Merge pull request #9222 from nivimsft/tdemiPreviewToRelease

New Cmdlets for Management.Sql that supports Managed instance key and…

Author: markcowl

src/Sql/Sql.Test/ScenarioTests/Common.ps1

@@ -305,14 +305,15 @@ Gets the values of the parameters used in the Server Key Vault Key tests
 #>
 function Get-SqlServerKeyVaultKeyTestEnvironmentParameters ()
 {
+	# Create a key vault with soft delete.configured
 	return @{ rgName = Get-ResourceGroupName;
 			  serverName = Get-ServerName;
 			  databaseName = Get-DatabaseName;
-			  keyId = "https://akvtdekeyvault.vault.azure.net/keys/key1/51c2fab9ff3c4a17aab4cd51b932b106";
-			  serverKeyName = "akvtdekeyvault_key1_51c2fab9ff3c4a17aab4cd51b932b106";
-			  vaultName = "akvtdekeyvault";
+			  keyId = "https://akvtdekeyvaultcl.vault.azure.net/keys/key1/738a177a3b0d45e98d366fdf738840e8";
+			  serverKeyName = "akvtdekeyvaultcl_key1_738a177a3b0d45e98d366fdf738840e8";
+			  vaultName = "akvtdekeyvaultcl";
 			  keyName = "key1"
-			  location = "southeastasia";
+			  location = "westcentralus";
 			  }
 }
 
@@ -330,17 +331,42 @@ function Create-ServerKeyVaultKeyTestEnvironment ($params)
 	<#[SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test passwords only valid for the duration of the test")]#>
 	$serverPassword = "t357ingP@s5w0rd!"
 	$credentials = new-object System.Management.Automation.PSCredential($serverLogin, ($serverPassword | ConvertTo-SecureString -asPlainText -Force))
-	$server = New-AzSqlServer -ResourceGroupName  $rg.ResourceGroupName -ServerName $params.serverName -Location $params.location -ServerVersion "12.0" -SqlAdministratorCredentials $credentials
+	$server = New-AzSqlServer -ResourceGroupName  $rg.ResourceGroupName -ServerName $params.serverName -Location $params.location -ServerVersion "12.0" -SqlAdministratorCredentials $credentials -AssignIdentity
 	Assert-AreEqual $server.ServerName $params.serverName
 
 	# Create database
 	$db = New-AzSqlDatabase -ResourceGroupName $rg.ResourceGroupName -ServerName $server.ServerName -DatabaseName $params.databaseName
 	Assert-AreEqual $db.DatabaseName $params.databaseName
 
+	#Set permissions on key Vault
+	Set-AzKeyVaultAccessPolicy -VaultName $params.vaultName -ObjectId $server.Identity.PrincipalId -PermissionsToKeys get, list, wrapKey, unwrapKey
+
 	# Return the created resource group
 	return $rg
 }
 
+
+<#
+.SYNOPSIS
+Creates test managed instance
+#>
+function Get-ManagedInstanceForTdeTest ($params)
+{
+	# Setup
+	$rg = Create-ResourceGroupForTest
+	$vnetName = "cl_initial"
+	$subnetName = "Cool"
+	
+	# Setup VNET 
+	$virtualNetwork1 = CreateAndGetVirtualNetworkForManagedInstance $vnetName $subnetName $rg.Location
+	$subnetId = $virtualNetwork1.Subnets.where({ $_.Name -eq $subnetName })[0].Id
+	
+	$managedInstance = Create-ManagedInstanceForTest $rg $subnetId
+	Set-AzKeyVaultAccessPolicy -VaultName $params.vaultName -ObjectId $managedInstance.Identity.PrincipalId -PermissionsToKeys get, list, wrapKey, unwrapKey
+
+	return $managedInstance
+}
+
 <#
 .SYNOPSIS
 Gets valid resource group name
@@ -705,7 +731,7 @@ function Create-ManagedInstanceForTest ($resourceGroup, $subnetId)
 
