[Synapse] Support for workspace encrytion managed identity setting (#20010)

yanjungao718 · web-flow · commit 2ce384fbbb09 · 2022-11-07T10:15:18.000+08:00
* workspace encrytion managed identity setting

* update help doc
diff --git a/src/Synapse/Synapse/ChangeLog.md b/src/Synapse/Synapse/ChangeLog.md
@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Updated `Update-AzSynaspeWorkSpace` and `New-AzSynpaseWorkspace` to support for Workspace Encrytion Managed Identity setting
 
 ## Version 2.0.0
 * [Breaking Change] Updated models of Synapse Link for Azure Sql Database
diff --git a/src/Synapse/Synapse/Commands/ManagementCommands/Workspace/NewAzureSynapseWorkspace.cs b/src/Synapse/Synapse/Commands/ManagementCommands/Workspace/NewAzureSynapseWorkspace.cs
@@ -82,6 +82,13 @@ public class NewAzureSynapseWorkspace : SynapseManagementCmdletBase
         [ValidateNotNullOrEmpty]
         public string EncryptionKeyIdentifier { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = HelpMessages.UserAssignedIdentityInEncryption)]
+        public string UserAssignedIdentityInEncryption { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = HelpMessages.UseSystemAssignedIdentityInEncryption)]
+        [ValidateNotNullOrEmpty]
+        public object UseSystemAssignedIdentityInEncryption { get; set; }
+
         [Parameter(Mandatory = false, HelpMessage = HelpMessages.AsJob)]
         public SwitchParameter AsJob { get; set; }
 
@@ -156,6 +163,11 @@ public override void ExecuteCmdlet()
                         {
                             Name = this.EncryptionKeyName,
                             KeyVaultUrl = this.EncryptionKeyIdentifier
+                        },
+                        KekIdentity = new KekIdentityProperties
+                        {
+                            UserAssignedIdentity = this.UserAssignedIdentityInEncryption,
+                            UseSystemAssignedIdentity = this.UseSystemAssignedIdentityInEncryption
                         }
                     }
                 } : null,
diff --git a/src/Synapse/Synapse/Commands/ManagementCommands/Workspace/UpdateAzureSynapseWorkspace.cs b/src/Synapse/Synapse/Commands/ManagementCommands/Workspace/UpdateAzureSynapseWorkspace.cs
@@ -22,6 +22,7 @@
 using Microsoft.Azure.Management.Synapse.Models;
 using Microsoft.WindowsAzure.Commands.Common;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
 using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
@@ -79,6 +80,13 @@ public class UpdateAzureSynapseWorkspace : SynapseManagementCmdletBase
         [ValidateNotNullOrEmpty]
         public string EncryptionKeyName { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = HelpMessages.UserAssignedIdentityInEncryption)]
+        public string UserAssignedIdentityInEncryption { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = HelpMessages.UseSystemAssignedIdentityInEncryption)]
+        [ValidateNotNullOrEmpty]
+        public object UseSystemAssignedIdentityInEncryption { get; set; }        
+
         [Parameter(Mandatory = false, HelpMessage = HelpMessages.GitRepository)]
         [ValidateNotNull]
         public PSWorkspaceRepositoryConfiguration GitRepository { get; set; }
@@ -137,14 +145,21 @@ public override void ExecuteCmdlet()
             patchInfo.Tags = this.IsParameterBound(c => c.Tag) ? TagsConversionHelper.CreateTagDictionary(this.Tag, validate: true) : TagsConversionHelper.CreateTagDictionary(this.InputObject?.Tags, validate:true);
             patchInfo.SqlAdministratorLoginPassword = this.IsParameterBound(c => c.SqlAdministratorLoginPassword) ? this.SqlAdministratorLoginPassword.ConvertToString() : null;
             patchInfo.ManagedVirtualNetworkSettings = this.IsParameterBound(c => c.ManagedVirtualNetwork) ? this.ManagedVirtualNetwork?.ToSdkObject() : this.InputObject?.ManagedVirtualNetworkSettings?.ToSdkObject();           
-            string encrptionKeyName = this.IsParameterBound(c => c.EncryptionKeyName) ? this.EncryptionKeyName : this.InputObject?.Encryption?.CustomerManagedKeyDetails?.Key?.Name;
-            patchInfo.Encryption = !string.IsNullOrEmpty(encrptionKeyName) ? new EncryptionDetails
+            string encrptionKeyName = this.IsParameterBound(c => c.EncryptionKeyName) ? this.EncryptionKeyName : this.InputObject?.Encryption?.CustomerManagedKeyDetails?.Key?.Name;           
+            string userAssignedIdentityInEncryption = this.IsParameterBound(c => c.UserAssignedIdentityInEncryption) ? this.UserAssignedIdentityInEncryption : this.InputObject?.Encryption?.CustomerManagedKeyDetails?.KekIdentity?.UserAssignedIdentity;
+            object useSystemAssignedIdentityInEncryption = this.IsParameterBound(c => c.UseSystemAssignedIdentityInEncryption) ? this.UseSystemAssignedIdentityInEncryption : this.InputObject?.Encryption?.CustomerManagedKeyDetails?.KekIdentity?.UseSystemAssignedIdentity;
+            patchInfo.Encryption = !string.IsNullOrEmpty(encrptionKeyName) || this.IsParameterBound(c => c.UseSystemAssignedIdentityInEncryption) ? new EncryptionDetails
             {
                 Cmk = new CustomerManagedKeyDetails
                 {
                     Key = new WorkspaceKeyDetails
                     {
                         Name = encrptionKeyName
+                    },
+                    KekIdentity = new KekIdentityProperties
+                    {
+                        UserAssignedIdentity = userAssignedIdentityInEncryption,
+                        UseSystemAssignedIdentity = useSystemAssignedIdentityInEncryption
                     }
                 }
             } : null;
diff --git a/src/Synapse/Synapse/Common/HelpMessages.cs b/src/Synapse/Synapse/Common/HelpMessages.cs
@@ -497,6 +497,10 @@ SELECT on dbo.myTable by public
 
