feat: Add new parameters for `avm/res/virtual-machine-images/image-te…

…mplate` module (#1849) ## Description Closes #1799 Updated the following: - Move from API version `2022-02-14` to `2023-07-01` to allow usage of the [`optimize`](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/image-builder-json?tabs=bicep%2Cazure-powershell#properties-optimize) feature. - Added support for [`Validate`](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/image-builder-json?tabs=bicep%2Cazure-powershell#properties-validate) and enabled appropriate UDT for it. - Updated description for `vmUserAssignedIdentities`. - Updated version to `0.2`.  ## Pipeline Reference  | Pipeline | | -------- | | [![avm.res.virtual-machine-images.image-template](https://github.com/ahmadabdalla/bicep-registry-modules/actions/workflows/avm.res.virtual-machine-images.image-template.yml/badge.svg?branch=users%2Fahmad%2F1799_ImageTemplateUpdate)](https://github.com/ahmadabdalla/bicep-registry-modules/actions/workflows/avm.res.virtual-machine-images.image-template.yml) | ## Type of Change  - [ ] Update to CI Environment or utlities (Non-module effecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings
Azure · May 11, 2024 · 9880d41 · 9880d41
1 parent dcd987f
commit 9880d41
Show file tree

Hide file tree

Showing 5 changed files with 400 additions and 17 deletions.
diff --git a/avm/res/virtual-machine-images/image-template/README.md b/avm/res/virtual-machine-images/image-template/README.md
@@ -18,7 +18,7 @@ This module deploys a Virtual Machine Image Template that can be consumed by Azu
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.VirtualMachineImages/imageTemplates` | [2022-02-14](https://learn.microsoft.com/en-us/azure/templates/Microsoft.VirtualMachineImages/2022-02-14/imageTemplates) |
+| `Microsoft.VirtualMachineImages/imageTemplates` | [2023-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.VirtualMachineImages/imageTemplates) |
 
 ## Usage examples
 
@@ -208,6 +208,7 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
       kind: 'CanNotDelete'
       name: 'myCustomLockName'
     }
+    optimizeVmBoot: 'Enabled'
     osDiskSizeGB: 127
     roleAssignments: [
       {
@@ -233,6 +234,19 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
       'hidden-title': 'This is visible in the resource name'
       Role: 'DeploymentValidation'
     }
+    validationProcess: {
+      continueDistributeOnFailure: true
+      inVMValidations: [
+        {
+          inline: [
+            'echo \'Software validation successful.\''
+          ]
+          name: 'Validate-Software'
+          type: 'Shell'
+        }
+      ]
+      sourceValidationOnly: false
+    }
     vmSize: 'Standard_D2s_v3'
     vmUserAssignedIdentities: [
       '<managedIdentityResourceId>'
@@ -328,6 +342,9 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
         "name": "myCustomLockName"
       }
     },
+    "optimizeVmBoot": {
+      "value": "Enabled"
+    },
     "osDiskSizeGB": {
       "value": 127
     },
@@ -363,6 +380,21 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
         "Role": "DeploymentValidation"
       }
     },
+    "validationProcess": {
+      "value": {
+        "continueDistributeOnFailure": true,
+        "inVMValidations": [
+          {
+            "inline": [
+              "echo \"Software validation successful.\""
+            ],
+            "name": "Validate-Software",
+            "type": "Shell"
+          }
+        ],
+        "sourceValidationOnly": false
+      }
+    },
     "vmSize": {
       "value": "Standard_D2s_v3"
     },
@@ -519,13 +551,15 @@ module imageTemplate 'br/public:avm/res/virtual-machine-images/image-template:<v
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
+| [`optimizeVmBoot`](#parameter-optimizevmboot) | string | The optimize property can be enabled while creating a VM image and allows VM optimization to improve image creation time. |
 | [`osDiskSizeGB`](#parameter-osdisksizegb) | int | Specifies the size of OS disk. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`stagingResourceGroup`](#parameter-stagingresourcegroup) | string | Resource ID of the staging resource group in the same subscription and location as the image template that will be used to build the image.</p>If this field is empty, a resource group with a random name will be created.</p>If the resource group specified in this field doesn't exist, it will be created with the same name.</p>If the resource group specified exists, it must be empty and in the same region as the image template.</p>The resource group created will be deleted during template deletion if this field is empty or the resource group specified doesn't exist,</p>but if the resource group specified exists the resources created in the resource group will be deleted during template deletion and the resource group itself will remain. |
 | [`subnetResourceId`](#parameter-subnetresourceid) | string | Resource ID of an already existing subnet, e.g.: /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/<subnetName>.</p>If no value is provided, a new temporary VNET and subnet will be created in the staging resource group and will be deleted along with the remaining temporary resources. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`validationProcess`](#parameter-validationprocess) | object | Configuration options and list of validations to be performed on the resulting image. |
 | [`vmSize`](#parameter-vmsize) | string | Specifies the size for the VM. |
-| [`vmUserAssignedIdentities`](#parameter-vmuserassignedidentities) | array | List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.<p>Be aware, the user assigned identities specified in the \'managedIdentities\' parameter must have the \'Managed Identity Operator\' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM.<p> |
+| [`vmUserAssignedIdentities`](#parameter-vmuserassignedidentities) | array | List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts. Be aware, the user assigned identities specified in the 'managedIdentities' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM. |
 
