From fffb373542a835b2d295de54b7404ac6677f74f8 Mon Sep 17 00:00:00 2001 From: Beisi Zhou Date: Thu, 9 Jun 2022 16:42:49 +0800 Subject: [PATCH 1/3] Supported accepting rotation policy in a JSON file --- .../Resources/rotationpolicy.json | 24 +++ src/KeyVault/KeyVault/ChangeLog.md | 3 + .../SetAzKeyVaultKeyRotationPolicy.cs | 179 +++++++++++++--- .../Commands/Key/UpdateAzureKeyVaultKey.cs | 4 +- .../Models/Key/PSKeyRotationLifetimeAction.cs | 32 +-- .../Models/Key/PSKeyRotationPolicy.cs | 13 +- .../KeyVault/Track2Models/Track2HsmClient.cs | 6 +- .../Track2Models/Track2VaultClient.cs | 6 +- .../help/Get-AzKeyVaultKeyRotationPolicy.md | 2 +- .../help/Set-AzKeyVaultKeyRotationPolicy.md | 199 ++++++++++++------ 10 files changed, 344 insertions(+), 124 deletions(-) create mode 100644 src/KeyVault/KeyVault.Test/Resources/rotationpolicy.json diff --git a/src/KeyVault/KeyVault.Test/Resources/rotationpolicy.json b/src/KeyVault/KeyVault.Test/Resources/rotationpolicy.json new file mode 100644 index 000000000000..23f607467748 --- /dev/null +++ b/src/KeyVault/KeyVault.Test/Resources/rotationpolicy.json @@ -0,0 +1,24 @@ +{ + "lifetimeActions": [ + { + "trigger": { + "timeAfterCreate": "P18M", + "timeBeforeExpiry": null + }, + "action": { + "type": "Rotate" + } + }, + { + "trigger": { + "timeBeforeExpiry": "P30D" + }, + "action": { + "type": "Notify" + } + } + ], + "attributes": { + "expiryTime": "P2Y" + } + } \ No newline at end of file diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md index 221fc7497976..b3afd31cb0ad 100644 --- a/src/KeyVault/KeyVault/ChangeLog.md +++ b/src/KeyVault/KeyVault/ChangeLog.md @@ -18,6 +18,9 @@ - Additional information about change #1 --> ## Upcoming Release +* Supported accepting rotation policy in a JSON file +* [Breaking Change] Changed parameter `ExpiresIn` in `Set-AzKeyVaultKeyRotationPolicy` from TimeSpan? to string. It must be an ISO 8601 duration like "P30D" for 30 days. +* [Breaking Change] Changed output properties `ExpiresIn`, `TimeAfterCreate` and `TimeBeforeExpiry` of `Set-AzKeyVaultKeyRotationPolicy` and `Get-AzKeyVaultKeyRotationPolicy` from TimeSpan? to string. * Supported creating/updating key with release policy in a Managed HSM ## Version 4.5.0 diff --git a/src/KeyVault/KeyVault/Commands/Key/KeyRotation/SetAzKeyVaultKeyRotationPolicy.cs b/src/KeyVault/KeyVault/Commands/Key/KeyRotation/SetAzKeyVaultKeyRotationPolicy.cs index facfd191c7a4..ac13ea074bca 100644 --- a/src/KeyVault/KeyVault/Commands/Key/KeyRotation/SetAzKeyVaultKeyRotationPolicy.cs +++ b/src/KeyVault/KeyVault/Commands/Key/KeyRotation/SetAzKeyVaultKeyRotationPolicy.cs @@ -1,47 +1,113 @@ -using Microsoft.Azure.Commands.KeyVault.Models; +using Microsoft.Azure.Commands.Common.Exceptions; +using Microsoft.Azure.Commands.KeyVault.Models; using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters; +using Microsoft.WindowsAzure.Commands.Utilities.Common; + +using Newtonsoft.Json; using System; using System.Management.Automation; +using Track2Sdk = Azure.Security.KeyVault.Keys; +using System.IO; +using Microsoft.WindowsAzure.Commands.Common; +using Microsoft.Azure.Commands.KeyVault.Properties; +using System.Collections.Generic; namespace Microsoft.Azure.Commands.KeyVault.Commands.Key { /// /// Updates the KeyRotationPolicy for the specified key in Key Vault. /// - [Cmdlet(VerbsCommon.Set, ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultKeyRotationPolicy", SupportsShouldProcess = true, DefaultParameterSetName = ByVaultNameParameterSet)] + [Cmdlet(VerbsCommon.Set, ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultKeyRotationPolicy", SupportsShouldProcess = true, DefaultParameterSetName = SetByExpandedPropertiesViaVaultName)] [OutputType(typeof(PSKeyRotationPolicy))] - public class SetAzKeyVaultKeyRotationPolicy: KeyVaultOnlyKeyCmdletBase + public class SetAzKeyVaultKeyRotationPolicy: KeyVaultCmdletBase { #region Parameter Set Names - internal const string ByKeyRotationPolicyInputObjectParameterSet = "ByKeyRotationPolicyInputObject"; + private const string SetByExpandedPropertiesViaVaultName = "ByVaultName"; + private const string SetByRotationPolicyFileViaVaultName = "SetByRotationPolicyFileViaVaultName"; + + private const string