[BACKUP] Added support for Customer Managed Keys(CMK) for Recovery Services Vault (Azure#18733)

* Merged with commit added support for CMK feature

* Merged with commit Changes made

* Merged with commit More changes

* Changes with new version

* Linter file changed

* Changed test file

* encryption test changed

* Help Text Changed

* Changes in command

* help_text changed again

* modified param names based on review comments

* Encryption examples added

Co-authored-by: Vidhi Katyal <[email protected]>
Co-authored-by: Himanshu Agarwal <[email protected]>

Author: 3 people

linter_exclusions.yml

@@ -819,6 +819,11 @@ backup vault backup-properties set:
     cross_region_restore_flag:
       rule_exclusions:
       - option_length_too_long
+backup vault encryption update:
+  parameters:
+    infrastructure_encryption:
+      rule_exclusions:
+      - option_length_too_long
 batch account create:
   parameters:
     encryption_key_identifier:

src/azure-cli/azure/cli/command_modules/backup/_client_factory.py

@@ -170,6 +170,10 @@ def backup_resource_vault_config_cf(cli_ctx, *_):
     return _backup_client_factory(cli_ctx).backup_resource_vault_configs
 
 
+def backup_resource_encryption_config_cf(cli_ctx, *_):
+    return _backup_client_factory(cli_ctx).backup_resource_encryption_configs
+
+
 # Azure Active Directory Client Factories
 def aad_properties_cf(cli_ctx, *_):
     return _backup_client_factory(cli_ctx).aad_properties

src/azure-cli/azure/cli/command_modules/backup/_help.py

@@ -495,3 +495,51 @@
     text: az backup vault show --name MyRecoveryServicesVault --resource-group MyResourceGroup
     crafted: true
 """
+helps['backup vault identity'] = """
+type: group
+short-summary: Identity details of a Recovery Services Vault.
+"""
+helps['backup vault identity assign'] = """
+type: command
+short-summary: Assign Identities to Recovery Services vault.
+examples:
+  - name: Assign Identities to Recovery Services vault. (autogenerated)
+    text: az backup vault identity assign --system-assigned --user-assigned MyIdentityId1 --resource-group MyResourceGroup --vault-name MyVault
+    crafted: true
+"""
+helps['backup vault identity remove'] = """
+type: command
+short-summary: Remove Identities of Recovery Services vault.
+examples:
+  - name: Remove Identities of Recovery Services vault. (autogenerated)
+    text: az backup vault identity remove --system-assigned --user-assigned MyIdentityId1 --resource-group MyResourceGroup --vault-name MyVault
+    crafted: true
+"""
+helps['backup vault identity show'] = """
+type: command
+short-summary: Show Identities of Recovery Services vault.
+examples:
+  - name: Show Identities of Recovery Services vault. (autogenerated)
+    text: az backup vault identity show --resource-group MyResourceGroup --vault-name MyVault
+    crafted: true
+"""
+helps['backup vault encryption'] = """
+type: group
+short-summary: Encryption details of a Recovery Services Vault.
+"""
+helps['backup vault encryption update'] = """
+type: command
+short-summary: Update encryption properties of a Recovery Services Vault.
+examples:
+  - name: Update encryption properties to use user assigned identity of a Recovery Services Vault.
+    text: az backup vault encryption update --encryption-key-id MyEncryptionKeyId --mi-user-assigned MyUserAssignedIdentityId --resource-group MyResourceGroup --vault-name MyVault
+  - name: Update encryption properties to use system assigned identity of a Recovery Services Vault.
+    text: az backup vault encryption update --encryption-key-id MyEncryptionKeyId --mi-system-assigned --resource-group MyResourceGroup --vault-name MyVault
+"""
+helps['backup vault encryption show'] = """
+type: command
+short-summary: Show details of encryption properties of a Recovery Services Vault.
+examples:
+  - name: Show details of encryption properties of a Recovery Services Vault.
+    text: az backup vault encryption show --resource-group MyResourceGroup --vault-name MyVault
+"""

src/azure-cli/azure/cli/command_modules/backup/_params.py

@@ -46,6 +46,7 @@
 target_tier_help = """ The destination/target tier to which a particular recovery point has to be moved."""
 tier_help = """ Provide 'tier' parameter to filter recovery points."""
 rehyd_priority_type_help = """The type of priority to be maintained while rehydrating a recovery point """
+infrastructure_encryption_type_help = """Use this parameter to enable/disable infrastructure encryption. This must be set when configuring encryption of the vault for the first time. Once enabled/disabled, infrastructure encryption setting cannot be changed. Default value: Disabled. Allowed values: Enabled, Disabled"""
 