 **Generated parameters**
 
@@ -641,6 +675,20 @@ Specify the name of lock.
 - Required: No
 - Type: string
 
+### Parameter: `optimizeVmBoot`
+
+The optimize property can be enabled while creating a VM image and allows VM optimization to improve image creation time.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+  ]
+  ```
+
 ### Parameter: `osDiskSizeGB`
 
 Specifies the size of OS disk.
@@ -759,6 +807,140 @@ Tags of the resource.
 - Required: No
 - Type: object
 
+### Parameter: `validationProcess`
+
+Configuration options and list of validations to be performed on the resulting image.
+
+- Required: No
+- Type: object
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`continueDistributeOnFailure`](#parameter-validationprocesscontinuedistributeonfailure) | bool | If validation fails and this field is set to false, output image(s) will not be distributed. This is the default behavior. If validation fails and this field is set to true, output image(s) will still be distributed. Please use this option with caution as it may result in bad images being distributed for use. In either case (true or false), the end to end image run will be reported as having failed in case of a validation failure. [Note: This field has no effect if validation succeeds.]. |
+| [`inVMValidations`](#parameter-validationprocessinvmvalidations) | array | A list of validators that will be performed on the image. Azure Image Builder supports File, PowerShell and Shell validators. |
+| [`sourceValidationOnly`](#parameter-validationprocesssourcevalidationonly) | bool | If this field is set to true, the image specified in the 'source' section will directly be validated. No separate build will be run to generate and then validate a customized image. Not supported when performing customizations, validations or distributions on the image. |
+
+### Parameter: `validationProcess.continueDistributeOnFailure`
+
+If validation fails and this field is set to false, output image(s) will not be distributed. This is the default behavior. If validation fails and this field is set to true, output image(s) will still be distributed. Please use this option with caution as it may result in bad images being distributed for use. In either case (true or false), the end to end image run will be reported as having failed in case of a validation failure. [Note: This field has no effect if validation succeeds.].
+
+- Required: No
+- Type: bool
+
+### Parameter: `validationProcess.inVMValidations`
+
+A list of validators that will be performed on the image. Azure Image Builder supports File, PowerShell and Shell validators.
+
+- Required: No
+- Type: array
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`type`](#parameter-validationprocessinvmvalidationstype) | string | The type of validation. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`destination`](#parameter-validationprocessinvmvalidationsdestination) | string | Destination of the file. |
+| [`inline`](#parameter-validationprocessinvmvalidationsinline) | array | Array of commands to be run, separated by commas. |
+| [`name`](#parameter-validationprocessinvmvalidationsname) | string | Friendly Name to provide context on what this validation step does. |
+| [`runAsSystem`](#parameter-validationprocessinvmvalidationsrunassystem) | bool | If specified, the PowerShell script will be run with elevated privileges using the Local System user. Can only be true when the runElevated field above is set to true. |
+| [`runElevated`](#parameter-validationprocessinvmvalidationsrunelevated) | bool | If specified, the PowerShell script will be run with elevated privileges. |