 	$managedInstance = New-AzSqlInstance -ResourceGroupName $resourceGroup.ResourceGroupName -Name $managedInstanceName `
  			-Location $resourceGroup.Location -AdministratorCredential $credentials -SubnetId $subnetId `
-  			-Vcore $vCore -SkuName $skuName
+  			-Vcore $vCore -SkuName $skuName -AssignIdentity
 
 	return $managedInstance
 }

src/Sql/Sql.Test/ScenarioTests/ManagedInstanceKeyVaultKeyTests.cs

@@ -0,0 +1,74 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest.SqlTests;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+using Xunit.Abstractions;
+using RestTestFramework = Microsoft.Rest.ClientRuntime.Azure.TestFramework;
+
+namespace Microsoft.Azure.Commands.Sql.Test.ScenarioTests
+{
+    public class ManagedInstanceKeyVaultKeyTests : SqlTestsBase
+    {
+        public ManagedInstanceKeyVaultKeyTests(ITestOutputHelper output) : base(output)
+        {
+        }
+
+        protected override void SetupManagementClients(RestTestFramework.MockContext context)
+        {
+            var sqlClient = GetSqlClient(context);
+            var newResourcesClient = GetResourcesClient(context);
+            var graphClient = GetGraphClient(context);
+            var networkClient = GetNetworkClient(context);
+            var keyVaultClient = GetKeyVaultClient(context);
+            Helper.SetupSomeOfManagementClients(sqlClient, newResourcesClient, networkClient, graphClient, keyVaultClient);
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestManagedInstanceKeyVaultKeyCI()
+        {
+            RunPowerShellTest("Test-ManagedInstanceKeyVaultKeyCI");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestManagedInstanceKeyVaultKey()
+        {
+            RunPowerShellTest("Test-ManagedInstanceKeyVaultKey");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestManagedInstanceKeyVaultKeyInputObject()
+        {
+            RunPowerShellTest("Test-ManagedInstanceKeyVaultKeyInputObject");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestManagedInstanceKeyVaultKeyResourceId()
+        {
+            RunPowerShellTest("Test-ManagedInstanceKeyVaultKeyResourceId");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestManagedInstanceKeyVaultKeyPiping()
+        {
+            RunPowerShellTest("Test-ManagedInstanceKeyVaultKeyPiping");
+        }
+    }
+}

