Add parameter EnableRbcAuthorization for 'New-AzKeyVault' and 'Update-AzKeyVault' (Azure#12459)

* Add parameter EnableRbcAuthorization for 'New-AzKeyVault' and 'Update-AzKeyVault'.

* Update src/KeyVault/KeyVault/ChangeLog.md

Co-authored-by: Yeming Liu <[email protected]>

* Update src/KeyVault/KeyVault/KeyVault.format.ps1xml

Co-authored-by: Yeming Liu <[email protected]>

* Simplify codes in VaultManagementClient.cs.

Co-authored-by: Yeming Liu <[email protected]>

Author: BethanyZhou

src/KeyVault/KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1

@@ -113,6 +113,8 @@ function Test-CreateNewVault {
         # Soft delete and purge protection defaults to true
         Assert-True { $actual.EnableSoftDelete } "By default EnableSoftDelete should be true"
         Assert-Null $actual.EnablePurgeProtection "By default EnablePurgeProtection should be null"
+        # RbacAuthorization defaults to false
+        Assert-False { $actual.EnableRbacAuthorization } "By default EnableRbacAuthorization should be false"
         # Default retention days
         Assert-AreEqual 90 $actual.SoftDeleteRetentionInDays "By default SoftDeleteRetentionInDays should be 90"
 
@@ -137,6 +139,10 @@ function Test-CreateNewVault {
         Assert-True { $actual.EnablePurgeProtection } "If -EnablePurgeProtection, EnablePurgeProtection should be null"
         Assert-AreEqual 10 $actual.SoftDeleteRetentionInDays "SoftDeleteRetentionInDays should be the same value as set"
 
+        # Test enable RbacAuthorization
+        $actual = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation -EnableRbacAuthorization
+        Assert-True { $actual.EnableRbacAuthorization } "If specified, EnableRbacAuthorization should be true"
+
         # # Test use -DisableSoftDelete -EnablePurgeProtection together (TODO: uncomment this assert after keyvault team deploys their fix)
         # Assert-Throws { New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation -Sku standard -DisableSoftDelete -EnablePurgeProtection }
 
@@ -810,6 +816,15 @@ function Test-UpdateKeyVault {
         # Assert-Throws { $vault = $vault | Update-AzKeyVault -EnablePurgeProtection }
         # # Retention cannot be updated once set
         # Assert-Throws { $vault = $vault | Update-AzKeyVault -SoftDeleteRetentionInDays 80}
+
+        #Set EnableRbacAuthorization true
+        $vault = $vault | Update-AzKeyVault -EnableRbacAuthorization $true
+        Assert-True { $vault.EnableRbacAuthorization } "5. EnableRbacAuthorization should be true"
+
+        #Set EnableRbacAuthorization false
+        $vault = $vault | Update-AzKeyVault -EnableRbacAuthorization $false
+        Assert-False { $vault.EnableRbacAuthorization } "6. EnableRbacAuthorization should be false"
+
     }
     finally {
         $rg | Remove-AzResourceGroup -Force

src/KeyVault/KeyVault.Test/SessionRecords/Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests/TestCreateNewVault.json

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Added support for RBAC authorization [#10557]
 * Enhanced error handling in `Set-AzKeyVaultAccessPolicy` [#4007]
 
 ## Version 2.1.0

src/KeyVault/KeyVault.Test/SessionRecords/Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests/TestUpdateVault.json

@@ -98,6 +98,10 @@ public class NewAzureKeyVault : KeyVaultManagementCmdletBase
             HelpMessage = "If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well. Enabling 'purge protection' on a key vault is an irreversible action. Once enabled, it cannot be changed or removed.")]
         public SwitchParameter EnablePurgeProtection { get; set; }
 
+        [Parameter(Mandatory = false,
+            HelpMessage = "If specified, enables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC.")]
+        public SwitchParameter EnableRbacAuthorization { get; set; }
+
         [Parameter(Mandatory = false, HelpMessage = "Specifies how long deleted resources are retained, and how long until a vault or an object in the deleted state can be purged. The default is " + Constants.DefaultSoftDeleteRetentionDaysString + " days.")]
         [ValidateRange(Constants.MinSoftDeleteRetentionDays, Constants.MaxSoftDeleteRetentionDays)]
         [ValidateNotNullOrEmpty]
@@ -168,6 +172,8 @@ public override void ExecuteCmdlet()
                     EnabledForDiskEncryption = EnabledForDiskEncryption.IsPresent,
                     EnableSoftDelete = !DisableSoftDelete.IsPresent,
                     EnablePurgeProtection = EnablePurgeProtection.IsPresent ? true : (bool?)null, // false is not accepted
+                    EnableRbacAuthorization = EnableRbacAuthorization.IsPresent,
+
                     /*
                      * If soft delete is enabled, but retention days is not specified, use the default value,
                      * else use the vault user provides,