SetByExpandedPropertiesViaKeyInputObject = "ByKeyInputObject"; + private const string SetByRotationPolicyFileViaKeyInputObject = "SetByRotationPolicyFileViaKeyInputObject"; + + private const string ByKeyRotationPolicyInputObjectParameterSet = "ByKeyRotationPolicyInputObject"; #endregion #region Input Parameter Definitions - [Parameter(Mandatory = true, - Position = 0, - ParameterSetName = ByKeyRotationPolicyInputObjectParameterSet, - ValueFromPipeline = true, - HelpMessage = "PSKeyRotationPolicy object.")] + /// + /// Vault name + /// + [Parameter(Mandatory = true, Position = 0, ParameterSetName = SetByExpandedPropertiesViaVaultName, HelpMessage = "Vault name.")] + [Parameter(Mandatory = true, Position = 0, ParameterSetName = SetByRotationPolicyFileViaVaultName)] + [ResourceNameCompleter("Microsoft.KeyVault/vaults", "FakeResourceGroupName")] + [ValidateNotNullOrEmpty] + public string VaultName { get; set; } + + /// + /// Key name. + /// + [Parameter(Mandatory = true, Position = 1, ParameterSetName = SetByExpandedPropertiesViaVaultName, HelpMessage = "Key name.")] + [Parameter(Mandatory = true, Position = 1, ParameterSetName = SetByRotationPolicyFileViaVaultName)] + [ValidateNotNullOrEmpty] + [Alias(Constants.KeyName)] + public string Name { get; set; } + + /// + /// Key object + /// + [Parameter(Mandatory = true, Position = 0, ParameterSetName = SetByExpandedPropertiesViaKeyInputObject, + ValueFromPipeline = true, HelpMessage = "Key object")] + [Parameter(Mandatory = true, Position = 0, ParameterSetName = SetByRotationPolicyFileViaKeyInputObject, + ValueFromPipeline = true)] + [ValidateNotNullOrEmpty] + [Alias("Key")] + public PSKeyVaultKeyIdentityItem InputObject { get; set; } + + [Parameter(Mandatory = true, Position = 0, ParameterSetName = ByKeyRotationPolicyInputObjectParameterSet, + ValueFromPipeline = true, HelpMessage = "PSKeyRotationPolicy object.")] public PSKeyRotationPolicy KeyRotationPolicy { get; set; } - [Parameter(ParameterSetName = ByVaultNameParameterSet, - HelpMessage = "The time span when the key rotation policy will expire. It should be at least 28 days.")] - [Parameter(ParameterSetName = ByKeyInputObjectParameterSet)] - public TimeSpan ExpiresIn { get; set; } + [Parameter(ParameterSetName = SetByExpandedPropertiesViaVaultName, + HelpMessage = "The expiryTime will be applied on the new key version. It should be at least 28 days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: PT48H, 1 year and 10 days: P1Y10D")] + [Parameter(ParameterSetName = SetByExpandedPropertiesViaKeyInputObject)] + public string ExpiresIn { get; set; } - [Parameter(ParameterSetName = ByVaultNameParameterSet, + [Parameter(ParameterSetName = SetByExpandedPropertiesViaVaultName, HelpMessage = "PSKeyRotationLifetimeAction object.")] - [Parameter(ParameterSetName = ByKeyInputObjectParameterSet)] + [Parameter(ParameterSetName = SetByExpandedPropertiesViaKeyInputObject)] public PSKeyRotationLifetimeAction[] KeyRotationLifetimeAction { get; set; } + [Parameter(Mandatory = true, ParameterSetName = SetByRotationPolicyFileViaVaultName, + HelpMessage = "A path to the rotation policy file that contains JSON policy definition.")] + [Parameter(Mandatory = true, ParameterSetName = SetByRotationPolicyFileViaKeyInputObject)] + public string PolicyPath { get; set; } #endregion - internal override void NormalizeParameterSets() + protected override void BeginProcessing() + { + PolicyPath = this.TryResolvePath(PolicyPath); + base.BeginProcessing(); + } + + internal void ValidateParameters() + { + if((this.ParameterSetName.Equals(SetByExpandedPropertiesViaVaultName) || + this.ParameterSetName.Equals(SetByExpandedPropertiesViaKeyInputObject)) && + null == ExpiresIn && null == KeyRotationLifetimeAction) + { + throw new ArgumentException(string.Format("Must specify ExpiresIn or KeyRotationLifetimeAction.")); + } + + if(this.IsParameterBound(c => c.PolicyPath) && !File.Exists(PolicyPath)) + { + throw new AzPSFileNotFoundException(string.Format(Resources.FileNotFound, PolicyPath), nameof(PolicyPath)); + } + } + + internal void NormalizeParameterSets() { if (null != InputObject) { @@ -57,33 +123,84 @@ internal override void NormalizeParameterSets() } } - if (!this.ParameterSetName.Equals(ByKeyRotationPolicyInputObjectParameterSet)) + switch (this.ParameterSetName) { - - // Only update specified parameter, others keep same - KeyRotationPolicy = Track2DataClient.GetKeyRotationPolicy(VaultName, Name) ?? - new PSKeyRotationPolicy() - { + case SetByRotationPolicyFileViaVaultName: + case SetByRotationPolicyFileViaKeyInputObject: + KeyRotationPolicy = ConstructKeyRotationPolicyFromFile(PolicyPath); + break; + case SetByExpandedPropertiesViaVaultName: + case SetByExpandedPropertiesViaKeyInputObject: + KeyRotationPolicy = new PSKeyRotationPolicy() + { VaultName = VaultName, KeyName = Name, - ExpiresIn = null, - LifetimeActions = null + ExpiresIn = ExpiresIn ?? Track2DataClient.GetKeyRotationPolicy(VaultName, Name).ExpiresIn, + LifetimeActions = KeyRotationLifetimeAction ?? Track2DataClient.GetKeyRotationPolicy(VaultName, Name).LifetimeActions }; + break; + default: + // do nothing + break; + } - if (MyInvocation.BoundParameters.ContainsKey("ExpiresIn")) - { - KeyRotationPolicy.ExpiresIn = ExpiresIn; - } + } + + private PSKeyRotationPolicy ConstructKeyRotationPolicyFromFile(string policyPath) + { + try + { + string content = File.ReadAllText(policyPath); + // first-level dictionary + var dict = JsonUtilities.DeserializeJson(content, true); - if (MyInvocation.BoundParameters.ContainsKey("KeyRotationLifetimeAction")) + // second-level dictionary + var attributes = JsonUtilities.DeserializeJson(JsonConvert.SerializeObject(dict["attributes"]), true); + var lifetimeActionsArray = JsonConvert.DeserializeObject(JsonConvert.SerializeObject(dict["lifetimeActions"])); + + // third-level dictionary + string expiresIn = attributes["expiryTime"].ToString(); + + var lifetimeActions = new List(); + lifetimeActionsArray?.ForEach((lifetimeAction) => { - KeyRotationPolicy.LifetimeActions = KeyRotationLifetimeAction; - } + var lifetimeActionDict = JsonUtilities.DeserializeJson(JsonConvert.SerializeObject(lifetimeAction), true); + var action = JsonUtilities.DeserializeJson(JsonConvert.SerializeObject(lifetimeActionDict["action"]), true); + var trigger = JsonUtilities.DeserializeJson(JsonConvert.SerializeObject(lifetimeActionDict["trigger"]), true); + + // 4th-level dictionary + string actionType = action["type"].ToString(); + + // timeAfterCreate or timeBeforeExpiry may absent + string timeAfterCreate = trigger.ContainsKey("timeAfterCreate") ? trigger["timeAfterCreate"]?.ToString() : null; + string timeBeforeExpiry = trigger.ContainsKey("timeBeforeExpiry") ? trigger["timeBeforeExpiry"]?.ToString() : null; + + lifetimeActions.Add(new PSKeyRotationLifetimeAction() + { + Action = actionType, + TimeAfterCreate = timeAfterCreate, + TimeBeforeExpiry = timeBeforeExpiry + }); + }); + + return new PSKeyRotationPolicy() + { + VaultName = this.VaultName, + KeyName = this.Name, + ExpiresIn = expiresIn, + LifetimeActions = lifetimeActions + }; } + catch + { + throw new AzPSArgumentException(string.Format("Deserialize {0} failed", policyPath), nameof(PolicyPath)); + } + } public override void ExecuteCmdlet() { + ValidateParameters(); NormalizeParameterSets(); ConfirmAction(KeyRotationPolicy.KeyName, Properties.Resources.SetKeyRotationPolicy, () => diff --git a/src/KeyVault/KeyVault/Commands/Key/UpdateAzureKeyVaultKey.cs b/src/KeyVault/KeyVault/Commands/Key/UpdateAzureKeyVaultKey.cs index a28f6d776d6a..3e98d8d3d7c4 100644 --- a/src/KeyVault/KeyVault/Commands/Key/UpdateAzureKeyVaultKey.cs +++ b/src/KeyVault/KeyVault/Commands/Key/UpdateAzureKeyVaultKey.cs @@ -132,11 +132,11 @@ public class UpdateAzureKeyVaultKey : KeyVaultCmdletBase public SwitchParameter Immutable { get; set; } /// - /// A path to a file containing JSON policy definition. The policy rules under which a key can be exported. + /// A path to the release policy file that contains JSON policy definition. The policy rules under which a key can be exported. /// [Parameter(Mandatory = false, ParameterSetName = HsmInteractiveParameterSet, - HelpMessage = "A path to a file containing JSON policy definition. The policy rules under which a key can be exported.")] + HelpMessage = "A path to the release policy file that contains JSON policy definition. The policy rules under which a