Hgs with Certificate Stored in keyvault #2685
Conversation
Adding ARM Template to deploy Host Guardian Service in Azure. The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. HGS provides Attestation and Key Protection services that enable Hyper-V to run Shielded virtual machines. A Hyper-V host is known as a “guarded host” once the Attestation service affirmatively validates its identity & configuration. Once affirmatively attested, the Key Protection service provides the transport key (TK) needed to unlock & run Shielded VMs.
updating title
adding metadata.json
edit readme.md
…"maxLength" criteria AssertionError: hgs/metadata.json - #/itemDisplayName:Failed "maxLength" criteria
# Conflicts: # hgs/metadata.json
fix metadata.json
hgs-keyvault
Hi @uday31in, I'm your friendly neighborhood Azure Pull Request Bot (You can call me AZPRBOT). Thanks for your contribution!
TTYL, AZPRBOT

@bmoore-msft - please integrate it in main repo.
| @@ -0,0 +1,16 @@ | |||
| # Deploy Host Guardian Service (HGS) + KeyVault For Shielded VM in Windows Server 2016 in Standalone or High Availability mode using Failover Clustering. | |||
| <a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fuday31in%2Fazure-quickstart-templates%2Fmaster%2Fhgs%2Fazuredeploy.json" target="_blank"> | |||
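Review bot: the Deploy-to-Azure URI on this line points at raw.githubusercontent.com/uday31in/azure-quickstart-templates/master/hgs/azuredeploy.json, i.e. the master branch of a personal fork and the hgs folder rather than hgs-keyvault; after merge the button would deploy whatever that fork serves at click time, not the reviewed template. Point it at the Azure/azure-quickstart-templates repository and the hgs-keyvault folder the README title describes.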
shouldn't this link point to hgs-keyvault instead of hgs?
| <a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fuday31in%2Fazure-quickstart-templates%2Fmaster%2Fhgs%2Fazuredeploy.json" target="_blank"> | ||
| <img src="http://azuredeploy.net/deploybutton.png"/> | ||
| </a> | ||
| <a href="http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2Fuday31in%2Fazure-quickstart-templates%2Fmaster%2Fhgs%2Fazuredeploy.json" target="_blank"> |
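Review bot: the deploy button image is fetched over plain http (http://azuredeploy.net/deploybutton.png) while every other link in the README is https, and the armviz link repeats the personal-fork hgs path from the deploy link; use https for the image and correct the path to hgs-keyvault under Azure/azure-quickstart-templates.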
same
| "description": "Resource Group of Key Vault that has a secret" | ||
| } | ||
| }, | ||
| "httpsCertificateUrl": { |
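Review bot: the parameter name, and the sample value in the parameters file (a /secrets/HTTPSCert/<version> URL), indicate that httpsCertificateUrl is a Key Vault secret identifier rather than the secret itself; a plain string is appropriate for an identifier, but the description should say that a versioned secret URL is expected and that access to the PFX it names is governed by the vault's access policy, not by keeping the URL private.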
are any of these urls supposed to be secret? If so, please use securestring instead of string; if they don't need to be secret, then this is fine as is
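For context on why a certificate URL can stay a plain `string`, here is the standard ARM mechanism for delivering a Key Vault-stored PFX to a Windows VM, written as an added example; it is not code from this PR's template, whose dscinit.ps1 may fetch the certificate some other way. The Compute resource provider reads the secret that `httpsCertificateUrl` identifies and installs it in the VM's certificate store during provisioning. `vmName`, the `vaultResourceGroup` parameter name, the API version and the `certificateStore` value are assumptions; `vaultName`, `httpsCertificateUrl`, `adminUsername` and `adminPassword` are the parameters visible in this PR. Storage and network profiles are omitted to keep the fragment short.

```json
{
  "type": "Microsoft.Compute/virtualMachines",
  "name": "[variables('vmName')]",
  "apiVersion": "2016-03-30",
  "location": "[resourceGroup().location]",
  "comments": "Added example for review, not this PR's code; vmName and vaultResourceGroup are assumed names.",
  "properties": {
    "osProfile": {
      "computerName": "[variables('vmName')]",
      "adminUsername": "[parameters('adminUsername')]",
      "adminPassword": "[parameters('adminPassword')]",
      "secrets": [
        {
          "sourceVault": {
            "id": "[resourceId(parameters('vaultResourceGroup'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
          },
          "vaultCertificates": [
            {
              "certificateUrl": "[parameters('httpsCertificateUrl')]",
              "certificateStore": "My"
            }
          ]
        }
      ]
    }
  }
}
```

For this to work the secret behind the URL must be the base64 encoding of a JSON object with `data` (the base64 PFX), `dataType` set to `pfx` and `password` fields, and the vault must have `enabledForDeployment` set to true so the Compute resource provider is allowed to read it. The URL carries no credential: anyone who reads it from the parameters file still needs an access policy on the vault to obtain the certificate, which is why it does not need to be a `securestring`.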
| { | ||
| "type": "Microsoft.Storage/storageAccounts", | ||
| "name": "[variables('storageAccountName')]", | ||
| "apiVersion": "2015-05-01-preview", |
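Review bot: 2015-05-01-preview is a preview API version for Microsoft.Storage/storageAccounts; moving to a GA version such as 2016-01-01 also changes the resource shape (sku.name and kind replace properties.accountType), so the storage resource body needs updating together with the version string, not just the apiVersion line.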
can we use a non-preview api version?
| "dhcpOptions": { | ||
| "dnsServers": [ | ||
| "[variables('subnetdns')]", | ||
| "8.8.8.8" |
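Review bot: listing 8.8.8.8 after variables('subnetdns') lets the Windows DNS client fail over to a public resolver that knows nothing about the HGS domain (HGS on Windows Server 2016 stands up its own Active Directory forest, and the nodes and the failover cluster resolve each other through that DNS), so domain name resolution becomes intermittent rather than more robust, and internal host names are sent to an external resolver. Drop 8.8.8.8 here and, if outbound resolution is needed, configure the domain DNS server to forward to Azure's recursive resolver (168.63.129.16).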
why use google DNS? Is the built-in DNS not sufficient?
| "settings": { | ||
| "fileUris": [ | ||
| "https://udayvw.blob.core.windows.net/artefacts/dscinit.ps1" |
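Review bot: the script is pulled from a personal storage account (udayvw.blob.core.windows.net) outside the repository; whoever controls that container can change what runs as SYSTEM on every HGS node at deployment time, and the template silently breaks when the blob is moved or deleted. Commit dscinit.ps1 alongside the template and build the URI from the _artifactsLocation and _artifactsLocationSasToken parameters, as the contribution guide's best-practices checklist requires.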
Please see #2 in the best practices checklist: https://github.com/Azure/azure-quickstart-templates/blob/master/1-CONTRIBUTION-GUIDE/bp-checklist.md
| "fileUris": [ | ||
| "https://udayvw.blob.core.windows.net/artefacts/dscinit.ps1" | ||
| ], | ||
| "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -File ', variables('DSCInitScriptFileName') , ' -NodeType:' , concat('', copyindex()) ,' -HgsServerPrimaryIPAddress:10.0.0.4 -GenerateSelfSignedCertificate:false', concat(' -HgsServerPrimaryAdminUsername:', parameters('adminUsername')), concat(' -HgsServerPrimaryAdminPassword:', parameters('adminPassword')) )]" |
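Review bot: parameters('adminPassword') is interpolated into commandToExecute under settings, which is returned in clear text by any GET on the extension resource and kept in the deployment history, so it must move to protectedSettings. Two further points on the same line: the primary node address 10.0.0.4 is a literal, so the script breaks as soon as the subnet or the NIC allocation changes (derive it from the same variables the subnet and DNS addresses come from), and even under protectedSettings the password is still passed as a process argument on the VM, where local administrators and the extension's log directory can see it; a DSC configuration that receives a PSCredential, or a script that reads the secret from Key Vault on the node, keeps it off the command line.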
this contains a password, so the commandToExecute should go into "protectedSettings" instead of "settings"
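The hardened form of that extension, as an added example rather than code from this PR: `commandToExecute` moves to `protectedSettings`, the script URI is built from the quickstart `_artifactsLocation` and `_artifactsLocationSasToken` parameters instead of a personal blob, and the primary address comes from a variable rather than the literal 10.0.0.4. `vmName`, `numberOfNodes`, `hgsPrimaryIp`, the API version and the handler version are assumed names; `DSCInitScriptFileName`, `adminUsername`, `adminPassword` and the script switches are the ones visible on the PR's line.

```json
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(variables('vmName'), string(copyIndex()), '/dscinit')]",
  "apiVersion": "2016-03-30",
  "location": "[resourceGroup().location]",
  "comments": "Added example for review, not this PR's code; vmName, numberOfNodes and hgsPrimaryIp are assumed names.",
  "copy": {
    "name": "dscInitLoop",
    "count": "[parameters('numberOfNodes')]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Compute/virtualMachines', concat(variables('vmName'), string(copyIndex())))]"
  ],
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.8",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "fileUris": [
        "[concat(parameters('_artifactsLocation'), '/', variables('DSCInitScriptFileName'), parameters('_artifactsLocationSasToken'))]"
      ]
    },
    "protectedSettings": {
      "commandToExecute": "[concat('powershell -ExecutionPolicy Unrestricted -File ', variables('DSCInitScriptFileName'), ' -NodeType:', string(copyIndex()), ' -HgsServerPrimaryIPAddress:', variables('hgsPrimaryIp'), ' -GenerateSelfSignedCertificate:false -HgsServerPrimaryAdminUsername:', parameters('adminUsername'), ' -HgsServerPrimaryAdminPassword:', parameters('adminPassword'))]"
    }
  }
}
```

`protectedSettings` are encrypted for the VM's transport certificate and are never returned by a GET on the extension, which closes the exposure the comment above describes; they do not stop the password from appearing as a process argument on the VM itself, so for a production deployment pass credentials through DSC configuration data or read them from Key Vault inside the script. Note also that when `_artifactsLocationSasToken` is non-empty it appears in `fileUris`, so check whether the handler version in use accepts `fileUris` under `protectedSettings` and move them there if it does.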
| "contentVersion": "1.0.0.0", | ||
| "parameters": { | ||
| "adminUsername": { | ||
| "value": "uday" |
can we use a more generic username here, like 'azureuser'?
| "value": "GEN-UNIQUE-13" | ||
| }, | ||
| "vaultName": { |
it seems the indenting is inconsistent in this file; could we run this through a json formatter?
| "value": "UdayKeyVault" | ||
| }, | ||
| "httpsCertificateUrl": { | ||
| "value": "https://hgskeyvault.vault.azure.net:443/secrets/HTTPSCert/8ee99c94155749e5804fb373502565dd" |
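Review bot: this value is a real versioned secret identifier (vault hgskeyvault.vault.azure.net, secret HTTPSCert) in a file that ships in a public repository; it discloses the vault and secret naming and cannot work for anyone else, and the same applies to the vaultName value "UdayKeyVault" two lines up. Replace both with placeholders in the GEN- style this parameters file already uses (GEN-UNIQUE-13) so the CI that substitutes those tokens can supply its own vault.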
should probably replace urls with fake values
Left comments on hgs-keyvault, but most of the comments also apply to hgs. Could you make the changes in both?

No activity; closing