[BACKUP] backup vault: Add support for Customer Managed Keys(CMK)

linter_exclusions.yml

@@ -819,6 +819,11 @@ backup vault backup-properties set:
     cross_region_restore_flag:
       rule_exclusions:
       - option_length_too_long
+backup vault encryption update:
+  parameters:
+    infrastructure_encryption:
+      rule_exclusions:
+      - option_length_too_long
 batch account create:
   parameters:
     encryption_key_identifier:

src/azure-cli/azure/cli/command_modules/backup/_client_factory.py

@@ -170,6 +170,10 @@ def backup_resource_vault_config_cf(cli_ctx, *_):
     return _backup_client_factory(cli_ctx).backup_resource_vault_configs
 
 
+def backup_resource_encryption_config_cf(cli_ctx, *_):
+    return _backup_client_factory(cli_ctx).backup_resource_encryption_configs
+
+
 # Azure Active Directory Client Factories
 def aad_properties_cf(cli_ctx, *_):
     return _backup_client_factory(cli_ctx).aad_properties

src/azure-cli/azure/cli/command_modules/backup/_help.py

@@ -495,3 +495,29 @@
     text: az backup vault show --name MyRecoveryServicesVault --resource-group MyResourceGroup
     crafted: true
 """
+helps['backup vault update'] = """
+type: command
+short-summary: Updates an existing Recovery Services vault.
+examples:
+  - name: Updates an existing Recovery services vault. (autogenerated)
+    text: az backup vault update --identity-type None --resource-group MyResourceGroup --vault-name MyVault
+    crafted: true
+"""
+helps['backup vault encryption'] = """
+type: group
+short-summary: Encryption details of a Recovery Services Vault.
+"""
+helps['backup vault encryption update'] = """
+type: command
+short-summary: Updates encryption properties of a Recovery Services Vault.
+examples:
+  - name: Updates encryption properties of a Recovery Services Vault.
+    text: az backup vault encryption update --encryption-key-id MyEncryptionKeyId --resource-group MyResourceGroup --vault-name MyVault
+"""
+helps['backup vault encryption show'] = """
+type: command
+short-summary: Show details of encryption properties of a Recovery Services Vault.
+examples:
+  - name: Show details of encryption properties of a Recovery Services Vault.
+    text: az backup vault encryption show --resource-group MyResourceGroup --vault-name MyVault
+"""

src/azure-cli/azure/cli/command_modules/backup/_params.py

@@ -28,6 +28,7 @@
 allowed_target_tier_type_chk_archivable = ['VaultArchive']
 allowed_tier_type = ['VaultStandard', 'Snapshot', 'VaultArchive', 'VaultStandardRehydrated', 'SnapshotAndVaultStandard', 'SnapshotAndVaultArchive']
 allowed_rehyd_priority_type = ['Standard', 'High']
+allowed_identity_types = ['systemassigned', 'userassigned', 'none']
 
 backup_management_type_help = """Specifiy the backup management type. Define how Azure Backup manages the backup of entities within the ARM resource. For eg: AzureWorkloads refers to workloads installed within Azure VMs, AzureStorage refers to entities within Storage account. Required only if friendly name is used as Container name."""
 container_name_help = """Name of the backup container. Accepts 'Name' or 'FriendlyName' from the output of az backup container list command. If 'FriendlyName' is passed then BackupManagementType is required."""
@@ -46,6 +47,7 @@
 target_tier_help = """ The destination/target tier to which a particular recovery point has to be moved."""
 tier_help = """ Provide 'tier' parameter to filter recovery points."""
 rehyd_priority_type_help = """The type of priority to be maintained while rehydrating a recovery point """
+infrastructure_encryption_type_help = """Use this parameter to Enable/Disable Infrastructure encryption. This must be set when configuring encryption of the vault for the first time. Once Enabled/Disabled, infrastructure encryption setting cannot be changed. Default value: Disabled. Allowed values: Enabled /Disabled"""
 
 vault_name_type = CLIArgumentType(help='Name of the Recovery services vault.', options_list=['--vault-name', '-v'], completer=get_resource_name_completion_list('Microsoft.RecoveryServices/vaults'))
 container_name_type = CLIArgumentType(help=container_name_help, options_list=['--container-name', '-c'])
@@ -71,6 +73,11 @@
 target_tier_type = CLIArgumentType(help=target_tier_help, arg_type=get_enum_type(allowed_target_tier_type_chk_archivable), options_list=['--target-tier'])
 tier_type = CLIArgumentType(help=tier_help, arg_type=get_enum_type(allowed_tier_type), options_list=['--tier'])
 rehyd_priority_type = CLIArgumentType(help=rehyd_priority_type_help, arg_type=get_enum_type(allowed_rehyd_priority_type), options_list=['--rehydration-priority'])
+identity_type = CLIArgumentType(options_list=['--identity-type'], arg_type=get_enum_type(allowed_identity_types), help="The identity type to be enabled for this vault, whether it is systemassigned, userassigned or none")
+identity_id_type = CLIArgumentType(nargs='+', options_list=['--identity-id'], help="Space-separated list of userassigned identities. This will be applicable only for userassigned identity type")
+user_assigned_identity_id_type = CLIArgumentType(options_list=['--identity-id'], help="UserAssigned Identity Id to be used for CMK encryption, this will be applicable for encryption using userassigned identity")
+encryption_key_id_type = CLIArgumentType(options_list=['--encryption-key-id'], help="The encryption key id you want to use for encryption")
+infrastructure_encryption_type = CLIArgumentType(options_list=['--infrastructure-encryption'], arg_type=get_enum_type(['Enabled', 'Disabled']), help=infrastructure_encryption_type_help)
 