key can be exported.")] public string ReleasePolicyPath { get; set; } diff --git a/src/KeyVault/KeyVault/Models/Key/PSKeyRotationLifetimeAction.cs b/src/KeyVault/KeyVault/Models/Key/PSKeyRotationLifetimeAction.cs index aa9ae50ef659..91c7aae469b7 100644 --- a/src/KeyVault/KeyVault/Models/Key/PSKeyRotationLifetimeAction.cs +++ b/src/KeyVault/KeyVault/Models/Key/PSKeyRotationLifetimeAction.cs @@ -14,24 +14,32 @@ public class PSKeyRotationLifetimeAction // Gets or sets he Azure.Security.KeyVault.Keys.KeyRotationPolicyAction that will // be executed. public string Action { get; set; } - // - // Summary: - // Gets or sets the System.TimeSpan after creation to attempt to rotate. It only - // applies to Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Rotate. - public TimeSpan? TimeAfterCreate { get; set; } - // - // Summary: - // Gets or sets the System.TimeSpan before expiry to attempt to Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Rotate - // or Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Notify. - public TimeSpan? TimeBeforeExpiry { get; set; } + + /// + /// Gets or sets the ISO 8601 duration after creation to attempt to rotate. It only + /// applies to Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Rotate. + /// + /// + /// ISO 8601 duration examples: + /// • P90D – 90 days + /// • P3M – 3 months + /// • P1Y10D – 1 year and 10 days + /// + public string TimeAfterCreate { get; set; } + + /// + /// Gets or sets the ISO 8601 duration before expiry to attempt to Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Rotate + /// or Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Notify. + /// + public string TimeBeforeExpiry { get; set; } public PSKeyRotationLifetimeAction() { } public PSKeyRotationLifetimeAction(KeyRotationLifetimeAction keyRotationLifetimeAction) { Action = keyRotationLifetimeAction.Action.ToString(); - TimeAfterCreate = string.IsNullOrEmpty(keyRotationLifetimeAction.TimeAfterCreate) ? null : XmlConvert.ToTimeSpan(keyRotationLifetimeAction.TimeAfterCreate) as TimeSpan?; - TimeBeforeExpiry = string.IsNullOrEmpty(keyRotationLifetimeAction.TimeBeforeExpiry) ? null : XmlConvert.ToTimeSpan(keyRotationLifetimeAction.TimeBeforeExpiry) as TimeSpan?; + TimeAfterCreate = keyRotationLifetimeAction.TimeAfterCreate; + TimeBeforeExpiry = keyRotationLifetimeAction.TimeBeforeExpiry; } public override string ToString() diff --git a/src/KeyVault/KeyVault/Models/Key/PSKeyRotationPolicy.cs b/src/KeyVault/KeyVault/Models/Key/PSKeyRotationPolicy.cs index 1e1c45c47f2f..71cbdb3951ca 100644 --- a/src/KeyVault/KeyVault/Models/Key/PSKeyRotationPolicy.cs +++ b/src/KeyVault/KeyVault/Models/Key/PSKeyRotationPolicy.cs @@ -36,11 +36,12 @@ public class PSKeyRotationPolicy // Summary: // Gets the actions that will be performed by Key Vault over the lifetime of a key. public IList LifetimeActions { get; set; } - // - // Summary: - // Gets or sets the System.TimeSpan when the Azure.Security.KeyVault.Keys.KeyRotationPolicy - // will expire. It should be at least 28 days. - public TimeSpan? ExpiresIn { get; set; } + + /// + /// The expiryTime will be applied on the new key version. It should be at least 28 days. + /// It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: PT48H, 1 year and 10 days: P1Y10D" + /// + public string ExpiresIn { get; set; } // // Summary: // Gets a System.DateTimeOffset indicating when the Azure.Security.KeyVault.Keys.KeyRotationPolicy @@ -65,7 +66,7 @@ public PSKeyRotationPolicy(KeyRotationPolicy keyRotationPolicy, string vaultName LifetimeActions.Add(new PSKeyRotationLifetimeAction(action)); } - ExpiresIn = string.IsNullOrEmpty(keyRotationPolicy.ExpiresIn) ? null : XmlConvert.ToTimeSpan(keyRotationPolicy.ExpiresIn) as TimeSpan?; + ExpiresIn = keyRotationPolicy.ExpiresIn; CreatedOn = keyRotationPolicy.CreatedOn; UpdatedOn = keyRotationPolicy.UpdatedOn; } diff --git a/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs index 2d431f6a2dcd..618d889b1d13 100644 --- a/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs +++ b/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs @@ -543,7 +543,7 @@ internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotat var client = CreateKeyClient(psKeyRotationPolicy.VaultName); var