confluentinc
diff --git a/‎internal/byok/command.go‎
Lines changed: 12 additions & 6 deletions b/‎internal/byok/command.go‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎internal/byok/command_create.go‎
Lines changed: 26 additions & 8 deletions b/‎internal/byok/command_create.go‎
Lines changed: 26 additions & 8 deletions
diff --git a/‎internal/byok/command_describe.go‎
Lines changed: 11 additions & 6 deletions b/‎internal/byok/command_describe.go‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎internal/byok/command_list.go‎
Lines changed: 36 additions & 7 deletions b/‎internal/byok/command_list.go‎
Lines changed: 36 additions & 7 deletions
diff --git a/‎internal/byok/command_update.go‎
Lines changed: 56 additions & 0 deletions b/‎internal/byok/command_update.go‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎pkg/ccloudv2/byok.go‎
Lines changed: 19 additions & 3 deletions b/‎pkg/ccloudv2/byok.go‎
Lines changed: 19 additions & 3 deletions
diff --git a/‎pkg/cmd/flags.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/cmd/flags.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎test/byok_test.go‎
Lines changed: 18 additions & 0 deletions b/‎test/byok_test.go‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎test/fixtures/output/byok/create_1.golden‎
Lines changed: 11 additions & 9 deletions b/‎test/fixtures/output/byok/create_1.golden‎
Lines changed: 11 additions & 9 deletions
@@ -13,12 +13,17 @@ type command struct {
 }
 
 type out struct {
-	Id        string   `human:"ID" serialized:"id"`
-	Key       string   `human:"Key" serialized:"key"`
-	Roles     []string `human:"Roles" serialized:"roles"`
-	Cloud     string   `human:"Cloud" serialized:"cloud"`
-	State     string   `human:"State" serialized:"state"`
-	CreatedAt string   `human:"Created At" serialized:"created_at"`
+	Id                string   `human:"ID" serialized:"id"`
+	DisplayName       string   `human:"Display Name,omitempty" serialized:"display_name,omitempty"`
+	Key               string   `human:"Key" serialized:"key"`
+	Roles             []string `human:"Roles" serialized:"roles"`
+	Cloud             string   `human:"Cloud" serialized:"cloud"`
+	State             string   `human:"State" serialized:"state"`
+	CreatedAt         string   `human:"Created At" serialized:"created_at"`
+	ValidationPhase   string   `human:"Validation Phase" serialized:"validation_phase"`
+	ValidationSince   string   `human:"Validation Since" serialized:"validation_since"`
+	ValidationRegion  string   `human:"Validation Region,omitempty" serialized:"validation_region,omitempty"`
+	ValidationMessage string   `human:"Validation Message,omitempty" serialized:"validation_message,omitempty"`
 }
 
 func New(prerunner pcmd.PreRunner) *cobra.Command {
@@ -34,6 +39,7 @@ func New(prerunner pcmd.PreRunner) *cobra.Command {
 	cmd.AddCommand(c.newDeleteCommand())
 	cmd.AddCommand(c.newDescribeCommand())
 	cmd.AddCommand(c.newListCommand())
+	cmd.AddCommand(c.newUpdateCommand())
 
 	return cmd
 }
 
@@ -74,21 +74,26 @@ func (c *command) newCreateCommand() *cobra.Command {
 
 	cmd.Flags().String("key-vault", "", "The ID of the Azure Key Vault where the key is stored.")
 	cmd.Flags().String("tenant", "", "The ID of the Azure Active Directory tenant that the key vault belongs to.")
+	cmd.Flags().String("display-name", "", "A human-readable name for the self-managed key.")
 	pcmd.AddOutputFlag(cmd)
 
 	cmd.MarkFlagsRequiredTogether("key-vault", "tenant")
 
 	return cmd
 }
 
-func (c *command) createAwsKeyRequest(keyArn string) byokv1.ByokV1Key {
-	return byokv1.ByokV1Key{Key: &byokv1.ByokV1KeyKeyOneOf{ByokV1AwsKey: &byokv1.ByokV1AwsKey{
+func (c *command) createAwsKeyRequest(keyArn, displayName string) byokv1.ByokV1Key {
+	key := byokv1.ByokV1Key{Key: &byokv1.ByokV1KeyKeyOneOf{ByokV1AwsKey: &byokv1.ByokV1AwsKey{
 		KeyArn: keyArn,
 		Kind:   "AwsKey",
 	}}}
+	if displayName != "" {
+		key.SetDisplayName(displayName)
+	}
+	return key
 }
 
-func (c *command) createAzureKeyRequest(cmd *cobra.Command, keyString string) (byokv1.ByokV1Key, error) {
+func (c *command) createAzureKeyRequest(cmd *cobra.Command, keyString, displayName string) (byokv1.ByokV1Key, error) {
 	keyVault, err := cmd.Flags().GetString("key-vault")
 	if err != nil {
 		return byokv1.ByokV1Key{}, err
@@ -106,33 +111,46 @@ func (c *command) createAzureKeyRequest(cmd *cobra.Command, keyString string) (b
 		Kind:       "AzureKey",
 	}}}
 
+	if displayName != "" {
+		keyReq.SetDisplayName(displayName)
+	}
+
 	return keyReq, nil
 }
 
-func (c *command) createGcpKeyRequest(keyString string) byokv1.ByokV1Key {
-	return byokv1.ByokV1Key{Key: &byokv1.ByokV1KeyKeyOneOf{ByokV1GcpKey: &byokv1.ByokV1GcpKey{
+func (c *command) createGcpKeyRequest(keyString, displayName string) byokv1.ByokV1Key {
+	key := byokv1.ByokV1Key{Key: &byokv1.ByokV1KeyKeyOneOf{ByokV1GcpKey: &byokv1.ByokV1GcpKey{
 		KeyId: keyString,
 		Kind:  "GcpKey",
 	}}}
+	if displayName != "" {
+		key.SetDisplayName(displayName)
+	}
+	return key
 }
 
 func (c *command) create(cmd *cobra.Command, args []string) error {
 	keyString := args[0]
 	var keyReq byokv1.ByokV1Key
 
+	displayName, err := cmd.Flags().GetString("display-name")
+	if err != nil {
+		return err
+	}
+
 	switch {
 	case cmd.Flags().Changed("key-vault") && cmd.Flags().Changed("tenant"):
 		keyString = removeKeyVersionFromAzureKeyId(keyString)
 
-		request, err := c.createAzureKeyRequest(cmd, keyString)
+		request, err := c.createAzureKeyRequest(cmd, keyString, displayName)
 		if err != nil {
 			return err
 		}
 		keyReq = request
 	case isAWSKey(keyString):
-		keyReq = c.createAwsKeyRequest(keyString)
+		keyReq = c.createAwsKeyRequest(keyString, displayName)
 	case isGcpKey(keyString):
-		keyReq = c.createGcpKeyRequest(keyString)
+		keyReq = c.createGcpKeyRequest(keyString, displayName)
 	default:
 		return fmt.Errorf("invalid key format: %s", keyString)
 	}
 
@@ -53,12 +53,17 @@ func (c *command) outputByokKeyDescription(cmd *cobra.Command, key byokv1.ByokV1
 
 	table := output.NewTable(cmd)
 	table.Add(&out{
-		Id:        key.GetId(),
-		Key:       keyString,
-		Roles:     roles,
-		Cloud:     key.GetProvider(),
-		State:     key.GetState(),
-		CreatedAt: key.Metadata.CreatedAt.String(),
+		Id:                key.GetId(),
+		DisplayName:       key.GetDisplayName(),
+		Key:               keyString,
+		Roles:             roles,
+		Cloud:             key.GetProvider(),
+		State:             key.GetState(),
+		CreatedAt:         key.Metadata.CreatedAt.String(),
+		ValidationPhase:   key.Validation.GetPhase(),
+		ValidationSince:   key.Validation.GetSince().String(),
+		ValidationRegion:  key.Validation.GetRegion(),
+		ValidationMessage: key.Validation.GetMessage(),
 	})
 	table.Print()
 
