diff --git a/src/KeyVault/KeyVault.Test/LiveTests/TestLiveScenarios.ps1 b/src/KeyVault/KeyVault.Test/LiveTests/TestLiveScenarios.ps1 index f065d688d7d2..0297d0416af0 100644 --- a/src/KeyVault/KeyVault.Test/LiveTests/TestLiveScenarios.ps1 +++ b/src/KeyVault/KeyVault.Test/LiveTests/TestLiveScenarios.ps1 @@ -47,7 +47,7 @@ Invoke-LiveTestScenario -Name "Update key vault" -Description "Test updating pro # Update EnableRbacAuthorization $vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Location $vaultLocation - $vault = $vault | Update-AzKeyVault -EnableRbacAuthorization $false + $vault = $vault | Update-AzKeyVault -DisableRbacAuthorization $true Assert-False { $vault.EnableRbacAuthorization } "EnableRbacAuthorization should be false" # Update Tags diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/KeyVaultManagementTests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/KeyVaultManagementTests.ps1 index 9609bde22727..350c954e76b5 100644 --- a/src/KeyVault/KeyVault.Test/ScenarioTests/KeyVaultManagementTests.ps1 +++ b/src/KeyVault/KeyVault.Test/ScenarioTests/KeyVaultManagementTests.ps1 @@ -134,7 +134,7 @@ function Test-CreateNewVault { Assert-AreEqual 10 $actual.SoftDeleteRetentionInDays "SoftDeleteRetentionInDays should be the same value as set" # Test enable RbacAuthorization - $actual = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation -EnableRbacAuthorization + $actual = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation Assert-True { $actual.EnableRbacAuthorization } "If specified, EnableRbacAuthorization should be true" # Test positional parameters 
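Review bot: In the Test-CreateNewVault hunk the assertion message still reads "If specified, EnableRbacAuthorization should be true", although the call above it no longer passes any switch, so a failure would report the wrong scenario. The message should describe the default, for example `Assert-True { $actual.EnableRbacAuthorization } "By default, EnableRbacAuthorization should be true"`. Nothing visible in this hunk exercises the opt-out path of `New-AzKeyVault`, which is the only way left to create a vault that uses access policies. A second creation such as `$actual = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation -DisableRbacAuthorization` followed by `Assert-False { $actual.EnableRbacAuthorization } "If DisableRbacAuthorization is specified, EnableRbacAuthorization should be false"` would pin it. The function body continues outside the hunk, so such a case may already exist further down.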
@@ -823,11 +823,11 @@ function Test-UpdateKeyVault { # Assert-Throws { $vault = $vault | Update-AzKeyVault -SoftDeleteRetentionInDays 80} #Set EnableRbacAuthorization true - $vault = $vault | Update-AzKeyVault -EnableRbacAuthorization $true + $vault = $vault | Update-AzKeyVault -DisableRbacAuthorization $false Assert-True { $vault.EnableRbacAuthorization } "5. EnableRbacAuthorization should be true" #Set EnableRbacAuthorization false - $vault = $vault | Update-AzKeyVault -EnableRbacAuthorization $false + $vault = $vault | Update-AzKeyVault -DisableRbacAuthorization $true Assert-False { $vault.EnableRbacAuthorization } "6. EnableRbacAuthorization should be false" # Update Tags diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md index ac237c2d93c9..85d62ba6655e 100644 --- a/src/KeyVault/KeyVault/ChangeLog.md +++ b/src/KeyVault/KeyVault/ChangeLog.md @@ -18,6 +18,8 @@ - Additional information about change #1 --> ## Upcoming Release +* [Breaking Change] Replaced parameter `EnableRbacAuthorization` by `DisableRbacAuthorization` in `New-AzKeyVault` and `Update-AzKeyVault`. + - RBAC will be enabled by default during the process of key vault creation. * Introduced secrets detection feature to safeguard sensitive data. * [Upcoming Breaking Change] Added breaking change warning message for parameter `UseDefaultCVMPolicy` of `Add-AzKeyVaultKey`. - The offline fallback policy will be removed. Key creation will fail if unable to get regional default CVM SKR policy from MAA Service Discovery API. 
@@ -30,7 +32,7 @@ * [Upcoming Breaking Change] Added breaking change warning message for parameter `EnableRbacAuthorization` of `New-AzKeyVault` and `Update-AzKeyVault`. - RBAC will be enabled by default during the process of key vault creation. To disable RBAC authorization, please use parameter 'DisableRbacAuthorization'. - Parameter `EnableRbacAuthorization` is expected to be removed in Az.KeyVault 6.0.0 and Az 12.0.0. - - Parameter `EnableRbacAuthorization` is expected to be replaced by `DisableRbacAuthorization`. + - Parameter `EnableRbacAuthorization` is expected to be replaced by `DisableRbacAuthorization`. * Upgraded Azure.Core to 1.37.0. ## Version 5.2.1 diff --git a/src/KeyVault/KeyVault/Commands/GetAzureKeyVault.cs b/src/KeyVault/KeyVault/Commands/KeyVault/GetAzureKeyVault.cs similarity index 100% rename from src/KeyVault/KeyVault/Commands/GetAzureKeyVault.cs rename to src/KeyVault/KeyVault/Commands/KeyVault/GetAzureKeyVault.cs diff --git a/src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs b/src/KeyVault/KeyVault/Commands/KeyVault/NewAzureKeyVault.cs similarity index 92% rename from src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs rename to src/KeyVault/KeyVault/Commands/KeyVault/NewAzureKeyVault.cs index e2724f6363b8..e6c80edabe6a 100644 --- a/src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs +++ b/src/KeyVault/KeyVault/Commands/KeyVault/NewAzureKeyVault.cs 
@@ -88,10 +88,9 @@ public class NewAzureKeyVault : KeyVaultManagementCmdletBase HelpMessage = "If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well. Enabling 'purge protection' on a key vault is an irreversible action. Once enabled, it cannot be changed or removed.")] public SwitchParameter EnablePurgeProtection { get; set; } - [CmdletParameterBreakingChangeWithVersion(nameof(EnableRbacAuthorization), "12.0.0", "6.0.0", ReplaceMentCmdletParameterName = "DisableRbacAuthorization", ChangeDescription = "RBAC will be enabled by default during the process of key vault creation. To disable RBAC authorization, please use parameter 'DisableRbacAuthorization'.")] [Parameter(Mandatory = false, - HelpMessage = "If specified, enables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC.")] - public SwitchParameter EnableRbacAuthorization { get; set; } + HelpMessage = "If specified, disables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC.")] + public SwitchParameter DisableRbacAuthorization { get; set; } [Parameter(Mandatory = false, HelpMessage = "Specifies how long deleted resources are retained, and how long until a vault or an object in the deleted state can be purged. The default is " + Constants.DefaultSoftDeleteRetentionDaysString + " days.")] [ValidateRange(Constants.MinSoftDeleteRetentionDays, Constants.MaxSoftDeleteRetentionDays)] 
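Review bot: The HelpMessage on the new `DisableRbacAuthorization` switch still carries the clause "and then the access policies specified in vault properties will be ignored", which was true of the old enable switch and is the opposite of what happens when RBAC is turned off. A reader choosing the authorization model for a vault would be told that opting out of RBAC also discards access policies. I would reword it as `HelpMessage = "If specified, disables authorization of data actions by Role Based Access Control (RBAC); data actions are then authorized by the access policies specified in vault properties. Note that management actions are always authorized with RBAC.")]`. The same sentence is copied into help/New-AzKeyVault.md later in this commit and needs the same correction. The class body continues outside the hunk.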
@@ -169,7 +168,7 @@ public override void ExecuteCmdlet() EnabledForDiskEncryption = EnabledForDiskEncryption.IsPresent ? true : null as bool?, EnableSoftDelete = null, EnablePurgeProtection = EnablePurgeProtection.IsPresent ? true : (bool?)null, // false is not accepted - EnableRbacAuthorization = EnableRbacAuthorization.IsPresent ? true : null as bool?, + EnableRbacAuthorization = DisableRbacAuthorization.IsPresent ? false : true, /* * If retention days is not specified, use the default value, * else use the vault user provides diff --git a/src/KeyVault/KeyVault/Commands/RemoveAzureKeyVault.cs b/src/KeyVault/KeyVault/Commands/KeyVault/RemoveAzureKeyVault.cs similarity index 100% rename from src/KeyVault/KeyVault/Commands/RemoveAzureKeyVault.cs rename to src/KeyVault/KeyVault/Commands/KeyVault/RemoveAzureKeyVault.cs diff --git a/src/KeyVault/KeyVault/Commands/UndoAzureKeyVaultRemoval.cs b/src/KeyVault/KeyVault/Commands/KeyVault/UndoAzureKeyVaultRemoval.cs similarity index 100% rename from src/KeyVault/KeyVault/Commands/UndoAzureKeyVaultRemoval.cs rename to src/KeyVault/KeyVault/Commands/KeyVault/UndoAzureKeyVaultRemoval.cs diff --git a/src/KeyVault/KeyVault/Commands/UpdateAzureKeyVault.cs b/src/KeyVault/KeyVault/Commands/KeyVault/UpdateAzureKeyVault.cs similarity index 90% rename from src/KeyVault/KeyVault/Commands/UpdateAzureKeyVault.cs rename to src/KeyVault/KeyVault/Commands/KeyVault/UpdateAzureKeyVault.cs index 6a6ea4b75588..1eb615bd0a9c 100644 --- a/src/KeyVault/KeyVault/Commands/UpdateAzureKeyVault.cs +++ b/src/KeyVault/KeyVault/Commands/KeyVault/UpdateAzureKeyVault.cs 
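Review bot: `DisableRbacAuthorization.IsPresent ? false : true` in the object initializer is a negation written as a conditional; `EnableRbacAuthorization = !DisableRbacAuthorization.IsPresent,` says the same thing. Unlike the neighbouring properties, which send null when their switch is absent, this one now always sends an explicit value, so a short comment such as `// RBAC is on unless the caller opts out; sent explicitly rather than left to the service default` would record that this is deliberate. ExecuteCmdlet starts and ends outside the hunk. If the part not shown still attaches an access policy for the creating principal, that policy would presumably not grant data-plane access on a vault created with RBAC on, which is worth checking and surfacing to the user.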
@@ -52,9 +52,8 @@ public class UpdateTopLevelResourceCommand : KeyVaultManagementCmdletBase [Parameter(Mandatory = false, HelpMessage = "Enable the purge protection functionality for this key vault. Once enabled it cannot be disabled. It requires soft-delete to be turned on.")] public SwitchParameter EnablePurgeProtection { get; set; } - [CmdletParameterBreakingChangeWithVersion(nameof(EnableRbacAuthorization), "12.0.0", "6.0.0", ReplaceMentCmdletParameterName = "DisableRbacAuthorization", ChangeDescription = "RBAC will be enabled by default during the process of key vault creation. To disable RBAC authorization, please use parameter 'DisableRbacAuthorization'.")] - [Parameter(Mandatory = false, HelpMessage = "Enable or disable this key vault to authorize data actions by Role Based Access Control (RBAC).")] - public bool? EnableRbacAuthorization { get; set; } + [Parameter(Mandatory = false, HelpMessage = "Disable or enable this key vault to authorize data actions by Role Based Access Control (RBAC).")] + public bool? DisableRbacAuthorization { get; set; } [Parameter(Mandatory = false, HelpMessage = "Specifies whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules.")] @@ -105,7 +104,7 @@ public override void ExecuteCmdlet() updatedParamater: new VaultCreationOrUpdateParameters { EnablePurgeProtection = this.EnablePurgeProtection.IsPresent ? (true as bool?) : null, - EnableRbacAuthorization = this.EnableRbacAuthorization, + EnableRbacAuthorization = this.DisableRbacAuthorization == null ? null : !this.DisableRbacAuthorization, PublicNetworkAccess = this.PublicNetworkAccess, Tags = this.Tag } 
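Review bot: The HelpMessage "Disable or enable this key vault to authorize data actions by Role Based Access Control (RBAC)." on `DisableRbacAuthorization` does not say which value does which. Because the parameter is a `bool?`, turning RBAC on is spelled `-DisableRbacAuthorization $false`, a double negative on a setting that decides who can read secrets. I would state the mapping outright, for example `HelpMessage = "Specify $true to turn off Role Based Access Control (RBAC) authorization of data actions for this key vault, or $false to turn it on.")]`. The class body continues outside the hunk.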
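Review bot: The explicit null test in `this.DisableRbacAuthorization == null ? null : !this.DisableRbacAuthorization` is redundant, because `!` is lifted over `bool?` and already yields null for a null operand. `EnableRbacAuthorization = !this.DisableRbacAuthorization,` is equivalent and easier to read. A trailing comment such as `// null (parameter omitted) stays null` would keep the three-state intent visible. What the client does with a null value is not shown here; presumably it leaves the vault's current setting untouched. ExecuteCmdlet starts and ends outside the hunk.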
diff --git a/src/KeyVault/KeyVault/help/New-AzKeyVault.md b/src/KeyVault/KeyVault/help/New-AzKeyVault.md index 69c12e99307a..95a3f39c1a48 100644 --- a/src/KeyVault/KeyVault/help/New-AzKeyVault.md +++ b/src/KeyVault/KeyVault/help/New-AzKeyVault.md @@ -16,10 +16,10 @@ Creates a key vault. ``` New-AzKeyVault [-Name] [-ResourceGroupName] [-Location] [-EnabledForDeployment] [-EnabledForTemplateDeployment] [-EnabledForDiskEncryption] [-EnablePurgeProtection] - [-EnableRbacAuthorization] [-SoftDeleteRetentionInDays ] [-PublicNetworkAccess ] + [-DisableRbacAuthorization] [-SoftDeleteRetentionInDays ] [-PublicNetworkAccess ] [-Sku ] [-Tag ] [-NetworkRuleSet ] - [-DefaultProfile ] [-WhatIf] [-Confirm] - [-SubscriptionId ] [] + [-DefaultProfile ] [-WhatIf] [-Confirm] [-SubscriptionId ] + [] ``` ## DESCRIPTION @@ -184,9 +184,8 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -EnabledForDeployment -Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this -key vault is referenced in resource creation, for example when creating a virtual machine. +### -DisableRbacAuthorization +If specified, disables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC. ```yaml Type: System.Management.Automation.SwitchParameter 
@@ -196,12 +195,13 @@ Aliases: Required: False Position: Named Default value: None -Accept pipeline input: True (ByPropertyName) +Accept pipeline input: False Accept wildcard characters: False ``` -### -EnabledForDiskEncryption -Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault. +### -EnabledForDeployment +Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this +key vault is referenced in resource creation, for example when creating a virtual machine. ```yaml Type: System.Management.Automation.SwitchParameter @@ -215,8 +215,8 @@ Accept pipeline input: True (ByPropertyName) Accept wildcard characters: False ``` -### -EnabledForTemplateDeployment -Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment. +### -EnabledForDiskEncryption +Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault. ```yaml Type: System.Management.Automation.SwitchParameter @@ -230,8 +230,8 @@ Accept pipeline input: True (ByPropertyName) Accept wildcard characters: False ``` -### -EnablePurgeProtection -If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well. +### -EnabledForTemplateDeployment +Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment. ```yaml Type: System.Management.Automation.SwitchParameter 
@@ -241,12 +241,12 @@ Aliases: Required: False Position: Named Default value: None -Accept pipeline input: False +Accept pipeline input: True (ByPropertyName) Accept wildcard characters: False ``` -### -EnableRbacAuthorization -If specified, enables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC. +### -EnablePurgeProtection +If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well. ```yaml Type: System.Management.Automation.SwitchParameter diff --git a/src/KeyVault/KeyVault/help/Update-AzKeyVault.md b/src/KeyVault/KeyVault/help/Update-AzKeyVault.md index 7940f03e2b4d..fa3052db0f5f 100644 --- a/src/KeyVault/KeyVault/help/Update-AzKeyVault.md +++ b/src/KeyVault/KeyVault/help/Update-AzKeyVault.md 
@@ -15,23 +15,23 @@ Update the state of an Azure key vault. ### UpdateByNameParameterSet (Default) ``` Update-AzKeyVault -ResourceGroupName -VaultName [-EnablePurgeProtection] - [-EnableRbacAuthorization ] [-PublicNetworkAccess ] [-Tag ] - [-DefaultProfile ] [-WhatIf] [-Confirm] - [-SubscriptionId ] [] + [-DisableRbacAuthorization ] [-PublicNetworkAccess ] [-Tag ] + [-DefaultProfile ] [-WhatIf] [-Confirm] [-SubscriptionId ] + [] ``` ### UpdateByInputObjectParameterSet ``` -Update-AzKeyVault -InputObject [-EnablePurgeProtection] [-EnableRbacAuthorization ] - [-PublicNetworkAccess ] [-Tag ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [-SubscriptionId ] [] +Update-AzKeyVault -InputObject [-EnablePurgeProtection] [-DisableRbacAuthorization ] + [-PublicNetworkAccess ] [-Tag ] [-DefaultProfile ] [-WhatIf] + [-Confirm] [-SubscriptionId ] [] ``` ### UpdateByResourceIdParameterSet ``` -Update-AzKeyVault -ResourceId [-EnablePurgeProtection] [-EnableRbacAuthorization ] - [-PublicNetworkAccess ] [-Tag ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [-SubscriptionId ] [] +Update-AzKeyVault -ResourceId [-EnablePurgeProtection] [-DisableRbacAuthorization ] + [-PublicNetworkAccess ] [-Tag ] [-DefaultProfile ] [-WhatIf] + [-Confirm] [-SubscriptionId ] [] ``` ## DESCRIPTION @@ -48,7 +48,7 @@ Enables purge protection using piping syntax. ### Example 2: Enable RBAC Authorization ```powershell -Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName | Update-AzKeyVault -EnableRbacAuthorization $true +Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName | Update-AzKeyVault -DisableRbacAuthorization $false ``` Enables RBAC Authorization using piping syntax. 
@@ -84,13 +84,11 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -EnablePurgeProtection -Enable the purge protection functionality for this key vault. -Once enabled it cannot be disabled. -It requires soft-delete to be turned on. +### -DisableRbacAuthorization +Disable or enable this key vault to authorize data actions by Role Based Access Control (RBAC). ```yaml -Type: System.Management.Automation.SwitchParameter +Type: System.Nullable`1[System.Boolean] Parameter Sets: (All) Aliases: @@ -101,11 +99,13 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -EnableRbacAuthorization -Enable or disable this key vault to authorize data actions by Role Based Access Control (RBAC). +### -EnablePurgeProtection +Enable the purge protection functionality for this key vault. +Once enabled it cannot be disabled. +It requires soft-delete to be turned on. ```yaml -Type: System.Nullable`1[System.Boolean] +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: diff --git a/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv b/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv new file mode 100644 index 000000000000..b1ff8148df08 --- /dev/null +++ b/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv 
@@ -0,0 +1,8 @@ +"Module","ClassName","Target","Severity","ProblemId","Description","Remediation" +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.NewAzureKeyVault","New-AzKeyVault","0","2000","The cmdlet 'New-AzKeyVault' no longer supports the parameter 'EnableRbacAuthorization' and no alias was found for the original parameter name.","Add the parameter 'EnableRbacAuthorization' back to the cmdlet 'New-AzKeyVault', or add an alias to the original parameter name." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.NewAzureKeyVault","New-AzKeyVault","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzKeyVault' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzKeyVault'." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","2000","The cmdlet 'Update-AzKeyVault' no longer supports the parameter 'EnableRbacAuthorization' and no alias was found for the original parameter name.","Add the parameter 'EnableRbacAuthorization' back to the cmdlet 'Update-AzKeyVault', or add an alias to the original parameter name." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","1050","The parameter set 'UpdateByNameParameterSet' for cmdlet 'Update-AzKeyVault' has been removed.","Add parameter set 'UpdateByNameParameterSet' back to cmdlet 'Update-AzKeyVault'." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","1050","The parameter set 'UpdateByInputObjectParameterSet' for cmdlet 'Update-AzKeyVault' has been removed.","Add parameter set 'UpdateByInputObjectParameterSet' back to cmdlet 'Update-AzKeyVault'." 
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","1050","The parameter set 'UpdateByResourceIdParameterSet' for cmdlet 'Update-AzKeyVault' has been removed.","Add parameter set 'UpdateByResourceIdParameterSet' back to cmdlet 'Update-AzKeyVault'." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","1050","The parameter set '__AllParameterSets' for cmdlet 'Update-AzKeyVault' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'Update-AzKeyVault'." \ No newline at end of file