policy = new KeyRotationPolicy() { - ExpiresIn = psKeyRotationPolicy.ExpiresIn.HasValue ? XmlConvert.ToString(psKeyRotationPolicy.ExpiresIn.Value) : null, + ExpiresIn = psKeyRotationPolicy.ExpiresIn, LifetimeActions = { } }; @@ -552,8 +552,8 @@ internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotat new KeyRotationLifetimeAction() { Action = psKeyRotationLifetimeAction.Action, - TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate.HasValue ? XmlConvert.ToString(psKeyRotationLifetimeAction.TimeAfterCreate.Value) : null, - TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry.HasValue ? XmlConvert.ToString(psKeyRotationLifetimeAction.TimeBeforeExpiry.Value) : null + TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate, + TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry } )); diff --git a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs index f17d4919f7c0..c8cda77c1114 100644 --- a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs +++ b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs @@ -185,7 +185,7 @@ internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotat var client = CreateKeyClient(psKeyRotationPolicy.VaultName); var policy = new KeyRotationPolicy() { - ExpiresIn = psKeyRotationPolicy.ExpiresIn.HasValue ? XmlConvert.ToString(psKeyRotationPolicy.ExpiresIn.Value) : null, + ExpiresIn = psKeyRotationPolicy.ExpiresIn, LifetimeActions = {} }; @@ -194,8 +194,8 @@ internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotat new KeyRotationLifetimeAction() { Action = psKeyRotationLifetimeAction.Action, - TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate.HasValue ? XmlConvert.ToString(psKeyRotationLifetimeAction.TimeAfterCreate.Value) : null, - TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry.HasValue ? XmlConvert.ToString(psKeyRotationLifetimeAction.TimeBeforeExpiry.Value) : null + TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate, + TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry } )); diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVaultKeyRotationPolicy.md b/src/KeyVault/KeyVault/help/Get-AzKeyVaultKeyRotationPolicy.md index 32a2928b32c1..c434aa5e5ab0 100644 --- a/src/KeyVault/KeyVault/help/Get-AzKeyVaultKeyRotationPolicy.md +++ b/src/KeyVault/KeyVault/help/Get-AzKeyVaultKeyRotationPolicy.md @@ -38,7 +38,7 @@ Get-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key Id : VaultName : test-kv KeyName : test-key -LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00]} +LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: P30D]} ExpiresIn : CreatedOn : UpdatedOn : diff --git a/src/KeyVault/KeyVault/help/Set-AzKeyVaultKeyRotationPolicy.md b/src/KeyVault/KeyVault/help/Set-AzKeyVaultKeyRotationPolicy.md index b33cfecd9349..97126ae87cb5 100644 --- a/src/KeyVault/KeyVault/help/Set-AzKeyVaultKeyRotationPolicy.md +++ b/src/KeyVault/KeyVault/help/Set-AzKeyVaultKeyRotationPolicy.md @@ -14,21 +14,33 @@ Sets the key rotation policy for the specified key in Key Vault. ### ByVaultName (Default) ``` -Set-AzKeyVaultKeyRotationPolicy [-ExpiresIn ] - [-KeyRotationLifetimeAction ] [-VaultName] [-Name] - [-DefaultProfile ] [-WhatIf] [-Confirm] [] +Set-AzKeyVaultKeyRotationPolicy [-VaultName] [-Name] [-ExpiresIn ] + [-KeyRotationLifetimeAction ] [-DefaultProfile ] + [-WhatIf] [-Confirm] [] ``` -### ByKeyRotationPolicyInputObject +### SetByRotationPolicyFileViaVaultName ``` -Set-AzKeyVaultKeyRotationPolicy [-KeyRotationPolicy] +Set-AzKeyVaultKeyRotationPolicy [-VaultName] [-Name] -PolicyPath [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` ### ByKeyInputObject ``` -Set-AzKeyVaultKeyRotationPolicy [-ExpiresIn ] - [-KeyRotationLifetimeAction ] [-InputObject] +Set-AzKeyVaultKeyRotationPolicy [-InputObject] [-ExpiresIn ] + [-KeyRotationLifetimeAction ] [-DefaultProfile ] + [-WhatIf] [-Confirm] [] +``` + +### SetByRotationPolicyFileViaKeyInputObject +``` +Set-AzKeyVaultKeyRotationPolicy [-InputObject] -PolicyPath + [-DefaultProfile ] [-WhatIf] [-Confirm] [] +``` + +### ByKeyRotationPolicyInputObject +``` +Set-AzKeyVaultKeyRotationPolicy [-KeyRotationPolicy] [-DefaultProfile ] [-WhatIf] [-Confirm] [] ``` @@ -37,86 +49,112 @@ This cmdlet