constellation/image/upload/upload_azure.sh

195 lines
6.7 KiB
Bash
Raw Normal View History

2022-10-19 07:10:15 -04:00
#!/usr/bin/env bash
2022-10-11 05:34:57 -04:00
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
2022-10-19 07:10:15 -04:00
set -euo pipefail
if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
. "${CONFIG_FILE}"
fi
CREATE_SIG_VERSION=NO
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case $1 in
-g|--gallery)
CREATE_SIG_VERSION=YES
shift # past argument
;;
--disk-name)
AZURE_DISK_NAME="$2"
shift # past argument
shift # past value
;;
-*|--*)
echo "Unknown option $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [[ "${AZURE_SECURITY_TYPE}" == "ConfidentialVM" ]]; then
AZURE_DISK_SECURITY_TYPE=ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey
AZURE_SIG_VERSION_ENCRYPTION_TYPE=EncryptedVMGuestStateOnlyWithPmk
elif [[ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]]; then
AZURE_DISK_SECURITY_TYPE=""
elif [[ "${AZURE_SECURITY_TYPE}" == "TrustedLaunch" ]]; then
AZURE_DISK_SECURITY_TYPE=TrustedLaunch
else
echo "Unknown security type: ${AZURE_SECURITY_TYPE}"
exit 1
fi
AZURE_CVM_ENCRYPTION_ARGS=""
if [[ -n "${AZURE_SIG_VERSION_ENCRYPTION_TYPE-}" ]]; then
AZURE_CVM_ENCRYPTION_ARGS=" --target-region-cvm-encryption "
for region in ${AZURE_REPLICATION_REGIONS}; do
AZURE_CVM_ENCRYPTION_ARGS=" ${AZURE_CVM_ENCRYPTION_ARGS} ${AZURE_SIG_VERSION_ENCRYPTION_TYPE}, "
done
fi
echo "Replicating image in ${AZURE_REPLICATION_REGIONS}"
AZURE_VMGS_PATH=$1
if [[ -z "${AZURE_VMGS_PATH}" ]] && [[ "${AZURE_SECURITY_TYPE}" == "ConfidentialVM" ]]; then
echo "No VMGS path provided - using default ConfidentialVM VMGS"
AZURE_VMGS_PATH="${BLOBS_DIR}/cvm-vmgs.vhd"
elif [[ -z "${AZURE_VMGS_PATH}" ]] && [[ "${AZURE_SECURITY_TYPE}" == "TrustedLaunch" ]]; then
echo "No VMGS path provided - using default TrsutedLaunch VMGS"
AZURE_VMGS_PATH="${BLOBS_DIR}/trusted-launch-vmgs.vhd"
fi
SIZE=$(wc -c "${AZURE_IMAGE_PATH}" | cut -d " " -f1)
create_disk_with_vmgs () {
az disk create \
-n "${AZURE_DISK_NAME}" \
-g "${AZURE_RESOURCE_GROUP_NAME}" \
-l "${AZURE_REGION}" \
--hyper-v-generation V2 \
--os-type Linux \
--upload-size-bytes "${SIZE}" \
--sku standard_lrs \
--upload-type UploadWithSecurityData \
--security-type "${AZURE_DISK_SECURITY_TYPE}"
az disk wait --created -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
az disk list --output table --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}']"
DISK_SAS=$(az disk grant-access -n ${AZURE_DISK_NAME} -g ${AZURE_RESOURCE_GROUP_NAME} \
--access-level Write --duration-in-seconds 86400 \
${AZURE_VMGS_PATH+"--secure-vm-guest-state-sas"})
azcopy copy "${AZURE_IMAGE_PATH}" \
"$(echo $DISK_SAS | jq -r .accessSas)" \
--blob-type PageBlob
if [[ -z "${AZURE_VMGS_PATH}" ]]; then
echo "No VMGS path provided - skipping VMGS upload"
else
azcopy copy "${AZURE_VMGS_PATH}" \
"$(echo $DISK_SAS | jq -r .securityDataAccessSas)" \
--blob-type PageBlob
fi
az disk revoke-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
}
create_disk_without_vmgs () {
az disk create \
-n "${AZURE_DISK_NAME}" \
-g "${AZURE_RESOURCE_GROUP_NAME}" \
-l "${AZURE_REGION}" \
--hyper-v-generation V2 \
--os-type Linux \
--upload-size-bytes "${SIZE}" \
--sku standard_lrs \
--upload-type Upload
az disk wait --created -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
az disk list --output table --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}']"
DISK_SAS=$(az disk grant-access -n ${AZURE_DISK_NAME} -g ${AZURE_RESOURCE_GROUP_NAME} \
--access-level Write --duration-in-seconds 86400)
azcopy copy "${AZURE_IMAGE_PATH}" \
"$(echo $DISK_SAS | jq -r .accessSas)" \
--blob-type PageBlob
az disk revoke-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
}
create_disk () {
if [[ -z "${AZURE_VMGS_PATH}" ]]; then
create_disk_without_vmgs
else
create_disk_with_vmgs
fi
}
delete_disk () {
az disk delete -y -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
}
create_image () {
if [[ -n "${AZURE_VMGS_PATH}" ]]; then
return
fi
az image create \
--resource-group ${AZURE_RESOURCE_GROUP_NAME} \
-l ${AZURE_REGION} \
-n ${AZURE_DISK_NAME} \
--hyper-v-generation V2 \
--os-type Linux \
--source "$(az disk list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)"
}
delete_image () {
if [[ -n "${AZURE_VMGS_PATH}" ]]; then
return
fi
az image delete -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
}
create_sig_version () {
if [[ -n "${AZURE_VMGS_PATH}" ]]; then
local DISK="$(az disk list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)"
local SOURCE="--os-snapshot ${DISK}"
else
local IMAGE="$(az image list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)"
local SOURCE="--managed-image ${IMAGE}"
fi
az sig create -l "${AZURE_REGION}" --gallery-name "${AZURE_GALLERY_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}" || true
az sig image-definition create \
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
-l "${AZURE_REGION}" \
--gallery-name "${AZURE_GALLERY_NAME}" \
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
--publisher "${AZURE_PUBLISHER}" \
--offer "${AZURE_IMAGE_OFFER}" \
--sku "${AZURE_SKU}" \
--os-type Linux \
--os-state generalized \
--hyper-v-generation V2 \
--features SecurityType="${AZURE_SECURITY_TYPE}" || true
az sig image-version create \
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
-l "${AZURE_REGION}" \
--gallery-name "${AZURE_GALLERY_NAME}" \
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
--gallery-image-version "${AZURE_IMAGE_VERSION}" \
--target-regions ${AZURE_REPLICATION_REGIONS} \
${AZURE_CVM_ENCRYPTION_ARGS} \
--replica-count 1 \
--replication-mode Full \
${SOURCE}
}
create_disk
if [ "$CREATE_SIG_VERSION" = "YES" ]; then
create_image
create_sig_version
delete_image
delete_disk
fi