src/Sql/Sql.Test/ScenarioTests/ManagedInstanceKeyVaultKeyTests.ps1

@@ -0,0 +1,169 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+	.SYNOPSIS
+	Tests for managing TDE keyVaultKey in managed instance for continuous validation
+#>
+function Test-ManagedInstanceKeyVaultKeyCI
+{
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$managedInstance = Get-ManagedInstanceForTdeTest $params
+	$mangedInstanceRg = $managedInstance.ResourceGroupName
+	$managedInstanceName = $managedInstance.ManagedInstanceName
+	$managedInstanceResourceId = $managedInstance.Id
+
+	# Test Add
+	$keyResult = Add-AzSqlInstanceKeyVaultKey -ResourceGroupName $mangedInstanceRg -InstanceName $managedInstanceName -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult.KeyId "KeyId mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+
+	
+	# Test Get
+	$keyResult2 = $managedInstance | Get-AzSqlInstanceKeyVaultKey -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult2.KeyId "KeyId mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult2.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+		
+	# Test List
+	$keyResults = Get-AzSqlInstanceKeyVaultKey -InstanceResourceId $managedInstanceResourceId
+	Assert-True {$keyResults.Count -gt 0} "List count <= 0 after calling (List) Get-AzSqlInstanceKeyVaultKey without KeyId"
+}
+
+<#
+	.SYNOPSIS
+	Tests for managing TDE keyVaultKey in managed instance 
+#>
+function Test-ManagedInstanceKeyVaultKey
+{
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$managedInstance = Get-ManagedInstanceForTdeTest $params
+	$mangedInstanceRg = $managedInstance.ResourceGroupName
+	$managedInstanceName = $managedInstance.ManagedInstanceName
+
+	# Test Add
+	$keyResult = Add-AzSqlInstanceKeyVaultKey -ResourceGroupName $mangedInstanceRg -InstanceName $managedInstanceName -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult.KeyId "KeyId mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+
+	
+	# Test Get
+	$keyResult2 = Get-AzSqlInstanceKeyVaultKey -ResourceGroupName $mangedInstanceRg -InstanceName $managedInstanceName -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult2.KeyId "KeyId mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult2.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+		
+	# Test List
+	$keyResults = Get-AzSqlInstanceKeyVaultKey -ResourceGroupName $mangedInstanceRg -InstanceName $managedInstanceName
+	Assert-True {$keyResults.Count -gt 0} "List count <= 0 after calling (List) Get-AzSqlInstanceKeyVaultKey without KeyId"
+}
+
+
+<#
+	.SYNOPSIS
+	Tests for managing TDE keyVaultKey in managed instance using input object parameter set
+#>
+function Test-ManagedInstanceKeyVaultKeyInputObject
+{
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$managedInstance = Get-ManagedInstanceForTdeTest $params
+	$mangedInstanceRg = $managedInstance.ResourceGroupName
+	$managedInstanceName = $managedInstance.ManagedInstanceName
+
+	# Test Add
+	$keyResult = Add-AzSqlInstanceKeyVaultKey -Instance $managedInstance -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult.KeyId "KeyId mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+
+	
+	# Test Get
+	$keyResult2 = Get-AzSqlInstanceKeyVaultKey -Instance $managedInstance -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult2.KeyId "KeyId mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult2.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+
+	
+	# Test List
+	$keyResults = Get-AzSqlInstanceKeyVaultKey -Instance $managedInstance 
+	
+	Assert-True {$keyResults.Count -gt 0} "List count <= 0 after calling (List) Get-AzSqlInstanceKeyVaultKey without KeyId"
+}
+
+
+<#
+	.SYNOPSIS
+	Tests for managing TDE keyVaultKey in managed instance using resource id parameter set
+#>
+function Test-ManagedInstanceKeyVaultKeyResourceId
+{
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$managedInstance = Get-ManagedInstanceForTdeTest $params
+	$mangedInstanceRg = $managedInstance.ResourceGroupName
+	$managedInstanceName = $managedInstance.ManagedInstanceName
+	$managedInstanceResourceId = $managedInstance.Id
+
+	# Test Add
+	$keyResult = Add-AzSqlInstanceKeyVaultKey -InstanceResourceId $managedInstanceResourceId -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult.KeyId "KeyId mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+
+	
+	# Test Get
+	$keyResult2 = Get-AzSqlInstanceKeyVaultKey -InstanceResourceId $managedInstanceResourceId -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult2.KeyId "KeyId mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult2.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+
+	
+	# Test List
+	$keyResults = Get-AzSqlInstanceKeyVaultKey -InstanceResourceId $managedInstanceResourceId 
+	
+	Assert-True {$keyResults.Count -gt 0} "List count <= 0 after calling (List) Get-AzSqlInstanceKeyVaultKey without KeyId"
+}
+
+
+<#
+	.SYNOPSIS
+	Tests for managing TDE keyVaultKey in managed instance using piping
+#>
+function Test-ManagedInstanceKeyVaultKeyPiping
+{
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$managedInstance = Get-ManagedInstanceForTdeTest $params
+	$mangedInstanceRg = $managedInstance.ResourceGroupName
+	$managedInstanceName = $managedInstance.ManagedInstanceName
+
+	# Test Add
+	$keyResult = $managedInstance | Add-AzSqlInstanceKeyVaultKey -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult.KeyId "KeyId mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Add-AzSqlInstanceKeyVaultKey"
+
+	
+	# Test Get
+	$keyResult2 = $managedInstance | Get-AzSqlInstanceKeyVaultKey -KeyId $params.keyId
+
+	Assert-AreEqual $params.keyId $keyResult2.KeyId "KeyId mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+	Assert-AreEqual $params.serverKeyName $keyResult2.ManagedInstanceKeyName "ManagedInstanceKeyName mismatch after calling Get-AzSqlInstanceKeyVaultKey"
+
+	
+	# Test List
+	$keyResults = $managedInstance | Get-AzSqlInstanceKeyVaultKey
+	
+	Assert-True {$keyResults.Count -gt 0} "List count <= 0 after calling (List) Get-AzSqlInstanceKeyVaultKey without KeyId"
+}