
ci: add --min-tls-version TLS1_2 to storage account creation in VHD build scripts#8210

Merged
djsly merged 4 commits into
mainfrom
copilot/fix-minimum-tls-version-policy
Mar 31, 2026

Conversation

Copilot AI commented Mar 31, 2026

Contributor

The CloudGov_MinTLSStorAccnt_DENY policy (enforced at management group level ~March 31, 2026) denies creation of storage accounts without minimumTlsVersion set to TLS1_2+, breaking VHD prefetch and Windows VHD builds.

Changes

  • vhdbuilder/prefetch/scripts/optimize.sh — Add --min-tls-version TLS1_2 to az storage account create in create_temp_storage (called by packer.mk prefetch target)
  • vhdbuilder/packer/produce-packer-settings-functions.sh — Add --min-tls-version TLS1_2 to az storage account create in create_windows_storage_account
-az storage account create -n "${storage_account_name}" -g "${IMAGE_BUILDER_RG_NAME}" --sku "Standard_RAGRS" --allow-shared-key-access false --location "${LOCATION}"
+az storage account create -n "${storage_account_name}" -g "${IMAGE_BUILDER_RG_NAME}" --sku "Standard_RAGRS" --allow-shared-key-access false --min-tls-version TLS1_2 --location "${LOCATION}"
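Review bot: the flag is placed correctly, since CloudGov_MinTLSStorAccnt_DENY rejects the create call itself rather than mutating the account afterwards, so `--min-tls-version TLS1_2` has to be present on this exact `az storage account create` line. Two follow-ups: the description lists two scripts (optimize.sh and produce-packer-settings-functions.sh) but only one hunk is shown here, so confirm both call sites carry the flag; and consider a post-create check such as `az storage account show -n "${storage_account_name}" -g "${IMAGE_BUILDER_RG_NAME}" --query minimumTlsVersion -o tsv` so a regression to the CLI default surfaces in the build log instead of as a later policy denial.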

e2e/config/azure.go already had MinimumTLSVersion: TLS1_2 set and required no changes.
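The fix above depends on every `az storage account create` in the build scripts carrying the flag, which is easy to lose in a later edit. The following shell lint is an added example, not code from this pull request or the AgentBaker repository: it joins backslash-continued lines so multi-line `az` calls are inspected as one command, reports each storage-account create that lacks `--min-tls-version TLS1_2`, and returns non-zero so it can gate CI. The function names and the sample script it writes are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not part of PR #8210): a pre-merge lint that flags
# `az storage account create` invocations that do not pin --min-tls-version TLS1_2,
# the property CloudGov_MinTLSStorAccnt_DENY requires at creation time.
# Function names and the sample script below are constructed for this example.

# Print "<line>:<command>" for every storage-account create lacking the flag.
# Backslash-continued lines are joined first, and the reported line number is
# the first line of the logical command.
find_noncompliant_storage_creates() {
    awk '
        {
            if (buf == "") start = NR
            line = $0
            if (line ~ /\\$/) {          # continuation: strip the backslash and keep reading
                sub(/\\$/, "", line)
                buf = buf line " "
                next
            }
            cmd = buf line
            buf = ""
            # a literal flag value is required; a value passed via a variable is
            # not recognised and is deliberately reported for manual review
            if (cmd ~ /az +storage +account +create/ && cmd !~ /--min-tls-version[ =]+TLS1_2/) {
                print start ":" cmd
            }
        }
    ' "$1"
}

# CI gate: exit 0 when every invocation in the file is compliant, 1 otherwise.
check_storage_tls_policy() {
    local hits
    hits=$(find_noncompliant_storage_creates "$1")
    if [ -n "$hits" ]; then
        printf 'non-compliant az storage account create (missing --min-tls-version TLS1_2):\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: a compliant call (line 2), a multi-line call that
# omits the flag (lines 3-5), and an unrelated az command (line 6).
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
az storage account create -n "${sa}" -g "${rg}" --sku Standard_RAGRS --min-tls-version TLS1_2 --location "${LOCATION}"
az storage account create -n "${sa2}" -g "${rg}" \
    --sku Standard_LRS \
    --allow-shared-key-access false
az storage container create --name vhds --account-name "${sa}"
EOF
}

# Usage: source this file, then
#   check_storage_tls_policy vhdbuilder/prefetch/scripts/optimize.sh
```

Running `check_storage_tls_policy` on the constructed sample reports line 3 only; adding `--min-tls-version TLS1_2` to that command makes the check pass. Because the awk program matches a literal flag value, a call that passes the version through a variable is also reported, which keeps the gate conservative rather than silently trusting indirection.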

Copilot AI changed the title [WIP] Fix CloudGov_MinTLSStorAccnt_DENY policy for storage accounts Add --min-tls-version TLS1_2 to storage account creation in VHD build scripts Mar 31, 2026
Copilot AI requested a review from djsly March 31, 2026 19:00
@djsly djsly changed the title Add --min-tls-version TLS1_2 to storage account creation in VHD build scripts fix(e2e): Add --min-tls-version TLS1_2 to storage account creation in VHD build scripts Mar 31, 2026

Copilot AI left a comment

Contributor


Pull request overview

Updates VHD build helper scripts to ensure newly created temporary storage accounts comply with the CloudGov_MinTLSStorAccnt_DENY Azure Policy by explicitly setting the minimum TLS version to TLS 1.2 during creation, preventing VHD prefetch and Windows VHD build failures.

Changes:

  • Add --min-tls-version TLS1_2 to the temp storage account creation in the prefetch optimization flow.
  • Add --min-tls-version TLS1_2 to the Windows base-image import storage account creation used by Packer settings generation.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
vhdbuilder/prefetch/scripts/optimize.sh Sets --min-tls-version TLS1_2 when creating the prefetch temporary storage account.
vhdbuilder/packer/produce-packer-settings-functions.sh Sets --min-tls-version TLS1_2 when creating the Windows build storage account.

Comment thread vhdbuilder/prefetch/scripts/optimize.sh Outdated
Comment thread vhdbuilder/packer/produce-packer-settings-functions.sh Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@djsly djsly changed the title fix(e2e): Add --min-tls-version TLS1_2 to storage account creation in VHD build scripts ci(e2e): Add --min-tls-version TLS1_2 to storage account creation in VHD build scripts Mar 31, 2026
@djsly djsly changed the title ci(e2e): Add --min-tls-version TLS1_2 to storage account creation in VHD build scripts ci: Add --min-tls-version TLS1_2 to storage account creation in VHD build scripts Mar 31, 2026
@djsly djsly changed the title ci: Add --min-tls-version TLS1_2 to storage account creation in VHD build scripts ci: add --min-tls-version TLS1_2 to storage account creation in VHD build scripts Mar 31, 2026
@djsly djsly enabled auto-merge (squash) March 31, 2026 20:52
@djsly djsly merged commit c76a30e into main Mar 31, 2026
31 of 34 checks passed
@djsly djsly deleted the copilot/fix-minimum-tls-version-policy branch March 31, 2026 20:52
timmy-wright pushed a commit that referenced this pull request Apr 2, 2026
…uild scripts (#8210)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: djsly <4981802+djsly@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
r2k1 pushed a commit that referenced this pull request Apr 8, 2026
…uild scripts (#8210)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: djsly <4981802+djsly@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

[P0] CloudGov_MinTLSStorAccnt_DENY policy blocks VHD prefetch and E2E storage account creation

4 participants