From 31c2c05ee315ef0aa2094247b0c77750ced4b82d Mon Sep 17 00:00:00 2001 From: Beisi Zhou Date: Tue, 28 Jun 2022 13:25:23 +0800 Subject: [PATCH] Removed some properties' default values during the process of key vault creation (#18767) * Removed default value for key vault creation * Update New-AzKeyVault.md * Changed default access policies for Key Vault secret, certificate and storage as All * update change log * Update src/KeyVault/KeyVault/ChangeLog.md --- src/KeyVault/KeyVault/ChangeLog.md | 2 + .../KeyVault/Commands/NewAzureKeyVault.cs | 8 +- .../Models/KeyVaultManagementCmdletBase.cs | 38 +-------- .../Models/VaultCreationOrUpdateParameters.cs | 6 +- src/KeyVault/KeyVault/help/New-AzKeyVault.md | 85 +++++++++++++------ 5 files changed, 72 insertions(+), 67 deletions(-) diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md index b3afd31cb0ad..ebb844cfe2f9 100644 --- a/src/KeyVault/KeyVault/ChangeLog.md +++ b/src/KeyVault/KeyVault/ChangeLog.md @@ -22,6 +22,8 @@ * [Breaking Change] Changed parameter `ExpiresIn` in `Set-AzKeyVaultKeyRotationPolicy` from TimeSpan? to string. It must be an ISO 8601 duration like "P30D" for 30 days. * [Breaking Change] Changed output properties `ExpiresIn`, `TimeAfterCreate` and `TimeBeforeExpiry` of `Set-AzKeyVaultKeyRotationPolicy` and `Get-AzKeyVaultKeyRotationPolicy` from TimeSpan? to string. * Supported creating/updating key with release policy in a Managed HSM +* Removed default value for `EnabledForDeployment`, `EnabledForTemplateDeployment`, `EnabledForDiskEncryption` and `EnableRbacAuthorization` during the process of key vault creation +* Changed default access policies for Key Vault secret, certificate and storage as `All` ## Version 4.5.0 * Added `Rotate` into the list of permissions to keys [#17970] diff --git a/src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs b/src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs index a2f5fa8d5b4a..35cfe36629d9 100644 --- a/src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs +++ b/src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs @@ -165,12 +165,12 @@ public override void ExecuteCmdlet() Name = this.Name, ResourceGroupName = this.ResourceGroupName, Location = this.Location, - EnabledForDeployment = this.EnabledForDeployment.IsPresent, - EnabledForTemplateDeployment = EnabledForTemplateDeployment.IsPresent, - EnabledForDiskEncryption = EnabledForDiskEncryption.IsPresent, + EnabledForDeployment = this.EnabledForDeployment.IsPresent ? true : null as bool?, + EnabledForTemplateDeployment = EnabledForTemplateDeployment.IsPresent ? true : null as bool?, + EnabledForDiskEncryption = EnabledForDiskEncryption.IsPresent ? true : null as bool?, EnableSoftDelete = null, EnablePurgeProtection = EnablePurgeProtection.IsPresent ? true : (bool?)null, // false is not accepted - EnableRbacAuthorization = EnableRbacAuthorization.IsPresent, + EnableRbacAuthorization = EnableRbacAuthorization.IsPresent ? true : null as bool?, /* * If retention days is not specified, use the default value, * else use the vault user provides diff --git a/src/KeyVault/KeyVault/Models/KeyVaultManagementCmdletBase.cs b/src/KeyVault/KeyVault/Models/KeyVaultManagementCmdletBase.cs index 3382b313d106..980e12edc9ac 100644 --- a/src/KeyVault/KeyVault/Models/KeyVaultManagementCmdletBase.cs +++ b/src/KeyVault/KeyVault/Models/KeyVaultManagementCmdletBase.cs @@ -374,49 +374,17 @@ protected bool IsValidObjectIdSyntax(string objectId) protected readonly string[] DefaultPermissionsToSecrets = { - SecretPerms.Get, - SecretPerms.List, - SecretPerms.Set, - SecretPerms.Delete, - SecretPerms.Backup, - SecretPerms.Restore, - SecretPerms.Recover + SecretPerms.All }; protected readonly string[] DefaultPermissionsToCertificates = { - CertPerms.Get, - CertPerms.Delete, - CertPerms.List, - CertPerms.Create, - CertPerms.Import, - CertPerms.Update, - CertPerms.Deleteissuers, - CertPerms.Getissuers, - CertPerms.Listissuers, - CertPerms.Managecontacts, - CertPerms.Manageissuers, - CertPerms.Setissuers, - CertPerms.Recover, - CertPerms.Backup, - CertPerms.Restore + CertPerms.All }; protected readonly string[] DefaultPermissionsToStorage = { - StoragePerms.Delete, - StoragePerms.Deletesas, - StoragePerms.Get, - StoragePerms.Getsas, - StoragePerms.List, - StoragePerms.Listsas, - StoragePerms.Regeneratekey, - StoragePerms.Set, - StoragePerms.Setsas, - StoragePerms.Update, - StoragePerms.Recover, - StoragePerms.Backup, - StoragePerms.Restore + StoragePerms.All }; protected readonly string DefaultSkuFamily = "A"; diff --git a/src/KeyVault/KeyVault/Models/VaultCreationOrUpdateParameters.cs b/src/KeyVault/KeyVault/Models/VaultCreationOrUpdateParameters.cs index 4fdd46220413..c00bd806ceff 100644 --- a/src/KeyVault/KeyVault/Models/VaultCreationOrUpdateParameters.cs +++ b/src/KeyVault/KeyVault/Models/VaultCreationOrUpdateParameters.cs @@ -26,9 +26,9 @@ public class VaultCreationOrUpdateParameters public Hashtable Tags { get; set; } public string SkuName { get; set; } public string SkuFamilyName { get; set; } - public bool EnabledForDeployment { get; set; } - public bool