[AppConfig]Add customer managed key when updating stores. #12102

Merged
merged 9 commits into from
Feb 13, 2020
Changes from 3 commits
4 changes: 4 additions & 0 deletions src/azure-cli/azure/cli/command_modules/appconfig/_help.py
Expand Up @@ -254,6 +254,10 @@
text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --tags key1=value1 key2=value2
- name: Upgrade sku of an App Configuration to standard
text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --sku Standard
- name: Enable customer encryption key with system assigned identity
text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --encryption-key-name myKey --encryption-key-version keyVersion --encryption-key-vault https://keyVaultName.vault.azure.net
- name: Remove customer encryption key
text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --encryption-key-name ""
"""

helps['appconfig feature'] = """
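Review bot: the `--encryption-key-vault` example only works because the URI has no trailing slash; custom.py builds the key identifier by string concatenation (`"{}/keys/{}/{}".format(...)`), so `https://keyVaultName.vault.azure.net/` would yield a double slash in the identifier. Either say in the example text that the vault URI is given without a trailing slash, or normalise it in the command. The "Remove customer encryption key" example depends on an empty `--encryption-key-name` being the removal sentinel; a short sentence stating that explicitly would help, since nothing in the parameter name suggests it.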
Original file line number Diff line number Diff line change
Expand Up @@ -766,10 +766,11 @@ def __convert_feature_dict_to_keyvalue_list(features_dict, enabled_for_keyword):
if filter_param:
new_val["parameters"] = filter_param
feature_flag_value.conditions["client_filters"][idx] = new_val

else:
feature_flag_value.enabled = v
feature_flag_value.conditions = default_conditions
elif isinstance(v, bool):
feature_flag_value.enabled = v
feature_flag_value.conditions = default_conditions
else:
raise ValueError("The type of '{}' should be either boolean or dictionary.".format(v))

set_kv = KeyValue(key=key,
value=json.dumps(feature_flag_value, default=lambda o: o.__dict__, ensure_ascii=False),
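Review bot: the new `ValueError` at the end of the hunk formats the offending value `v` but not the key the loop is processing, so a user importing a large file gets "The type of 'foo' should be either boolean or dictionary." with no hint about which feature is malformed. Include the feature name in the message, e.g. `"Feature '{}' has value '{}'; expected a boolean or a dictionary."`. Replacing the old `else` fallthrough (which stored any non-dict value as the enabled flag) with an explicit `elif isinstance(v, bool)` plus an error is the right change; it stops a string such as `"true"` from being silently written as the flag state.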
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,12 @@ def load_arguments(self, _):
with self.argument_context('appconfig update') as c:
c.argument('tags', arg_type=tags_type)

with self.argument_context('appconfig update', arg_group='Customer Managed Key', is_preview=True) as c:
c.argument('encryption_key_name', help='The name of the KeyVault key.')
c.argument('encryption_key_vault', help='The Uri of the KeyVault.')
Member

URI

Contributor Author

We are trying to keep consistent with az storage account update as below: https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/storage/_params.py#L210 As CMK is a kind of new required feature for all Azure services, we don't want to invent our own way.

Member

Sorry. I should make my advice clear. I mean usually URI is upper case.

Contributor Author

fixed.

c.argument('encryption_key_version', help='The version of the KeyVault key. Use the latest version by default.')
c.argument('identity_client_id', help='Client id of the managed identity with wrap and unwrap access to encryption key. Use system assigned identity by default.')
Member

ID

Contributor Author

You mean just name the argument "--id"? It looks too vague and maybe we can use "--identity" and explain this should be the client of the managed identity?

Member

Sorry. I should make my advice clear. I mean usually ID is upper case.

Contributor Author

fixed.


with self.argument_context('appconfig identity assign') as c:
c.argument('identities', arg_type=identities_arg_type)
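Review bot: the help for `encryption_key_name` should document the removal sentinel: `update_configstore` treats an empty string as "remove the customer managed key" and `None` as "leave unchanged", but nothing in the argument help says so, so a user only discovers it from the example in _help.py. Suggested: `help='The name of the KeyVault key. Pass an empty string to remove the customer managed key.'`. Likewise the `encryption_key_vault` help should state that the URI is expected without a trailing slash, because the key identifier is built by plain concatenation in custom.py.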

41 changes: 37 additions & 4 deletions src/azure-cli/azure/cli/command_modules/appconfig/custom.py
Expand Up @@ -5,12 +5,15 @@

# pylint: disable=line-too-long

from knack.util import CLIError
from knack.log import get_logger
from azure.mgmt.appconfiguration.models import (ConfigurationStoreUpdateParameters,
ConfigurationStore,
Sku,
ResourceIdentity,
UserIdentity)
UserIdentity,
EncryptionProperties,
KeyVaultProperties)

from ._utils import resolve_resource_group, user_confirmation
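Review bot: `__validate_cmk` further down calls `logger.warning(...)`, but this hunk only imports `get_logger`; confirm that a module-level `logger = get_logger(__name__)` exists in custom.py (it is outside the visible context), otherwise the removal path with extra key vault arguments fails with `NameError` instead of warning. The two new model imports (`EncryptionProperties`, `KeyVaultProperties`) are fine and correctly kept in the existing parenthesised import.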

Expand Down Expand Up @@ -60,12 +63,26 @@ def update_configstore(cmd,
name,
resource_group_name=None,
tags=None,
sku=None):
sku=None,
encryption_key_name=None,
encryption_key_vault=None,
encryption_key_version=None,
identity_client_id=None):
__validate_cmk(encryption_key_name, encryption_key_vault, encryption_key_version, identity_client_id)
if resource_group_name is None:
resource_group_name, _ = resolve_resource_group(cmd, name)

update_params = ConfigurationStoreUpdateParameters(tags=tags,
sku=sku)
update_params = ConfigurationStoreUpdateParameters(tags=tags if tags else None,
sku=Sku(name=sku) if sku else None)

if encryption_key_name is not None:
key_vault_properties = KeyVaultProperties()
if encryption_key_name:
# key identifier schema https://keyvaultname.vault-int.azure-int.net/keys/keyname/keyversion
key_identifier = "{}/keys/{}/{}".format(encryption_key_vault, encryption_key_name, encryption_key_version if encryption_key_version else "")
key_vault_properties = KeyVaultProperties(key_identifier=key_identifier, identity_client_id=identity_client_id)

update_params.encryption = EncryptionProperties(key_vault_properties=key_vault_properties)

return client.update(resource_group_name=resource_group_name,
config_store_name=name,
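Review bot: the key identifier built at `key_identifier = "{}/keys/{}/{}".format(...)` ends with a trailing slash when `encryption_key_version` is omitted (`https://vault/keys/name/`) and gets a double slash if the user's vault URI already ends with `/`. Build it from the non-empty parts instead, e.g. `"/".join(p for p in [encryption_key_vault.rstrip('/'), 'keys', encryption_key_name, encryption_key_version] if p)`, and replace the `vault-int.azure-int.net` hostname in the comment with the public `vault.azure.net` form used in the help examples. The hunk also changes `sku=sku` to `Sku(name=sku) if sku else None`, which is a separate behaviour change for the existing update path and should be called out in the PR description.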
Expand Down Expand Up @@ -189,6 +206,22 @@ def __get_resource_identity(assign_identity):
user_assigned_identities=user_assigned if user_assigned else None)


def __validate_cmk(encryption_key_name=None,
encryption_key_vault=None,
encryption_key_version=None,
identity_client_id=None):
if encryption_key_name is None:
if any(arg is not None for arg in [encryption_key_vault, encryption_key_version, identity_client_id]):
raise CLIError("To modify customer encryption key --encryption-key-name is required")
else:
if encryption_key_name:
if encryption_key_vault is None:
raise CLIError("To modify customer encryption key --encryption-key-vault is required")
else:
if any(arg is not None for arg in [encryption_key_vault, encryption_key_version, identity_client_id]):
logger.warning("Removing the customer encryption key. Key vault related arguments are ignored.")


def __convert_api_key_to_json(credentail, endpoint):
augmented_credential = {}
augmented_credential['id'] = credentail.id
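Review bot: `__validate_cmk` checks which arguments are present but not what they contain; `encryption_key_vault` is concatenated straight into the key identifier, so a value without the `https://` scheme or with a trailing slash passes validation and produces a malformed identifier. Add a format check, e.g. `if not encryption_key_vault.startswith('https://'): raise CLIError("--encryption-key-vault must be an https:// Key Vault URI")`. Style: the `else:` with a nested `if encryption_key_name:` can be flattened to `elif encryption_key_name:` with the removal case as the final `else`, which mirrors the three states (unset, set, empty) the function distinguishes. The unchanged context at the bottom still spells `credentail`; a follow-up rename would be welcome.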
Original file line number Diff line number Diff line change
@@ -1,26 +1,26 @@
{
"Color": "Red",
"Region": "West US",
"FeatureManagement": {
"Beta": false,
"Percentage": true,
"Timestamp": {
"EnabledFor": [
{
"Parameters": {
"EndTime": "2019-09-01T00:00:00Z",
"StartTime": "2019-01-01T00:00:00Z"
"StartTime": "2019-01-01T00:00:00Z",
"EndTime": "2019-09-01T00:00:00Z"
},
"Name": "Local Tests"
},
{
"Parameters": {
"EndTime": "2019-11-01T00:00:00Z",
"StartTime": "2019-09-02T00:00:00Z"
"StartTime": "2019-09-02T00:00:00Z",
"EndTime": "2019-11-01T00:00:00Z"
},
"Name": "Production Tests"
}
]
}
},
"Color": "Red",
"Region": "West US"
},
"Beta": false
}
}
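Review bot: this fixture changes only the order of keys (top-level members and `StartTime`/`EndTime` inside `Parameters`), which shows that the export test compares serialised text and therefore depends on the emitter's key order. Because JSON object member order carries no meaning, have the test `json.load` both files and compare the resulting dicts, so the fixture does not have to be regenerated each time the serialisation order changes.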
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
#Mon Feb 03 18:35:05 Pacific Standard Time 2020
feature-management.FeatureSample.enabled-for[2].Name=Filter@3
feature-management.FeatureSample.enabled-for[3].Name=filter.4
#Fri Feb 07 17:46:38 Pacific Standard Time 2020
feature-management.TrueFeature=true
Region=West US
feature-management.FalseFeature=false
feature-management.FeatureSample.enabled-for[3].Parameters.dotInFilter.Param=?
feature-management.FeatureSample.enabled-for[0].Name=Filter1
feature-management.FeatureSample.enabled-for[0].Parameters.paramforfilter1=value1
Color=Red
feature-management.FeatureSample.enabled-for[0].Name=Filter1
feature-management.FeatureSample.enabled-for[3].Parameters.EmptyValue=
feature-management.FeatureSample.enabled-for[0].Parameters.paramforfilter1=value1
feature-management.TrueFeature=true
feature-management.FeatureSample.enabled-for[3].Parameters.dotInFilter.Param=?
feature-management.FeatureSample.enabled-for[2].Name=Filter@3
feature-management.FeatureSample.enabled-for[1].Name=Filter2
feature-management.FeatureSample.enabled-for[3].Name=filter.4
feature-management.FalseFeature=false
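Review bot: the first line of the expected .properties fixture is a generation timestamp (`#Fri Feb 07 17:46:38 Pacific Standard Time 2020`), and apart from reordering of the remaining lines it is the only change in this hunk. A timestamp in a golden file differs on every regeneration and on every machine that re-exports, so either skip the comment line in the test's comparison or strip it from the fixture; the remaining lines should likewise be compared as an unordered set of key/value pairs so line order does not break the test.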
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
Color: Red
Region: West US
feature-management:
Beta: false
Timestamp:
Expand All @@ -10,5 +12,3 @@ feature-management:
Parameters:
EndTime: '2019-11-01T00:00:00Z'
StartTime: '2019-09-02T00:00:00Z'
Color: Red
Region: West US

Large diffs are not rendered by default.