added CMK migration changes (#25931)

* added CMK migration changes
updated help
updated changelog

Updated test case

* re-recorded tests

Author: hiaga

src/RecoveryServices/RecoveryServices.Backup.Models/VaultModels/VaultProperty.cs

@@ -59,18 +59,11 @@ public VaultProperty(BackupResourceVaultConfig vaultConfig, BackupResourceEncryp
             SoftDeleteFeatureState = vaultConfig.SoftDeleteFeatureState;
 
             // Initialize encryption properties
-            encryptionProperties = new EncryptionConfig();
-            encryptionProperties.EncryptionAtRestType = vaultEncryptionSetting.Properties.EncryptionAtRestType;
-            encryptionProperties.KeyUri = vaultEncryptionSetting.Properties.KeyUri;
-            encryptionProperties.SubscriptionId = vaultEncryptionSetting.Properties.SubscriptionId;
-            encryptionProperties.LastUpdateStatus = vaultEncryptionSetting.Properties.LastUpdateStatus;
-            encryptionProperties.InfrastructureEncryptionState = vaultEncryptionSetting.Properties.InfrastructureEncryptionState;
-            encryptionProperties.Id = vaultEncryptionSetting.Id;
-            encryptionProperties.Name = vaultEncryptionSetting.Name;
-            encryptionProperties.Type = vaultEncryptionSetting.Type;
-            encryptionProperties.Location = vaultEncryptionSetting.Location;
-            encryptionProperties.UseSystemAssignedIdentity = vaultEncryptionSetting.Properties.UseSystemAssignedIdentity;
-            encryptionProperties.UserAssignedIdentity = vaultEncryptionSetting.Properties.UserAssignedIdentity;
+            encryptionProperties = new EncryptionConfig();            
+            encryptionProperties.KeyUri = vaultEncryptionSetting.Properties?.KeyUri;
+            encryptionProperties.InfrastructureEncryptionState = vaultEncryptionSetting.Properties?.InfrastructureEncryptionState;
+            encryptionProperties.UseSystemAssignedIdentity = vaultEncryptionSetting.Properties?.UseSystemAssignedIdentity;
+            encryptionProperties.UserAssignedIdentity = vaultEncryptionSetting.Properties?.UserAssignedIdentity;
         }
     }
 

src/RecoveryServices/RecoveryServices.Backup.ServiceClientAdapter/BMSAPIs/VaultAPIs.cs

@@ -21,7 +21,6 @@
 using Microsoft.Rest.Azure.OData;
 using RestAzureNS = Microsoft.Rest.Azure;
 using System;
-using Newtonsoft.Json;
 using Microsoft.Azure.Commands.RecoveryServices.Backup.Properties;
 
 namespace Microsoft.Azure.Commands.RecoveryServices.Backup.Cmdlets.ServiceClientAdapterNS
@@ -106,8 +105,23 @@ public BackupResourceConfigResource GetVaultStorageType(string resouceGroupName,
         /// <returns>Azure Resource Encryption response object.</returns>  
         public BackupResourceEncryptionConfigExtendedResource GetVaultEncryptionConfig(string resouceGroupName, string vaultName)
         {
-            return BmsAdapter.Client.BackupResourceEncryptionConfigs.GetWithHttpMessagesAsync(
-                vaultName, resouceGroupName).Result.Body;
+            ARSVault vault = GetVault(resouceGroupName, vaultName);
+
+            var vaultEncryptionProperty = vault.Properties.EncryptionProperty;
+            BackupResourceEncryptionConfigExtendedResource encryptionConfig = new BackupResourceEncryptionConfigExtendedResource();
+
+            if (vaultEncryptionProperty != null)
+            {
+                encryptionConfig.Properties = new BackupResourceEncryptionConfigExtended
+                {
+                    KeyUri = vaultEncryptionProperty.KeyVaultProperties?.KeyUri,
+                    InfrastructureEncryptionState = vaultEncryptionProperty.InfrastructureEncryption,
+                    UseSystemAssignedIdentity = vaultEncryptionProperty.KekIdentity?.UseSystemAssignedIdentity,
+                    UserAssignedIdentity = vaultEncryptionProperty.KekIdentity?.UserAssignedIdentity
+                };
+            }
+
+            return encryptionConfig;
         }
 