+| [`scriptUri`](#parameter-validationprocessinvmvalidationsscripturi) | string | URI of the PowerShell script to be run for validation. It can be a github link, Azure Storage URI, etc. |
+| [`sha256Checksum`](#parameter-validationprocessinvmvalidationssha256checksum) | string | Value of sha256 checksum of the file, you generate this locally, and then Image Builder will checksum and validate. |
+| [`sourceUri`](#parameter-validationprocessinvmvalidationssourceuri) | string | The source URI of the file. |
+| [`validExitCodes`](#parameter-validationprocessinvmvalidationsvalidexitcodes) | array | Valid codes that can be returned from the script/inline command, this avoids reported failure of the script/inline command. |
+
+### Parameter: `validationProcess.inVMValidations.type`
+
+The type of validation.
+
+- Required: Yes
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'File'
+    'PowerShell'
+    'Shell'
+  ]
+  ```
+
+### Parameter: `validationProcess.inVMValidations.destination`
+
+Destination of the file.
+
+- Required: No
+- Type: string
+
+### Parameter: `validationProcess.inVMValidations.inline`
+
+Array of commands to be run, separated by commas.
+
+- Required: No
+- Type: array
+
+### Parameter: `validationProcess.inVMValidations.name`
+
+Friendly Name to provide context on what this validation step does.
+
+- Required: No
+- Type: string
+
+### Parameter: `validationProcess.inVMValidations.runAsSystem`
+
+If specified, the PowerShell script will be run with elevated privileges using the Local System user. Can only be true when the runElevated field above is set to true.
+
+- Required: No
+- Type: bool
+
+### Parameter: `validationProcess.inVMValidations.runElevated`
+
+If specified, the PowerShell script will be run with elevated privileges.
+
+- Required: No
+- Type: bool
+
+### Parameter: `validationProcess.inVMValidations.scriptUri`
+
+URI of the PowerShell script to be run for validation. It can be a github link, Azure Storage URI, etc.
+
+- Required: No
+- Type: string
+
+### Parameter: `validationProcess.inVMValidations.sha256Checksum`
+
+Value of sha256 checksum of the file, you generate this locally, and then Image Builder will checksum and validate.
+
+- Required: No
+- Type: string
+
+### Parameter: `validationProcess.inVMValidations.sourceUri`
+
+The source URI of the file.
+
+- Required: No
+- Type: string
+
+### Parameter: `validationProcess.inVMValidations.validExitCodes`
+
+Valid codes that can be returned from the script/inline command, this avoids reported failure of the script/inline command.
+
+- Required: No
+- Type: array
+
+### Parameter: `validationProcess.sourceValidationOnly`
+
+If this field is set to true, the image specified in the 'source' section will directly be validated. No separate build will be run to generate and then validate a customized image. Not supported when performing customizations, validations or distributions on the image.
+
+- Required: No
+- Type: bool
+
 ### Parameter: `vmSize`
 
 Specifies the size for the VM.
@@ -769,7 +951,7 @@ Specifies the size for the VM.
 
 ### Parameter: `vmUserAssignedIdentities`
 
-List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.<p>Be aware, the user assigned identities specified in the \'managedIdentities\' parameter must have the \'Managed Identity Operator\' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM.<p>
+List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts. Be aware, the user assigned identities specified in the 'managedIdentities' parameter must have the 'Managed Identity Operator' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM.
 
