added CMK migration changes (Azure#25931)
* added CMK migration changes
updated help
updated changelog

Updated test case

* re-recorded tests
hiaga authored Aug 26, 2024
1 parent 851c8f9 commit 837c0f5
Showing 12 changed files with 1,620 additions and 1,336 deletions.
Expand Up @@ -59,18 +59,11 @@ public VaultProperty(BackupResourceVaultConfig vaultConfig, BackupResourceEncryp
SoftDeleteFeatureState = vaultConfig.SoftDeleteFeatureState;

// Initialize encryption properties
encryptionProperties = new EncryptionConfig();
encryptionProperties.EncryptionAtRestType = vaultEncryptionSetting.Properties.EncryptionAtRestType;
encryptionProperties.KeyUri = vaultEncryptionSetting.Properties.KeyUri;
encryptionProperties.SubscriptionId = vaultEncryptionSetting.Properties.SubscriptionId;
encryptionProperties.LastUpdateStatus = vaultEncryptionSetting.Properties.LastUpdateStatus;
encryptionProperties.InfrastructureEncryptionState = vaultEncryptionSetting.Properties.InfrastructureEncryptionState;
encryptionProperties.Id = vaultEncryptionSetting.Id;
encryptionProperties.Name = vaultEncryptionSetting.Name;
encryptionProperties.Type = vaultEncryptionSetting.Type;
encryptionProperties.Location = vaultEncryptionSetting.Location;
encryptionProperties.UseSystemAssignedIdentity = vaultEncryptionSetting.Properties.UseSystemAssignedIdentity;
encryptionProperties.UserAssignedIdentity = vaultEncryptionSetting.Properties.UserAssignedIdentity;
encryptionProperties = new EncryptionConfig();
encryptionProperties.KeyUri = vaultEncryptionSetting.Properties?.KeyUri;
encryptionProperties.InfrastructureEncryptionState = vaultEncryptionSetting.Properties?.InfrastructureEncryptionState;
encryptionProperties.UseSystemAssignedIdentity = vaultEncryptionSetting.Properties?.UseSystemAssignedIdentity;
encryptionProperties.UserAssignedIdentity = vaultEncryptionSetting.Properties?.UserAssignedIdentity;
}
}

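Review bot: The new constructor body no longer assigns EncryptionAtRestType, SubscriptionId, LastUpdateStatus, Id, Name, Type or Location on `encryptionProperties`, so if EncryptionConfig still declares those members, anything that reads them (output formatters included) now gets null with nothing in the code saying this is deliberate; a comment on the `encryptionProperties = new EncryptionConfig();` line such as `// Only the key URI, infrastructure-encryption state and KEK identity are sourced from the vault resource now; the remaining members are intentionally left unset` would make the narrowing explicit. The `?.` guards only `Properties`; `vaultEncryptionSetting` itself is still dereferenced unguarded, which is fine only if GetVaultEncryptionConfig can never return null, so either `vaultEncryptionSetting?.Properties?.KeyUri` or an explicit null check at the top would pin that contract down. The constructor's signature and the first part of its body lie outside the hunk.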
Expand Up @@ -21,7 +21,6 @@
using Microsoft.Rest.Azure.OData;
using RestAzureNS = Microsoft.Rest.Azure;
using System;
using Newtonsoft.Json;
using Microsoft.Azure.Commands.RecoveryServices.Backup.Properties;

namespace Microsoft.Azure.Commands.RecoveryServices.Backup.Cmdlets.ServiceClientAdapterNS
Expand Down Expand Up @@ -106,8 +105,23 @@ public BackupResourceConfigResource GetVaultStorageType(string resouceGroupName,
/// <returns>Azure Resource Encryption response object.</returns>
public BackupResourceEncryptionConfigExtendedResource GetVaultEncryptionConfig(string resouceGroupName, string vaultName)
{
return BmsAdapter.Client.BackupResourceEncryptionConfigs.GetWithHttpMessagesAsync(
vaultName, resouceGroupName).Result.Body;
ARSVault vault = GetVault(resouceGroupName, vaultName);

var vaultEncryptionProperty = vault.Properties.EncryptionProperty;
BackupResourceEncryptionConfigExtendedResource encryptionConfig = new BackupResourceEncryptionConfigExtendedResource();

if (vaultEncryptionProperty != null)
{
encryptionConfig.Properties = new BackupResourceEncryptionConfigExtended
{
KeyUri = vaultEncryptionProperty.KeyVaultProperties?.KeyUri,
InfrastructureEncryptionState = vaultEncryptionProperty.InfrastructureEncryption,
UseSystemAssignedIdentity = vaultEncryptionProperty.KekIdentity?.UseSystemAssignedIdentity,
UserAssignedIdentity = vaultEncryptionProperty.KekIdentity?.UserAssignedIdentity
};
}

return encryptionConfig;
}

/// <summary>
Expand Down Expand Up @@ -156,13 +170,55 @@ public ARSVault GetVault(string resouceGroupName, string vaultName)
/// <summary>
/// Method to create or update Recovery Services Vault.
/// </summary>
/// <param name="resouceGroupName">Name of the resouce group</param>
/// <param name="resourceGroupName">Name of the resouce group</param>
/// <param name="vaultName">Name of the vault</param>
/// <param name="patchVault">patch vault object to patch the recovery services Vault</param>
/// <param name="auxiliaryAccessToken">Auxiliary access token for authorization</param>
/// <param name="isMUAProtected">Flag indicating if the operation is MUA protected</param>
/// <returns>Azure Recovery Services Vault.</returns>
public Vault UpdateRSVault(string resouceGroupName, string vaultName, PatchVault patchVault)
public Vault UpdateRSVault(string resourceGroupName, string vaultName, PatchVault patchVault, string auxiliaryAccessToken = null, bool isMUAProtected = false)
{
var response = RSAdapter.Client.Vaults.UpdateWithHttpMessagesAsync(resouceGroupName, vaultName, patchVault).Result;
Dictionary<string, List<string>> customHeaders = new Dictionary<string, List<string>>();
if (isMUAProtected)
{
List<ResourceGuardProxyBaseResource> resourceGuardMapping = ListResourceGuardMapping(vaultName, resourceGroupName);
string operationRequest = null;

if (resourceGuardMapping != null && resourceGuardMapping.Count != 0)
{
// todo: CMK_MUA - check the op value correctly
string criticalOp = "Microsoft.RecoveryServices/vaults/write#reduceImmutabilityState";

foreach (ResourceGuardOperationDetail operationDetail in resourceGuardMapping[0].Properties.ResourceGuardOperationDetails)
{
if (operationDetail.VaultCriticalOperation == criticalOp)
{
operationRequest = operationDetail.DefaultResourceRequest;
}
}

if (operationRequest != null)
{
patchVault.Properties.ResourceGuardOperationRequests = new List<string>();
patchVault.Properties.ResourceGuardOperationRequests.Add(operationRequest);
}
}

if (auxiliaryAccessToken != null && auxiliaryAccessToken != "")
{
if (operationRequest != null)
{
customHeaders.Add("x-ms-authorization-auxiliary", new List<string> { "Bearer " + auxiliaryAccessToken });
}
else
{
// resx
throw new ArgumentException(String.Format(Resources.UnexpectedParameterToken, "modify encryption settings for recovery services vault"));
}
}
}

var response = RSAdapter.Client.Vaults.UpdateWithHttpMessagesAsync(resourceGroupName, vaultName, patchVault, default(string), customHeaders).Result;
return response.Body;
}

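Review bot: In UpdateRSVault the whole MUA gate hinges on `string criticalOp = "Microsoft.RecoveryServices/vaults/write#reduceImmutabilityState";`, which the adjacent `// todo: CMK_MUA - check the op value correctly` comment itself marks as unverified; if the mapping carries a different operation name for encryption changes, `operationRequest` stays null, a caller that supplies a token gets the ArgumentException, and a caller that supplies none sends the PATCH with no ResourceGuardOperationRequests at all, so the resource-guard handshake is skipped on the client side (whether the service still rejects it cannot be told from here). That todo should be resolved before this ships, or at minimum the comment should state what is expected when the operation is absent from the mapping and why only `resourceGuardMapping[0]` is consulted. Two smaller points in the same method: `auxiliaryAccessToken != null && auxiliaryAccessToken != ""` is `!string.IsNullOrEmpty(auxiliaryAccessToken)`, and `operationDetail.VaultCriticalOperation == criticalOp` should use an explicit comparison, e.g. `string.Equals(operationDetail.VaultCriticalOperation, criticalOp, StringComparison.OrdinalIgnoreCase)`, chosen to match how the service cases these names.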
Expand Up @@ -208,7 +208,7 @@ public void TestAzureVMRestoreWithMSI()
);
}

[Fact(Skip = "to be re-recorded in next release")]
[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(TestConstants.Workload, TestConstants.AzureVM)]
public void TestAzureRSVaultCMK()
Expand Up @@ -381,21 +381,26 @@ function Test-AzureRSVaultCMK
$vaultName = "cmk-pstest-vault"
$keyVault = "cmk-pstest-keyvault"
$encryptionKeyId = "https://cmk-pstest-keyvault.vault.azure.net/keys/cmk-pstest-key/5569d5a163ee474cad2da4ac334af9d7"
$encryptionKeyId2 = "https://oss-pstest-keyvault.vault.azure.net/keys/cmk-pstest-key2"

try
{
# Setup
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $vaultName

# error scenario
Assert-ThrowsContains { Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false } `
Assert-ThrowsContains { Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId2 -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false } `
"Please input a valid UserAssignedIdentity";

# set and verify - CMK encryption property to UAI
Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false -UserAssignedIdentity $vault.Identity.UserAssignedIdentities.Keys[0]
Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId2 -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false -UserAssignedIdentity $vault.Identity.UserAssignedIdentities.Keys[0]
$prop = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
Assert-True { $prop.encryptionProperties.UserAssignedIdentity -eq $vault.Identity.UserAssignedIdentities.Keys[0] }

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $vaultName
Assert-True { $vault.Properties.EncryptionProperty.KekIdentity.UserAssignedIdentity -eq $vault.Identity.UserAssignedIdentities.Keys[0] }
Assert-True { $vault.Properties.EncryptionProperty.KeyVaultProperties.KeyUri -eq $encryptionKeyId2 }

Start-TestSleep -Seconds 10

# set and verify - CMK encryption property to system identity
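Review bot: `$encryptionKeyId2` is a versionless key URI on a different key vault (`oss-pstest-keyvault`) from the one named in `$keyVault` at the top of the function, and the new assertion `Assert-True { $vault.Properties.EncryptionProperty.KeyVaultProperties.KeyUri -eq $encryptionKeyId2 }` only holds if the service persists the URI exactly as submitted rather than resolving it to a versioned one; nothing in the hunk says that is the intended behaviour. A comment above the assignment, such as `# versionless key on a separate vault; the service is expected to store the URI unversioned`, would make the expectation explicit, and `$keyVault` should be renamed or dropped if it no longer names the vault under test. `$encryptionKeyId` is still declared but, within the visible part of the hunk, is no longer referenced; it may be used further down, since the function continues past the hunk.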