Support creating cluster with encryption at host. (#12671)

Co-authored-by: Zhenyu Zhou <zhezhou@microsoft.com>

Author: aim-for-better

src/HDInsight/HDInsight.Test/HDInsight.Test.csproj

@@ -12,7 +12,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.5" />
-    <PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.6.0" />
     <PackageReference Include="Microsoft.Azure.Management.HDInsight.Job" Version="2.0.7" />
     <PackageReference Include="Microsoft.Azure.Management.KeyVault" Version="3.0.0" />
     <PackageReference Include="Microsoft.Azure.Management.ManagedServiceIdentity" Version="0.11.0" />

src/HDInsight/HDInsight.Test/ScenarioTests/HDInsightClusterTests.cs

@@ -56,5 +56,12 @@ public void TestCreateClusterWithPrivateLink()
         {
             TestController.NewInstance.RunPowerShellTest(_logger, "Test-CreateClusterWithPrivateLink");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestCreateClusterWithEncryptionAtHost()
+        {
+            TestController.NewInstance.RunPowerShellTest(_logger, "Test-TestCreateClusterWithEncryptionAtHost");
+        }
     }
 }

src/HDInsight/HDInsight.Test/ScenarioTests/HDInsightClusterTests.ps1

@@ -163,3 +163,39 @@ function Test-CreateClusterWithPrivateLink{
 		Remove-AzResourceGroup -ResourceGroupName $cluster.ResourceGroup
 	}
 }
+
+<#
+.SYNOPSIS
+Test Create Azure HDInsight Cluster which Enalbes Encryption At Host
+#>
+
+function Test-TestCreateClusterWithEncryptionAtHost{
+
+	# Create some resources that will be used throughout test
+	try
+	{
+		# prepare parameter for creating parameter
+		$params= Prepare-ClusterCreateParameterForWASB -Location "South Central US"
+		$encryptionAtHost=$true
+		$workerNodeSize="Standard_DS14_v2"
+		$headNodeSize="Standard_DS14_v2"
+		$zookeeperNodeSize="Standard_DS14_v2"
+
+		# create cluster
+		$cluster=New-AzHDInsightCluster -Location $params.location -ResourceGroupName $params.resourceGroupName `
+		-ClusterName $params.clusterName -ClusterSizeInNodes $params.clusterSizeInNodes -ClusterType $params.clusterType `
+		-WorkerNodeSize $workerNodeSize -HeadNodeSize $headNodeSize -ZookeeperNodeSize $zookeeperNodeSize `
+		-DefaultStorageAccountName $params.storageAccountName -DefaultStorageAccountKey $params.storageAccountKey `
+		-HttpCredential $params.httpCredential -SshCredential $params.sshCredential `
+		-MinSupportedTlsVersion $params.minSupportedTlsVersion -EncryptionAtHost $encryptionAtHost
+
+		Assert-AreEqual $cluster.DiskEncryption.EncryptionAtHost $encryptionAtHost
+		
+	}
+	finally
+	{
+		# Delete cluster and resource group
+		Remove-AzHDInsightCluster -ClusterName $cluster.Name
+		Remove-AzResourceGroup -ResourceGroupName $cluster.ResourceGroup
+	}
+}

src/HDInsight/HDInsight.Test/SessionRecords/Commands.HDInsight.Test.ScenarioTests.HDInsightClusterTests/TestCreateClusterWithEncryptionAtHost.json

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+Support creating cluster with encryption at host feature.
 
 ## Version 3.4.0
 * Supported creating cluster with encryption in transit feature.

src/HDInsight/HDInsight/ChangeLog.md

@@ -11,7 +11,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.6.0" />
     <PackageReference Include="Microsoft.Azure.Management.HDInsight.Job" Version="2.0.7" />
     <PackageReference Include="WindowsAzure.Storage" Version="9.3.0" />
   </ItemGroup>

src/HDInsight/HDInsight/HDInsight.csproj

@@ -145,7 +145,8 @@ public AzureHDInsightConfig Config
                     EncryptionVaultUri = EncryptionVaultUri,
                     PublicNetworkAccessType = PublicNetworkAccessType,
                     OutboundPublicNetworkAccessType = OutboundPublicNetworkAccessType,
-                    EncryptionInTransit = EncryptionInTransit
+                    EncryptionInTransit = EncryptionInTransit,
+                    EncryptionAtHost = EncryptionAtHost
                 };
                 foreach (
                     var storageAccount in
@@ -208,6 +209,7 @@ var storageAccount in
                 PublicNetworkAccessType = value.PublicNetworkAccessType;
                 OutboundPublicNetworkAccessType = value.OutboundPublicNetworkAccessType;
                 EncryptionInTransit = value.EncryptionInTransit;
+                EncryptionAtHost = value.EncryptionAtHost;
 
                 foreach (
                     var storageAccount in
@@ -392,14 +394,17 @@ public DateTime RdpAccessExpiry
 
