Azure · BethanyZhou · Jun 21, 2021 · Jun 16, 2021 · Jun 16, 2021 · Jun 16, 2021
diff --git a/....Websites.Test.ScenarioTests.CertificatesTests/TestImportAzWebAppKeyVaultCertificate.json b/....Websites.Test.ScenarioTests.CertificatesTests/TestImportAzWebAppKeyVaultCertificate.json
diff --git a/src/Websites/Websites/ChangeLog.md b/src/Websites/Websites/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed `Import-AzWebAppKeyVaultCertificate` to support ServerFarmId [#15091] 
 
 ## Version 2.7.0
 * Fixed issue that prevented removing rules by name and unique identifier in `Remove-AzWebAppAccessRestrictionRule`

diff --git a/src/Websites/Websites/Cmdlets/Certificates/ImportAzWebAppKeyVaultCertificate.cs b/src/Websites/Websites/Cmdlets/Certificates/ImportAzWebAppKeyVaultCertificate.cs
@@ -19,7 +19,7 @@ public class ImportAzWebAppKeyVaultCertificate : WebAppBaseClientCmdLet
     {
         const string ParameterSet1Name = "S1";
 
-        [Parameter(ParameterSetName = ParameterSet1Name, Position = 0, Mandatory = true, HelpMessage = "The name of the keyvault.")]
+        [Parameter(ParameterSetName = ParameterSet1Name, Position = 0, Mandatory = true, HelpMessage = "The name of the keyvault or Id of the KeyVault.")]
         [ValidateNotNullOrEmpty]
         public string KeyVaultName { get; set; }
 
@@ -44,11 +44,10 @@ public override void ExecuteCmdlet()
         {
             if (!string.IsNullOrWhiteSpace(ResourceGroupName) && !string.IsNullOrWhiteSpace(WebAppName))
             {
+                string kvId = string.Empty, kvRgName = string.Empty, kvSubscriptionId = string.Empty;
                 var webApp = new PSSite(WebsitesClient.GetWebApp(ResourceGroupName, WebAppName, Slot));
                 var location = webApp.Location;
                 var serverFarmId = webApp.ServerFarmId;
-                string kvid = string.Empty;
-                string kvresourcegrpname = string.Empty;
                 var keyvaultResources = this.ResourcesClient.ResourceManagementClient.FilterResources(new FilterResourcesOptions
                 {
                     ResourceType = "Microsoft.KeyVault/Vaults"
@@ -58,19 +57,29 @@ public override void ExecuteCmdlet()
                 {
                     if (kv.Name == KeyVaultName)
                     {
-                        kvid = kv.Id;
-                        kvresourcegrpname = kv.ResourceGroupName;
+                        kvId = kv.Id;
+                        kvRgName = kv.ResourceGroupName;
                         break;
                     }
                 }
-                if (string.IsNullOrEmpty(kvid))
+                if (string.IsNullOrEmpty(kvId))
                 {
-                    kvid = KeyVaultName;
+                    kvId = KeyVaultName;
+                    if (CmdletHelpers.IsValidAKVResourceId(kvId))
+                    {
+                        var details = CmdletHelpers.GetResourceDetailsFromResourceId(kvId);
+                        kvRgName = details.ResourceGroupName;
+                        KeyVaultName = details.ResourceName;
+                        kvSubscriptionId = details.Subscription;
+                    }
+                    else //default to AppService RG 
+                    {
+                        kvRgName = ResourceGroupName;
+                    }
                 }
-                string keyvaultperm;
-                keyvaultperm = CmdletHelpers.CheckServicePrincipalPermissions(this.ResourcesClient, this.KeyvaultClient,kvresourcegrpname, KeyVaultName);
+                var kvpermission = CmdletHelpers.CheckServicePrincipalPermissions(this.ResourcesClient, this.KeyvaultClient, kvRgName, KeyVaultName, kvSubscriptionId);
                 var lnk = "https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html";
-                if ((keyvaultperm != "Get") & (keyvaultperm != "get"))
+                if (kvpermission.ToLower() != "get")
                 {
                     WriteWarning("Unable to verify Key Vault permissions.");
                     WriteWarning("You may need to grant Microsoft.Azure.WebSites service principal the Secret:Get permission");
@@ -80,7 +89,7 @@ public override void ExecuteCmdlet()
                 Certificate kvc = null;
                 var certificate = new Certificate(
                     location: location,
-                    keyVaultId: kvid,
+                    keyVaultId: kvId,
                     password: "",
                     keyVaultSecretName: CertName,
                     serverFarmId: serverFarmId

diff --git a/src/Websites/Websites/Utilities/CmdletHelpers.cs b/src/Websites/Websites/Utilities/CmdletHelpers.cs
@@ -54,6 +54,9 @@ public static class CmdletHelpers
         private static readonly Regex AppServicePlanResourceIdRegex =
            new Regex(@"^\/subscriptions\/(?<subscriptionName>[^\/]+)\/resourceGroups\/(?<resourceGroupName>[^\/]+)\/providers\/Microsoft.Web\/serverFarms\/(?<serverFarmName>[^\/]+)$", RegexOptions.IgnoreCase);
 
