assert-AreEqual $ver.count 0 
+
+        # remove CP
+        Remove-AzGalleryInVMAccessControlProfile -ResourceGroupName  $resourceGroup  -GalleryName $galleryName   -GalleryInVMAccessControlProfileName $InVMAccessControlProfileName -Force
+        $profile = Get-AzGalleryInVMAccessControlProfile -ResourceGroupName  $resourceGroup  -GalleryName $galleryName  
+
+        # validate
+        Assert-AreEqual $profile.count 0
+
+    }
+    finally 
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname;
+    }
+}

src/Compute/Compute.Test/SessionRecords/Microsoft.Azure.Commands.Compute.Test.ScenarioTests.GalleryTests/TestInVMAccessControlProfileVersion.json

@@ -200,6 +200,15 @@ CmdletsToExport = 'Add-AzImageDataDisk', 'Add-AzVhd',
                'Update-AzHost', 'Update-AzImage', 'Update-AzRestorePointCollection', 
                'Update-AzSnapshot', 'Update-AzSshKey', 'Update-AzVM', 'Update-AzVmss', 
                'Update-AzVmssInstance', 'Update-AzVmssVM', 
+               'New-AzGalleryInVMAccessControlProfile', 'Remove-AzGalleryInVMAccessControlProfile', 
+               'Get-AzGalleryInVMAccessControlProfile',
+               'New-AzGalleryInVMAccessControlProfileVersion', 'New-AzGalleryInVMAccessControlProfileVersionConfig', 
+               'Remove-AzGalleryInVMAccessControlProfileVersion', 'Get-AzGalleryInVMAccessControlProfileVersion',
+               'Add-AzGalleryInVMAccessControlProfileVersionRulesPrivilege', 'Remove-AzGalleryInVMAccessControlProfileVersionRulesPrivilege',
+               'Add-AzGalleryInVMAccessControlProfileVersionRulesRole', 'Remove-AzGalleryInVmAccessControlProfileVersionRulesRole',
+               'Add-AzGalleryInVMAccessControlProfileVersionRulesIdentity', 'Remove-AzGalleryInVMAccessControlProfileVersionRulesIdentity',
+               'Add-AzGalleryInVMAccessControlProfileVersionRulesRoleAssignment', 'Remove-AzGalleryInVMAccessControlProfileVersionRulesRoleAssignment',
+               'Update-AzGalleryInVMAccessControlProfileVersion', 'Update-AzGalleryInVMAccessControlProfile',
                'Set-AzVMProxyAgentSetting', 'Set-AzVmssProxyAgentSetting'
 
 # Variables to export from this module

src/Compute/Compute/Az.Compute.psd1

@@ -20,6 +20,14 @@
 
 -->
 ## Upcoming Release
+* Support for Metadata Security Protocol (MSP) support for Gallery
+    - Added new cmdlets `New-AzGalleryInVmAccessControlProfile`, `Get-AzGalleryInVmAccessControlProfile`, `Update-AzGalleryInVmAccessControlProfile`, and `Remove-AzGalleryInVmAccessControlProfile` to manage In-VM Access Control Profiles in Azure Compute Gallery.
+    - Added new cmdlets `New-AzGalleryInVmAccessControlProfileVersion`, `Get-AzGalleryInVmAccessControlProfileVersion`, `Update-AzGalleryInVmAccessControlProfileVersion`, and `Remove-AzGalleryInVmAccessControlProfileVersion` to manage In-VM Access Control Profile Versions in Azure Compute Gallery.
+    - Added new cmdlet `New0AzGalleryInVmAccessControlProfileVersionConfig` to create a local configuration object for In-VM Access Control Profile Version.
+    - Added new cmdlets `Add-AzGalleryInVmAccessControlProfileVersionRulesPrivilege` and `Remove-AzGalleryInVmAccessControlProfileVersionRulesPrivilege` to manage privileges in In-VM Access Control Profile Version.
+    - Added new cmdlets `Add-AzGalleryInVmAccessControlProfileVersionRulesRole` and `Remove-AzGalleryInVmAccessControlProfileVersionRulesRole` to manage roles in In-VM Access Control Profile Version.
+    - Added new cmdlets `Add-AzGalleryInVmAccessControlProfileVersionRulesIdentity` and `Remove-AzGalleryInVmAccessControlProfileVersionRulesIdentity` to manage identities in In-VM Access Control Profile Version.
+    - Added new cmdlets `Add-AzGalleryInVmAccessControlProfileVersionRulesRoleAssignment` and `Remove-AzGalleryInVmAccessControlProfileVersionRulesRoleAssignment` to manage role assignments in In-VM Access Control Profile Version.
 * Added `-EnableProxyAgent` parameter to `New-AzVM` and `New-AzVmss` simple parameter sets.
 * Added `-ProxyAgentKeyIncarnationId`parameter to `Update-AzVmssVM` cmdlet.
 * Added new cmdlets `Set-AzVmssProxyAgent` and `Set-AzVMProxyAgent` to set the proxy agent settings for VM and VMSS.`

