Merge pull request Azure#3490 from mihymel/dev

Adding new cmdlets for Sql Transparent Data Encryption with Azure Key…

Author: cormacpayne

src/ResourceManager/Sql/AzureRM.Sql.psd1

@@ -154,8 +154,13 @@ CmdletsToExport = 'Get-AzureRmSqlDatabaseTransparentDataEncryption',
                'Set-AzureRmSqlElasticPoolAdvisorAutoExecuteStatus', 
                'Set-AzureRmSqlServerAdvisorAutoExecuteStatus', 
                'Get-AzureRmSqlDatabaseAdvisor', 
-               'Set-AzureRmSqlDatabaseAdvisorAutoExecuteStatus'
-
+               'Set-AzureRmSqlDatabaseAdvisorAutoExecuteStatus',
+               'Get-AzureRmSqlServerTransparentDataEncryptionProtector',
+               'Set-AzureRmSqlServerTransparentDataEncryptionProtector',
+               'Add-AzureRmSqlServerKeyVaultKey',
+               'Get-AzureRmSqlServerKeyVaultKey',
+               'Remove-AzureRmSqlServerKeyVaultKey'
+               
 # Variables to export from this module
 # VariablesToExport = @()
 

src/ResourceManager/Sql/ChangeLog.md

@@ -18,6 +18,13 @@
         - Additional information about change #1
 -->
 ## Current Release
+* Adding new cmdlets for support for Azure SQL feature Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK) Support
+	- TDE with BYOK support is a new feature in Azure SQL, which allows users to encrypt their database with a key from Azure Key Vault. This feature is currently in private preview.
+	- Get-AzureRmSqlServerKeyVaultKey : This cmdlet returns a list of Azure Key Vault keys added to a Sql Server.
+	- Add-AzureRmSqlServerKeyVaultKey : This cmdlet adds an Azure Key Vault key to a Sql Server.
+	- Remove-AzureRmSqlServerKeyVaultKey : This cmdlet removes an Azure Key Vault key from a Sql Server.
+	- Get-AzureRmSqlServerTransparentDataEncryptionProtector : This cmdlet returns the current encryption protector for a Sql Server.
+	- Set-AzureRmSqlServerTransparentDataEncryptionProtector : This cmdlet sets the encryption protector for a Sql Server. The encryption protector can be set to a key from Azure Key Vault or a key that is managed by Azure Sql.
 
 ## Version 2.5.0
 * Added new return parameter "AuditType" to Get-AzureRmSqlDatabaseAuditingPolicy and Get-AzureRmSqlServerAuditingPolicy returned object

src/ResourceManager/Sql/Commands.Sql.Test/Commands.Sql.Test.csproj

@@ -71,7 +71,7 @@
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Sql">
       <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Sql.0.51.0-prerelease\lib\net40\Microsoft.Azure.Management.Sql.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Sql.0.52.0-prerelease\lib\net40\Microsoft.Azure.Management.Sql.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Storage">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Storage.2.4.0-preview\lib\net40\Microsoft.Azure.Management.Storage.dll</HintPath>
@@ -274,6 +274,7 @@
     <Compile Include="ScenarioTests\SqlEvnSetupHelper.cs" />
     <Compile Include="ScenarioTests\SqlTestsBase.cs" />
     <Compile Include="ScenarioTests\TransparentDataEncryptionCrudTests.cs" />
+	<Compile Include="ScenarioTests\ServerKeyVaultKeyTests.cs" />
     <Compile Include="ScenarioTests\IndexRecommendationTests.cs" />
     <Compile Include="ScenarioTests\ImportExportTests.cs" />
     <Compile Include="UnitTests\AzureSqlDatabaseImportExportTests.cs" />
@@ -362,6 +363,9 @@
     </None>
     <None Include="ScenarioTests\TransparentDataEncryptionCrudTests.ps1">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+	<None Include="ScenarioTests\ServerKeyVaultKeyTests.ps1">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.AdvisorTests\TestGetElasticPoolAdvisor.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
@@ -719,6 +723,21 @@
     </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.TransparentDataEncryptionCrudTests\TestDatabaseTransparentDataEncryptionUpdate.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+	<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.TransparentDataEncryptionCrudTests\TestServerTransparentDataEncryptionProtectorGet.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+	<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.TransparentDataEncryptionCrudTests\TestServerTransparentDataEncryptionProtectorSet.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+	<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.ServerKeyVaultKeyTests\TestServerKeyVaultKeyAdd.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+	<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.ServerKeyVaultKeyTests\TestServerKeyVaultKeyGet.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
+	<None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.ServerKeyVaultKeyTests\TestServerKeyVaultKeyRemove.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.Sql.Test.ScenarioTests.ServerUpgradeTests\TestServerUpgradeAndCancel.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/Common.ps1

@@ -217,6 +217,47 @@ function Create-DataMaskingTestEnvironment ($testSuffix)
 	}
 }
 