         [Parameter(HelpMessage = "Gets or sets the public network access type.")]
         [ValidateSet(PublicNetworkAccess.InboundAndOutbound, PublicNetworkAccess.OutboundOnly, IgnoreCase = true)]
-        public string PublicNetworkAccessType;
+        public string PublicNetworkAccessType { get; set; }
 
         [Parameter(HelpMessage = "Gets or sets the outbound access type to the public network.")]
         [ValidateSet(OutboundOnlyPublicNetworkAccessType.PublicLoadBalancer, OutboundOnlyPublicNetworkAccessType.UDR, IgnoreCase = true)]
-        public string OutboundPublicNetworkAccessType;
+        public string OutboundPublicNetworkAccessType { get; set; }
 
         [Parameter(HelpMessage = "Gets or sets the flag which indicates whether enable encryption in transit or not.")]
-        public bool? EncryptionInTransit;
+        public bool? EncryptionInTransit { get; set; }
+
+        [Parameter(HelpMessage = "Gets or sets the flag which indicates whether enable encryption at host or not.")]
+        public bool? EncryptionAtHost { get; set; }
 
         #endregion
 
@@ -540,6 +545,21 @@ var storageAccount in
                 };
             }
 
+            if (EncryptionAtHost != null)
+            {
+                if (parameters.DiskEncryptionProperties != null)
+                {
+                    parameters.DiskEncryptionProperties.EncryptionAtHost = EncryptionAtHost;
+                }
+                else
+                {
+                    parameters.DiskEncryptionProperties = new DiskEncryptionProperties()
+                    {
+                        EncryptionAtHost = EncryptionAtHost
+                    };
+                }
+            }
+
             var cluster = HDInsightManagementClient.CreateNewCluster(ResourceGroupName, ClusterName, OSType, parameters, MinSupportedTlsVersion, this.DefaultContext.Environment.ActiveDirectoryAuthority, this.DefaultContext.Environment.DataLakeEndpointResourceId, PublicNetworkAccessType, OutboundPublicNetworkAccessType, EncryptionInTransit);
 
             if (cluster != null)

src/HDInsight/HDInsight/ManagementCommands/NewAzureHDInsightClusterCommand.cs

@@ -214,6 +214,13 @@ public bool? EncryptionInTransit
             set { _config.EncryptionInTransit = value; }
         }
 
+        [Parameter(HelpMessage = "Gets or sets the flag which indicates whether enable encryption at host or not.")]
+        public bool? EncryptionAtHost
+        {
+            get { return _config.EncryptionAtHost; }
+            set { _config.EncryptionAtHost = value; }
+        }
+
         #endregion
 
         public NewAzureHDInsightClusterConfigCommand()

src/HDInsight/HDInsight/ManagementCommands/NewAzureHDInsightClusterConfigCommand.cs

@@ -185,6 +185,11 @@ public class AzureHDInsightConfig
         /// </summary>
         public bool? EncryptionInTransit;
 
+        /// <summary>
+        /// Gets or sets the flag which indicates whether enable encryption at host or not.
+        /// </summary>
+        public bool? EncryptionAtHost;
+
         public AzureHDInsightConfig()
         {
             ClusterType = Constants.Hadoop;

src/HDInsight/HDInsight/Models/Management/AzureHDInsightConfig.cs

@@ -33,8 +33,9 @@ New-AzHDInsightCluster [-Location] <String> [-ResourceGroupName] <String> [-Clus
  [-AadTenantId <Guid>] [-SecurityProfile <AzureHDInsightSecurityProfile>] [-DisksPerWorkerNode <Int32>]
  [-MinSupportedTlsVersion <String>] [-AssignedIdentity <String>] [-EncryptionAlgorithm <String>]
  [-EncryptionKeyName <String>] [-EncryptionKeyVersion <String>] [-EncryptionVaultUri <String>]
- [-DefaultProfile <IAzureContextContainer>] [-PublicNetworkAccessType <String>]
- [-OutboundPublicNetworkAccessType <String>] [-EncryptionInTransit <Boolean>] [<CommonParameters>]
+ [-PublicNetworkAccessType <String>] [-OutboundPublicNetworkAccessType <String>]
+ [-EncryptionInTransit <Boolean>] [-EncryptionAtHost <Boolean>] [-DefaultProfile <IAzureContextContainer>]
+ [<CommonParameters>]
 ```
 
 ### CertificateFilePath
@@ -57,8 +58,9 @@ New-AzHDInsightCluster [-Location] <String> [-ResourceGroupName] <String> [-Clus
  [-CertificatePassword <String>] [-AadTenantId <Guid>] [-SecurityProfile <AzureHDInsightSecurityProfile>]
  [-DisksPerWorkerNode <Int32>] [-MinSupportedTlsVersion <String>] [-AssignedIdentity <String>]
  [-EncryptionAlgorithm <String>] [-EncryptionKeyName <String>] [-EncryptionKeyVersion <String>]
- [-EncryptionVaultUri <String>] [-DefaultProfile <IAzureContextContainer>] [-PublicNetworkAccessType <String>]
- [-OutboundPublicNetworkAccessType <String>] [-EncryptionInTransit <Boolean>] [<CommonParameters>]
+ [-EncryptionVaultUri <String>] [-PublicNetworkAccessType <String>] [-OutboundPublicNetworkAccessType <String>]
+ [-EncryptionInTransit <Boolean>] [-EncryptionAtHost <Boolean>] [-DefaultProfile <IAzureContextContainer>]
+ [<CommonParameters>]
 ```
 