EnabledForTemplateDeployment { get; set; } - public bool EnabledForDiskEncryption { get; set; } + public bool? EnabledForDeployment { get; set; } + public bool? EnabledForTemplateDeployment { get; set; } + public bool? EnabledForDiskEncryption { get; set; } public bool? EnableSoftDelete { get; set; } public bool? EnablePurgeProtection { get; set; } public bool? EnableRbacAuthorization { get; set; } diff --git a/src/KeyVault/KeyVault/help/New-AzKeyVault.md b/src/KeyVault/KeyVault/help/New-AzKeyVault.md index 43b82e371bbf..31819d65828c 100644 --- a/src/KeyVault/KeyVault/help/New-AzKeyVault.md +++ b/src/KeyVault/KeyVault/help/New-AzKeyVault.md @@ -55,25 +55,26 @@ Resource ID : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxx Vault URI : https://contoso03vault.vault.azure.net/ Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx SKU : Standard -Enabled For Deployment? : False -Enabled For Template Deployment? : False -Enabled For Disk Encryption? : False -Soft Delete Enabled? : +Enabled For Deployment? : +Enabled For Template Deployment? : +Enabled For Disk Encryption? : +Soft Delete Enabled? : True Access Policies : Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx Object ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx Application ID : Display Name : User Name (username@microsoft.com) - Permissions to Keys : get, create, delete, list, update, - import, backup, restore, recover - Permissions to Secrets : get, list, set, delete, backup, - restore, recover - Permissions to Certificates : get, delete, list, create, import, - update, deleteissuers, getissuers, listissuers, managecontacts, manageissuers, - setissuers, recover, backup, restore - Permissions to (Key Vault Managed) Storage : delete, deletesas, get, getsas, list, - listsas, regeneratekey, set, setsas, update, recover, backup, restore - + Permissions to Keys : all + Permissions to Secrets : all + Permissions to Certificates : all + Permissions to (Key Vault Managed) Storage : all + +Network Rule Set : + Default Action : Allow + Bypass : AzureServices + IP Rules : + Virtual Network Rules : + Tags : ``` @@ -104,16 +105,17 @@ Access Policies : Object ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx Application ID : Display Name : User Name (username@microsoft.com) - Permissions to Keys : get, create, delete, list, update, - import, backup, restore, recover - Permissions to Secrets : get, list, set, delete, backup, - restore, recover - Permissions to Certificates : get, delete, list, create, import, - update, deleteissuers, getissuers, listissuers, managecontacts, manageissuers, - setissuers, recover, backup, restore - Permissions to (Key Vault Managed) Storage : delete, deletesas, get, getsas, list, - listsas, regeneratekey, set, setsas, update, recover, backup, restore - + Permissions to Keys : all + Permissions to Secrets : all + Permissions to Certificates : all + Permissions to (Key Vault Managed) Storage : all + +Network Rule Set : + Default Action : Allow + Bypass : AzureServices + IP Rules : + Virtual Network Rules : + Tags : ``` @@ -126,9 +128,42 @@ $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name frontendSubnet -Address $virtualNetwork = New-AzVirtualNetwork -Name myVNet -ResourceGroupName myRG -Location westus -AddressPrefix "110.0.0.0/16" -Subnet $frontendSubnet $myNetworkResId = (Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myRG).Subnets[0].Id $ruleSet = New-AzKeyVaultNetworkRuleSetObject -DefaultAction Allow -Bypass AzureServices -IpAddressRange "110.0.1.0/24" -VirtualNetworkResourceId $myNetworkResId -New-AzKeyVault -ResourceGroupName "myRg" -VaultName "myVault" -NetworkRuleSet $ruleSet +New-AzKeyVault -ResourceGroupName "myRg" -VaultName "myVault" -NetworkRuleSet $ruleSet -Location westus ``` +```output +Vault Name : myVault +Resource Group Name : myRg +Location : East US +Resource ID : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myRg/providers + /Microsoft.KeyVault/vaults/myVault +Vault URI : https://myVault.vault.azure.net/ +Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx +SKU : Premium +Enabled For Deployment? : False +Enabled For Template Deployment? : False +Enabled For Disk Encryption? : False +Soft Delete Enabled? : +Access Policies : + Tenant ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx + Object ID : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx + Application ID : + Display Name : User Name (username@microsoft.com) + Permissions to Keys : all + Permissions to Secrets : all + Permissions to Certificates : all + Permissions to (Key Vault Managed) Storage : all + +Network Rule Set : + Default Action : Allow + Bypass : AzureServices + IP Rules : 110.0.1.0/24 + Virtual Network Rules : /subscriptions/0b1f6471-1bf0-4dda-ae + c3-cb9272f09590/resourcegroups/myRg/providers/microsoft.network/virtualnetworks + /myvnet/subnets/frontendsubnet + +Tags : +``` Creating a key vault and specifies network rules to allow access to the specified IP address from the virtual network identified by $myNetworkResId. See `New-AzKeyVaultNetworkRuleSetObject` for more information. ## PARAMETERS