src/Compute/Compute/ChangeLog.md

@@ -18,6 +18,138 @@
         </CustomEntries>
       </CustomControl>
     </View>
+    <View>
+      <Name>Microsoft.Azure.Commands.Compute.Automation.Models.PSGalleryInVMAccessControlProfile</Name>
+      <ViewSelectedBy>
+        <TypeName>Microsoft.Azure.Commands.Compute.Automation.Models.PSGalleryInVMAccessControlProfile</TypeName>
+      </ViewSelectedBy>
+      <ListControl>
+        <ListEntries>
+          <ListEntry>
+            <ListItems>
+              <ListItem>
+                <Label>Id</Label>
+                <PropertyName>Id</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Name</Label>
+                <PropertyName>Name</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Type</Label>
+                <PropertyName>Type</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Location</Label>
+                <PropertyName>Location</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Tags</Label>
+                <PropertyName>Tags</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Description</Label>
+                <ScriptBlock>$_.Properties.Description</ScriptBlock>
+              </ListItem>
+              <ListItem>
+                <Label>OsType</Label>
+                <ScriptBlock>$_.Properties.OsType</ScriptBlock>
+              </ListItem>
+              <ListItem>
+                <Label>ApplicableHostEndpoint</Label>
+                <ScriptBlock>$_.Properties.ApplicableHostEndpoint</ScriptBlock>
+              </ListItem>
+              <ListItem>
+                <Label>ProvisioningState</Label>
+                <ScriptBlock>$_.Properties.ProvisioningState</ScriptBlock>
+              </ListItem>
+            </ListItems>
+          </ListEntry>
+        </ListEntries>
+      </ListControl>
+    </View>
+    <View>
+      <Name>Microsoft.Azure.Commands.Compute.Automation.Models.PSGalleryInVMAccessControlProfileVersion</Name>
+      <ViewSelectedBy>
+        <TypeName>Microsoft.Azure.Commands.Compute.Automation.Models.PSGalleryInVMAccessControlProfileVersion</TypeName>
+      </ViewSelectedBy>
+      <ListControl>
+        <ListEntries>
+          <ListEntry>
+            <ListItems>
+              <ListItem>
+                <Label>Id</Label>
+                <PropertyName>Id</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Name</Label>
+                <PropertyName>Name</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Type</Label>
+                <PropertyName>Type</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Location</Label>
+                <PropertyName>Location</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Tags</Label>
+                <PropertyName>Tags</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>TargetLocations</Label>
+                <PropertyName>TargetLocations</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>ExcludeFromLatest</Label>
+                <PropertyName>ExcludeFromLatest</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>PublishedDate</Label>
+                <PropertyName>PublishedDate</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>ProvisioningState</Label>
+                <PropertyName>ProvisioningState</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>ReplicationStatus</Label>
+                <PropertyName>ReplicationStatus</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Mode</Label>
+                <PropertyName>Mode</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>DefaultAccess</Label>
+                <PropertyName>DefaultAccess</PropertyName>
+              </ListItem>
+              <ListItem>
+                <Label>Rules</Label>
+                <ScriptBlock>""</ScriptBlock>
+              </ListItem>
+              <ListItem>
+                <Label>    Privileges</Label>
+                <ScriptBlock>$_.Rules.Privileges</ScriptBlock>
+              </ListItem>
+              <ListItem>
+                <Label>    Roles</Label>
+                <ScriptBlock>$_.Rules.Roles</ScriptBlock>
+              </ListItem>
+              <ListItem>
+                <Label>    Identities</Label>
+                <ScriptBlock>$_.Rules.Identities</ScriptBlock>
+              </ListItem>
+              <ListItem>
+                <Label>    RoleAssignments</Label>
+                <ScriptBlock>$_.Rules.RoleAssignments</ScriptBlock>
+              </ListItem>
+            </ListItems>
+          </ListEntry>
+        </ListEntries>
+      </ListControl>
+    </View>
     <View>
       <Name>Microsoft.Azure.Commands.Compute.Models.PSComputeLongRunningOperation</Name>
       <ViewSelectedBy>

