[HDInsight]-Add disk encryption related cmdlet for hdi cluster (#11761)

* Add disk encryption related cmdlet for hdi cluster.Fix new hdicluster help doc.

* Fix CI failures.

* Update default parameter set for cmdlet.

* Add ShouldProcess  supported.

Author: sunsw1994

src/HDInsight/HDInsight.Test/HDInsight.Test.csproj

@@ -11,8 +11,11 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.5" />
     <PackageReference Include="Microsoft.Azure.Management.HDInsight" Version="5.3.0" />
     <PackageReference Include="Microsoft.Azure.Management.HDInsight.Job" Version="2.0.7" />
+    <PackageReference Include="Microsoft.Azure.Management.KeyVault" Version="3.0.0" />
+    <PackageReference Include="Microsoft.Azure.Management.ManagedServiceIdentity" Version="0.11.0" />
     <PackageReference Include="Microsoft.Azure.Management.OperationalInsights" Version="0.19.0-preview" />
   </ItemGroup>
 

src/HDInsight/HDInsight.Test/ScenarioTests/Common.ps1

@@ -28,6 +28,29 @@ function Generate-StorageAccountName([string] $prefix="psstorage"){
 	return getAssetName($prefix)
 }
 
+<#
+.SYNOPSIS
+Get service principal id
+#>
+function Get-PrincipalObjectId{
+	return [Commands.HDInsight.Test.ScenarioTests.TestHelper]::GetServicePrincipalObjectId()
+}
+
+<#
+.SYNOPSIS
+Add key to vault.
+#>
+function Create-KeyIdentity{
+	param(
+		[string] $resourceGroupName="group-ps-cmktest",
+		[string] $vaultName="vault-ps-cmktest",
+		[string] $keyName="key-ps-cmktest"
+		)
+	$vault = [Commands.HDInsight.Test.ScenarioTests.TestHelper]::GetVault($resourceGroupName,$vaultName)
+	$keyIdentity = [Commands.HDInsight.Test.ScenarioTests.TestHelper]::GenerateVaultKey($vault,$keyName)
+	return $keyIdentity
+}
+
 <#
 .SYNOPSIS
 Create cluster
@@ -39,7 +62,11 @@ function Create-Cluster{
       [string] $resourceGroupName="group-ps-test",
       [string] $clusterType="Spark",
       [string] $storageAccountName="storagepstest",
-      [string] $minSupportedTlsVersion="1.2"
+      [string] $minSupportedTlsVersion="1.2",
+      [bool] $enableCMK=$false,
+      [string] $assignedIdentityName="ami-ps-cmktest",
+	  [string] $vaultName="vault-ps-cmktest",
+	  [string] $keyName="key-ps-cmktest"
     )
 
     $clusterName=Generate-Name($clusterName)
@@ -64,9 +91,35 @@ function Create-Cluster{
 
     $clusterSizeInNodes=2
 
-    $cluster=New-AzHDInsightCluster -Location $location -ResourceGroupName $resourceGroup.ResourceGroupName -ClusterName $clusterName `
-             -ClusterSizeInNodes $clusterSizeInNodes -ClusterType $clusterType -DefaultStorageAccountName $storageAccountName `
-             -DefaultStorageAccountKey $storageAccountKey -HttpCredential $httpCredential -SshCredential $sshCredential -MinSupportedTlsVersion $minSupportedTlsVersion
+    if($enableCMK)
+    {
+        # new user-assigned identity
+        $assignedIdentity= New-AzUserAssignedIdentity -ResourceGroupName $resourceGroupName -Name $assignedIdentityName
+        $assignedIdentityId=$assignedIdentity.Id
+        # new key-vault 
+        $encryptionKeyVault=New-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Location $location
+        $principalId = Get-PrincipalObjectId
+        # add access police for key-vault
+        $encryptionKeyVault=Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToKeys create,import,delete,list -PermissionsToSecrets Get,Set -PermissionsToCertificates Get,List
+        $encryptionKeyVault=Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $assignedIdentity.PrincipalId -PermissionsToKeys Get,UnwrapKey,WrapKey -PermissionsToSecrets Get,Set,Delete
+        # new key identity
+        $encryptionKey=Create-KeyIdentity -resourceGroupName $resourceGroupName -vaultName  $vaultName -keyName $keyName
+        $encryptionVaultUri=$encryptionKey.Vault
+        $encryptionKeyVersion=$encryptionKey.Version
+        $encryptionKeyName=$encryptionKey.Name
+        # new hdi cluster with cmk
+        $cluster=New-AzHDInsightCluster -Location $location -ResourceGroupName $resourceGroup.ResourceGroupName -ClusterName $clusterName `
+        -ClusterSizeInNodes $clusterSizeInNodes -ClusterType $clusterType -DefaultStorageAccountName $storageAccountName `
+        -DefaultStorageAccountKey $storageAccountKey -HttpCredential $httpCredential -SshCredential $sshCredential  `
+        -AssignedIdentity $assignedIdentityId -EncryptionKeyName $encryptionKeyName -EncryptionKeyVersion $encryptionKeyVersion `
+        -EncryptionVaultUri $encryptionVaultUri
+    }
+    else
+    {
+        $cluster=New-AzHDInsightCluster -Location $location -ResourceGroupName $resourceGroup.ResourceGroupName -ClusterName $clusterName `
+        -ClusterSizeInNodes $clusterSizeInNodes -ClusterType $clusterType -DefaultStorageAccountName $storageAccountName `
+        -DefaultStorageAccountKey $storageAccountKey -HttpCredential $httpCredential -SshCredential $sshCredential -MinSupportedTlsVersion $minSupportedTlsVersion
+    }
 
     return $cluster
 }

src/HDInsight/HDInsight.Test/ScenarioTests/HDInsightClusterTests.cs

@@ -35,5 +35,12 @@ public void TestClusterRelatedCommands()
         {
             TestController.NewInstance.RunPowerShellTest(_logger, "Test-ClusterRelatedCommands");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestCmkClusterRelatedCommands()
+        {
+            TestController.NewInstance.RunPowerShellTest(_logger, "Test-CmkClusterRelatedCommands");
+        }
     }
 }

src/HDInsight/HDInsight.Test/ScenarioTests/HDInsightClusterTests.ps1

@@ -43,3 +43,48 @@ function Test-ClusterRelatedCommands{
 	}
 
 }
+
+
+<#
+.SYNOPSIS
+Test Create and Rotate Azure HDInsight Cluster with CMK
+#>
+function Test-CmkClusterRelatedCommands{
+
+	# Create some resources that will be used throughout test
+	try
+	{
+		$location="East US"
+		$clusterName="hdi-ps-cmktest"
+		$clusterName=Generate-Name($clusterName)
+		$vaultName="vault-ps-cmktest"
+		$vaultName=Generate-Name($vaultName)
+		$keyName="key-ps-cmktest"
+		$keyName=Generate-Name($keyName)
+		$assignedIdentityName="ami-ps-cmktest"
+		$assignedIdentityName=Generate-Name($assignedIdentityName)
+		$newKeyName="newkey-ps-cmktest"
+		$newKeyName=Generate-Name($newKeyName)
+
+		# test create cluster
+		$cluster = Create-Cluster -clusterName $clusterName -location $location -enableCMK $true -vaultName $vaultName -KeyName $keyName -assignedIdentityName $assignedIdentityName
+		Assert-NotNull $cluster
+		Assert-AreEqual $cluster.DiskEncryption.KeyName $keyName
+
+		#test Set-AzHDInsightClusterDiskEncryptionKey
+		$encryptionKey=Create-KeyIdentity -resourceGroupName $cluster.ResourceGroup -vaultName $vaultName -keyName $newKeyName
+		$rotateKeyCluster = Set-AzHDInsightClusterDiskEncryptionKey -ClusterName $cluster.Name -ResourceGroupName $cluster.ResourceGroup `
+		-EncryptionKeyName $encryptionKey.Name -EncryptionKeyVersion $encryptionKey.Version -EncryptionVaultUri $encryptionKey.Vault
+		Assert-AreEqual $rotateKeyCluster.DiskEncryption.KeyVersion $encryptionKey.Version
+		Assert-AreEqual $rotateKeyCluster.DiskEncryption.KeyName $encryptionKey.Name
+	}
+	finally
+	{
+		# Delete cluster and resource group
+		Remove-AzHDInsightCluster -ClusterName $cluster.Name
+		Remove-AzResourceGroup -ResourceGroupName $cluster.ResourceGroup
+	}
+
+}
+
+

src/HDInsight/HDInsight.Test/ScenarioTests/TestController.cs

@@ -16,12 +16,15 @@
 using Microsoft.Azure.Management.HDInsight;
 using Microsoft.Azure.Management.Internal.Resources;
 using Microsoft.Azure.Management.OperationalInsights;
+using Microsoft.Azure.Management.ManagedServiceIdentity;
+using Microsoft.Azure.Management.KeyVault;
 using Microsoft.Azure.Management.Storage.Version2017_10_01;
 using Microsoft.Azure.ServiceManagement.Common.Models;
 using Microsoft.Azure.Test.HttpRecorder;
 using Microsoft.Rest.ClientRuntime.Azure.TestFramework;
 using Microsoft.WindowsAzure.Commands.ScenarioTest;
 using Microsoft.WindowsAzure.Commands.Test.Utilities.Common;
+using Microsoft.Azure.KeyVault;
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
@@ -35,13 +38,15 @@ public class TestController : RMTestBase
         private readonly EnvironmentSetupHelper _helper;
 
         public ResourceManagementClient ResourceManagementClient { get; private set; }
-
         public HDInsightManagementClient HDInsightManagementClient { get; private set; }
         public StorageManagementClient StorageManagementClient { get; private set; }
         public OperationalInsightsManagementClient OperationalInsightsManagementClient { get; private set; }
-
+        public KeyVaultManagementClient KeyVaultManagementClient { get; private set; }
+        public KeyVaultClient KeyVaultClient { get; private set; }
+        public ManagedServiceIdentityClient ManagedServiceIdentityClient { get; private set; }
+        public static TestHelper TestHelper { get; private set; }
         public static TestController NewInstance => new TestController();
-
+        
         protected TestController()
         {
             _helper = new EnvironmentSetupHelper();
@@ -53,8 +58,9 @@ protected void SetupManagementClient(MockContext context)
             HDInsightManagementClient = GetHDInsightManagementClient(context);
             StorageManagementClient = GetStorageManagementClient(context);
             OperationalInsightsManagementClient = GetOperationalInsightsManagementClient(context);
-
-            _helper.SetupManagementClients(ResourceManagementClient, HDInsightManagementClient, StorageManagementClient, OperationalInsightsManagementClient);
+            KeyVaultManagementClient = GetKeyVaultManagementClient(context);
+            ManagedServiceIdentityClient = GetManagedServiceIdentityClient(context);
+            _helper.SetupManagementClients(ResourceManagementClient, HDInsightManagementClient, StorageManagementClient, OperationalInsightsManagementClient, KeyVaultManagementClient, ManagedServiceIdentityClient);
         }
 
         public void RunPowerShellTest(XunitTracingInterceptor logger, params string[] scripts)
@@ -74,7 +80,7 @@ public void RunPowerShellTest(XunitTracingInterceptor logger, params string[] sc
                 mockName);
         }
 
-        public void RunPsTestWorkFlow(Func<string[]> scriptBuilder, Action cleanup, string callingClassType, string mockName)
+        public void RunPsTestWorkFlow(Func<string[]> scriptBuilder, System.Action cleanup, string callingClassType, string mockName)
         {
             var d = new Dictionary<string, string>
             {
@@ -95,6 +101,8 @@ public void RunPsTestWorkFlow(Func<string[]> scriptBuilder, Action cleanup, stri
             {
                 SetupManagementClient(context);
                 _helper.SetupEnvironment(AzureModule.AzureResourceManager);
+                KeyVaultClient = GetKeyVaultClient();
+                TestHelper = GetTestHelper();
 
                 var callingClassName = callingClassType.Split(new[] { "." }, StringSplitOptions.RemoveEmptyEntries).Last();
 
@@ -104,6 +112,8 @@ public void RunPsTestWorkFlow(Func<string[]> scriptBuilder, Action cleanup, stri
                     _helper.RMProfileModule,
                     _helper.GetRMModulePath(@"AzureRM.HDInsight.psd1"),
                     _helper.GetRMModulePath("AzureRM.OperationalInsights.psd1"),
+                    _helper.GetRMModulePath("AzureRM.ManagedServiceIdentity.psd1"),
+                    _helper.RMKeyVaultModule,
                     "AzureRM.Storage.ps1",
                     "AzureRM.Resources.ps1");
                 try
@@ -140,5 +150,25 @@ private static OperationalInsightsManagementClient GetOperationalInsightsManagem
         {
             return context.GetServiceClient<OperationalInsightsManagementClient>(TestEnvironmentFactory.GetTestEnvironment());
         }
+
+        private static KeyVaultManagementClient GetKeyVaultManagementClient(MockContext context)
+        {
+            return context.GetServiceClient<KeyVaultManagementClient>(TestEnvironmentFactory.GetTestEnvironment());
+        }
+
+        private static KeyVaultClient GetKeyVaultClient()
+        {
+            return new KeyVaultClient(TestHelper.GetAccessToken, TestHelper.GetHandlers());
+        }
+
+        private static ManagedServiceIdentityClient GetManagedServiceIdentityClient(MockContext context)
+        {
+            return context.GetServiceClient<ManagedServiceIdentityClient>(TestEnvironmentFactory.GetTestEnvironment());
+        }
+
+        private TestHelper GetTestHelper()
+        {
+            return new TestHelper(KeyVaultManagementClient, KeyVaultClient);
+        }
     }
 }