Deprecate DisableSoftDelete in New-AzKeyVault & EnableSoftDelete in Update-AzKeyVault (#13224)

* deprecate DisableSoftDelete & EnableSoftDelete

* update help markdown

* suppress breaking change issues

Author: BethanyZhou

src/KeyVault/KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1

@@ -127,12 +127,6 @@ function Test-CreateNewVault {
         Assert-AreEqual $true $actual.EnabledForDeployment
         Assert-AreEqual 0 @($actual.AccessPolicies).Count
 
-        # Test disable soft delete
-        $actual = New-AzKeyVault -VaultName $vault3Name -ResourceGroupName $rgName -Location $vaultLocation -Sku standard -DisableSoftDelete
-        Assert-False { $actual.EnableSoftDelete }
-        Assert-Null $actual.EnablePurgeProtection "If -DisableSoftDelete, EnablePurgeProtection should be null"
-        Assert-Null $actual.SoftDeleteRetentionInDays "If -DisableSoftDelete, SoftDeleteRetentionInDays should be null"
-
         # Test enable purge protection & customize retention days
         $actual = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation -Sku standard -EnablePurgeProtection -SoftDeleteRetentionInDays 10
         Assert-True { $actual.EnableSoftDelete } "By default EnableSoftDelete should be true"
@@ -143,9 +137,6 @@ function Test-CreateNewVault {
         $actual = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation -EnableRbacAuthorization
         Assert-True { $actual.EnableRbacAuthorization } "If specified, EnableRbacAuthorization should be true"
 
-        # # Test use -DisableSoftDelete -EnablePurgeProtection together (TODO: uncomment this assert after keyvault team deploys their fix)
-        # Assert-Throws { New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation -Sku standard -DisableSoftDelete -EnablePurgeProtection }
-
         # Test positional parameters
         $actual = New-AzKeyVault $vault4Name $rgName $vaultLocation
         Assert-NotNull $actual
@@ -784,32 +775,16 @@ function Test-UpdateKeyVault {
 
     try {
         $rg = New-AzResourceGroup -Name $resourceGroupName -Location $resourceGroupLocation
-        $vault = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $resourceGroupName -Location $vaultLocation -DisableSoftDelete
-        Assert-True { $vault.EnableSoftDelete -ne $true } "1. EnableSoftDelete should not be true"
-        Assert-True { $vault.EnablePurgeProtection -ne $true } "1. EnablePurgeProtection should not be true"
-
-        # Enable soft delete first
-        $vault = $vault | Update-AzKeyVault -EnableSoftDelete
-        Assert-True { $vault.EnableSoftDelete } "2. EnableSoftDelete should be true"
-        Assert-True { $vault.EnablePurgeProtection -ne $true } "2. EnablePurgeProtection should not be true"
-        Assert-AreEqual 90 $vault.SoftDeleteRetentionInDays "2. SoftDeleteRetentionInDays should default to 90"
-
-        # Enable again
-        $vault = $vault | Update-AzKeyVault -EnableSoftDelete
-        Assert-True { $vault.EnableSoftDelete } "2.5. EnableSoftDelete should be true"
-        Assert-True { $vault.EnablePurgeProtection -ne $true } "2.5. EnablePurgeProtection should not be true"
+        $originVault = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $resourceGroupName -Location $vaultLocation
+        Assert-True { $originVault.EnableSoftDelete } "1. EnableSoftDelete should be true"
+        Assert-True { $originVault.EnablePurgeProtection -ne $true } "1. EnablePurgeProtection should not be true"
+        Assert-AreEqual 90 $originVault.SoftDeleteRetentionInDays "1. SoftDeleteRetentionInDays should default to 90"
 
         # Then enable purge protection
-        $vault = $vault | Update-AzKeyVault -EnablePurgeProtection
+        $vault = $originVault | Update-AzKeyVault -EnablePurgeProtection
         Assert-True { $vault.EnableSoftDelete } "3. EnableSoftDelete should be true"
         Assert-True { $vault.EnablePurgeProtection } "3. EnablePurgeProtection should be true"
-
-        # Enable both together (& custom retention days)
-        $vault = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $resourceGroupName -Location $vaultLocation -DisableSoftDelete
-        $vault = $vault | Update-AzKeyVault -EnableSoftDelete -EnablePurgeProtection -SoftDeleteRetentionInDays 77
-        Assert-True { $vault.EnableSoftDelete } "4. EnableSoftDelete should be true"
-        Assert-True { $vault.EnablePurgeProtection } "4. EnablePurgeProtection should be true"
-        Assert-AreEqual 77 $vault.SoftDeleteRetentionInDays "4. SoftDeleteRetentionInDays should be updated"
+        Assert-True { $vault.SoftDeleteRetentionInDays -eq $originVault.SoftDeleteRetentionInDays }
 
