Trusted Launch SSE+CMK Azure Compute Gallery confusing error #29280

Open
JenGoldstrich opened this issue May 30, 2024 · 1 comment
Labels
customer-reported Issues that are reported by GitHub users external to the Azure organization. Gallery Mgmt This issue is related to a management-plane library. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team.

Comments

@JenGoldstrich

JenGoldstrich commented May 30, 2024

API Spec link

compute/galleryimageversions

API Spec version

any that supports disk encryption set ids

Question/Query

When trying to capture a Trusted Launch VM using double encryption to ACG I get a very long error with a stack trace, this happens on any API client to any galleryimageversions version.

$ az sig image-version create --resource-group jennatest \
        --gallery-name test --gallery-image-definition testt \
        --gallery-image-version 1.0.5 \
        --virtual-machine {secret} \
        --target-regions westus \
        --target-region-encryption {double-encrypted-key} --location westus

Code: InternalOperationError
Message: Replication failed in this region due to 'Contract.Assert failed: Data model DiskEncryptionSetId '' does not match DiskRP returned DiskEncryptionSetId '/subscriptions/secret/resourceGroups/SHARED/providers/Microsoft.Compute/diskEncryptionSets/blah'

Call stack:
   at Microsoft.Windows.Azure.GCM.Contract.Assert(Boolean condition, String userMessage) in X:\bt\1257000\repo\src\Shared\Lib\Common\Contracts.cs:line 82
   at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.ReplicationBlockBase`3.ValidateDiskRPEncryptionResult(Encryption dmEncryption, Encryption resultEncryption) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\ReplicationBlockBase.cs:line 357
   at Microsoft.WindowsAzure.PlatformImageRepository.ArtifactService.GoalSeeking.AllocateSnapshotsBlock.ProcessSingleAllocateSnapshotResult(ReplicatedArtifact replicatedArtifact, VMImageSnapshotResult snapshotResult, Int32 maximumSourceDiskSizeInGb) in X:\bt\1253263\repo\src\CRP-PIR\ArtifactService\GoalSeeking\Blocks\AllocateSnapshotsBlock.cs:line 722
   at 
   ... (see github issue from Packer Azure plugin for full trace)

This was reported on a repo I maintain here hashicorp/packer-plugin-azure#418 and originally here hashicorp/packer-plugin-azure#304, the Packer Azure plugin invokes the API and runs into the same error.

The documentation for Trusted Launch and double encryption does not make it clear that this is not supported, however an Azure engineer who previously engaged on this issue let me know that the ACG product team says it's not supported and there are no plans to support it. I've spent quite a bit of time trying to gather this information and understand that this just isn't supported on Azure.

Can we please update this error message in the API to make it clearer that this functionality is not supported, something simple like "Azure Compute Gallery does not support Trusted Launch images using Disk Encryption Sets" and document it. Users currently do not clearly know from reading the error and the Azure docs that ACG does not support this type of image.

Environment

No response
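Until the API returns a clearer message, a client (a Packer wrapper, a CI script) can catch the combination itself. The following is an added example, not code from the issue, the Azure CLI or the Packer Azure plugin: it parses the `--target-region-encryption` value in the az CLI format (`<os_des>,<lun>,<lun_des>,...`, with `null` meaning platform-managed key), reads `securityProfile.securityType` from `az vm show` JSON, refuses the capture up front with the wording proposed above, and translates the `Contract.Assert` text quoted in the issue into that same message when the API is called anyway. The sample VM JSON and error string are constructed; the assumption that this particular assert only fires for the Trusted Launch + DES case is taken from the issue itself.

```python
"""Pre-flight check and error translator for Trusted Launch + DES captures to ACG.
Added example, not from the issue, az CLI or the Packer Azure plugin."""
import json
import re
from typing import Dict, List, Optional

# Wording proposed in the issue for the clearer API error.
CLEAR_MESSAGE = ("Azure Compute Gallery does not support Trusted Launch images "
                 "using Disk Encryption Sets")

# Pattern lifted from the error quoted in the issue. Assumption: this assert is
# the gallery's symptom for the Trusted Launch + DES combination.
_DES_MISMATCH_RE = re.compile(
    r"Data model DiskEncryptionSetId '' does not match DiskRP returned "
    r"DiskEncryptionSetId '(?P<des>/subscriptions/[^']+)'"
)


def parse_target_region_encryption(spec: str) -> Dict[str, object]:
    """Parse one --target-region-encryption entry: '<os_des>,<lun>,<lun_des>,...'.
    'null' (or empty) means platform-managed key for that disk."""
    parts = [p.strip() for p in spec.split(",")]
    os_des = None if parts[0].lower() in ("", "null") else parts[0]
    rest = parts[1:]
    if len(rest) % 2:
        raise ValueError("incomplete lun/DES pair in %r" % spec)
    data_des: Dict[int, Optional[str]] = {}
    for lun, des in zip(rest[::2], rest[1::2]):
        data_des[int(lun)] = None if des.lower() in ("", "null") else des
    return {"os_des": os_des, "data_des": data_des}


def uses_disk_encryption_set(spec: str) -> bool:
    """True if any disk in the region spec is encrypted with a DES (SSE+CMK)."""
    enc = parse_target_region_encryption(spec)
    return enc["os_des"] is not None or any(enc["data_des"].values())


def is_trusted_launch(vm_json: str) -> bool:
    """Read securityProfile.securityType from 'az vm show -o json' output."""
    vm = json.loads(vm_json)
    profile = vm.get("securityProfile") or {}
    return (profile.get("securityType") or "").lower() == "trustedlaunch"


def preflight(vm_json: str, region_specs: List[str]) -> Optional[str]:
    """Return the clear error before calling the API, or None if capture may proceed."""
    if is_trusted_launch(vm_json) and any(uses_disk_encryption_set(s) for s in region_specs):
        return CLEAR_MESSAGE
    return None


def translate_replication_error(message: str) -> str:
    """Rewrite the InternalOperationError text into the clear message; pass others through."""
    match = _DES_MISMATCH_RE.search(message)
    if match:
        return "%s (gallery rejected DES %s)" % (CLEAR_MESSAGE, match.group("des"))
    return message


# Constructed samples (not real resources): a Trusted Launch VM and a standard VM.
SAMPLE_TL_VM = json.dumps({"name": "tl-vm", "securityProfile": {"securityType": "TrustedLaunch"}})
SAMPLE_STD_VM = json.dumps({"name": "std-vm", "securityProfile": {}})
SAMPLE_DES = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "SHARED/providers/Microsoft.Compute/diskEncryptionSets/blah")
# Constructed copy of the message shape shown in the issue.
SAMPLE_ERROR = ("Replication failed in this region due to 'Contract.Assert failed: "
                "Data model DiskEncryptionSetId '' does not match DiskRP returned "
                "DiskEncryptionSetId '%s'" % SAMPLE_DES)

if __name__ == "__main__":
    print(preflight(SAMPLE_TL_VM, [SAMPLE_DES]))
    print(preflight(SAMPLE_STD_VM, [SAMPLE_DES]))
    print(translate_replication_error(SAMPLE_ERROR))
```

Run the pre-flight before `az sig image-version create` (or in the plugin before the SDK call); if it returns a message, fail fast with it instead of waiting for replication to abort with the stack trace.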

@JenGoldstrich JenGoldstrich added the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label May 30, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label May 30, 2024
@zzhxiaofeng zzhxiaofeng added Service Attention Workflow: This issue is responsible by Azure service team. Gallery Mgmt This issue is related to a management-plane library. labels Jun 3, 2024
@JenGoldstrich
Author

Hey @zzhxiaofeng, do you have an update on this issue? It's something that has confused several of my team's users, so it'd be great for the Azure API to return a more user-friendly error here.