         public const string EncryptionKeyIdentifier = "Key identifier should be in the format of: https://{keyvaultname}.vault.azure.net/keys/{keyname}.";
 
+        public const string UserAssignedIdentityInEncryption = "User assigned identity resource Id used in Workspace Encryption";
+
+        public const string UseSystemAssignedIdentityInEncryption = "specifying whether to use system assigned identity in Workspace Encryption or not";
+
         public const string WorkspaceKeyName = "The name of the workspace key.";
 
         public const string WorkspaceItemType = "The workspace item type.";
diff --git a/src/Synapse/Synapse/help/New-AzSynapseWorkspace.md b/src/Synapse/Synapse/help/New-AzSynapseWorkspace.md
@@ -16,9 +16,10 @@ Creates a Synapse Analytics workspace.
 New-AzSynapseWorkspace -ResourceGroupName <String> -Name <String> -Location <String> [-Tag <Hashtable>]
  -DefaultDataLakeStorageAccountName <String> -DefaultDataLakeStorageFilesystem <String>
  -SqlAdministratorLoginCredential <PSCredential> [-ManagedVirtualNetwork <PSManagedVirtualNetworkSettings>]
- [-EncryptionKeyName <String>] [-EncryptionKeyIdentifier <String>] [-AsJob]
- [-ManagedResourceGroupName <String>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
- [-EnablePublicNetworkAccess <Boolean>] [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>]
+ [-EncryptionKeyName <String>] [-EncryptionKeyIdentifier <String>] [-UserAssignedIdentityInEncryption <String>]
+ [-UseSystemAssignedIdentityInEncryption <Object>] [-AsJob] [-ManagedResourceGroupName <String>]
+ [-GitRepository <PSWorkspaceRepositoryConfiguration>] [-EnablePublicNetworkAccess <Boolean>]
+ [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
@@ -80,6 +81,32 @@ New-AzSynapseWorkspace -ResourceGroupName ContosoResourceGroup -Name ContosoWork
 
 This command creates a Synapse Analytics workspace named ContosoWorkspace that uses the ContosoAdlGenStorage Data Store, in the resource group named ContosoResourceGroup, and add user assigned managed identities that get from ResourceGroup ContosoResourceGroup to workspace.
 
