

[IoT Hub] Track 2 updates and managed identity implementation (#18098)
* IoT Hub track 2 updates and managed identity implementation (#2)

* Updates to use track 2 Hub GA SDK

* Added user-assigned identity functionality

* Added routing endpoint identity

* Add DeviceConnectionStateEvents as a routing source type

* RoutingSource test updates

* SDK version update to 2.0.0

Co-authored-by: Ryan Kelly <[email protected]>

* Test recording updates with 2.0.0 SDK

* Fixes for hyrid profile commands / tests and iot_security tests

* String fixes from code review

Co-authored-by: Xing Zhou <[email protected]>

* Updated CLIErrors for missing params to use RequiredArgumentMissingError

* Fix CLIError -> ArgumentUsageError

* PR feedback and test updates

* New format for managed identity parameters

Updated params and help

Test recording updates

* Fix wrong parameter in error description

* Removed identity update command

Added support for `remove --user-assigned` (with no IDs given) to remove all user-assigned identities

Co-authored-by: Ryan Kelly <[email protected]>
Co-authored-by: Xing Zhou <[email protected]>
3 people authored May 21, 2021
1 parent 22d974a commit 4ecd48e
Showing 19 changed files with 13,961 additions and 11,760 deletions.
2 changes: 1 addition & 1 deletion src/azure-cli-core/azure/cli/core/profiles/_shared.py
Expand Up @@ -208,7 +208,7 @@ def default_api_version(self):
'subscription_diagnostic_settings': '2017-05-01-preview'
}),
ResourceType.MGMT_APPSERVICE: '2020-09-01',
ResourceType.MGMT_IOTHUB: '2020-03-01',
ResourceType.MGMT_IOTHUB: '2021-03-31',
ResourceType.MGMT_ARO: '2020-04-30',
ResourceType.MGMT_DATABOXEDGE: '2019-08-01'
},
1 change: 1 addition & 0 deletions src/azure-cli/azure/cli/command_modules/iot/_constants.py
Expand Up @@ -5,3 +5,4 @@

certificate_help = """For a detailed explanation of CA certificates in Azure IoT Hub,
see https://docs.microsoft.com/azure/iot-hub/iot-hub-x509ca-overview """
SYSTEM_ASSIGNED_IDENTITY = '[system]'
52 changes: 48 additions & 4 deletions src/azure-cli/azure/cli/command_modules/iot/_help.py
Expand Up @@ -402,6 +402,9 @@
- name: Create an IoT Hub with the standard pricing tier S1 and 4 partitions, in the 'westus' region, with tags.
text: >
az iot hub create --resource-group MyResourceGroup --name MyIotHub --location westus --tags a=b c=d
- name: Create an IoT Hub with a system-assigned managed identity, and assign a role and scope to a storage account for the created identity.
text: >
az iot hub create --resource-group MyResourceGroup --name MyIotHub --location westus --mi-system-assigned --role "Storage Blob Data Contributor" --scopes {resourceId}
"""

helps['iot hub delete'] = """
Expand All @@ -428,6 +431,47 @@
az iot hub devicestream show -n MyIotHub
"""

helps['iot hub identity'] = """
type: group
short-summary: Manage identities of an Azure IoT hub.
"""

helps['iot hub identity assign'] = """
type: command
short-summary: Assign managed identities to an IoT Hub
examples:
- name: Assign user-assigned managed identities to an IoT Hub
text: >
az iot hub identity assign --name MyIoTHub --resource-group MyResourceGroup --user-assigned {resourceId1} {resourceId2}
- name: Assign a system-assigned managed identity to an IoT Hub and assign a role to that identity.
text: >
az iot hub identity assign --name MyIoTHub --resource-group MyResourceGroup --system-assigned --role "Storage Blob Data Contributor" --scopes {resourceId}
"""

helps['iot hub identity show'] = """
type: command
short-summary: Show the identity properties of an IoT Hub
examples:
- name: Show identity properties of an IoT Hub
text: >
az iot hub identity show --name MyIoTHub --resource-group MyResourceGroup
"""

helps['iot hub identity remove'] = """
type: command
short-summary: Remove managed identities from an IoT Hub
examples:
- name: Remove a user-assigned managed identity from an IoT Hub
text: >
az iot hub identity remove --name MyIoTHub --resource-group MyResourceGroup --user-assigned {resourceId}
- name: Remove a system-assigned managed identity from an IoT Hub.
text: >
az iot hub identity remove --name MyIoTHub --resource-group MyResourceGroup --system-assigned
- name: Remove all identities from an IoT Hub.
text: >
az iot hub identity remove --name MyIoTHub --resource-group MyResourceGroup --system-assigned --user-assigned
"""

helps['iot hub list'] = """
type: command
short-summary: List IoT hubs.
Expand Down Expand Up @@ -653,9 +697,9 @@
--endpoint-subscription-id {SubscriptionId} --connection-string {ConnectionString} \\
--container-name {ContainerName} --batch-frequency 100 --chunk-size 100 \\
--ff {iothub}-{partition}-{YYYY}-{MM}-{DD}-{HH}-{mm}
- name: Add a new identity-based EventHub endpoint named "EventHubIdentity"
- name: Add a new identity-based EventHub endpoint named "EventHubIdentity" and authenticate using a user-assigned managed identity
text: >
az iot hub routing-endpoint create --resource-group MyResourceGroup --hub-name MyIotHub --endpoint-name EventHubIdentity --endpoint-type eventhub --endpoint-resource-group {ResourceGroup} --endpoint-subscription-id {SubscriptionId} --auth-type identityBased --endpoint-uri {EventHubEndpointUri} --entity-path {EntityPath}
az iot hub routing-endpoint create --resource-group MyResourceGroup --hub-name MyIotHub --endpoint-name EventHubIdentity --endpoint-type eventhub --endpoint-resource-group {ResourceGroup} --endpoint-subscription-id {SubscriptionId} --auth-type identityBased --identity {userIdentityResourceId} --endpoint-uri {EventHubEndpointUri} --entity-path {EntityPath}
"""

helps['iot hub routing-endpoint delete'] = """
Expand Down Expand Up @@ -779,9 +823,9 @@
- name: Update the IoT Hub feedback queue settings
text: >
az iot hub update --name MyIoTHub --feedback-max-delivery-count 20 --feedback-lock-duration 100 --feedback-ttl 4
- name: Update the IoT Hub file upload settings
- name: Update the IoT Hub file upload settings, and assign a managed identity to user for file upload
text: >
az iot hub update -n MyIoTHub --fileupload-sas-ttl 5 --fileupload-storage-auth-type identityBased
az iot hub update -n MyIoTHub --fileupload-sas-ttl 5 --fileupload-storage-auth-type identityBased --fileupload-storage-identity [system]
- name: Update the IoT Hub file upload notification settings
text: >
az iot hub update -n MyIoTHub --fileupload-notification-max-delivery-count 50
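Review bot: The `iot hub update` file-upload example passes `--fileupload-storage-identity [system]` unquoted, and `[system]` is a bracket glob in every POSIX shell — bash substitutes it when a single-character file name from that set exists in the working directory, and zsh aborts with "no matches found" by default — so the example should read `az iot hub update -n MyIoTHub --fileupload-sas-ttl 5 --fileupload-storage-auth-type identityBased --fileupload-storage-identity "[system]"`. The routing-endpoint example only shows the user-assigned resource-ID form of `--identity`, so the same problem recurs whenever a user copies the `[system]` value from the parameter help; a parenthetical there such as `(quote the value as "[system]" in your shell)` would head that off. The `identity remove` examples, including the remove-everything form, do not say that routing endpoints and file-upload settings already configured with `identityBased` auth on that identity stop authenticating once it is gone — presumably the service rejects or silently fails those writes afterwards, so a one-line caveat on the command's `short-summary` seems warranted.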
38 changes: 37 additions & 1 deletion src/azure-cli/azure/cli/command_modules/iot/_params.py
Expand Up @@ -165,7 +165,7 @@ def load_arguments(self, _): # pylint: disable=too-many-statements
help='The connection string for the Azure Storage account to which files are uploaded.')
c.argument('fileupload_storage_authentication_type',
options_list=['--fileupload-storage-auth-type', '--fsa'],
help='The authentication type for the Azure Storage account to which files are uploaded.'
help='The authentication type for the Azure Storage account to which files are uploaded. '
'Possible values are keyBased and identityBased')
c.argument('fileupload_storage_container_uri',
options_list=['--fileupload-storage-container-uri', '--fcu'],
Expand All @@ -178,10 +178,42 @@ def load_arguments(self, _): # pylint: disable=too-many-statements
type=int, validator=validate_fileupload_sas_ttl,
help='The amount of time a SAS URI generated by IoT Hub is valid before it expires,'
' between 1 and 24 hours.')
c.argument('fileupload_storage_identity',
options_list=['--fileupload-storage-identity', '--fsi'],
help="The managed identity to use for file upload authentication. Use '[system]' to "
"refer to the system-assigned managed identity or a resource ID to refer to a "
"user-assigned managed identity.")
c.argument('min_tls_version', options_list=['--min-tls-version', '--mintls'],
type=str, help='Specify the minimum TLS version to support for this hub. Can be set to'
' "1.2" to have clients that use a TLS version below 1.2 to be rejected.')
c.argument('tags', tags_type)
c.argument('system_identity', options_list=['--mi-system-assigned'],
arg_type=get_three_state_flag(),
help="Enable system-assigned managed identity for this hub")
c.argument('user_identities', options_list=['--mi-user-assigned'],
nargs='*', help="Enable user-assigned managed identities for this hub. "
"Accept space-separated list of identity resource IDs.")
c.argument('identity_role', options_list=['--role'],
help="Role to assign to the hub's system-assigned managed identity.")
c.argument('identity_scopes', options_list=['--scopes'], nargs='*',
help="Space separated list of scopes to assign the role (--role) "
"for the system-assigned managed identity.")

with self.argument_context('iot hub identity assign') as c:
c.argument('system_identity', options_list=['--system-assigned', '--system'],
arg_type=get_three_state_flag(),
nargs='*', help="Assign a system-assigned managed identity to this hub.")
c.argument('user_identities', options_list=['--user-assigned', '--user'],
nargs='+', help="Assign user-assigned managed identities to this hub. "
"Accept space-separated list of identity resource IDs.")

with self.argument_context('iot hub identity remove') as c:
c.argument('system_identity', options_list=['--system-assigned', '--system'],
arg_type=get_three_state_flag(),
nargs='*', help="Remove a system-assigned managed identity from this hub.")
c.argument('user_identities', options_list=['--user-assigned', '--user'],
nargs='*', help="Remove user-assigned managed identities from this hub. "
"Accept space-separated list of identity resource IDs.")

for subgroup in ['consumer-group', 'policy', 'certificate', 'routing-endpoint', 'route']:
with self.argument_context('iot hub {}'.format(subgroup)) as c:
Expand Down Expand Up @@ -238,6 +270,10 @@ def load_arguments(self, _): # pylint: disable=too-many-statements
' mandatory but can be reordered with or without delimiters.')
c.argument('authentication_type', options_list=['--auth-type'], arg_type=get_enum_type(AuthenticationType),
help='Authentication type for the endpoint. The default is keyBased.')
c.argument('identity', help='Use a system-assigned or user-assigned managed identity for endpoint '
'authentication. Use "[system]" to refer to the system-assigned identity or a resource ID '
'to refer to a user-assigned identity. If you use --auth-type without this parameter, '
'system-assigned managed identity is assumed.')

with self.argument_context('iot hub certificate') as c:
c.argument('certificate_path', options_list=['--path', '-p'], type=file_type,
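Review bot: `system_identity` under `iot hub identity assign` and `iot hub identity remove` combines `arg_type=get_three_state_flag()` with `nargs='*'`, whereas the same argument on `iot hub create` (the `--mi-system-assigned` lines) uses the flag alone. If `get_three_state_flag` keeps the single-token `nargs='?'` action it registers elsewhere in the CLI, the `'*'` override hands that action a list instead of a string, so `--system-assigned false` would presumably fail inside the action rather than disable the identity, and a bare `--system-assigned` then depends on how the action treats an empty list; I would drop the override so the line reads `c.argument('system_identity', options_list=['--system-assigned', '--system'], arg_type=get_three_state_flag(), help="Assign a system-assigned managed identity to this hub.")`, mirror that on the remove command, and add a test for the explicit `false` form. Separately, the `--role`/`--scopes` help on `iot hub create` does not say the CLI will create an RBAC role assignment at each scope on the caller's behalf, which requires the caller to hold role-assignment write permission and should be scoped as narrowly as the hub needs — a clause such as `Creates a role assignment for the identity at each scope; keep scopes as narrow as possible.` in the `--scopes` help would make the privilege grant explicit. `load_arguments` starts before this hunk.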
6 changes: 6 additions & 0 deletions src/azure-cli/azure/cli/command_modules/iot/commands.py
Expand Up @@ -117,6 +117,12 @@ def load_command_table(self, _): # pylint: disable=too-many-statements
g.custom_show_command('show', 'iot_hub_consumer_group_get')
g.custom_command('delete', 'iot_hub_consumer_group_delete')

# iot hub identity commands
with self.command_group('iot hub identity', client_factory=iot_hub_service_factory) as g:
g.custom_command('assign', 'iot_hub_identity_assign')
g.custom_show_command('show', 'iot_hub_identity_show')
g.custom_command('remove', 'iot_hub_identity_remove')

# iot hub policy commands
with self.command_group('iot hub policy', client_factory=iot_hub_service_factory) as g:
g.custom_command('list', 'iot_hub_policy_list')
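Review bot: `g.custom_command('remove', 'iot_hub_identity_remove')` registers a destructive operation without a confirmation prompt, and per the help added in this commit `remove --system-assigned --user-assigned` strips every identity from the hub, which any routing endpoint or file-upload configuration using `identityBased` auth then depends on. If the loader's `confirmation=True` keyword is available here as it is for other delete-style commands in the CLI, `g.custom_command('remove', 'iot_hub_identity_remove', confirmation=True)` would require `--yes` for scripted use and stop an accidental interactive removal; otherwise a warning from the implementation when the hub still references the identity being removed would be the fallback. `load_command_table` starts before this hunk.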
