Forum Discussion

isotonic_uk
Brass Contributor
Sep 28, 2023

Source image is not created for trusted boot but it is turned on the VM.

Hi 

 

New to Bicep and learning it by deploying a mini environment in my lab. I am using the same code base as defined here: https://rozemuller.com/avd-automation-cocktail-avd-with-bicep-and-azure-cli/#azure-compute-gallery but I have made some alterations to it as I am trying to create a gen2 Trusted Launch VM to be used instead of a standard SecurityType defined in this blog. 

  1. I create my initial image version of Windows 11 using security type Trusted Launch. This was just a standard Microsoft gallery image, which I then sysprep and generalise. That all seems to go well and my base image has the security type that I want. Defined in my Bicep file under:
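resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  // name, location and the other VM properties are omitted from this excerpt
  properties: {
    // Security profile properties: Trusted Launch with Secure Boot and vTPM
    securityProfile: {
      uefiSettings: {
        secureBootEnabled: true
        vTpmEnabled: true
      }
      securityType: 'TrustedLaunch'
    }
    // Boot diagnostics
    diagnosticsProfile: {
      bootDiagnostics: {
        enabled: true
      }
    }
  }
}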

When I come to run the main.bicep file alongside the parameters, which then pulls in the various modules depending on where it is in the build, it goes through the process of deploying the gallery image but fails with the error:

 

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure, Target: /subscriptions/<mysubscriptionID>/resourceGroups/uks-rb81-vdi-avd-hpl-priv-001-01/providers/Microsoft.Compute/galleries/uksbldglbssvgal01/images/uks-img-Windows-desktop-11-gen2-22h2-priv-tl-001/versions/2023.09.26) The source 'subscriptions/<mysubscriptionID>/resourceGroups/rg-Win11-template/providers/Microsoft.Compute/virtualMachines/i4xsd3rrtnobm-vm' has security type 'TrustedLaunch' and cannot be used as a source for an image definition with SecurityType feature set to 'None'. (Code: Conflict)

 

I am really confused about where I need to set this. I thought it would be under the Bicep file deploy-shared-image-gallery.bicep, but then when I declare the params and resource as

 

}
//Create VM with Security type
resource virtualMachine 'Microsoft.Compute/virtualMachines@2023-07-01' = {
  name: imageDefinitionName
  location: location
  securityType: 'TrustedLaunch'
}
 
It just says: The property "securityType" is not allowed on objects of type "Microsoft.Compute/virtualMachines". Permissible properties include "asserts", "dependsOn", "extendedLocation", "identity", "plan", "properties", "tags", "zones". If this is an inaccuracy in the documentation, please report it to the Bicep Team.
 
Could it be an expression that I need to define? A param and var value?
 
Any help on this would be most appreciated.

Thanks
  •  

    Thought I would add, managed to resolve in the end. I needed to add features into the deploy-shared-image-gallery.bicep file

    features: [
      {
        name: 'SecurityType'
        value: 'TrustedLaunch'
      }
    ]

    at the point when it creates the resource galleryDefinition, after it declares the hyperVGeneration. What I found is it's not well documented at the moment.

    isotonic_uk 
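
The fix described in the reply above, shown in context as an added example (not code from the thread or from the referenced blog's template): a gallery image definition whose `features` array declares the Trusted Launch security type. The parameter names, the API version and the `identifier` values are assumptions chosen for illustration.

```bicep
// Added example: image definition in an existing Azure Compute Gallery.
// Parameter names and identifier values are placeholders, not the original template's.
param galleryName string
param imageDefinitionName string
param location string = resourceGroup().location

resource gallery 'Microsoft.Compute/galleries@2022-03-03' existing = {
  name: galleryName
}

resource galleryDefinition 'Microsoft.Compute/galleries/images@2022-03-03' = {
  parent: gallery
  name: imageDefinitionName
  location: location
  properties: {
    osType: 'Windows'
    osState: 'Generalized' // the source VM was sysprepped and generalised
    hyperVGeneration: 'V2' // Trusted Launch requires a Gen2 image
    identifier: {
      publisher: 'ExamplePublisher' // constructed placeholder
      offer: 'ExampleOffer'         // constructed placeholder
      sku: 'example-sku'            // constructed placeholder
    }
    // Without this block the definition's SecurityType feature is 'None',
    // and a source VM with securityType 'TrustedLaunch' is rejected with
    // the Conflict error quoted in the question.
    features: [
      {
        name: 'SecurityType'
        value: 'TrustedLaunch'
      }
    ]
  }
}
```

The security type is set in two different places: on the VM it lives under `properties.securityProfile.securityType`, while on the image definition it is a name/value entry in `properties.features`.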
