Added UserIndentity support for Customer Managed Keys (#15859)

added test cases

updated changeLog

updated help files

re-recorded tests

Author: hiaga

src/RecoveryServices/RecoveryServices.Backup.Models/Properties/Resources.Designer.cs

@@ -658,4 +658,19 @@ Please contact Microsoft for further assistance.</value>
   <data name="MultipleMSIProvidedForRestore" xml:space="preserve">
     <value>MSI based Restore can't use both SystemAssigned and UserAssigned identities</value>
   </data>
+  <data name="IdentityIdRequired" xml:space="preserve">
+    <value>IdentityId can't be empty for UserAssigned Identities</value>
+  </data>
+  <data name="IdentityIdRequiredForCMK" xml:space="preserve">
+    <value>Please input a valid UserAssignedIdentity</value>
+  </data>
+  <data name="InvalidIdentityId" xml:space="preserve">
+    <value>IdentityId '{0}' is invalid</value>
+  </data>
+  <data name="InvalidIdentityRemove" xml:space="preserve">
+    <value>UserAssigned and SystemAssigned identities can't be removed together</value>
+  </data>
+  <data name="InvalidParameterIdentityId" xml:space="preserve">
+    <value>Invalid parameter IdentityId. IdentityId can't be set for SystemAssigned Identities</value>
+  </data>
 </root>

src/RecoveryServices/RecoveryServices.Backup.Models/Properties/Resources.resx

@@ -82,7 +82,21 @@ public RestAzureNS.AzureOperationResponse UpdateVaultEncryptionConfig(string res
             return BmsAdapter.Client.BackupResourceEncryptionConfigs.UpdateWithHttpMessagesAsync(
                 vaultName, resouceGroupName, encryptionConfigResource).Result;
         }
-        
+
+        /// <summary>  
+        /// Method to Update Azure Recovery Services Vault Encryption Properties  
+        /// </summary>  
+        /// <param name="resouceGroupName">Name of the resouce group</param>  
+        /// <param name="vaultName">Name of the vault</param>  
+        /// <param name="encryptionConfigResource">update encryption config</param>  
+        /// <returns>Azure Resource Encryption response object.</returns>  
+        public RestAzureNS.AzureOperationResponse UpdateVaultEncryption(string resouceGroupName, string vaultName,
+            BackupResourceEncryptionConfigResource encryptionConfigResource)
+        {
+            return BmsAdapter.Client.BackupResourceEncryptionConfigs.UpdateWithHttpMessagesAsync(
+                vaultName, resouceGroupName, encryptionConfigResource).Result;
+        }
+
         /// <summary>  
         /// Method to get Recovery Services Vault.
         /// </summary>  
@@ -98,6 +112,19 @@ public ARSVault GetVault(string resouceGroupName, string vaultName)
             return vault;
         }
 
+        /// <summary>  
+        /// Method to create or update Recovery Services Vault.
+        /// </summary>  
+        /// <param name="resouceGroupName">Name of the resouce group</param>  
+        /// <param name="vaultName">Name of the vault</param>  
+        /// <param name="patchVault">patch vault object to patch the recovery services Vault</param>
+        /// <returns>Azure Recovery Services Vault.</returns> 
+        public Vault UpdateRSVault(string resouceGroupName, string vaultName, PatchVault patchVault)
+        {
+            var response = RSAdapter.Client.Vaults.UpdateWithHttpMessagesAsync(resouceGroupName, vaultName, patchVault).Result;
+            return response.Body;
+        }
+
         /// <summary>
         /// Method to get secondary region AAD properties
         /// </summary>

src/RecoveryServices/RecoveryServices.Backup.ServiceClientAdapter/BMSAPIs/VaultAPIs.cs

@@ -12,7 +12,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-	  <PackageReference Include="Microsoft.Azure.Management.RecoveryServices" Version="4.3.1-preview" />
+	  <PackageReference Include="Microsoft.Azure.Management.RecoveryServices" Version="4.3.2-preview" />
 	  <PackageReference Include="Microsoft.Azure.Management.RecoveryServices.Backup" Version="4.1.9-preview" />
 	  <PackageReference Include="System.Configuration.ConfigurationManager" Version="4.4.1" />
   </ItemGroup>

src/RecoveryServices/RecoveryServices.Backup.ServiceClientAdapter/RecoveryServices.Backup.ServiceClientAdapter.csproj

@@ -13,7 +13,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Management.Compute" Version="49.1.0" />
     <PackageReference Include="Microsoft.Azure.Management.Network" Version="20.6.0" />
-    <PackageReference Include="Microsoft.Azure.Management.RecoveryServices" Version="4.3.1-preview" />
+    <PackageReference Include="Microsoft.Azure.Management.RecoveryServices" Version="4.3.2-preview" />
     <PackageReference Include="Microsoft.Azure.Management.RecoveryServices.Backup" Version="4.1.9-preview" />
   </ItemGroup>
 

src/RecoveryServices/RecoveryServices.Backup.Test/RecoveryServices.Backup.Test.csproj

@@ -19,6 +19,11 @@ $resourceId = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourceGroup
 
 function Get-AzureVmWorkloadContainer
 {
+   $resourceGroupName = "pstestwlRG1bca8"
+   $vaultName = "pstestwlRSV1bca8"
+   $containerName = "PSTestVM235870"
+   $resourceId = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourceGroups/PSTestRG235879ba/providers/Microsoft.Compute/virtualMachines/PSTestVM235870"
+    
    try
    {
       $vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $vaultName

src/RecoveryServices/RecoveryServices.Backup.Test/ScenarioTests/AzureWorkload/ContainerTests.ps1