requires the key update permission. It returns a key rotation policy ## EXAMPLES -### Example 1: Sets key rotation policy expiry time +### Example 1: Sets key rotation policy by JSON file ```powershell -$t = New-TimeSpan -Days 50 -Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -ExpiresIn $t +<# +rotation_policy.json +{ + "lifetimeActions": [ + { + "trigger": { + "timeAfterCreate": "P18M", + "timeBeforeExpiry": null + }, + "action": { + "type": "Rotate" + } + }, + { + "trigger": { + "timeBeforeExpiry": "P30D" + }, + "action": { + "type": "Notify" + } + } + ], + "attributes": { + "expiryTime": "P2Y" + } + } +#> +Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json ``` ```output Id : https://test-kv.vault.azure.net/keys/test-key/rotationpolicy VaultName : test-kv -KeyName : test-key -LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00]} -ExpiresIn : 50.00:00:00 +KeyName : test-keyAM +00:00 +LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: P30D]} +ExpiresIn : P2Y CreatedOn : 12/10/2021 3:21:51 AM +00:00 -UpdatedOn : 12/10/2021 3:22:14 AM +00:00 +UpdatedOn : 6/9/2022 7:43:27 ``` -These cmdlets set the key rotation policy expiry time of test-key as 50 days. +These commands set the rotation policy of key `test-key` by JSON file. -### Example 2: Sets key rotation policy by InputObject +### Example 2: Sets key rotation policy expiry time ```powershell -$key = Get-AzKeyVaultKey -VaultName test-kv -Name test-key -$action = [Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction]::new() -$action.Action = "Rotate" -$action.TimeBeforeExpiry = New-TimeSpan -Days 30 -Set-AzKeyVaultKeyRotationPolicy -InputObject $key -KeyRotationLifetimeAction $action +Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -ExpiresIn P2Y ``` ```output Id : https://test-kv.vault.azure.net/keys/test-key/rotationpolicy VaultName : test-kv -KeyName : test-key -LifetimeActions : {[Action: Rotate, TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00], [Action: Notify, - TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00]} -ExpiresIn : 50.00:00:00 +KeyName : test-keyAM +00:00 +LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: P30D]} +ExpiresIn : P2Y CreatedOn : 12/10/2021 3:21:51 AM +00:00 -UpdatedOn : 12/14/2021 5:26:28 AM +00:00 +UpdatedOn : 6/9/2022 7:43:27 ``` -These cmdlets set the key rotation policy expiry time of test-key as 50 days. +These commands set the expiry time will be applied on the new key version of `test-key` as 2 years. -### Example 3: Sets key rotation policy by PSKeyRotationPolicy object +### Example 3: Sets key rotation policy via piping ```powershell -$key = Get-AzKeyVaultKey -VaultName test-kv -Name test-key -$policy = Get-AzKeyVaultKeyRotationPolicy $key -$policy.ExpiresIn = New-TimeSpan -Days 60 -Set-AzKeyVaultKeyRotationPolicy -KeyRotationPolicy $policy +Get-AzKeyVaultKey -VaultName test-kv -Name test-key | Set-AzKeyVaultKeyRotationPolicy -KeyRotationLifetimeAction @{Action = "Rotate"; TimeBeforeExpiry = "P18M"} ``` ```output -LifetimeActions : {[Action: Rotate, TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00], [Action: Notify, - TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00]} -ExpiresIn : 60.00:00:00 +Id : https://test-kv.vault.azure.net/keys/test-key/rotationpolicy +VaultName : test-kv +KeyName : test-key +LifetimeActions : {[Action: Rotate, TimeAfterCreate: , TimeBeforeExpiry: P18M], [Action: Notify, TimeAfterCreate: , + TimeBeforeExpiry: P30D]} +ExpiresIn : P2Y CreatedOn : 12/10/2021 3:21:51 AM +00:00 -UpdatedOn : 12/14/2021 5:34:00 AM +00:00 +UpdatedOn : 6/9/2022 8:10:43 AM +00:00 ``` -These cmdlets set the key rotation policy expiry time of test-key as 50 days. +These commands set the duration before expiry to attempt to rotate `test-key` as 18 months. -## PARAMETERS +### Example 4: Copy key rotation policy to another key via PSKeyRotationPolicy object +```powershell +$policy = Get-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key1 +$policy.KeyName = "test-key2" +$policy | Set-AzKeyVaultKeyRotationPolicy +``` -### -Confirm -Prompts you for confirmation before running the cmdlet. +```output +Id : https://test-kv.vault.azure.net/keys/test-key2/rotationpolicy +VaultName : test-kv +KeyName : test-key2 +LifetimeActions : {[Action: Rotate, TimeAfterCreate: , TimeBeforeExpiry: P18M], [Action: Notify, TimeAfterCreate: , + TimeBeforeExpiry: P30D]} +ExpiresIn : P2Y +CreatedOn : 6/9/2022 8:26:35 AM +00:00 +UpdatedOn : 6/9/2022 8:26:35 AM +00:00 +``` -```yaml -Type: SwitchParameter -Parameter Sets: (All) -Aliases: cf +These commands copy the key rotation policy `test-key1` to key `test-key2`. -Required: False -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` +## PARAMETERS ### -DefaultProfile The credentials, account, tenant, and subscription used for communication with Azure. ```yaml -Type: IAzureContextContainer +Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer Parameter Sets: (All) Aliases: AzContext, AzureRmContext, AzureCredential @@ -128,11 +166,10 @@ Accept wildcard characters: False ``` ### -ExpiresIn -The time span when the key rotation policy will expire. -It should be at least 28 days. +The expiryTime will be applied on the new key version. It should be at least 28 days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: PT48H, 1 year and 10 days: P1Y10D. ```yaml -Type: TimeSpan +Type: System.String Parameter Sets: ByVaultName, ByKeyInputObject Aliases: @@ -147,8 +184,8 @@ Accept wildcard characters: False Key object ```yaml -Type: PSKeyVaultKeyIdentityItem -Parameter Sets: ByKeyInputObject +Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem +Parameter Sets: ByKeyInputObject, SetByRotationPolicyFileViaKeyInputObject Aliases: Key Required: True @@ -162,7 +199,7 @@ Accept wildcard characters: False PSKeyRotationLifetimeAction object. ```yaml -Type: PSKeyRotationLifetimeAction[] +Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction[] Parameter Sets: ByVaultName, ByKeyInputObject Aliases: @@ -177,8 +214,8 @@ Accept wildcard characters: False PSKeyRotationPolicy object. ```yaml -Type: PSKeyRotationPolicy -Parameter Sets: ByKeyRotationPolicyInputObject +Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationPolicy +Parameter Sets: ByKeyRotationPolicyInputObject Aliases: Required: True @@ -192,8 +229,8 @@ Accept wildcard characters: False Key name. ```yaml -Type: String -Parameter Sets: ByVaultName +Type: System.String +Parameter Sets: ByVaultName, SetByRotationPolicyFileViaVaultName Aliases: KeyName Required: True @@ -203,12 +240,27 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -PolicyPath +A path to the rotation policy file that contains JSON policy definition. + +```yaml +Type: System.String +Parameter Sets: SetByRotationPolicyFileViaVaultName, SetByRotationPolicyFileViaKeyInputObject +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -VaultName Vault name. ```yaml -Type: String -Parameter Sets: ByVaultName +Type: System.String +Parameter Sets: ByVaultName, SetByRotationPolicyFileViaVaultName Aliases: Required: True @@ -218,12 +270,27 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WhatIf Shows what would happen if the cmdlet runs. The cmdlet is not run. ```yaml -Type: SwitchParameter +Type: System.Management.Automation.SwitchParameter Parameter Sets: (All) Aliases: wi @@ -251,6 +318,6 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable ## RELATED LINKS -[Get-AzKeyVaultKeyRotationPolicy.md](./Get-AzKeyVaultKeyRotationPolicy.md) +[Get-AzKeyVaultKeyRotationPolicy](./Get-AzKeyVaultKeyRotationPolicy.md) -[Invoke-AzKeyVaultKeyRotation.md](./Invoke-AzKeyVaultKeyRotation.md) \ No newline at end of file +[Invoke-AzKeyVaultKeyRotation](./Invoke-AzKeyVaultKeyRotation.md) \ No newline at end of file From edb5eece922f787580eed94b07d9515483c0495d Mon Sep 17 00:00:00 2001 From: Beisi Zhou Date: Thu, 9 Jun 2022 18:47:25 +0800 Subject: [PATCH 2/3] suppress breaking change issues --- .../Exceptions/Az.KeyVault/BreakingChangeIssues.csv | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv diff --git a/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv b/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv new file mode 100644 index 000000000000..18ab68cdd864 --- /dev/null +++ b/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv @@ -0,0 +1,7 @@ +"AssemblyFileName","ClassName","Target","Severity","ProblemId","Description","Remediation" +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.GetAzKeyVaultKeyRotationPolicy","Get-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'TimeAfterCreate' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'TimeAfterCreate' back to 'System.Nullable`1[System.TimeSpan]'." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.GetAzKeyVaultKeyRotationPolicy","Get-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'TimeBeforeExpiry' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'TimeBeforeExpiry' back to 'System.Nullable`1[System.TimeSpan]'." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.GetAzKeyVaultKeyRotationPolicy","Get-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'ExpiresIn' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationPolicy' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'ExpiresIn' back to 'System.Nullable`1[System.TimeSpan]'." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.SetAzKeyVaultKeyRotationPolicy","Set-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'ExpiresIn' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationPolicy' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'ExpiresIn' back to 'System.Nullable`1[System.TimeSpan]'." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.SetAzKeyVaultKeyRotationPolicy","Set-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'ExpiresIn' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationPolicy' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'ExpiresIn' back to 'System.Nullable`1[System.TimeSpan]'." +"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.SetAzKeyVaultKeyRotationPolicy","Set-AzKeyVaultKeyRotationPolicy","0","2020","The cmdlet 'Set-AzKeyVaultKeyRotationPolicy' no longer supports the type 'System.TimeSpan' for parameter 'ExpiresIn'.","Change the type for parameter 'ExpiresIn' back to 'System.TimeSpan'." \ No newline at end of file From 25d63e9bc0610d180ae481ff05eb182d00f8f791 Mon Sep 17 00:00:00 2001 From: Beisi Zhou Date: Thu, 9 Jun 2022 19:03:13 +0800 Subject: [PATCH 3/3] upgrade Azure.Security.KeyVault.Keys to 4.3.0 --- src/CosmosDB/CosmosDB/CosmosDB.csproj | 2 +- src/KeyVault/KeyVault/KeyVault.csproj | 2 +- src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs | 3 +-- src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs | 3 +-- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/src/CosmosDB/CosmosDB/CosmosDB.csproj b/src/CosmosDB/CosmosDB/CosmosDB.csproj index c2064331a71a..7793d9804c5b 100644 --- a/src/CosmosDB/CosmosDB/CosmosDB.csproj +++ b/src/CosmosDB/CosmosDB/CosmosDB.csproj @@ -6,7 +6,7 @@ - + diff --git a/src/KeyVault/KeyVault/KeyVault.csproj b/src/KeyVault/KeyVault/KeyVault.csproj index 3a56c8925fa1..ad0b036683a4 100644 --- a/src/KeyVault/KeyVault/KeyVault.csproj +++ b/src/KeyVault/KeyVault/KeyVault.csproj @@ -13,7 +13,7 @@ - + diff --git a/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs index 618d889b1d13..c8e26844e464 100644 --- a/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs +++ b/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs @@ -549,9 +549,8 @@ internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotat psKeyRotationPolicy.LifetimeActions?.ForEach( psKeyRotationLifetimeAction => policy.LifetimeActions.Add( - new KeyRotationLifetimeAction() + new KeyRotationLifetimeAction(new KeyRotationPolicyAction(psKeyRotationLifetimeAction.Action)) { - Action = psKeyRotationLifetimeAction.Action, TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate, TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry } diff --git a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs index c8cda77c1114..705bfa5c9f17 100644 --- a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs +++ b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs @@ -191,9 +191,8 @@ internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotat psKeyRotationPolicy.LifetimeActions?.ForEach( psKeyRotationLifetimeAction => policy.LifetimeActions.Add( - new KeyRotationLifetimeAction() + new KeyRotationLifetimeAction(psKeyRotationLifetimeAction.Action) { - Action = psKeyRotationLifetimeAction.Action, TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate, TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry }