[AI Generated] BugFix: add securityProfile to ephemeral OS disk for ConfidentialVM deployments #4442
lubaihua33 wants to merge 1 commit into main
Conversation
…onfidentialVM deployments
Pull request overview
Fixes Azure Confidential VM (CVM) deployments with ephemeral OS disks by ensuring the OS disk payload includes managedDisk.securityProfile (matching the standard OS disk path), and updates the generated ARM artifact accordingly.
Changes:
- Add managedDisk.securityProfile to the ephemeral OS disk path in arm_template.bicep.
- Regenerate autogen_arm_template.json to reflect the Bicep change.
- Remove the temporary CvmDisabled() restriction from the ephemeral-disk provisioning smoke test.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| lisa/sut_orchestrator/azure/autogen_arm_template.json | Regenerated ARM JSON to include managedDisk.securityProfile for ephemeral OS disk scenario. |
| lisa/sut_orchestrator/azure/arm_template.bicep | Adds null-safe managedDisk.securityProfile emission for ephemeral OS disk when security_type == 'ConfidentialVM'. |
| lisa/microsoft/testsuites/core/provisioning.py | Allows the ephemeral-disk provisioning test to run without forcing CVM-disabled environments. |
| managedDisk: { | ||
| securityProfile: (empty(node.security_profile) || (node.security_profile.security_type != 'ConfidentialVM')) ? null : getSecurityProfileForOSDisk(node) | ||
| } |
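Review bot: the `securityProfile:` line reintroduces, as a second copy, the same `empty(node.security_profile) || security_type != 'ConfidentialVM'` guard the standard OS disk path already carries; since the bug being fixed was exactly the two disk paths drifting apart, consider moving the managedDisk emission into one shared helper (for example by extending getSecurityProfileForOSDisk to return the whole managedDisk fragment) so both paths call a single function and cannot diverge again.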
getEphemeralOSImage now always emits a managedDisk object, and for non-ConfidentialVM nodes it can end up as an empty object (because securityProfile evaluates to null). To avoid unexpected payload shape changes (and potential ARM schema/Compute API validation issues), consider making the entire managedDisk property conditional so it is omitted unless a ConfidentialVM security profile is required.
| managedDisk: { | |
| securityProfile: (empty(node.security_profile) || (node.security_profile.security_type != 'ConfidentialVM')) ? null : getSecurityProfileForOSDisk(node) | |
| } | |
| ...((empty(node.security_profile) || (node.security_profile.security_type != 'ConfidentialVM')) ? {} : { | |
| managedDisk: { | |
| securityProfile: getSecurityProfileForOSDisk(node) | |
| } | |
| }) |
| requirement=simple_requirement( | ||
| environment_status=EnvironmentStatus.Deployed, | ||
| disk=DiskEphemeral(), | ||
| supported_features=[CvmDisabled()], # TODO: Fix disk deployment for CVM | ||
| ), |
Removing the CvmDisabled() constraint means this provisioning smoke test no longer guarantees coverage of the original failing scenario (CVM + ephemeral OS disk) in automated runs—selection may still choose a non-CVM security profile. Consider adding a dedicated test case (or adjusting this one) that explicitly requires CvmEnabled() along with DiskEphemeral() so the regression is continuously exercised.
| requirement=simple_requirement( | ||
| environment_status=EnvironmentStatus.Deployed, | ||
| disk=DiskEphemeral(), | ||
| supported_features=[CvmDisabled()], # TODO: Fix disk deployment for CVM | ||
| ), |
This is a bug fix PR but there’s no linked issue/work item in the PR description. Consider linking the related issue for traceability (or add a short note that there isn’t one).
✅ AI Test Selection: PASSED. 13 test case(s) selected. Marketplace image: canonical 0001-com-ubuntu-server-jammy 22_04-lts-gen2 latest
Confidential VM deployments failed with an error indicating that managedDisk.securityProfile.securityEncryptionType was missing for the OS disk.

Root cause

There was an inconsistency in the Azure template logic:
- The standard OS disk path included managedDisk.securityProfile.
- The ephemeral OS disk path did not include it.

As a result, CVM + ephemeral OS disk deployments generated an invalid disk payload for Azure.

What this PR changes
- Added managedDisk.securityProfile handling to the ephemeral OS disk path in the Bicep template.
- Kept the same null-safe logic pattern used by the standard OS disk path.
- Regenerated the corresponding ARM JSON template to keep generated artifacts in sync.

Validation

The fix was validated with 3 runs:
- CVM + ephemeral OS disk: Passed (original failing scenario).
- Standard SSD provisioning regression: Passed.
- Non-CVM + ephemeral OS disk regression: Passed.
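A small check over the generated ARM JSON that would have caught the root cause above before deployment, and also flags the empty-managedDisk shape raised in review. This is an added example, not LISA's own code; the template dicts, resource names and the `make_vm` helper are constructed for illustration.

```python
"""Check an ARM template for the OS-disk security profile that Azure Confidential
VMs require.  Added example, not LISA's code: it encodes the failure this PR
fixes (CVM + ephemeral OS disk lacking securityEncryptionType) and the review
concern about emitting an empty managedDisk for non-CVM nodes."""
from typing import Any, Dict, List


def check_vm_os_disk(vm: Dict[str, Any]) -> List[str]:
    """Return findings for one Microsoft.Compute/virtualMachines resource."""
    findings: List[str] = []
    props = vm.get("properties", {})
    security_type = props.get("securityProfile", {}).get("securityType")
    os_disk = props.get("storageProfile", {}).get("osDisk", {})
    managed = os_disk.get("managedDisk")
    kind = "ephemeral " if "diffDiskSettings" in os_disk else ""
    if security_type == "ConfidentialVM":
        # The pre-fix payload: a CVM OS disk must name its encryption type.
        enc = ((managed or {}).get("securityProfile") or {}).get("securityEncryptionType")
        if not enc:
            findings.append(f"{vm['name']}: ConfidentialVM {kind}OS disk lacks "
                            "managedDisk.securityProfile.securityEncryptionType")
    elif managed is not None and (
            not managed or ("securityProfile" in managed and managed["securityProfile"] is None)):
        # Non-CVM path: {} or {"securityProfile": null} is a needless payload shape change.
        findings.append(f"{vm['name']}: non-CVM {kind}OS disk emits an empty managedDisk")
    return findings


def check_template(template: Dict[str, Any]) -> List[str]:
    """Run the OS-disk check over every VM resource in an ARM template dict."""
    return [f for res in template.get("resources", [])
            if res.get("type") == "Microsoft.Compute/virtualMachines"
            for f in check_vm_os_disk(res)]


def make_vm(name: str, security_type: str, os_disk: Dict[str, Any]) -> Dict[str, Any]:
    """Build a minimal constructed VM resource carrying only the fields the check reads."""
    props = {"securityProfile": {"securityType": security_type},
             "storageProfile": {"osDisk": os_disk}}
    return {"type": "Microsoft.Compute/virtualMachines", "name": name, "properties": props}


EPHEMERAL = {"createOption": "FromImage", "caching": "ReadOnly",
             "diffDiskSettings": {"option": "Local"}}
# Constructed samples: the original failing payload, the fixed one, and the
# non-CVM shape the reviewer warned about (securityProfile evaluating to null).
BROKEN_CVM_EPHEMERAL = {"resources": [make_vm("cvm-eph", "ConfidentialVM", dict(EPHEMERAL))]}
FIXED_CVM_EPHEMERAL = {"resources": [make_vm("cvm-eph", "ConfidentialVM", {**EPHEMERAL,
    "managedDisk": {"securityProfile": {"securityEncryptionType": "DiskWithVMGuestState"}}})]}
NONCVM_NULL_PROFILE = {"resources": [make_vm("tl-eph", "TrustedLaunch", {**EPHEMERAL,
    "managedDisk": {"securityProfile": None}})]}
```

Run `check_template` over `lisa/sut_orchestrator/azure/autogen_arm_template.json` after regenerating it to confirm the CVM ephemeral path is covered and no non-CVM path gained an empty managedDisk.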