src/KeyVault/KeyVault/ChangeLog.md

@@ -350,6 +350,7 @@ public override void ExecuteCmdlet()
                     EnabledForDiskEncryption.IsPresent ? false : existingVault.EnabledForDiskEncryption,
                     existingVault.EnableSoftDelete,
                     existingVault.EnablePurgeProtection,
+                    existingVault.EnableRbacAuthorization,
                     existingVault.SoftDeleteRetentionInDays,
                     existingVault.NetworkAcls,
                     ActiveDirectoryClient);

src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs

@@ -570,6 +570,7 @@ public override void ExecuteCmdlet()
                     EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
                     vault.EnableSoftDelete,
                     vault.EnablePurgeProtection,
+                    vault.EnableRbacAuthorization,
                     vault.SoftDeleteRetentionInDays,
                     vault.NetworkAcls,
                     ActiveDirectoryClient);

src/KeyVault/KeyVault/Commands/RemoveAzureKeyVaultAccessPolicy.cs

@@ -59,6 +59,9 @@ public class UpdateTopLevelResourceCommand : KeyVaultManagementCmdletBase
         [Parameter(Mandatory = false, HelpMessage = "Enable the purge protection functionality for this key vault. Once enabled it cannot be disabled. It requires soft-delete to be turned on.")]
         public SwitchParameter EnablePurgeProtection { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "Enable or disable this key vault to authorize data actions by Role Based Access Control (RBAC).")]
+        public bool? EnableRbacAuthorization { get; set; }
+
         [Parameter(Mandatory = false, HelpMessage = "Specifies how long deleted resources are retained, and how long until a vault or an object in the deleted state can be purged. The default is " + Constants.DefaultSoftDeleteRetentionDaysString + " days.")]
         [ValidateRange(Constants.MinSoftDeleteRetentionDays, Constants.MaxSoftDeleteRetentionDays)]
         [ValidateNotNullOrEmpty]
@@ -103,11 +106,13 @@ public override void ExecuteCmdlet()
                     existingResource.EnabledForDiskEncryption,
                     EnableSoftDelete.IsPresent ? (true as bool?) : null,
                     EnablePurgeProtection.IsPresent ? (true as bool?) : null,
+                    EnableRbacAuthorization,
                     this.IsParameterBound(c => c.SoftDeleteRetentionInDays)
                         ? (SoftDeleteRetentionInDays as int?)
                         : (existingResource.SoftDeleteRetentionInDays ?? Constants.DefaultSoftDeleteRetentionDays),
                     existingResource.NetworkAcls
                 );
+                
                 WriteObject(result);
             }
         }

src/KeyVault/KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs

@@ -114,6 +114,7 @@ protected PSKeyVault UpdateCurrentVault(PSKeyVault existingVault, PSKeyVaultNetw
                 existingVault.EnabledForDiskEncryption,
                 existingVault.EnableSoftDelete,
                 existingVault.EnablePurgeProtection,
+                existingVault.EnableRbacAuthorization,
                 existingVault.SoftDeleteRetentionInDays,
                 updatedNetworkAcls,
                 ActiveDirectoryClient);

src/KeyVault/KeyVault/Commands/UpdateAzureKeyVault.cs

@@ -366,6 +366,10 @@
                 <Label>Enabled For Disk Encryption?</Label>
                 <PropertyName>EnabledForDiskEncryption</PropertyName>
               </ListItem>
+              <ListItem>
+                <Label>Enabled For RBAC Authorization?</Label>
+                <PropertyName>EnableRbacAuthorization</PropertyName>
+              </ListItem>
               <ListItem>
                 <Label>Soft Delete Enabled?</Label>
                 <PropertyName>EnableSoftDelete</PropertyName>

src/KeyVault/KeyVault/Commands/VirtualNetworkRuleSet/KeyVaultNetworkRuleSetBase.cs

@@ -50,6 +50,7 @@ public PSKeyVault(Vault vault, ActiveDirectoryClient adClient)
             EnabledForDiskEncryption = vault.Properties.EnabledForDiskEncryption;
             EnableSoftDelete = vault.Properties.EnableSoftDelete;
             EnablePurgeProtection = vault.Properties.EnablePurgeProtection;
+            EnableRbacAuthorization = vault.Properties.EnableRbacAuthorization;
             SoftDeleteRetentionInDays = vault.Properties.SoftDeleteRetentionInDays;
             AccessPolicies = vault.Properties.AccessPolicies.Select(s => new PSKeyVaultAccessPolicy(s, adClient)).ToArray();
             NetworkAcls = InitNetworkRuleSet(vault.Properties);
@@ -72,6 +73,8 @@ public PSKeyVault(Vault vault, ActiveDirectoryClient adClient)
         public bool? EnableSoftDelete { get; private set; }
 
         public bool? EnablePurgeProtection { get; private set; }
+        
+        public bool? EnableRbacAuthorization { get; private set; }
 
