az disk create; snapshot as source; (BadRequest) Security Type 'TrustedLaunch' is not supported for CreateOption 'Copy'. #22561

@gitzalotl

Describe the bug

Command Name
az disk create

Errors:

(BadRequest) Security Type 'TrustedLaunch' is not supported for CreateOption 'Copy'. Supported create options are FromImage, Import, ImportSecure, UploadPreparedSecure.
Code: BadRequest
Message: Security Type 'TrustedLaunch' is not supported for CreateOption 'Copy'. Supported create options are FromImage, Import, ImportSecure, UploadPreparedSecure.

To Reproduce:

  1. Deploy VM
OS_DISK_ID=$(
az vm create \
        --name $VM_NAME \
        --computer-name $VM_NAME \
        --resource-group $RESOURCE_GROUP \
        --location $REGION_NAME \
        --admin-username $ADMIN_USER \
        --authentication-type ssh \
        --ssh-key-values "$(< $SSH_PUBLIC_KEY_FILE)" \
        --enable-agent true \
        --enable-secure-boot true \
        --enable-vtpm true \
        --encryption-at-host true \
        --nics $NIC_ID \
        --os-disk-encryption-set $DES_ID \
        --image "Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:20.04.202203220" \
        --os-disk-name $OS_DISK_NAME \
        --os-disk-size-gb "30" \
        --size "Standard_B1ms" \
        --storage-sku "StandardSSD_LRS" \
        --query "storageProfile.osDisk.managedDisk.id" \
        --output tsv \
        --security-type "TrustedLaunch"
)
  2. Create Snapshot of OS disk
OS_DISK_SNAPSHOT_ID=$(
az snapshot create \
        --name $OS_DISK_SNAPSHOT_NAME \
        --resource-group $RESOURCE_GROUP \
        --source $OS_DISK_ID \
        --disk-encryption-set $DES_ID \
        --hyper-v-generation V2 \
        --architecture x64 \
        --size-gb "30" \
        --sku Standard_LRS \
        --encryption-type EncryptionAtRestWithPlatformAndCustomerKeys \
        --query "id" \
        --output tsv
)
  3. Attempt to deploy Disk from Snapshot
NEW_OS_DISK_ID=$(
az disk create \
        --name $NEW_OS_DISK_NAME \
        --resource-group $RESOURCE_GROUP \
        --location $REGION_NAME \
        --sku StandardSSD_LRS \
        --source $OS_DISK_SNAPSHOT_ID \
        --encryption-type EncryptionAtRestWithPlatformAndCustomerKeys \
        --disk-encryption-set $DES_ID \
        --hyper-v-generation V2 \
        --query "id" \
        --output tsv \
        --security-type TrustedLaunch
)

Expected Behavior

Disk deployment succeeds with snapshot as source, and enables subsequent VM deployment with an argument like --attach-os-disk $NEW_OS_DISK_ID.

Environment Summary

Linux-5.10.102.1-microsoft-standard-WSL2-x86_64-with-glibc2.29, Ubuntu 20.04.4 LTS
Python 3.8.13
Installer: DEB

azure-cli 2.36.0

Additional Context

  • The overall objective of this scenario is to deploy a VM, perform some initial setup on the OS disk, and take a snapshot. This archived snapshot would later serve to replace the existing VM's OS disk, or deploy as a new VM.
  • Disk deployments with the same parameters, snapshot as source, and securityType "TrustedLaunch" are successful via Azure Portal.
    MS Azure Doc "Trusted launch for Azure virtual machines" also indicates this is possible:

The image source can be an existing Azure VM which is... an existing managed disk or a snapshot...

❓ Is it a bug?