 
@@ -19,6 +19,10 @@ func (c *command) newListCommand() *cobra.Command {
 
 	pcmd.AddCloudFlag(cmd)
 	pcmd.AddByokStateFlag(cmd)
+	cmd.Flags().String("region", "", "Filter by region.")
+	cmd.Flags().String("phase", "", "Filter by validation phase.")
+	cmd.Flags().String("display-name", "", "Filter by display name.")
+	cmd.Flags().String("key", "", "Filter by key identifier.")
 	pcmd.AddOutputFlag(cmd)
 
 	return cmd
@@ -49,7 +53,27 @@ func (c *command) list(cmd *cobra.Command, _ []string) error {
 		state = "AVAILABLE"
 	}
 
-	keys, err := c.V2Client.ListByokKeys(cloud, state)
+	region, err := cmd.Flags().GetString("region")
+	if err != nil {
+		return err
+	}
+
+	phase, err := cmd.Flags().GetString("phase")
+	if err != nil {
+		return err
+	}
+
+	displayName, err := cmd.Flags().GetString("display-name")
+	if err != nil {
+		return err
+	}
+
+	key, err := cmd.Flags().GetString("key")
+	if err != nil {
+		return err
+	}
+
+	keys, err := c.V2Client.ListByokKeys(cloud, state, region, phase, displayName, key)
 	if err != nil {
 		return err
 	}
@@ -69,17 +93,22 @@ func (c *command) list(cmd *cobra.Command, _ []string) error {
 		}
 
 		list.Add(&out{
-			Id:        key.GetId(),
-			Key:       keyString,
-			Cloud:     key.GetProvider(),
-			State:     key.GetState(),
-			CreatedAt: key.Metadata.CreatedAt.String(),
+			Id:                key.GetId(),
+			DisplayName:       key.GetDisplayName(),
+			Key:               keyString,
+			Cloud:             key.GetProvider(),
+			State:             key.GetState(),
+			CreatedAt:         key.Metadata.CreatedAt.String(),
+			ValidationPhase:   key.Validation.GetPhase(),
+			ValidationSince:   key.Validation.GetSince().String(),
+			ValidationRegion:  key.Validation.GetRegion(),
+			ValidationMessage: key.Validation.GetMessage(),
 		})
 	}
 
 	// The API returns a list sorted by creation date already
 	list.Sort(false)
-	list.Filter([]string{"Id", "Key", "Cloud", "State", "CreatedAt"})
+	list.Filter([]string{"Id", "DisplayName", "Key", "Cloud", "State", "CreatedAt"})
 
 	return list.Print()
 }
@@ -0,0 +1,56 @@
+package byok
+
+import (
+	"github.com/spf13/cobra"
+
+	byokv1 "github.com/confluentinc/ccloud-sdk-go-v2/byok/v1"
+
+	pcmd "github.com/confluentinc/cli/v4/pkg/cmd"
+	"github.com/confluentinc/cli/v4/pkg/errors"
+	"github.com/confluentinc/cli/v4/pkg/examples"
+)
+
+func (c *command) newUpdateCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:               "update <id>",
+		Short:             "Update a self-managed key.",
+		Long:              "Update a self-managed key in Confluent Cloud.",
+		Args:              cobra.ExactArgs(1),
+		ValidArgsFunction: pcmd.NewValidArgsFunction(c.validArgs),
+		RunE:              c.update,
+		Example: examples.BuildExampleString(
+			examples.Example{
+				Text: `Update the display name of self-managed key "cck-12345".`,
+				Code: `confluent byok update cck-12345 --display-name "My production key"`,
+			},
+		),
+	}
+
+	cmd.Flags().String("display-name", "", "A human-readable name for the self-managed key.")
+	pcmd.AddOutputFlag(cmd)
+
+	cobra.CheckErr(cmd.MarkFlagRequired("display-name"))
+
+	return cmd
+}
+
+func (c *command) update(cmd *cobra.Command, args []string) error {
+	keyId := args[0]
+
+	displayName, err := cmd.Flags().GetString("display-name")
+	if err != nil {
+		return err
+	}
+
+	// Use dedicated update struct following the pattern from API Keys
+	updateReq := byokv1.ByokV1KeyUpdate{
+		DisplayName: byokv1.PtrString(displayName),
+	}
+
+	key, httpResp, err := c.V2Client.UpdateByokKey(keyId, updateReq)
+	if err != nil {
+		return errors.CatchByokKeyNotFoundError(err, httpResp)
+	}
+
+	return c.outputByokKeyDescription(cmd, key)
+}
@@ -31,17 +31,21 @@ func (c *Client) GetByokKey(keyId string) (byokv1.ByokV1Key, *http.Response, err
 	return c.ByokClient.KeysByokV1Api.GetByokV1Key(c.byokApiContext(), keyId).Execute()
 }
 