 vault_name_type = CLIArgumentType(help='Name of the Recovery services vault.', options_list=['--vault-name', '-v'], completer=get_resource_name_completion_list('Microsoft.RecoveryServices/vaults'))
 container_name_type = CLIArgumentType(help=container_name_help, options_list=['--container-name', '-c'])
@@ -71,6 +72,14 @@
 target_tier_type = CLIArgumentType(help=target_tier_help, arg_type=get_enum_type(allowed_target_tier_type_chk_archivable), options_list=['--target-tier'])
 tier_type = CLIArgumentType(help=tier_help, arg_type=get_enum_type(allowed_tier_type), options_list=['--tier'])
 rehyd_priority_type = CLIArgumentType(help=rehyd_priority_type_help, arg_type=get_enum_type(allowed_rehyd_priority_type), options_list=['--rehydration-priority'])
+mi_user_assigned_type = CLIArgumentType(options_list=['--mi-user-assigned'], help="UserAssigned Identity Id to be used for CMK encryption, this will be applicable for encryption using userassigned identity")
+mi_system_assigned_type = CLIArgumentType(action='store_true', options_list=['--mi-system-assigned'], help="Provide this flag to use system assigned identity for encryption.")
+encryption_key_id_type = CLIArgumentType(options_list=['--encryption-key-id'], help="The encryption key id you want to use for encryption")
+infrastructure_encryption_type = CLIArgumentType(options_list=['--infrastructure-encryption'], arg_type=get_enum_type(['Enabled', 'Disabled']), help=infrastructure_encryption_type_help)
+user_assigned_type = CLIArgumentType(nargs='+', options_list=['--user-assigned'], help="Space-separated list of userassigned identities to be assigned to Recovery Services Vault.")
+user_assigned_remove_type = CLIArgumentType(nargs='*', options_list=['--user-assigned'], help="Space-separated list of userassigned identities to be removed from Recovery Services Vault.")
+system_assigned_remove_type = CLIArgumentType(action='store_true', options_list=['--system-assigned'], help="Provide this flag to remove system assigned identity for Recovery Services Vault.")
+system_assigned_type = CLIArgumentType(action='store_true', options_list=['--system-assigned'], help="Provide this flag to enable system assigned identity for Recovery Services Vault.")
 
 
 # pylint: disable=too-many-statements
@@ -92,6 +101,33 @@ def load_arguments(self, _):
         c.argument('soft_delete_feature_state', arg_type=get_enum_type(['Enable', 'Disable']), help='Set soft-delete feature state for a Recovery Services Vault.')
         c.argument('cross_region_restore_flag', arg_type=get_enum_type(['True', 'False']), help='Set cross-region-restore feature state for a Recovery Services Vault. Default: False.')
 
+    # Identity
+    with self.argument_context('backup vault identity assign') as c:
+        c.argument('vault_name', vault_name_type)
+        c.argument('system_assigned', system_assigned_type)
+        c.argument('user_assigned', user_assigned_type)
+
+    with self.argument_context('backup vault identity remove') as c:
+        c.argument('vault_name', vault_name_type)
+        c.argument('system_assigned', system_assigned_remove_type)
+        c.argument('user_assigned', user_assigned_remove_type)
+
+    with self.argument_context('backup vault identity show') as c:
+        c.argument('vault_name', vault_name_type)
+
+    # Encryption
+    with self.argument_context('backup vault encryption') as c:
+        c.argument('vault_name', vault_name_type)
+
+    with self.argument_context('backup vault encryption update') as c:
+        c.argument('encryption_key_id', encryption_key_id_type)
+        c.argument('infrastructure_encryption', infrastructure_encryption_type)
+        c.argument('mi_user_assigned', mi_user_assigned_type)
+        c.argument('mi_system_assigned', mi_system_assigned_type)
+
+    with self.argument_context('backup vault encryption show') as c:
+        c.argument('vault_name', vault_name_type)
+
     # Container
     with self.argument_context('backup container') as c:
         c.argument('vault_name', vault_name_type, id_part='name')
@@ -308,6 +344,7 @@ def load_arguments(self, _):
         c.argument('use_secondary_region', action='store_true', help='Use this flag to show recoverypoints in secondary region.')
         c.argument('rehydration_duration', type=int, help='Set the maximum time, in days (between 10-30, both inclusive) for which the recovery point stays in hydrated state. Default: 15')
         c.argument('rehydration_priority', rehyd_priority_type)
+        c.argument('disk_encryption_set_id', options_list=['--disk-encryption-set-id'], help='The disk encryption set id is used for encrypting restored disks. Please ensure access to disk encryption set id that is specified here.')
 
     with self.argument_context('backup restore restore-azurefileshare') as c:
         c.argument('resolve_conflict', resolve_conflict_type)

src/azure-cli/azure/cli/command_modules/backup/commands.py

@@ -8,8 +8,7 @@
     protection_policies_cf, backup_policies_cf, protected_items_cf, backups_cf, backup_jobs_cf, \
     job_details_cf, job_cancellations_cf, recovery_points_cf, restores_cf, backup_storage_configs_cf, \
     item_level_recovery_connections_cf, backup_protected_items_cf, backup_protectable_items_cf, \
-    protection_containers_cf, protection_intent_cf  # pylint: disable=unused-variable
-
+    protection_containers_cf, protection_intent_cf, backup_resource_encryption_config_cf  # pylint: disable=unused-variable
 from azure.cli.command_modules.backup._format import (
     transform_container_list, transform_policy_list, transform_item_list, transform_job_list,
     transform_recovery_point_list, transform_container, transform_item, transform_protectable_item_list, transform_job,
@@ -35,6 +34,11 @@ def load_command_table(self, _):
         g.custom_command('backup-properties show', 'get_backup_properties', client_factory=backup_storage_configs_cf)
         g.custom_command('backup-properties set', 'set_backup_properties', client_factory=backup_storage_configs_cf)
         g.custom_command('delete', 'delete_vault', confirmation=True)
+        g.custom_command('identity assign', 'assign_identity')
+        g.custom_command('identity remove', 'remove_identity')
+        g.custom_command('identity show', 'show_identity')
+        g.custom_command('encryption update', 'update_encryption')
+        g.custom_command('encryption show', 'show_encryption', client_factory=backup_resource_encryption_config_cf)
 
     with self.command_group('backup container', backup_custom_base, client_factory=protection_containers_cf) as g:
         g.show_command('show', 'show_container', client_factory=backup_protection_containers_cf, table_transformer=transform_container)