From 779cdfeb45694745afd29f8a75a78c7c45e664ed Mon Sep 17 00:00:00 2001
From: Shahar Avital
Date: Mon, 8 Aug 2022 12:34:31 +0300
Subject: [PATCH 1/3] add cmk payload to common types
---
.../v4/customermanagedkeys.json | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 specification/common-types/resource-management/v4/customermanagedkeys.json
diff --git a/specification/common-types/resource-management/v4/customermanagedkeys.json b/specification/common-types/resource-management/v4/customermanagedkeys.json
new file mode 100644
index 000000000000..4f425bb90744
--- /dev/null
+++ b/specification/common-types/resource-management/v4/customermanagedkeys.json
@@ -0,0 +1,70 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "version": "4.0",
+ "title": "Common types"
+ },
+ "paths": {},
+ "definitions": {
+ "encryption": {
+ "type": "object",
+ "description": "(Optional) Discouraged to include in resource definition. Only needed where it is possible to disable platform (AKA infrastructure) encryption. Azure SQL TDE is an example of this. Values are enabled and disabled.",
+ "properties": {
+ "infrastructureEncryption": {
+ "type": "string",
+ "enum": [
+ "enabled",
+ "disabled"
+ ],
+ "x-ms-enum": {
+ "name": "InfrastructureEncryption",
+ "modelAsString": true
+ },
+ "description": "Values are enabled and disabled."
+ },
+ "customerManagedKeyEncryption": {
+ "description": "All Customer-managed key encryption properties for the resource.",
+ "$ref": "#/definitions/customerManagedKeyEncryption"
+ }
+ }
+ },
+ "customerManagedKeyEncryption": {
+ "type": "object",
+ "description": "All Customer-managed key encryption properties for the resource.",
+ "properties": {
+ "keyEncryptionKeyIdentity": {
+ "type": "object",
+ "description": "All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault.",
+ "properties": {
+ "identityType": {
+ "type": "string",
+ "enum": [
+ "systemAssignedIdentity",
+ "userAssignedIdentity",
+ "none"
+ ],
+ "x-ms-enum": {
+ "name": "IdentityType",
+ "modelAsString": true
+ },
+ "description": "Values can be systemAssignedIdentity or userAssignedIdentity"
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string",
+ "description": "user assigned identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity and none."
+ },
+ "delegatedIdentityClientId": {
+ "type": "string",
+ "format": "uuid",
+ "description": "delegated identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity and userAssignedIdentity - internal use only."
+ }
+ }
+ },
+ "keyEncryptionKeyUrl": {
+ "type": "string",
+ "description": "key encryption key Url, versioned or non-versioned. Ex: https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78 or https://contosovault.vault.azure.net/keys/contosokek."
+ }
+ }
+ }
+ }
+}
From 3a779937ec8f652827de30ee351c69b6dae5a6c0 Mon Sep 17 00:00:00 2001
From: Shahar Avital
Date: Sun, 4 Sep 2022 10:02:36 +0300
Subject: [PATCH 2/3] rename enum value for delegated identity type
---
.../resource-management/v4/customermanagedkeys.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/specification/common-types/resource-management/v4/customermanagedkeys.json b/specification/common-types/resource-management/v4/customermanagedkeys.json
index 4f425bb90744..a9be420dcaad 100644
--- a/specification/common-types/resource-management/v4/customermanagedkeys.json
+++ b/specification/common-types/resource-management/v4/customermanagedkeys.json
@@ -41,7 +41,7 @@
 "enum": [
 "systemAssignedIdentity",
 "userAssignedIdentity",
- "none"
+ "delegatedResourceIdentity"
 ],
 "x-ms-enum": {
 "name": "IdentityType",
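Review bot: `delegatedIdentityClientId` is declared `"format": "uuid"` but its description's example is an ARM resource-id path (`/subscriptions/.../userAssignedIdentities/myId`), so the schema and the documentation disagree about what a client must send and a validator enforcing the format will reject the documented example; the example should be a client-id GUID, or the `uuid` format should go. In the same `keyEncryptionKeyIdentity` object the `identityType` description reads `Values can be systemAssignedIdentity or userAssignedIdentity` while the enum carries a third value (`none` here, renamed in the following patch), leaving one accepted value undocumented — I would list all three. The `delegatedIdentityClientId` property is labelled `internal use only` yet ships in a shared common-types definition, so every resource provider that references `customerManagedKeyEncryption` exposes it in its public contract; confirm that is intended or move it out of the common type. `keyEncryptionKeyUrl` is a bare string with no `format`; adding `"format": "uri"` at least lets generated validators reject non-URL values before the service tries to use the selected identity against them.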
@@ -51,7 +51,7 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string",
- "description": "user assigned identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity and none."
+ "description": "user assigned identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity and delegatedResourceIdentity."
 },
 "delegatedIdentityClientId": {
 "type": "string",
From 806b6b6b3dd227458200620d998fe34c2ad5fa6c Mon Sep 17 00:00:00 2001
From: Shahar Avital
Date: Mon, 3 Oct 2022 15:56:12 +0300
Subject: [PATCH 3/3] use arm-id format for cmk identity resource id
---
.../common-types/resource-management/v4/customermanagedkeys.json | 1 +
1 file changed, 1 insertion(+)
diff --git a/specification/common-types/resource-management/v4/customermanagedkeys.json b/specification/common-types/resource-management/v4/customermanagedkeys.json
index a9be420dcaad..d403a8e2c035 100644
--- a/specification/common-types/resource-management/v4/customermanagedkeys.json
+++ b/specification/common-types/resource-management/v4/customermanagedkeys.json
@@ -51,6 +51,7 @@
 },
 "userAssignedIdentityResourceId": {
 "type": "string",
+ "format": "arm-id",
 "description": "user assigned identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity and delegatedResourceIdentity."
 },
 "delegatedIdentityClientId": {
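Review bot: `"format": "arm-id"` marks `userAssignedIdentityResourceId` as an ARM resource id but says nothing about which resource type is acceptable, so any ARM id (a storage account, a Key Vault, another RP's resource) remains schema-valid for a field that selects the identity used to reach the key. If the repository's linter supports it, pairing the format with `"x-ms-arm-id-details": { "allowedResources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities" } ] }` pins the field to user-assigned identities; otherwise the description should state that restriction so services validate it. The example in the description still has an empty resource-group segment (`/resourceGroups//providers/...`), which is not a well-formed ARM id and will trip tooling that starts enforcing the new format; `/resourceGroups/myRg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId` fixes it. The enclosing `keyEncryptionKeyIdentity` object begins and ends outside this hunk.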