+func (c *Client) UpdateByokKey(keyId string, keyUpdate byokv1.ByokV1KeyUpdate) (byokv1.ByokV1Key, *http.Response, error) {
+	return c.ByokClient.KeysByokV1Api.UpdateByokV1Key(c.byokApiContext(), keyId).ByokV1KeyUpdate(keyUpdate).Execute()
+}
+
 func (c *Client) DeleteByokKey(keyId string) (*http.Response, error) {
 	return c.ByokClient.KeysByokV1Api.DeleteByokV1Key(c.byokApiContext(), keyId).Execute()
 }
 
-func (c *Client) ListByokKeys(provider, state string) ([]byokv1.ByokV1Key, error) {
+func (c *Client) ListByokKeys(provider, state, region, phase, displayName, key string) ([]byokv1.ByokV1Key, error) {
 	var list []byokv1.ByokV1Key
 
 	done := false
 	pageToken := ""
 	for !done {
-		page, httpResp, err := c.executeListByokKeys(pageToken, provider, state)
+		page, httpResp, err := c.executeListByokKeys(pageToken, provider, state, region, phase, displayName, key)
 		if err != nil {
 			return nil, errors.CatchCCloudV2Error(err, httpResp)
 		}
@@ -55,14 +59,26 @@ func (c *Client) ListByokKeys(provider, state string) ([]byokv1.ByokV1Key, error
 	return list, nil
 }
 
-func (c *Client) executeListByokKeys(pageToken, provider, state string) (byokv1.ByokV1KeyList, *http.Response, error) {
+func (c *Client) executeListByokKeys(pageToken, provider, state, region, phase, displayName, key string) (byokv1.ByokV1KeyList, *http.Response, error) {
 	req := c.ByokClient.KeysByokV1Api.ListByokV1Keys(c.byokApiContext()).PageSize(ccloudV2ListPageSize)
 	if provider != "" {
 		req = req.Provider(provider)
 	}
 	if state != "" {
 		req = req.State(state)
 	}
+	if region != "" {
+		req = req.ValidationRegion(region)
+	}
+	if phase != "" {
+		req = req.ValidationPhase(phase)
+	}
+	if displayName != "" {
+		req = req.DisplayName(displayName)
+	}
+	if key != "" {
+		req = req.Key(key)
+	}
 	if pageToken != "" {
 		req = req.PageToken(pageToken)
 	}
 
@@ -67,7 +67,7 @@ func AddByokKeyFlag(cmd *cobra.Command, command *AuthenticatedCLICommand) {
 }
 
 func AutocompleteByokKeyIds(client *ccloudv2.Client) []string {
-	keys, err := client.ListByokKeys("", "")
+	keys, err := client.ListByokKeys("", "", "", "", "", "")
 	if err != nil {
 		return nil
 	}
 