         public int? SoftDeleteRetentionInDays { get; private set; }
 

src/KeyVault/KeyVault/KeyVault.format.ps1xml

@@ -31,6 +31,7 @@ public class VaultCreationParameters
         public bool EnabledForDiskEncryption { get; set; }
         public bool? EnableSoftDelete { get; set; }
         public bool? EnablePurgeProtection { get; set; }
+        public bool? EnableRbacAuthorization { get; set; }
         public int? SoftDeleteRetentionInDays { get; set; }
         public Guid TenantId { get; set; }
         public AccessPolicyEntry AccessPolicy { get; set; }

src/KeyVault/KeyVault/Models/PSKeyVault.cs

@@ -86,6 +86,7 @@ public PSKeyVault CreateNewVault(VaultCreationParameters parameters, ActiveDirec
                 properties.EnabledForDiskEncryption = parameters.EnabledForDiskEncryption;
                 properties.EnableSoftDelete = parameters.EnableSoftDelete;
                 properties.EnablePurgeProtection = parameters.EnablePurgeProtection;
+                properties.EnableRbacAuthorization = parameters.EnableRbacAuthorization;
                 properties.SoftDeleteRetentionInDays = parameters.SoftDeleteRetentionInDays;
                 properties.TenantId = parameters.TenantId;
                 properties.VaultUri = "";
@@ -164,6 +165,7 @@ public PSKeyVault UpdateVault(
             bool? updatedEnabledForDiskEncryption,
             bool? updatedSoftDeleteSwitch,
             bool? updatedPurgeProtectionSwitch,
+            bool? updatedRbacAuthorization,
             int? softDeleteRetentionInDays,
             PSKeyVaultNetworkRuleSet updatedNetworkAcls,
             ActiveDirectoryClient adClient = null)
@@ -193,6 +195,9 @@ public PSKeyVault UpdateVault(
                 && updatedPurgeProtectionSwitch.Value)
                 properties.EnablePurgeProtection = updatedPurgeProtectionSwitch;
 
+            // Update EnableRbacAuthorization when specified, otherwise stay current value 
+            properties.EnableRbacAuthorization = updatedRbacAuthorization;
+
             properties.AccessPolicies = (updatedPolicies == null) ?
                 new List<AccessPolicyEntry>() :
                 updatedPolicies.Select(a => new AccessPolicyEntry

src/KeyVault/KeyVault/Models/VaultCreationParameters.cs

@@ -16,7 +16,7 @@ Creates a key vault.
 ```
 New-AzKeyVault [-Name] <String> [-ResourceGroupName] <String> [-Location] <String> [-EnabledForDeployment]
  [-EnabledForTemplateDeployment] [-EnabledForDiskEncryption] [-DisableSoftDelete] [-EnablePurgeProtection]
- [-SoftDeleteRetentionInDays <Int32>] [-Sku <SkuName>] [-Tag <Hashtable>]
+ [-EnableRbacAuthorization] [-SoftDeleteRetentionInDays <Int32>] [-Sku <SkuName>] [-Tag <Hashtable>]
  [-NetworkRuleSet <PSKeyVaultNetworkRuleSet>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
@@ -211,6 +211,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EnableRbacAuthorization
+If specified, enables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Location
 Specifies the Azure region in which to create the key vault. Use the command [Get-AzLocation](https://docs.microsoft.com/powershell/module/Azure/Get-AzLocation) to see your choices.
 

src/KeyVault/KeyVault/Models/VaultManagementClient.cs

@@ -15,22 +15,22 @@ Update the state of an Azure key vault.
 ### UpdateByNameParameterSet (Default)
 ```
 Update-AzKeyVault -ResourceGroupName <String> -VaultName <String> [-EnableSoftDelete] [-EnablePurgeProtection]
- [-SoftDeleteRetentionInDays <Int32>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-EnableRbacAuthorization <Boolean>] [-SoftDeleteRetentionInDays <Int32>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### UpdateByInputObjectParameterSet
 ```
 Update-AzKeyVault -InputObject <PSKeyVault> [-EnableSoftDelete] [-EnablePurgeProtection]
- [-SoftDeleteRetentionInDays <Int32>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-EnableRbacAuthorization <Boolean>] [-SoftDeleteRetentionInDays <Int32>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ### UpdateByResourceIdParameterSet
 ```
 Update-AzKeyVault -ResourceId <String> [-EnableSoftDelete] [-EnablePurgeProtection]
- [-SoftDeleteRetentionInDays <Int32>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+ [-EnableRbacAuthorization <Boolean>] [-SoftDeleteRetentionInDays <Int32>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -87,6 +87,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -EnableRbacAuthorization
+Enable or disable this key vault to authorize data actions by Role Based Access Control (RBAC).
+
+```yaml
+Type: System.Nullable`1[System.Boolean]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -EnableSoftDelete
 Enable the soft-delete functionality for this key vault.
 Once enabled it cannot be disabled.