Description
Running the dependency pipeline on the main branch fails at the virtual machine module. There seems to be a change in the default parameters for the module, which requires certain features to be enabled, or a specific prerequisite to happen before that deployment triggers.
The feature in particular is the securityProfile.encryptionAtHost. It needs two things so it can work:
- The Azure subscription needs to have Microsoft.Compute/EncryptionAtHost enabled as a feature. If that is not there, this is the error you would expect:

- The Azure virtual machine must be unallocated so that the change can be applied to the VM. If the VM is running, this is the error you would expect:

Steps to reproduce
- Run the dependency pipeline.
Potential Fix
Inside the virtual machine deploy.bicep
The parameter encryptionAtHost is set to true by default. This may need to be set to false, with the logic modified to not have the property in the VM unless it is required. Another thing to look out for is that, if someone sets this to true, this might fail the template if a VM is running, so it needs to be called out, as updating extensions might not work if the VM is not running.
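
A pre-flight check for the two prerequisites listed in this issue, as an added example that is not part of the original issue or the project's pipeline. The function names are hypothetical, and it assumes the Azure CLI reports the required VM state as "VM deallocated" and that a fresh deployment (no existing VM) needs only the feature registration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before deploying a VM with
# securityProfile.encryptionAtHost = true. Function names are hypothetical.

# Decide whether enabling encryptionAtHost can succeed.
#   $1 = subscription feature state ("Registered", "NotRegistered", ...)
#   $2 = VM power state ("VM running", "VM deallocated", ...), or empty
#        when the VM does not exist yet (assumed to be a fresh deployment).
# Prints a reason; returns 0 = ready, 1 = feature missing, 2 = VM still allocated.
encryption_at_host_ready() {
  feature_state="$1"
  power_state="$2"
  if [ "$feature_state" != "Registered" ]; then
    echo "Microsoft.Compute/EncryptionAtHost is '$feature_state', not Registered"
    return 1
  fi
  case "$power_state" in
    ""|"VM deallocated")
      echo "ok"
      return 0 ;;
    *)
      echo "VM is '$power_state'; deallocate it before changing encryptionAtHost"
      return 2 ;;
  esac
}

# Query Azure for both inputs and run the check. Needs a logged-in az CLI.
#   $1 = resource group, $2 = VM name
preflight() {
  feature=$(az feature show --namespace Microsoft.Compute \
              --name EncryptionAtHost --query properties.state -o tsv)
  # If the lookup fails (for example the VM does not exist yet), the power
  # state stays empty and only the feature registration is checked.
  power=$(az vm show -d -g "$1" -n "$2" --query powerState -o tsv 2>/dev/null || true)
  encryption_at_host_ready "$feature" "$power"
}

# Run against Azure only when called as: script <resource-group> <vm-name>
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Running this as a pipeline step before the virtual machine module lets the job fail with a readable reason instead of a deployment error.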