Skip to content

Commit

Permalink
added CMK migration changes (#25931)
Browse files Browse the repository at this point in the history 
* added CMK migration changes
updated help
updated changelog

Updated test case

* re-recorded tests
  • Loading branch information
@hiaga
hiaga authored Aug 26, 2024
1 parent 851c8f9 commit 837c0f5
Show file tree
Hide file tree
Showing 12 changed files with 1,620 additions and 1,336 deletions.
17 changes: 5 additions & 12 deletions src/RecoveryServices/RecoveryServices.Backup.Models/VaultModels/VaultProperty.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,18 +59,11 @@ public VaultProperty(BackupResourceVaultConfig vaultConfig, BackupResourceEncryp
SoftDeleteFeatureState = vaultConfig.SoftDeleteFeatureState;

// Initialize encryption properties
encryptionProperties = new EncryptionConfig();
encryptionProperties.EncryptionAtRestType = vaultEncryptionSetting.Properties.EncryptionAtRestType;
encryptionProperties.KeyUri = vaultEncryptionSetting.Properties.KeyUri;
encryptionProperties.SubscriptionId = vaultEncryptionSetting.Properties.SubscriptionId;
encryptionProperties.LastUpdateStatus = vaultEncryptionSetting.Properties.LastUpdateStatus;
encryptionProperties.InfrastructureEncryptionState = vaultEncryptionSetting.Properties.InfrastructureEncryptionState;
encryptionProperties.Id = vaultEncryptionSetting.Id;
encryptionProperties.Name = vaultEncryptionSetting.Name;
encryptionProperties.Type = vaultEncryptionSetting.Type;
encryptionProperties.Location = vaultEncryptionSetting.Location;
encryptionProperties.UseSystemAssignedIdentity = vaultEncryptionSetting.Properties.UseSystemAssignedIdentity;
encryptionProperties.UserAssignedIdentity = vaultEncryptionSetting.Properties.UserAssignedIdentity;
encryptionProperties = new EncryptionConfig();
encryptionProperties.KeyUri = vaultEncryptionSetting.Properties?.KeyUri;
encryptionProperties.InfrastructureEncryptionState = vaultEncryptionSetting.Properties?.InfrastructureEncryptionState;
encryptionProperties.UseSystemAssignedIdentity = vaultEncryptionSetting.Properties?.UseSystemAssignedIdentity;
encryptionProperties.UserAssignedIdentity = vaultEncryptionSetting.Properties?.UserAssignedIdentity;
}
}

Expand Down
68 changes: 62 additions & 6 deletions src/RecoveryServices/RecoveryServices.Backup.ServiceClientAdapter/BMSAPIs/VaultAPIs.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@
using Microsoft.Rest.Azure.OData;
using RestAzureNS = Microsoft.Rest.Azure;
using System;
using Newtonsoft.Json;
using Microsoft.Azure.Commands.RecoveryServices.Backup.Properties;

namespace Microsoft.Azure.Commands.RecoveryServices.Backup.Cmdlets.ServiceClientAdapterNS
Expand Down Expand Up @@ -106,8 +105,23 @@ public BackupResourceConfigResource GetVaultStorageType(string resouceGroupName,
/// <returns>Azure Resource Encryption response object.</returns>
public BackupResourceEncryptionConfigExtendedResource GetVaultEncryptionConfig(string resouceGroupName, string vaultName)
{
return BmsAdapter.Client.BackupResourceEncryptionConfigs.GetWithHttpMessagesAsync(
vaultName, resouceGroupName).Result.Body;
ARSVault vault = GetVault(resouceGroupName, vaultName);

var vaultEncryptionProperty = vault.Properties.EncryptionProperty;
BackupResourceEncryptionConfigExtendedResource encryptionConfig = new BackupResourceEncryptionConfigExtendedResource();

if (vaultEncryptionProperty != null)
{
encryptionConfig.Properties = new BackupResourceEncryptionConfigExtended
{
KeyUri = vaultEncryptionProperty.KeyVaultProperties?.KeyUri,
InfrastructureEncryptionState = vaultEncryptionProperty.InfrastructureEncryption,
UseSystemAssignedIdentity = vaultEncryptionProperty.KekIdentity?.UseSystemAssignedIdentity,
UserAssignedIdentity = vaultEncryptionProperty.KekIdentity?.UserAssignedIdentity
};
}