+<#
+.SYNOPSIS
+Gets the values of the parameters used in the Server Key Vault Key tests
+#>
+function Get-SqlServerKeyVaultKeyTestEnvironmentParameters ()
+{
+	return @{ rgName = Get-ResourceGroupName;
+			  serverName = Get-ServerName;
+			  databaseName = Get-DatabaseName;
+			  keyId = "https://akvtdekeyvault.vault.azure.net/keys/key1/51c2fab9ff3c4a17aab4cd51b932b106";
+			  serverKeyName = "akvtdekeyvault_key1_51c2fab9ff3c4a17aab4cd51b932b106";
+			  vaultName = "akvtdekeyvault";
+			  keyName = "key1"
+			  location = "Southeast Asia";
+			  }
+}
+
+<#
+.SYNOPSIS
+Creates the test environment needed to perform the Server Key Vault Key tests
+#>
+function Create-ServerKeyVaultKeyTestEnvironment ($params)
+{
+	# Create Resource Group
+	$rg = New-AzureRmResourceGroup -Name $params.rgname -Location $params.location -Force
+
+	# Create Server
+	$serverLogin = "testusername"
+	$serverPassword = "t357ingP@s5w0rd!"
+	$credentials = new-object System.Management.Automation.PSCredential($serverLogin, ($serverPassword | ConvertTo-SecureString -asPlainText -Force)) 
+	$server = New-AzureRmSqlServer -ResourceGroupName  $rg.ResourceGroupName -ServerName $params.serverName -Location $params.location -ServerVersion "12.0" -SqlAdministratorCredentials $credentials
+	Assert-AreEqual $server.ServerName $params.serverName
+
+	# Create database
+	$db = New-AzureRmSqlDatabase -ResourceGroupName $rg.ResourceGroupName -ServerName $server.ServerName -DatabaseName $params.databaseName
+	Assert-AreEqual $db.DatabaseName $params.databaseName
+
+	# Return the created resource group
+	return $rg
+}
+
 <#
 .SYNOPSIS
 Gets valid resource group name

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/ServerKeyVaultKeyTests.cs

@@ -0,0 +1,51 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.ScenarioTest.SqlTests;
+using Microsoft.Azure.ServiceManagemenet.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Microsoft.Azure.Commands.Sql.Test.ScenarioTests
+{
+    public class ServerKeyVaultKeyTests : SqlTestsBase
+    {
+        public ServerKeyVaultKeyTests(ITestOutputHelper output)
+        {
+            XunitTracingInterceptor.AddToContext(new XunitTracingInterceptor(output));
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestServerKeyVaultKeyAdd()
+        {
+            RunPowerShellTest("Test-AddServerKeyVaultKey");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestServerKeyVaultKeyGet()
+        {
+            RunPowerShellTest("Test-GetServerKeyVaultKey");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestServerKeyVaultKeyRemove()
+        {
+            RunPowerShellTest("Test-RemoveServerKeyVaultKey");
+        }
+    }
+}

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/ServerKeyVaultKeyTests.ps1

@@ -0,0 +1,88 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+	.SYNOPSIS
+	Tests creating a server key vault key
+#>
+function Test-AddServerKeyVaultKey
+{
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$rg = Create-ServerKeyVaultKeyTestEnvironment $params
+
+	try
+	{
+		$keyResult = Add-AzureRmSqlServerKeyVaultKey -ServerName $params.serverName -ResourceGroupName $params.rgName -KeyId $params.keyId
+		Assert-AreEqual $params.keyId $keyResult.Uri 
+		Assert-AreEqual $params.serverKeyName $keyResult.ServerKeyName 
+	}
+	finally
+	{
+		Remove-ResourceGroupForTest $rg
+	}
+}
+
+<#
+	.SYNOPSIS
+	Tests getting a server key vault key
+#>
+function Test-GetServerKeyVaultKey
+{
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$rg = Create-ServerKeyVaultKeyTestEnvironment $params
+
+	try
+	{
+		$keyResult = Add-AzureRmSqlServerKeyVaultKey -ServerName $params.serverName -ResourceGroupName $params.rgName -KeyId $params.keyId
+		Assert-AreEqual $params.keyId $keyResult.Uri
+		Assert-AreEqual $params.serverKeyName $keyResult.ServerKeyName 
+
+		$keyGet = Get-AzureRmSqlServerKeyVaultKey -ServerName $params.serverName -ResourceGroupName $params.rgName -KeyId $params.keyId
+		Assert-AreEqual $params.keyId $keyGet.Uri
+		Assert-AreEqual $params.serverKeyName $keyGet.ServerKeyName
+	}
+	finally
+	{
+		Remove-ResourceGroupForTest $rg
+	}
+}
+
+<#
+	.SYNOPSIS
+	Tests removing a server key vault key
+#>
+function Test-RemoveServerKeyVaultKey
+{
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$rg = Create-ServerKeyVaultKeyTestEnvironment $params
+
+	try
+	{
+		$keyResult = Add-AzureRmSqlServerKeyVaultKey -ServerName $params.serverName -ResourceGroupName $params.rgName -KeyId $params.keyId
+		Assert-AreEqual $params.keyId $keyResult.Uri 
+		Assert-AreEqual $params.serverKeyName $keyResult.ServerKeyName 
+
+		$keyGet = Get-AzureRmSqlServerKeyVaultKey -ServerName $params.serverName -ResourceGroupName $params.rgName -KeyId $params.keyId
+		Assert-AreEqual $params.keyId $keyGet.Uri
+		Assert-AreEqual $params.serverKeyName $keyGet.ServerKeyName
+
+		$keyRemove = Remove-AzureRmSqlServerKeyVaultKey -ServerName $params.serverName -ResourceGroupName $params.rgName -KeyId $params.keyId
+		Assert-AreEqual $params.keyId $keyRemove.Uri
+		Assert-AreEqual $params.serverKeyName $keyRemove.ServerKeyName
+	}
+	finally
+	{
+		Remove-ResourceGroupForTest $rg
+	}
+}