 ### CertificateFileContents
@@ -81,8 +83,9 @@ New-AzHDInsightCluster [-Location] <String> [-ResourceGroupName] <String> [-Clus
  [-CertificatePassword <String>] [-AadTenantId <Guid>] [-SecurityProfile <AzureHDInsightSecurityProfile>]
  [-DisksPerWorkerNode <Int32>] [-MinSupportedTlsVersion <String>] [-AssignedIdentity <String>]
  [-EncryptionAlgorithm <String>] [-EncryptionKeyName <String>] [-EncryptionKeyVersion <String>]
- [-EncryptionVaultUri <String>] [-DefaultProfile <IAzureContextContainer>] [-PublicNetworkAccessType <String>]
- [-OutboundPublicNetworkAccessType <String>] [-EncryptionInTransit <Boolean>] [<CommonParameters>]
+ [-EncryptionVaultUri <String>] [-PublicNetworkAccessType <String>] [-OutboundPublicNetworkAccessType <String>]
+ [-EncryptionInTransit <Boolean>] [-EncryptionAtHost <Boolean>] [-DefaultProfile <IAzureContextContainer>]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -107,7 +110,7 @@ PS C:\&gt; # Primary storage account info
         $clusterCreds = Get-Credential
 
         # If the cluster's resource group doesn't exist yet, run:
-        #   New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
+        # New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
 
         # Create the cluster
         New-AzHDInsightCluster `
@@ -185,7 +188,7 @@ PS C:\&gt; # Primary storage account info
         $clusterCreds = Get-Credential
 
         # If the cluster's resource group doesn't exist yet, run:
-        #   New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
+        # New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
 
         # Create the cluster
         New-AzHDInsightCluster `
@@ -239,7 +242,40 @@ PS C:\&gt; # Primary storage account info
             -SshCredential $clusterCreds `
             -VirtualNetworkId $virtualNetworkId -SubnetName $subnetName `
             -PublicNetworkAccessType OutboundOnly -OutboundPublicNetworkAccessType PublicLoadBalancer `
+```
+
+### Example 5: Create an Azure HDInsight cluster which enables encryption at host
+```
+PS C:\&gt; # Primary storage account info
+        $storageAccountResourceGroupName = "Group"
+        $storageAccountName = "yourstorageacct001"
+        $storageAccountKey = Get-AzStorageAccountKey `
+            -ResourceGroupName $storageAccountResourceGroupName `
+            -Name $storageAccountName | %{ $_.Key1 }
+        $storageContainer = "container002"
 
+        # Cluster configuration info
+        $location = "East US 2"
+        $clusterResourceGroupName = "Group"
+        $clusterName = "your-hadoop-002"
+        $clusterCreds = Get-Credential
+
+        # If the cluster's resource group doesn't exist yet, run:
+        # New-AzResourceGroup -Name $clusterResourceGroupName -Location $location
+
+        # Create the cluster
+        New-AzHDInsightCluster `
+            -ClusterType Hadoop `
+            -ClusterSizeInNodes 4 `
+            -ResourceGroupName $clusterResourceGroupName `
+            -ClusterName $clusterName `
+            -HttpCredential $clusterCreds `
+            -Location $location `
+            -DefaultStorageAccountName "$storageAccountName.blob.core.contoso.net" `
+            -DefaultStorageAccountKey $storageAccountKey `
+            -DefaultStorageContainer $storageContainer `
+            -SshCredential $clusterCreds `
+            -EncryptionAtHost $true `
 ```
 
 ## PARAMETERS
@@ -601,6 +637,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EncryptionAtHost
+Gets or sets the flag which indicates whether enable encryption at host or not.
+
+```yaml
+Type: System.Nullable`1[System.Boolean]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EncryptionInTransit
 Gets or sets the flag which indicates whether enable encryption in transit or not.