+        private static readonly Regex KeyVaultResourceIdRegex =
+            new Regex(@"^\/subscriptions\/(?<subscriptionName>[^\/]+)\/resourceGroups\/(?<resourceGroupName>[^\/]+)\/providers\/Microsoft.KeyVault\/vaults\/(?<vaultName>[^\/]+)$", RegexOptions.IgnoreCase);
+
         private static readonly Dictionary<string, int> WorkerSizes = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) { { "Small", 1 }, { "Medium", 2 }, { "Large", 3 }, { "ExtraLarge", 4 } };
 
         private const string ProductionSlotName = "Production";
@@ -178,7 +181,7 @@ internal static bool ShouldUseDeploymentSlot(string webSiteName, string slotName
 
             return result;
         }
-                
+
         internal static HostingEnvironmentProfile CreateHostingEnvironmentProfile(string subscriptionId, string resourceGroupName, string aseResourceGroupName, string aseName)
         {
             var rg = string.IsNullOrEmpty(aseResourceGroupName) ? resourceGroupName : aseResourceGroupName;
@@ -222,7 +225,7 @@ internal static string BuildMetricFilter(DateTime? startTime, DateTime? endTime,
 
             return filter;
         }
-                
+
         internal static bool TryParseWebAppMetadataFromResourceId(string resourceId, out string resourceGroupName,
             out string webAppName, out string slotName, bool failIfSlot = false)
         {
@@ -271,6 +274,10 @@ internal static bool TryParseAppServicePlanMetadataFromResourceId(string resourc
             return false;
         }
 
+        internal static bool IsValidAKVResourceId(string resourceId)
+        {
+            return KeyVaultResourceIdRegex.Match(resourceId).Success;
+        }
         internal static string GetSkuName(string tier, int workerSize)
         {
             string sku;
@@ -309,7 +316,7 @@ internal static string GetSkuName(string tier, int workerSize)
 
         internal static string GetSkuName(string tier, string workerSize)
         {
-            return GetSkuName(tier, WorkerSizes[workerSize]);            
+            return GetSkuName(tier, WorkerSizes[workerSize]);
         }
 
         internal static bool IsDeploymentSlot(string name)
@@ -373,6 +380,11 @@ internal static string GetSubscriptionIdFromResourceId(string resourceId)
             return new ResourceIdentifier(resourceId).Subscription;
         }
 
+        internal static ResourceIdentifier GetResourceDetailsFromResourceId(string resourceId)
+        {
+            return new ResourceIdentifier(resourceId);
+        }
+
         internal static void ExtractWebAppPropertiesFromWebApp(Site webapp, out string resourceGroupName, out string webAppName, out string slot)
         {
             resourceGroupName = GetResourceGroupFromResourceId(webapp.Id);
@@ -414,26 +426,23 @@ internal static Certificate[] GetCertificates(ResourceClient resourceClient, Web
             return certificates.ToArray();
         }
 
-        internal static string CheckServicePrincipalPermissions(ResourceClient resourceClient, KeyVaultClient keyVaultClient, string resourceGroupName, string keyVault)
+        internal static string CheckServicePrincipalPermissions(ResourceClient resourceClient, KeyVaultClient keyVaultClient, string resourceGroupName, string keyVault, string kvSubscriptionId)
         {
-            var perm1 = " ";
-            var kv2 = keyVaultClient.GetKeyVault(resourceGroupName, keyVault);
-            foreach (var policy in kv2.Properties.AccessPolicies)
+            var kv = keyVaultClient.GetKeyVault(resourceGroupName, keyVault, kvSubscriptionId);
+            foreach (var policy in kv.Properties.AccessPolicies)
             {
                 if (policy.ObjectId == ("f8daea97-62e7-4026-becf-13c2ea98e8b4"))
                 {
                     foreach (var perm in policy.Permissions.Secrets)
                     {
-                        if ((perm == "Get") || (perm == "get"))
+                        if (perm.ToLower() == "get")
                         {
-                            perm1 = perm;
-                            Console.WriteLine("Success");
-                            break;
+                            return perm;
                         }
                     }
                 }
             }
-            return perm1.ToString();
+            return string.Empty;
         }
 
         internal static SiteConfigResource ConvertToSiteConfigResource(this SiteConfig config)

diff --git a/src/Websites/Websites/Utilities/KeyVaultClient.cs b/src/Websites/Websites/Utilities/KeyVaultClient.cs
@@ -25,11 +25,21 @@ public KeyVaultManagementClient WrappedKeyVaultClient
             private set;
         }
 
-        public Vault GetKeyVault(string resourceGroupName, string vaultName)
+        public Vault GetKeyVault(string resourceGroupName, string vaultName, string kvSubscriptionId = null)
         {
             try
             {
-                return this.WrappedKeyVaultClient.Vaults.Get(resourceGroupName, vaultName);
+                string originalSubscreptionId = this.WrappedKeyVaultClient.SubscriptionId;
+
+                // Replacing the actual Subscription to fetch the Vaults from other Subscriptions.
+                if (!String.IsNullOrEmpty(kvSubscriptionId) && originalSubscreptionId != kvSubscriptionId)
+                    this.WrappedKeyVaultClient.SubscriptionId = kvSubscriptionId;
+
+                var vault = this.WrappedKeyVaultClient.Vaults.Get(resourceGroupName, vaultName);
+                // Replacing back to the original Subscription after fetching Vault.
+                this.WrappedKeyVaultClient.SubscriptionId = originalSubscreptionId;
+
+                return vault;
             }
             catch (Exception ex)
             {

diff --git a/src/Websites/Websites/help/Import-AzWebAppKeyVaultCertificate.md b/src/Websites/Websites/help/Import-AzWebAppKeyVaultCertificate.md
@@ -73,7 +73,7 @@ Accept wildcard characters: False
 ```
 
 ### -KeyVaultName
-The name of the keyvault.
+The name of the keyvault or Id of the KeyVault.
 
 ```yaml
 Type: System.String