return encryptionConfig;
}

/// <summary>
Expand Down Expand Up @@ -156,13 +170,55 @@ public ARSVault GetVault(string resouceGroupName, string vaultName)
/// <summary>
/// Method to create or update Recovery Services Vault.
/// </summary>
/// <param name="resouceGroupName">Name of the resouce group</param>
/// <param name="resourceGroupName">Name of the resouce group</param>
/// <param name="vaultName">Name of the vault</param>
/// <param name="patchVault">patch vault object to patch the recovery services Vault</param>
/// <param name="auxiliaryAccessToken">Auxiliary access token for authorization</param>
/// <param name="isMUAProtected">Flag indicating if the operation is MUA protected</param>
/// <returns>Azure Recovery Services Vault.</returns>
public Vault UpdateRSVault(string resouceGroupName, string vaultName, PatchVault patchVault)
public Vault UpdateRSVault(string resourceGroupName, string vaultName, PatchVault patchVault, string auxiliaryAccessToken = null, bool isMUAProtected = false)
{
var response = RSAdapter.Client.Vaults.UpdateWithHttpMessagesAsync(resouceGroupName, vaultName, patchVault).Result;
Dictionary<string, List<string>> customHeaders = new Dictionary<string, List<string>>();
if (isMUAProtected)
{
List<ResourceGuardProxyBaseResource> resourceGuardMapping = ListResourceGuardMapping(vaultName, resourceGroupName);
string operationRequest = null;

if (resourceGuardMapping != null && resourceGuardMapping.Count != 0)
{
// todo: CMK_MUA - check the op value correctly
string criticalOp = "Microsoft.RecoveryServices/vaults/write#reduceImmutabilityState";

foreach (ResourceGuardOperationDetail operationDetail in resourceGuardMapping[0].Properties.ResourceGuardOperationDetails)
{
if (operationDetail.VaultCriticalOperation == criticalOp)
{
operationRequest = operationDetail.DefaultResourceRequest;
}
}

if (operationRequest != null)
{
patchVault.Properties.ResourceGuardOperationRequests = new List<string>();
patchVault.Properties.ResourceGuardOperationRequests.Add(operationRequest);
}
}

if (auxiliaryAccessToken != null && auxiliaryAccessToken != "")
{
if (operationRequest != null)
{
customHeaders.Add("x-ms-authorization-auxiliary", new List<string> { "Bearer " + auxiliaryAccessToken });
}
else
{
// resx
throw new ArgumentException(String.Format(Resources.UnexpectedParameterToken, "modify encryption settings for recovery services vault"));
}
}
}

var response = RSAdapter.Client.Vaults.UpdateWithHttpMessagesAsync(resourceGroupName, vaultName, patchVault, default(string), customHeaders).Result;
return response.Body;
}

Expand Down
2 changes: 1 addition & 1 deletion src/RecoveryServices/RecoveryServices.Backup.Test/ScenarioTests/IaasVm/ItemTests.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -208,7 +208,7 @@ public void TestAzureVMRestoreWithMSI()
);
}

[Fact(Skip = "to be re-recorded in next release")]
[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
[Trait(TestConstants.Workload, TestConstants.AzureVM)]
public void TestAzureRSVaultCMK()
Expand Down
9 changes: 7 additions & 2 deletions src/RecoveryServices/RecoveryServices.Backup.Test/ScenarioTests/IaasVm/ItemTests.ps1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -381,21 +381,26 @@ function Test-AzureRSVaultCMK
$vaultName = "cmk-pstest-vault"
$keyVault = "cmk-pstest-keyvault"
$encryptionKeyId = "https://cmk-pstest-keyvault.vault.azure.net/keys/cmk-pstest-key/5569d5a163ee474cad2da4ac334af9d7"
$encryptionKeyId2 = "https://oss-pstest-keyvault.vault.azure.net/keys/cmk-pstest-key2"

try
{
# Setup
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $vaultName

# error scenario
Assert-ThrowsContains { Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false } `
Assert-ThrowsContains { Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId2 -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false } `
"Please input a valid UserAssignedIdentity";

# set and verify - CMK encryption property to UAI
Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false -UserAssignedIdentity $vault.Identity.UserAssignedIdentities.Keys[0]
Set-AzRecoveryServicesVaultProperty -EncryptionKeyId $encryptionKeyId2 -VaultId $vault.ID -InfrastructureEncryption -UseSystemAssignedIdentity $false -UserAssignedIdentity $vault.Identity.UserAssignedIdentities.Keys[0]
$prop = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
Assert-True { $prop.encryptionProperties.UserAssignedIdentity -eq $vault.Identity.UserAssignedIdentities.Keys[0] }

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $resourceGroupName -Name $vaultName
Assert-True { $vault.Properties.EncryptionProperty.KekIdentity.UserAssignedIdentity -eq $vault.Identity.UserAssignedIdentities.Keys[0] }
Assert-True { $vault.Properties.EncryptionProperty.KeyVaultProperties.KeyUri -eq $encryptionKeyId2 }

Start-TestSleep -Seconds 10

# set and verify - CMK encryption property to system identity
Expand Down
Loading

0 comments on commit 837c0f5

Please sign in to comment.