         /// <summary>  
@@ -156,13 +170,55 @@ public ARSVault GetVault(string resouceGroupName, string vaultName)
         /// <summary>  
         /// Method to create or update Recovery Services Vault.
         /// </summary>  
-        /// <param name="resouceGroupName">Name of the resouce group</param>  
+        /// <param name="resourceGroupName">Name of the resouce group</param>  
         /// <param name="vaultName">Name of the vault</param>  
         /// <param name="patchVault">patch vault object to patch the recovery services Vault</param>
+        /// <param name="auxiliaryAccessToken">Auxiliary access token for authorization</param>  
+        /// <param name="isMUAProtected">Flag indicating if the operation is MUA protected</param>  
         /// <returns>Azure Recovery Services Vault.</returns> 
-        public Vault UpdateRSVault(string resouceGroupName, string vaultName, PatchVault patchVault)
+        public Vault UpdateRSVault(string resourceGroupName, string vaultName, PatchVault patchVault, string auxiliaryAccessToken = null, bool isMUAProtected = false)
         {
-            var response = RSAdapter.Client.Vaults.UpdateWithHttpMessagesAsync(resouceGroupName, vaultName, patchVault).Result;
+            Dictionary<string, List<string>> customHeaders = new Dictionary<string, List<string>>();
+            if (isMUAProtected)
+            {
+                List<ResourceGuardProxyBaseResource> resourceGuardMapping = ListResourceGuardMapping(vaultName, resourceGroupName);
+                string operationRequest = null;
+
+                if (resourceGuardMapping != null && resourceGuardMapping.Count != 0)
+                {
+                    // todo: CMK_MUA - check the op value correctly
+                    string criticalOp = "Microsoft.RecoveryServices/vaults/write#reduceImmutabilityState";
+
+                    foreach (ResourceGuardOperationDetail operationDetail in resourceGuardMapping[0].Properties.ResourceGuardOperationDetails)
+                    {
+                        if (operationDetail.VaultCriticalOperation == criticalOp)
+                        {
+                            operationRequest = operationDetail.DefaultResourceRequest;
+                        }
+                    }
+
+                    if (operationRequest != null)
+                    {
+                        patchVault.Properties.ResourceGuardOperationRequests = new List<string>();
+                        patchVault.Properties.ResourceGuardOperationRequests.Add(operationRequest);
+                    }
+                }
+
+                if (auxiliaryAccessToken != null && auxiliaryAccessToken != "")
+                {
+                    if (operationRequest != null)
+                    {
+                        customHeaders.Add("x-ms-authorization-auxiliary", new List<string> { "Bearer " + auxiliaryAccessToken });
+                    }
+                    else
+                    {
+                        // resx
+                        throw new ArgumentException(String.Format(Resources.UnexpectedParameterToken, "modify encryption settings for recovery services vault"));
+                    }
+                }
+            }
+
+            var response = RSAdapter.Client.Vaults.UpdateWithHttpMessagesAsync(resourceGroupName, vaultName, patchVault, default(string), customHeaders).Result;
             return response.Body;
         }
 

src/RecoveryServices/RecoveryServices.Backup.Test/ScenarioTests/IaasVm/ItemTests.cs

@@ -208,7 +208,7 @@ public void TestAzureVMRestoreWithMSI()
             );
         }
 
-        [Fact(Skip = "to be re-recorded in next release")]
+        [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         [Trait(TestConstants.Workload, TestConstants.AzureVM)]
         public void TestAzureRSVaultCMK()

src/RecoveryServices/RecoveryServices.Backup.Test/ScenarioTests/IaasVm/ItemTests.ps1

@@ -381,21 +381,26 @@ function Test-AzureRSVaultCMK
 	$vaultName = "cmk-pstest-vault"
 	$keyVault = "cmk-pstest-keyvault"
 	$encryptionKeyId = "https://cmk-pstest-keyvault.vault.azure.net/keys/cmk-pstest-key/5569d5a163ee474cad2da4ac334af9d7"
+	$encryptionKeyId2 = "https://oss-pstest-keyvault.vault.azure.net/keys/cmk-pstest-key2"
 
 	try
 	{	
 		# Setup
 		$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $vaultName
 
 		# error scenario
-		Assert-ThrowsContains { Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false } `
+		Assert-ThrowsContains { Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId2 -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false } `
 		"Please input a valid UserAssignedIdentity";	
 
 		# set and verify - CMK encryption property to UAI 
-		Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false  -UserAssignedIdentity $vault.Identity.UserAssignedIdentities.Keys[0]
+		Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId2 -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false  -UserAssignedIdentity $vault.Identity.UserAssignedIdentities.Keys[0]
 		$prop = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
 		Assert-True { $prop.encryptionProperties.UserAssignedIdentity -eq $vault.Identity.UserAssignedIdentities.Keys[0] }
 
+		$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $vaultName
+		Assert-True { $vault.Properties.EncryptionProperty.KekIdentity.UserAssignedIdentity -eq $vault.Identity.UserAssignedIdentities.Keys[0] }
+		Assert-True { $vault.Properties.EncryptionProperty.KeyVaultProperties.KeyUri -eq $encryptionKeyId2 }
+
 		Start-TestSleep -Seconds 10
 
 		# set and verify - CMK encryption property to system identity