         # # Only enable purge protection (TODO: uncomment this assert after keyvault team deploys their fix)
         # $vault = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $resourceGroupName -Location $vaultLocation

src/KeyVault/KeyVault.Test/SessionRecords/Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests/TestUpdateVault.json

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Deprecated parameter DisableSoftDelete in `New-AzKeyVault` and EnableSoftDelete in `Update-AzKeyVault`
 * Removed attribute SecretValueText to avoid displaying SecretValue directly [#12266]
 
 ## Version 2.2.1

src/KeyVault/KeyVault/ChangeLog.md

@@ -16,21 +16,16 @@
 using Microsoft.Azure.Commands.KeyVault.Properties;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Management.KeyVault.Models;
-using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 using System;
 using System.Collections;
-using System.Linq;
 using System.Management.Automation;
 
 namespace Microsoft.Azure.Commands.KeyVault
 {
     /// <summary>
     /// Create a new key vault.
     /// </summary>
-    [GenericBreakingChange("The ability to create new key vaults with soft delete disabled will be deprecated by December 2020. " +
-        "All key vaults will be required to have soft delete enabled. Please see the following documentation for additional guidance. " +
-        "https://docs.microsoft.com/azure/key-vault/general/soft-delete-change")]
     [Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "KeyVault", SupportsShouldProcess = true)]
     [OutputType(typeof(PSKeyVault))]
     public class NewAzureKeyVault : KeyVaultManagementCmdletBase
@@ -87,13 +82,6 @@ public class NewAzureKeyVault : KeyVaultManagementCmdletBase
             HelpMessage = "If specified, enables secrets to be retrieved from this key vault by Azure Disk Encryption.")]
         public SwitchParameter EnabledForDiskEncryption { get; set; }
 
-        public const String DisableSoftDeleteChangeDesc = "DisableSoftDelete will be deprecated without being replaced.";
-
-        [CmdletParameterBreakingChange("DisableSoftDelete", "3.0.0", ChangeDescription = DisableSoftDeleteChangeDesc)]
-        [Parameter(Mandatory = false,
-            HelpMessage = "If specified, 'soft delete' functionality is disabled for this key vault.")]
-        public SwitchParameter DisableSoftDelete { get; set; }
-
         [Parameter(Mandatory = false,
             HelpMessage = "If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well. Enabling 'purge protection' on a key vault is an irreversible action. Once enabled, it cannot be changed or removed.")]
         public SwitchParameter EnablePurgeProtection { get; set; }
@@ -170,20 +158,16 @@ public override void ExecuteCmdlet()
                     EnabledForDeployment = this.EnabledForDeployment.IsPresent,
                     EnabledForTemplateDeployment = EnabledForTemplateDeployment.IsPresent,
                     EnabledForDiskEncryption = EnabledForDiskEncryption.IsPresent,
-                    EnableSoftDelete = !DisableSoftDelete.IsPresent,
+                    EnableSoftDelete = null,
                     EnablePurgeProtection = EnablePurgeProtection.IsPresent ? true : (bool?)null, // false is not accepted
                     EnableRbacAuthorization = EnableRbacAuthorization.IsPresent,
-
                     /*
-                     * If soft delete is enabled, but retention days is not specified, use the default value,
-                     * else use the vault user provides,
-                     * else use null
+                     * If retention days is not specified, use the default value,
+                     * else use the vault user provides
                      */
-                    SoftDeleteRetentionInDays = DisableSoftDelete.IsPresent
-                        ? null as int?
-                        : (this.IsParameterBound(c => c.SoftDeleteRetentionInDays)
+                    SoftDeleteRetentionInDays = this.IsParameterBound(c => c.SoftDeleteRetentionInDays)
                             ? SoftDeleteRetentionInDays
-                            : Constants.DefaultSoftDeleteRetentionDays),
+                            : Constants.DefaultSoftDeleteRetentionDays,
                     SkuFamilyName = DefaultSkuFamily,
                     SkuName = this.Sku,
                     TenantId = GetTenantId(),

src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs

@@ -16,15 +16,12 @@
 using Microsoft.Azure.Commands.KeyVault.Properties;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
-using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
 using System;
 using System.Globalization;
 using System.Management.Automation;
 
 namespace Microsoft.Azure.Commands.KeyVault
 {
-    [GenericBreakingChange("If you have soft-delete protection enabled on this key vault, you will not be able to reuse this key vault name until the key vault has been purged from the soft deleted state. " +
-        "Please see the following documentation for additional guidance. https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview")]
     [Cmdlet("Remove", ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "KeyVault",SupportsShouldProcess = true,DefaultParameterSetName = RemoveVaultParameterSet)]
     [OutputType(typeof(bool))]
     public class RemoveAzureKeyVault : KeyVaultManagementCmdletBase