 
 # pylint: disable=too-many-statements
@@ -92,6 +99,27 @@ def load_arguments(self, _):
         c.argument('soft_delete_feature_state', arg_type=get_enum_type(['Enable', 'Disable']), help='Set soft-delete feature state for a Recovery Services Vault.')
         c.argument('cross_region_restore_flag', arg_type=get_enum_type(['True', 'False']), help='Set cross-region-restore feature state for a Recovery Services Vault. Default: False.')
 
+    # Identity
+    with self.argument_context('backup vault update') as c:
+        c.argument('vault_name', vault_name_type)
+        c.argument('identity_type', identity_type)
+        c.argument('identity_id', identity_id_type)
+        c.argument('remove_user_assigned', action='store_true', help="Use this flag to remove user assigned identity")
+        c.argument('remove_system_assigned', action='store_true', help="Use this flag to remove system assigned identity")
+
+    # Encryption
+    with self.argument_context('backup vault encryption') as c:
+        c.argument('vault_name', vault_name_type)
+
+    with self.argument_context('backup vault encryption update') as c:
+        c.argument('encryption_key_id', encryption_key_id_type)
+        c.argument('infrastructure_encryption', infrastructure_encryption_type)
+        c.argument('identity_id', user_assigned_identity_id_type)
+        c.argument('use_systemassigned_identity', action='store_true', options_list=['--use-system-assigned'], help="Provide this flag to use system assigned identity for encryption.")
+
+    with self.argument_context('backup vault encryption show') as c:
+        c.argument('vault_name', vault_name_type)
+
     # Container
     with self.argument_context('backup container') as c:
         c.argument('vault_name', vault_name_type, id_part='name')
@@ -308,6 +336,7 @@ def load_arguments(self, _):
         c.argument('use_secondary_region', action='store_true', help='Use this flag to show recoverypoints in secondary region.')
         c.argument('rehydration_duration', type=int, help='Set the maximum time, in days (between 10-30, both inclusive) for which the recovery point stays in hydrated state. Default: 15')
         c.argument('rehydration_priority', rehyd_priority_type)
+        c.argument('disk_encryption_set_id', options_list=['--disk-encryption-set-id'], help='The disk encryption set id is used for encrypting restored disks. Please ensure access to disk encryption set id that is specified here.')
 
     with self.argument_context('backup restore restore-azurefileshare') as c:
         c.argument('resolve_conflict', resolve_conflict_type)

src/azure-cli/azure/cli/command_modules/backup/commands.py

@@ -8,8 +8,7 @@
     protection_policies_cf, backup_policies_cf, protected_items_cf, backups_cf, backup_jobs_cf, \
     job_details_cf, job_cancellations_cf, recovery_points_cf, restores_cf, backup_storage_configs_cf, \
     item_level_recovery_connections_cf, backup_protected_items_cf, backup_protectable_items_cf, \
-    protection_containers_cf, protection_intent_cf  # pylint: disable=unused-variable
-
+    protection_containers_cf, protection_intent_cf, backup_resource_encryption_config_cf  # pylint: disable=unused-variable
 from azure.cli.command_modules.backup._format import (
     transform_container_list, transform_policy_list, transform_item_list, transform_job_list,
     transform_recovery_point_list, transform_container, transform_item, transform_protectable_item_list, transform_job,
@@ -35,6 +34,9 @@ def load_command_table(self, _):
         g.custom_command('backup-properties show', 'get_backup_properties', client_factory=backup_storage_configs_cf)
         g.custom_command('backup-properties set', 'set_backup_properties', client_factory=backup_storage_configs_cf)
         g.custom_command('delete', 'delete_vault', confirmation=True)
+        g.custom_command('update', 'update_vault')
+        g.custom_command('encryption update', 'update_encryption')
+        g.custom_command('encryption show', 'show_encryption', client_factory=backup_resource_encryption_config_cf)
 
     with self.command_group('backup container', backup_custom_base, client_factory=protection_containers_cf) as g:
         g.show_command('show', 'show_container', client_factory=backup_protection_containers_cf, table_transformer=transform_container)