 - Required: No
 - Type: array

diff --git a/avm/res/virtual-machine-images/image-template/main.bicep b/avm/res/virtual-machine-images/image-template/main.bicep
@@ -49,15 +49,22 @@ param roleAssignments roleAssignmentType
 @description('Required. The distribution targets where the image output needs to go to.')
 param distributions distributionType[]
 
-@description('''
-Optional. List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts.
-Be aware, the user assigned identities specified in the \'managedIdentities\' parameter must have the \'Managed Identity Operator\' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM.
-''')
+@description('Optional. List of User-Assigned Identities associated to the Build VM for accessing Azure resources such as Key Vaults from your customizer scripts. Be aware, the user assigned identities specified in the \'managedIdentities\' parameter must have the \'Managed Identity Operator\' role assignment on all the user assigned identities specified in this parameter for Azure Image Builder to be able to associate them to the build VM.')
 param vmUserAssignedIdentities array = []
 
 @description('Required. The managed identity definition for this resource.')
 param managedIdentities managedIdentitiesType
 
+@description('Optional. Configuration options and list of validations to be performed on the resulting image.')
+param validationProcess validationProcessType
+
+@allowed([
+  'Enabled'
+  'Disabled'
+])
+@description('Optional. The optimize property can be enabled while creating a VM image and allows VM optimization to improve image creation time.')
+param optimizeVmBoot string?
+
 var identity = {
   type: 'UserAssigned'
   userAssignedIdentities: reduce(
@@ -100,7 +107,7 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
     }
   }
 
-resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = {
+resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2023-07-01' = {
   #disable-next-line use-stable-resource-identifiers // Disabling as ImageTemplates are not idempotent and hence always must have new name
   name: '${name}-${baseTime}'
   location: location
@@ -164,6 +171,14 @@ resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14
           : {})
       )
     ]
+    validate: validationProcess
+    optimize: optimizeVmBoot != null
+      ? {
+          vmBoot: {
+            state: optimizeVmBoot
+          }
+        }
+      : null
   }
 }
 
@@ -316,6 +331,47 @@ type managedImageDistributionType = {
   @description('Required. The resource ID of the managed image. Defaults to a compute image with name \'imageName-baseTime\' in the current resource group.')
   imageResourceId: string?
 
-  @description('Conditional. Name of the managed or unmanaged image that will be created..')
+  @description('Conditional. Name of the managed or unmanaged image that will be created.')
   imageName: string
 }
+
+type validationProcessType = {
+  @description('Optional. If validation fails and this field is set to false, output image(s) will not be distributed. This is the default behavior. If validation fails and this field is set to true, output image(s) will still be distributed. Please use this option with caution as it may result in bad images being distributed for use. In either case (true or false), the end to end image run will be reported as having failed in case of a validation failure. [Note: This field has no effect if validation succeeds.].')
+  continueDistributeOnFailure: bool?
+
+  @description('Optional. A list of validators that will be performed on the image. Azure Image Builder supports File, PowerShell and Shell validators.')
+  inVMValidations: {
+    @description('Required. The type of validation.')
+    type: ('PowerShell' | 'Shell' | 'File')
+
+    @description('Optional. Friendly Name to provide context on what this validation step does.')
+    name: string?
+
+    @description('Optional. URI of the PowerShell script to be run for validation. It can be a github link, Azure Storage URI, etc.')
+    scriptUri: string?
+
+    @description('Optional. Array of commands to be run, separated by commas.')
+    inline: string[]?
+
+    @description('Optional. Valid codes that can be returned from the script/inline command, this avoids reported failure of the script/inline command.')
+    validExitCodes: int[]?
+
+    @description('Optional. Value of sha256 checksum of the file, you generate this locally, and then Image Builder will checksum and validate.')
+    sha256Checksum: string?
+
+    @description('Optional. The source URI of the file.')
+    sourceUri: string?
+
+    @description('Optional. Destination of the file.')
+    destination: string?
+
+    @description('Optional. If specified, the PowerShell script will be run with elevated privileges using the Local System user. Can only be true when the runElevated field above is set to true.')
+    runAsSystem: bool?
+
+    @description('Optional. If specified, the PowerShell script will be run with elevated privileges.')
+    runElevated: bool?
+  }[]?
+
+  @description('Optional. If this field is set to true, the image specified in the \'source\' section will directly be validated. No separate build will be run to generate and then validate a customized image. Not supported when performing customizations, validations or distributions on the image.')
+  sourceValidationOnly: bool?
+}?