+### Example 6
+```powershell
+New-AzSynapseWorkspace -ResourceGroupName ContosoResourceGroup -Name ContosoWorkspace -Location northeurope -DefaultDataLakeStorageAccountName ContosoAdlGen2Storage -DefaultDataLakeStorageFilesystem ContosoFileSystem -SqlAdministratorLoginCredential $creds -EncryptionKeyIdentifier $identifier -UseSystemAssignedIdentityInEncryption $true
+$ws = Get-AzSynapseWorkspace -name ContosoWorkspace
+$ws.Encryption.CustomerManagedKeyDetails.Key
+```
+
+```output
+Name    KeyVaultUrl
+----    -----------
+default https://contosoKeyValut.vault.azure.net/keys/testkey
+```
+
+```powershell
+$ws = Get-AzSynapseWorkspace -name ContosoWorkspace
+$ws.Encryption.CustomerManagedKeyDetails.KekIdentity
+```
+
+```output
+UserAssignedIdentity UseSystemAssignedIdentity
+-------------------- -------------------------
+                                          True
+```
+
+This command creates a Synapse Analytics workspace named ContosoWorkspace that uses the ContosoAdlGenStorage Data Store, in the resource group named ContosoResourceGroup, and enable double encryption with customer-managed key with specified key identifier and set Managed Identity as System Assigned. After creation, we can call `Get-AzSynapseWorkspace` to get Encryption properties of workspace.
+
 ## PARAMETERS
 
 ### -AsJob
@@ -322,6 +349,36 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -UserAssignedIdentityInEncryption
+User assigned identity resource Id used in Workspace Encryption
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UseSystemAssignedIdentityInEncryption
+specifying whether to use system assigned identity in Workspace Encryption or not
+
+```yaml
+Type: System.Object
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Confirm
 Prompts you for confirmation before running the cmdlet.
 
diff --git a/src/Synapse/Synapse/help/Update-AzSynapseWorkspace.md b/src/Synapse/Synapse/help/Update-AzSynapseWorkspace.md
@@ -16,30 +16,36 @@ Updates a Synapse Analytics workspace.
 ```
 Update-AzSynapseWorkspace [-ResourceGroupName <String>] -Name <String> [-Tag <Hashtable>]
  [-SqlAdministratorLoginPassword <SecureString>] [-ManagedVirtualNetwork <PSManagedVirtualNetworkSettings>]
- [-EncryptionKeyName <String>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
- [-EnablePublicNetworkAccess <Boolean>] [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
- [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>] [-AsJob]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-EncryptionKeyName <String>] [-UserAssignedIdentityInEncryption <String>]
+ [-UseSystemAssignedIdentityInEncryption <Object>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
+ [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
+ [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>]
+ [-EnablePublicNetworkAccess <Boolean>] [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
 ```
 
 ### SetByInputObjectParameterSet
 ```
 Update-AzSynapseWorkspace -InputObject <PSSynapseWorkspace> [-Tag <Hashtable>]
  [-SqlAdministratorLoginPassword <SecureString>] [-ManagedVirtualNetwork <PSManagedVirtualNetworkSettings>]
- [-EncryptionKeyName <String>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
- [-EnablePublicNetworkAccess <Boolean>] [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
- [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>] [-AsJob]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-EncryptionKeyName <String>] [-UserAssignedIdentityInEncryption <String>]
+ [-UseSystemAssignedIdentityInEncryption <Object>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
+ [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
+ [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>]
+ [-EnablePublicNetworkAccess <Boolean>] [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
 ```
 
 ### SetByResourceIdParameterSet
 ```
 Update-AzSynapseWorkspace -ResourceId <String> [-Tag <Hashtable>]
  [-SqlAdministratorLoginPassword <SecureString>] [-ManagedVirtualNetwork <PSManagedVirtualNetworkSettings>]
- [-EncryptionKeyName <String>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
- [-EnablePublicNetworkAccess <Boolean>] [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
- [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>] [-AsJob]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-EncryptionKeyName <String>] [-UserAssignedIdentityInEncryption <String>]
+ [-UseSystemAssignedIdentityInEncryption <Object>] [-GitRepository <PSWorkspaceRepositoryConfiguration>]
+ [-UserAssignedIdentityAction <UserAssignedManagedIdentityActionType>]
+ [-UserAssignedIdentityId <System.Collections.Generic.List`1[System.String]>]
+ [-EnablePublicNetworkAccess <Boolean>] [-AsJob] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -86,7 +92,7 @@ This commands updates the specififed Azure Synapse Analytics workspace to enable
 
 ### Example 6
 ```powershell
-$uamis = Get-AzUserAssignedIdentity -ResourceGroupName bigdataqa
+$uamis = Get-AzUserAssignedIdentity -ResourceGroupName ContosoResourceGroup
 $uamilist = New-Object System.Collections.Generic.List[string]
 foreach($uami in $uamis){
 	$uamilist.Add($uami.Id)
@@ -99,7 +105,7 @@ This commands updates workspace to add user assigned managed identites in $uamil
 
 ### Example 7
 ```powershell
-$uamis = Get-AzUserAssignedIdentity -ResourceGroupName bigdataqa
+$uamis = Get-AzUserAssignedIdentity -ResourceGroupName ContosoResourceGroup
 $uamilist = New-Object System.Collections.Generic.List[string]
 foreach($uami in $uamis){
 	$uamilist.Add($uami.Id)
@@ -112,7 +118,7 @@ This commands removes user assigned managed identites $uamilist[0] from workspac
 
 ### Example 8
 ```powershell
-$uamis = Get-AzUserAssignedIdentity -ResourceGroupName bigdataqa
+$uamis = Get-AzUserAssignedIdentity -ResourceGroupName ContosoResourceGroup
 $uamilist = New-Object System.Collections.Generic.List[string]
 foreach($uami in $uamis){
 	$uamilist.Add($uami.Id)
@@ -123,6 +129,35 @@ Update-AzSynapseWorkspace -Name ContosoWorkspace -UserAssignedIdentityAction Set
 
 This commands updates workspace with user assigned managed identites $uamilist that will cover current identities.
 
+### Example 9
+```powershell
+$uamis = Get-AzUserAssignedIdentity -ResourceGroupName ContosoResourceGroup
+$identityId = $uamis[0].Id
+$ws = Get-AzSynapseWorkspace -Name ContosoWorkspace
+$ws | Update-AzSynapseWorkspace -UseSystemAssignedIdentityInEncryption $false -UserAssignedIdentityInEncryption $identityId
+$ws = Get-AzSynapseWorkspace -Name ContosoWorkspace
+$ws.Encryption.CustomerManagedKeyDetails.Key
+```
+
+```output
+Name    KeyVaultUrl
+----    -----------
+default https://contosoKeyValut.vault.azure.net/keys/testkey
+```
+
+```powershell
+$ws = Get-AzSynapseWorkspace -name ContosoWorkspace
+$ws.Encryption.CustomerManagedKeyDetails.KekIdentity
+```
+
+```output
+UserAssignedIdentity                                                                                                                                        UseSystemAssignedIdentity
+--------------------                                                                                                                                        -------------------------
+/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/ContosoResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uaminame                     False
+```
+
+This commands updates workspace Encryption Managed Identity as User Assigned and specify an user assigned identity Id to access your customer-managed key stored in key vault. After updating, we can call `Get-AzSynapseWorkspace` to get Encryption properties of workspace.
+
 ## PARAMETERS
 
 ### -AsJob
@@ -341,6 +376,36 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -UserAssignedIdentityInEncryption
+User assigned identity resource Id used in Workspace Encryption
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UseSystemAssignedIdentityInEncryption
+specifying whether to use system assigned identity in Workspace Encryption or not
+
+```yaml
+Type: System.Object
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Confirm
 Prompts you for confirmation before running the cmdlet.
 
