
[Gallery Image Versions - Update] can't scale up replicas when there is an Azure Policy requiring disk encryption set #31937

Description

@grace-liang

This is a customer reported issue.

Sample command that is used to scale up replicas of a GalleryImageVersion resource:

```
az sig image-version update --resource-group acgtest --gallery-name acgrt --gallery-image-definition dew --gallery-image-version 2.0.0 --target-regions uksouth=2
```

When an Azure Policy requiring disk encryption sets is applied, this update command fails on GalleryImageVersion resources already utilizing a disk encryption set.

```
error: {
  code: 'RequestDisallowedByPolicy',
  target: '22631.5476.250610',
  message: 'Resource '22631.5476.250610' was disallowed by policy. Policy identifiers: '[{\\'policyAssignment\\':{\\'name\\':\\'Ensure secure-by-default azurediskstorage for Financial Services Industry\\',\\'id\\':\\'/providers/Microsoft.Management/managementGroups/ace-alpha-01-landingzones/providers/Microsoft.Authorization/policyAssignments/APF-Compliant-AzDisk\\'},\\'policyDefinition\\':{\\'name\\':\\'OS and data disks should be encrypted with a customer-managed key\\',\\'id\\':\\'/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\\',\\'version\\':\\'3.0.0\\'},\\'policySetDefinition\\':{\\'name\\':\\'Ensure secure-by-default azurediskstorage for Financial Services Industry\\',\\'id\\':\\'/providers/Microsoft.Management/managementGroups/ace-alpha-575Lab-01/providers/Microsoft.Authorization/policySetDefinitions/APF-Compliant-AzDisk\\',\\'version\\':\\'1.0.0\\'}}]'.',
```

This policy is enforced at the ARM level, meaning the API call does not make it to the Compute RP.

Proposed fix:

  1. If the GalleryImageVersion resource has a disk encryption set and `az sig image-version update` is used, the CLI client should do a GET GalleryImageVersion call and merge the disk encryption set payload for the region into the PATCH request.
  2. `az sig image-version update` should take `--target-region-encryption` as input so the customer can pass the same disk encryption set for updates.
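As an illustration of proposal 1 (added example, not azure-cli code): merge a `region=replicas` request into the `targetRegions` returned by GET so each region's `encryption` block survives the PATCH, plus a pre-flight check that flags any region that would lose its disk encryption set. The payload shape follows the GalleryImageVersion `publishingProfile.targetRegions` schema; the subscription id and DES name are constructed placeholders.

```python
import copy

# Constructed sample of what GET returns for publishingProfile.targetRegions;
# the subscription id and DES name are placeholders.
EXISTING_TARGET_REGIONS = [{
    "name": "uksouth",
    "regionalReplicaCount": 1,
    "encryption": {"osDiskImage": {"diskEncryptionSetId":
        "/subscriptions/<sub-id>/resourceGroups/acgtest"
        "/providers/Microsoft.Compute/diskEncryptionSets/<des-name>"}},
}]


def parse_target_regions(tokens):
    """Parse 'region=replicas' tokens such as ['uksouth=2'] into a dict."""
    requested = {}
    for token in tokens:
        name, _, count = token.partition("=")
        requested[name.lower()] = int(count) if count else None
    return requested


def merge_target_regions(existing, requested):
    """Build the targetRegions list for the PATCH body (proposal 1).
    Existing regions keep their encryption block and only get a new replica
    count; regions not yet present are appended without encryption, so the
    caller must attach a DES for those (proposal 2).
    """
    merged, seen = [], set()
    for region in existing:
        entry = copy.deepcopy(region)  # never mutate the GET response
        key = entry["name"].lower()
        if requested.get(key) is not None:
            entry["regionalReplicaCount"] = requested[key]
        merged.append(entry)
        seen.add(key)
    for name, count in requested.items():
        if name not in seen:
            merged.append({"name": name, "regionalReplicaCount": count or 1})
    return merged


def regions_missing_encryption(existing, patch_regions):
    """Regions that had a DES on the resource but carry none in the PATCH.
    A non-empty result is exactly the payload a CMK policy like the one in
    the issue rejects, so check it before sending.
    """
    had = {r["name"].lower() for r in existing if r.get("encryption")}
    has = {r["name"].lower() for r in patch_regions if r.get("encryption")}
    return sorted(had - has)
```

Sending only `{"name": "uksouth", "regionalReplicaCount": 2}` (what a naive PATCH does today) is flagged by the check, while the merged payload passes.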