@@ -166,5 +166,14 @@ public void TestAzureVMRestoreWithMSI()
             TestController.NewInstance.RunPsTest(
                 _logger, PsBackupProviderTypes.IaasVm, "Test-AzureVMRestoreWithMSI");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(TestConstants.Workload, TestConstants.AzureVM)]
+        public void TestAzureRSVaultCMK()
+        {
+            TestController.NewInstance.RunPsTest(
+                _logger, PsBackupProviderTypes.IaasVm, "Test-AzureRSVaultCMK");
+        }
     }
 }

src/RecoveryServices/RecoveryServices.Backup.Test/ScenarioTests/IaasVm/ItemTests.cs

@@ -12,6 +12,42 @@
 # limitations under the License.
 # ----------------------------------------------------------------------------------
 
+
+function Test-AzureRSVaultCMK
+{
+	$location = "centraluseuap"
+	$resourceGroupName = "hiagarg"
+	$vaultName = "cmk-pstest-vault"
+	$keyVault = "cmk-pstest-keyvault"
+	$encryptionKeyId = "https://cmk-pstest-keyvault.vault.azure.net/keys/cmk-pstest-key/5569d5a163ee474cad2da4ac334af9d7"
+
+	try
+	{	
+		# Setup
+		$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $vaultName
+
+		# error scenario
+		Assert-ThrowsContains { Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false } `
+		"Please input a valid UserAssignedIdentity";	
+
+		# set and verify - CMK encryption property to UAI 
+		Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false  -UserAssignedIdentity $vault.Identity.UserAssignedIdentities.Keys[0]
+		$prop = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
+		Assert-True { $prop.encryptionProperties.UserAssignedIdentity -eq $vault.Identity.UserAssignedIdentities.Keys[0] }
+
+		Start-TestSleep 10000
+
+		# set and verify - CMK encryption property to system identity 	
+		Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -UseSystemAssignedIdentity $true
+		$prop = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
+		Assert-True { $prop.encryptionProperties.UseSystemAssignedIdentity }
+	}
+	finally
+	{
+		# no Cleanup		
+	}
+}
+
 function Test-AzureVMRestoreWithMSI
 {
 	$location = "centraluseuap"
@@ -82,31 +118,63 @@ function Test-AzureVMCrossRegionRestore
 
 function Test-AzureRSVaultMSI
 {
+	$location = "centraluseuap"
+	$resourceGroupName = "msi-pstest-rg"
+	$vaultName = "msi-pstest-vault"
+
+	$identityId1 = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourceGroups/msi-pstest-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pstest-msi1"
+	$identityId2 = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourceGroups/msi-pstest-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pstest-msi2"
+	$identityId3 = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourceGroups/msi-pstest-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pstest-msi3"
+
 	try
-	{		
-		$location = "southeastasia"
-		$resourceGroupName = Create-ResourceGroup $location 22	
-		$vault = Create-RecoveryServicesVault $resourceGroupName $location
-	
-		# disable soft delete for successful cleanup
-		Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState "Disable"
-	
+	{	
 		# get Identity - verify Empty 
-		$vault = Get-AzRecoveryServicesVault -Name $vault.Name -ResourceGroupName $vault.ResourceGroupName
-		Assert-True { $vault.Identity -eq $null }
+		$vault = Get-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $resourceGroupName
 
 		# set Identity - verify System assigned
+		$updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -IdentityType "None"
 		$updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -IdentityType "SystemAssigned"
 		Assert-True { $updatedVault.Identity.Type -eq "SystemAssigned" }
-	
+
+		# add UAI 1, 2 and 3 to the vault 
+		$updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -IdentityType UserAssigned -IdentityId $identityId1, $identityId2, $identityId3
+		
+		# verify that UAI 1, 2 and 3 are added to vault 
+		Assert-True { $updatedVault.Identity.UserAssignedIdentities.Keys.Contains($identityId1) }
+		Assert-True { $updatedVault.Identity.UserAssignedIdentities.Keys.Contains($identityId2) }
+		Assert-True { $updatedVault.Identity.UserAssignedIdentities.Keys.Contains($identityId3) }
+
+		# remove UAI 1 and 214 (should throw error)
+		$identityId = $identityId2 + "14"
+		
+		Assert-ThrowsContains { $updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -RemoveUserAssigned -IdentityId $identityId1, $identityId } `
+		"IdentityId '" + $identityId +  "' is invalid";
+		
+		# remove UAI 1 from vault
+		$updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -RemoveUserAssigned -IdentityId $identityId1
+		
+		# Remove both SystemAssigned and UserAssigned identities simultaneously (would throw error)	
+		Assert-ThrowsContains { $updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -RemoveUserAssigned -IdentityId $identityId2 -RemoveSystemAssigned } `
+		"UserAssigned and SystemAssigned identities can't be removed together";		
+		
+		# remove all present UAI from vault 
+		$updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -RemoveUserAssigned -IdentityId $identityId2, $identityId3
+		Assert-True { $updatedVault.Identity.Type -eq "SystemAssigned" }
+		
+		# remove SystemAssigned identity from the vault 
+		$updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -RemoveSystemAssigned
+		Assert-True { $updatedVault.Identity.Type -eq "None" }
+		
+		# add UAI 3 to the vault
+		$updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -IdentityType UserAssigned -IdentityId $identityId3
+		
 		# remove Identity - verify empty again 
-		$rm = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -IdentityType "None"
-		Assert-True { $rm.Identity.Type -eq "None" }	
+		$updatedVault = Update-AzRecoveryServicesVault -ResourceGroupName $vault.ResourceGroupName -Name $vault.Name -IdentityType "None"
+		Assert-True { $updatedVault.Identity.Type -eq "None" }
 	}
 	finally
 	{
-		# Cleanup
-		Cleanup-ResourceGroup $resourceGroupName
+		# no cleanup		
 	}
 }