diff --git a/vmm/src/vmm-cli.py b/vmm/src/vmm-cli.py index 347f1795..2828d1f7 100755 --- a/vmm/src/vmm-cli.py +++ b/vmm/src/vmm-cli.py @@ -520,6 +520,11 @@ def calc_app_id(self, compose_file: str) -> str: def create_app_compose(self, args) -> None: """Create a new app compose file""" envs = parse_env_file(args.env_file) or {} + + # Validate: --env-file requires --kms + if envs and not args.kms: + raise Exception("--env-file requires --kms to enable KMS for environment variable decryption") + app_compose = { "manifest_version": 2, "name": args.name, @@ -565,6 +570,17 @@ def create_vm(self, args) -> None: envs = parse_env_file(args.env_file) + # Validate: --env-file requires --kms-url and kms_enabled in compose + if envs: + if not args.kms_url: + raise Exception("--env-file requires --kms-url to encrypt environment variables") + try: + compose_json = json.loads(compose_content) + if not compose_json.get('kms_enabled', False): + raise Exception("--env-file requires kms_enabled=true in the compose file (use --kms when creating compose)") + except json.JSONDecodeError: + pass # Let the server handle invalid JSON + # Read user config file if provided user_config = "" if args.user_config: @@ -620,6 +636,10 @@ def create_vm(self, args) -> None: def update_vm_env(self, vm_id: str, envs: Dict[str, str], kms_urls: Optional[List[str]] = None) -> None: """Update environment variables for a VM""" + # Validate: requires --kms-url + if not kms_urls: + raise Exception("--kms-url is required to encrypt environment variables") + envs = envs or {} # First get the VM info to retrieve the app_id vm_info_response = self.rpc_call('GetInfo', {'id': vm_id}) @@ -709,6 +729,10 @@ def update_vm( no_tee: Optional[bool] = None, ) -> None: """Update multiple aspects of a VM in one command""" + # Validate: --env-file requires --kms-url + if env_file and not kms_urls: + raise Exception("--env-file requires --kms-url to encrypt environment variables") + updates = [] # handle resize operations (vcpu, memory, disk, image)