@@ -9,12 +9,17 @@ func (s *CLITestSuite) TestByok() {
 		{args: "byok list --state in-use", fixture: "byok/list_2.golden"},
 		{args: "byok list --cloud aws", fixture: "byok/list_3.golden"},
 		{args: "byok list --state in-use --cloud azure", fixture: "byok/list_4.golden"},
+		{args: "byok list --region us-east-1", fixture: "byok/list_5.golden"},
+		{args: "byok list --phase VALID", fixture: "byok/list_6.golden"},
+		{args: "byok list --display-name 'Development AWS Key'", fixture: "byok/list_7.golden"},
+		{args: "byok list --key 'a-vault'", fixture: "byok/list_8.golden"},
 		// create tests
 		{args: "byok create arn:aws:kms:us-west-2:037803949979:key/0e2609e3-a0bf-4f39-aedf-8b1f63b16d81", fixture: "byok/create_1.golden"},
 		{args: "byok create https://a-vault.vault.azure.net/keys/a-key/00000000000000000000000000000000 --tenant 00000000-0000-0000-0000-000000000000 --key-vault /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/a-resourcegroups/providers/Microsoft.KeyVault/vaults/a-vault", fixture: "byok/create_2.golden"},
 		{args: "byok create https://a-vault.vault.azure.net/keys/a-key/00000000000000000000000000000000 --tenant 00000000-0000-0000-0000-000000000000", fixture: "byok/create_3.golden", exitCode: 1},
 		{args: "byok create https://a-vault.vault.azure.net/keys/a-key/00000000000000000000000000000000", fixture: "byok/create_4.golden", exitCode: 1},
 		{args: "byok create projects/exampleproject/locations/us-central1/keyRings/testkeyring/cryptoKeys/testbyokkey/cryptoKeyVersions/3", fixture: "byok/create_5.golden"},
+		{args: "byok create projects/exampleproject/locations/us-central1/keyRings/testkeyring/cryptoKeys/testbyokkey/cryptoKeyVersions/4 --display-name 'Test GCP Key'", fixture: "byok/create_6.golden"},
 	}
 
 	resetConfiguration(s.T(), false)
@@ -58,6 +63,19 @@ func (s *CLITestSuite) TestByokDescribe() {
 	}
 }
 
+func (s *CLITestSuite) TestByokUpdate() {
+	tests := []CLITest{
+		{args: `byok update cck-001 --display-name "Updated Production Key"`, fixture: "byok/update-success.golden"},
+		{args: `byok update cck-001 --display-name "Updated Production Key" -o json`, fixture: "byok/update-success-json.golden"},
+		{args: "byok update cck-404 --display-name \"Non-existent Key\"", fixture: "byok/update-fail.golden", exitCode: 1},
+	}
+
+	for _, test := range tests {
+		test.login = "cloud"
+		s.runIntegrationTest(test)
+	}
+}
+
 func (s *CLITestSuite) TestByok_Autocomplete() {
 	test := CLITest{args: `__complete byok describe ""`, login: "cloud", fixture: "byok/describe-autocomplete.golden"}
 	s.runIntegrationTest(test)
 
@@ -1,12 +1,14 @@
-+------------+-----------------------------------------------------------------------------+
-| ID         | cck-004                                                                     |
-| Key        | arn:aws:kms:us-west-2:037803949979:key/0e2609e3-a0bf-4f39-aedf-8b1f63b16d81 |
-| Roles      | arn:aws:iam::123456789012:role/role1,                                       |
-|            | arn:aws:iam::123456789012:role/role2                                        |
-| Cloud      | AWS                                                                         |
-| State      | AVAILABLE                                                                   |
-| Created At | 2022-12-24 00:00:00 +0000 UTC                                               |
-+------------+-----------------------------------------------------------------------------+
++------------------+-----------------------------------------------------------------------------+
+| ID               | cck-004                                                                     |
+| Key              | arn:aws:kms:us-west-2:037803949979:key/0e2609e3-a0bf-4f39-aedf-8b1f63b16d81 |
+| Roles            | arn:aws:iam::123456789012:role/role1,                                       |
+|                  | arn:aws:iam::123456789012:role/role2                                        |
+| Cloud            | AWS                                                                         |
+| State            | AVAILABLE                                                                   |
+| Created At       | 2022-12-24 00:00:00 +0000 UTC                                               |
+| Validation Phase | INITIALIZING                                                                |
+| Validation Since | 2022-12-24 00:00:00 +0000 UTC                                               |
++------------------+-----------------------------------------------------------------------------+
 
 Copy and append these permissions into the key policy "Statements" field of the ARN in your AWS key management system to authorize access for your Confluent Cloud cluster.
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ func AddByokKeyFlag(cmd cobra.Command, command AuthenticatedCLICommand) {`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`func AutocompleteByokKeyIds(client *ccloudv2.Client) []string {`
`70`		`- keys, err := client.ListByokKeys("", "")`
	`70`	`+ keys, err := client.ListByokKeys("", "", "", "", "", "")`
`71`	`71`	`if err != nil {`
`72`	`72`	`return nil`
`73`	`73`	`}`