src/KeyVault/KeyVault/Commands/RemoveAzureKeyVault.cs

@@ -12,21 +12,17 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 
-using System.Globalization;
-using System.Management.Automation;
 using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.Commands.KeyVault.Properties;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
-using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
+using System.Globalization;
+using System.Management.Automation;
 
 namespace Microsoft.Azure.Commands.KeyVault
 {
     /// <summary>
     /// The Remove-AzKeyVaultCertificate cmdlet deletes a certificate in an Azure Key Vault. 
     /// </summary>
-    [GenericBreakingChange("If you have soft-delete protection enabled on this key vault, this certificate will be moved to the soft deleted state. " +
-        "You will not be able to create a certificate with the same name within this key vault until the certificate has been purged from the soft-deleted state. " +
-        "Please see the following documentation for additional guidance. https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview")]
     [Cmdlet("Remove", ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultCertificate",SupportsShouldProcess = true,DefaultParameterSetName = ByVaultNameAndNameParameterSet)]
     [OutputType(typeof(PSDeletedKeyVaultCertificate))]
     public class RemoveAzureKeyVaultCertificate : KeyVaultCmdletBase

src/KeyVault/KeyVault/Commands/RemoveAzureKeyVaultCertificate.cs

@@ -13,17 +13,13 @@
 // ----------------------------------------------------------------------------------
 
 using Microsoft.Azure.Commands.KeyVault.Models;
-using System.Globalization;
-using System.Management.Automation;
 using Microsoft.Azure.Commands.KeyVault.Properties;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
-using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
+using System.Globalization;
+using System.Management.Automation;
 
 namespace Microsoft.Azure.Commands.KeyVault
 {
-    [GenericBreakingChange("If you have soft - delete protection enabled on this key vault, this key will be moved to the soft deleted state. " +
-        "You will not be able to create a key with the same name within this key vault until the key has been purged from the soft-deleted state. " +
-        "Please see the following documentation for additional guidance.https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview")]
     [Cmdlet("Remove", ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultKey",SupportsShouldProcess = true,DefaultParameterSetName = ByVaultNameParameterSet)]
     [OutputType(typeof(PSDeletedKeyVaultKey))]
     public class RemoveAzureKeyVaultKey : KeyVaultCmdletBase

src/KeyVault/KeyVault/Commands/RemoveAzureKeyVaultKey.cs

@@ -49,24 +49,13 @@ public class UpdateTopLevelResourceCommand : KeyVaultManagementCmdletBase
         [Parameter(Mandatory = true, ValueFromPipelineByPropertyName = true, ParameterSetName = UpdateByResourceIdParameterSet, HelpMessage = "Resource ID of the key vault.")]
         [ValidateNotNullOrEmpty]
         public string ResourceId { get; set; }
-        
-        public const String EnableSoftDeleteChangeDesc = "EnableSoftDelete will be deprecated without being replaced.";
-
-        [CmdletParameterBreakingChange("EnableSoftDelete", "3.0.0", ChangeDescription = EnableSoftDeleteChangeDesc)]
-        [Parameter(Mandatory = false, HelpMessage = "Enable the soft-delete functionality for this key vault. Once enabled it cannot be disabled.")]
-        public SwitchParameter EnableSoftDelete { get; set; }
-
+       
         [Parameter(Mandatory = false, HelpMessage = "Enable the purge protection functionality for this key vault. Once enabled it cannot be disabled. It requires soft-delete to be turned on.")]
         public SwitchParameter EnablePurgeProtection { get; set; }
 
         [Parameter(Mandatory = false, HelpMessage = "Enable or disable this key vault to authorize data actions by Role Based Access Control (RBAC).")]
         public bool? EnableRbacAuthorization { get; set; }
 
-        [Parameter(Mandatory = false, HelpMessage = "Specifies how long deleted resources are retained, and how long until a vault or an object in the deleted state can be purged. The default is " + Constants.DefaultSoftDeleteRetentionDaysString + " days.")]
-        [ValidateRange(Constants.MinSoftDeleteRetentionDays, Constants.MaxSoftDeleteRetentionDays)]
-        [ValidateNotNullOrEmpty]
-        public int SoftDeleteRetentionInDays { get; set; }
-
         public override void ExecuteCmdlet()
         {
             if (this.IsParameterBound(c => c.InputObject))
@@ -104,12 +93,10 @@ public override void ExecuteCmdlet()
                     existingResource.EnabledForDeployment,
                     existingResource.EnabledForTemplateDeployment,
                     existingResource.EnabledForDiskEncryption,
-                    EnableSoftDelete.IsPresent ? (true as bool?) : null,
+                    null,
                     EnablePurgeProtection.IsPresent ? (true as bool?) : null,
                     EnableRbacAuthorization,
-                    this.IsParameterBound(c => c.SoftDeleteRetentionInDays)
-                        ? (SoftDeleteRetentionInDays as int?)
-                        : (existingResource.SoftDeleteRetentionInDays ?? Constants.DefaultSoftDeleteRetentionDays),
+                    null,
                     existingResource.NetworkAcls
                 );
 

src/KeyVault/KeyVault/Commands/UpdateAzureKeyVault.cs

@@ -378,6 +378,10 @@
                 <Label>Soft Delete Retention Period (days)</Label>
                 <PropertyName>SoftDeleteRetentionInDays</PropertyName>
               </ListItem>
+              <ListItem>
+                <Label>Enabled Purge Protection?</Label>
+                <PropertyName>EnablePurgeProtection</PropertyName>
+              </ListItem>
               <ListItem>
                 <Label>Access Policies</Label>
                 <PropertyName>AccessPoliciesText</PropertyName>

src/KeyVault/KeyVault/KeyVault.format.ps1xml

@@ -15,7 +15,7 @@ Creates a key vault.
 
 ```
 New-AzKeyVault [-Name] <String> [-ResourceGroupName] <String> [-Location] <String> [-EnabledForDeployment]
- [-EnabledForTemplateDeployment] [-EnabledForDiskEncryption] [-DisableSoftDelete] [-EnablePurgeProtection]
+ [-EnabledForTemplateDeployment] [-EnabledForDiskEncryption] [-EnablePurgeProtection]
  [-EnableRbacAuthorization] [-SoftDeleteRetentionInDays <Int32>] [-Sku <SkuName>] [-Tag <Hashtable>]
  [-NetworkRuleSet <PSKeyVaultNetworkRuleSet>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
@@ -135,21 +135,6 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -DisableSoftDelete
-If specified, 'soft delete' functionality is disabled for this key vault.
-
-```yaml
-Type: System.Management.Automation.SwitchParameter
-Parameter Sets: (All)
-Aliases:
-
-Required: False
-Position: Named
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
-
 ### -EnabledForDeployment
 Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this
 key vault is referenced in resource creation, for example when creating a virtual machine.

src/KeyVault/KeyVault/help/New-AzKeyVault.md

@@ -14,37 +14,28 @@ Update the state of an Azure key vault.
 
 ### UpdateByNameParameterSet (Default)
 ```
-Update-AzKeyVault -ResourceGroupName <String> -VaultName <String> [-EnableSoftDelete] [-EnablePurgeProtection]
- [-EnableRbacAuthorization <Boolean>] [-SoftDeleteRetentionInDays <Int32>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
+Update-AzKeyVault -ResourceGroupName <String> -VaultName <String> [-EnablePurgeProtection]
+ [-EnableRbacAuthorization <Boolean>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ### UpdateByInputObjectParameterSet
 ```
-Update-AzKeyVault -InputObject <PSKeyVault> [-EnableSoftDelete] [-EnablePurgeProtection]
- [-EnableRbacAuthorization <Boolean>] [-SoftDeleteRetentionInDays <Int32>]
+Update-AzKeyVault -InputObject <PSKeyVault> [-EnablePurgeProtection] [-EnableRbacAuthorization <Boolean>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### UpdateByResourceIdParameterSet
 ```
-Update-AzKeyVault -ResourceId <String> [-EnableSoftDelete] [-EnablePurgeProtection]
- [-EnableRbacAuthorization <Boolean>] [-SoftDeleteRetentionInDays <Int32>]
+Update-AzKeyVault -ResourceId <String> [-EnablePurgeProtection] [-EnableRbacAuthorization <Boolean>]
  [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
 This cmdlet updates the state of an Azure key vault.
-Please note updating some of the properties is an irreversible action, for example once soft delete has been enabled, it cannot be disabled anymore.
 
 ## EXAMPLES
 
-### Example 1
-```powershell
-PS C:\> Update-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnableSoftDelete
-```
-
-Enables soft delete on the key vault named `$keyVaultName` in resource group `$resourceGroupName`.
 
 ### Example 1
 ```powershell
@@ -102,22 +93,6 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -EnableSoftDelete
-Enable the soft-delete functionality for this key vault.
-Once enabled it cannot be disabled.
-
-```yaml
-Type: System.Management.Automation.SwitchParameter
-Parameter Sets: (All)
-Aliases:
-
-Required: False
-Position: Named
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
-
 ### -InputObject
 Key vault object.
 
@@ -163,21 +138,6 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
-### -SoftDeleteRetentionInDays
-Specifies how long deleted resources are retained, and how long until a vault or an object in the deleted state can be purged. The default is 90 days.
-
-```yaml
-Type: System.Int32
-Parameter Sets: (All)
-Aliases:
-
-Required: False
-Position: Named
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
-
 ### -VaultName
 Name of the key vault.