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/TransparentDataEncryptionCrudTests.cs

@@ -40,5 +40,19 @@ public void TestDatabaseTransparentDataEncryptionGet()
         {
             RunPowerShellTest("Test-GetTransparentDataEncryption");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestServerTransparentDataEncryptionProtectorGet()
+        {
+            RunPowerShellTest("Test-GetTransparentDataEncryptionProtector");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestServerTransparentDataEncryptionProtectorSet()
+        {
+            RunPowerShellTest("Test-SetTransparentDataEncryptionProtector");
+        }
     }
 }

src/ResourceManager/Sql/Commands.Sql.Test/ScenarioTests/TransparentDataEncryptionCrudTests.ps1

@@ -82,3 +82,70 @@ function Test-GetTransparentDataEncryption
 		Remove-ResourceGroupForTest $rg
 	}
 }
+
+<#
+	.SYNOPSIS
+	Tests Getting a server transparent data encryption protector
+#>
+function Test-GetTransparentDataEncryptionProtector
+{
+	# Setup
+	$location = "Southeast Asia"
+	$rgName = Get-ResourceGroupName
+	$rg = New-AzureRmResourceGroup -Name $rgName -Location $location -Force
+	$serverName = Get-ServerName
+	$serverLogin = "testusername"
+	$serverPassword = "t357ingP@s5w0rd!"
+	$credentials = new-object System.Management.Automation.PSCredential($serverLogin, ($serverPassword | ConvertTo-SecureString -asPlainText -Force)) 
+	
+	$server = New-AzureRmSqlServer -ResourceGroupName  $rg.ResourceGroupName -ServerName $serverName -Location $location -ServerVersion "12.0" -SqlAdministratorCredentials $credentials
+
+	try
+	{
+		# Encryption Protector should be set to Service Managed initially
+		$encProtector1 = Get-AzureRmSqlServerTransparentDataEncryptionProtector -ResourceGroupName $server.ResourceGroupName -ServerName $server.ServerName
+		Assert-AreEqual ServiceManaged $encProtector1.Type 
+		Assert-AreEqual ServiceManaged $encProtector1.ServerKeyVaultKeyName 
+	}
+	finally
+	{
+		Remove-ResourceGroupForTest $rg
+	}
+}
+
+<#
+	.SYNOPSIS
+	Tests Setting a server transparent data encryption protector
+#>
+function Test-SetTransparentDataEncryptionProtector
+{
+	# Setup
+	$params = Get-SqlServerKeyVaultKeyTestEnvironmentParameters
+	$rg = Create-ServerKeyVaultKeyTestEnvironment $params
+
+	try
+	{
+		# Encryption Protector should be set to Service Managed initially
+		$encProtector1 = Get-AzureRmSqlServerTransparentDataEncryptionProtector -ResourceGroupName $params.rgName -ServerName $params.serverName
+		Assert-AreEqual ServiceManaged $encProtector1.Type 
+		Assert-AreEqual ServiceManaged $encProtector1.ServerKeyVaultKeyName 
+
+		# Add server key
+		$keyResult = Add-AzureRmSqlServerKeyVaultKey -ServerName $params.serverName -ResourceGroupName $params.rgName -KeyId $params.keyId
+		Assert-AreEqual $params.keyId $keyResult.Uri
+
+		# Rotate to AKV
+		$encProtector2 = Set-AzureRmSqlServerTransparentDataEncryptionProtector -ResourceGroupName $params.rgName -ServerName $params.serverName -Type AzureKeyVault -KeyId $params.keyId
+		Assert-AreEqual AzureKeyVault $encProtector2.Type 
+		Assert-AreEqual $params.serverKeyName $encProtector2.ServerKeyVaultKeyName 
+
+		# Rotate back to Service Managed
+		$encProtector3 = Set-AzureRmSqlServerTransparentDataEncryptionProtector -ResourceGroupName $params.rgName -ServerName $params.serverName -Type ServiceManaged
+		Assert-AreEqual ServiceManaged $encProtector3.Type 
+		Assert-AreEqual ServiceManaged $encProtector3.ServerKeyVaultKeyName 
+	}
+	finally
+	{
+		Remove-ResourceGroupForTest $rg
+	}
+}