src/Compute/Compute/Compute.format.ps1xml

@@ -333,6 +333,20 @@ public IRestorePointsOperations RestorePointClient
                 return ComputeClient.ComputeManagementClient.RestorePoints;
             }
         }
+        public IGalleryInVMAccessControlProfilesOperations GalleryInVMAccessControlProfileClient
+        {
+            get
+            {
+                return ComputeClient.ComputeManagementClient.GalleryInVMAccessControlProfiles;
+            }
+        }
+        public IGalleryInVMAccessControlProfileVersionsOperations GalleryInVMAccessControlProfileVersionClient
+        {
+            get
+            {
+                return ComputeClient.ComputeManagementClient.GalleryInVMAccessControlProfileVersions;
+            }
+        }
 
         public static string FormatObject(Object obj)
         {
@@ -484,6 +498,31 @@ public static string GetVersion(string resourceId, string resourceName, string i
             Match m = r.Match(resourceId);
             return m.Success ? m.Groups["version"].Value : null;
         }
+
+        public static string GetGalleryNameFromInVMAccessControlProfileResourceId(string InVMAccessControlProfileResourceId)
+        {
+            if (string.IsNullOrEmpty(InVMAccessControlProfileResourceId)) { return null; }
+            Regex r = new Regex(@"(.*?)/galleries/(?<galleryName>[^/]+)", RegexOptions.IgnoreCase);
+            Match m = r.Match(InVMAccessControlProfileResourceId);
+            return m.Success ? m.Groups["galleryName"].Value : null;
+        }
+
+        public static string GetInVMAccessControlProfileNameFromInVMAccessControlProfileResourceId(string InVMAccessControlProfileResourceId)
+        {
+            if (string.IsNullOrEmpty(InVMAccessControlProfileResourceId)) { return null; }
+            Regex r = new Regex(@"(.*?)/galleries/(?<galleryName>[^/]+)/inVMAccessControlProfiles/(?<profileName>[^/]+)", RegexOptions.IgnoreCase);
+            Match m = r.Match(InVMAccessControlProfileResourceId);
+            return m.Success ? m.Groups["profileName"].Value : null;
+        }
+
+        public static string GetInVMAccessControlProfileVersionNameFromInVMAccessControlProfileVersionResourceId(string InVMAccessControlProfileVersionResourceId)
+        {
+            if (string.IsNullOrEmpty(InVMAccessControlProfileVersionResourceId)) { return null; }
+            Regex r = new Regex(@"(.*?)/galleries/(?<galleryName>[^/]+)/inVMAccessControlProfiles/(?<profileName>[^/]+)/versions/(?<versionName>[^/]+)", RegexOptions.IgnoreCase);
+            Match m = r.Match(InVMAccessControlProfileVersionResourceId);
+            return m.Success ? m.Groups["versionName"].Value : null;
+        }
+
     }
     public static class LocationStringExtensions
     {