[Keyvault] BREAKING CHANGE: az keyvault storage: Remove this command group since service doesn't maintain anymore (#27619)

* fully remove �z keyvault storage command group

* fix linter

Author: evelyn-ys

src/azure-cli/azure/cli/command_modules/keyvault/_help.py

@@ -855,69 +855,6 @@
         az keyvault show-deleted --name MyKeyVault
 """
 
-helps['keyvault storage'] = """
-type: group
-short-summary: Manage storage accounts.
-"""
-
-helps['keyvault storage add'] = """
-type: command
-examples:
-  - name: Create a storage account and setup a vault to manage its keys
-    text: |
-        $id = az storage account create -g resourcegroup -n storageacct --query id
-
-        # assign the Azure Key Vault service the "Storage Account Key Operator Service Role" role.
-        az role assignment create --role "Storage Account Key Operator Service Role" --scope $id \\
-        --assignee cfa8b339-82a2-471a-a3c9-0fc0be7a4093
-
-        az keyvault storage add --vault-name vault -n storageacct --active-key-name key1    \\
-        --auto-regenerate-key --regeneration-period P90D  --resource-id $id
-"""
-
-helps['keyvault storage remove'] = """
-type: command
-short-summary: Remove a Key Vault managed Azure Storage Account and all associated SAS definitions. This operation requires the storage/delete permission.
-examples:
-  - name: Remove a Key Vault managed Azure Storage Account and all associated SAS definitions (autogenerated)
-    text: |
-        az keyvault storage remove --id "/subscriptions/00000000-0000-0000-0000-00000000000000000/resourceGroups/myrg/providers/Microsoft.KeyVault/vaults/mykv/privateEndpointConnections/mykv.00000000-0000-0000-0000-00000000000000000"
-    crafted: true
-  - name: Remove a Key Vault managed Azure Storage Account and all associated SAS definitions (autogenerated)
-    text: |
-        az keyvault storage remove --name MyStorageAccount --vault-name MyVault
-    crafted: true
-"""
-
-helps['keyvault storage sas-definition'] = """
-type: group
-short-summary: Manage storage account SAS definitions.
-"""
-
-helps['keyvault storage sas-definition create'] = """
-type: command
-examples:
-  - name: Add a sas-definition for an account sas-token
-    text: |4
-        $sastoken = az storage account generate-sas --expiry 2020-01-01 --permissions rw --resource-types sco --services bfqt --https-only --account-name storageacct --account-key 00000000
-
-        az keyvault storage sas-definition create --vault-name vault --account-name storageacct -n rwallserviceaccess --validity-period P2D --sas-type account --template-uri $sastoken
-  - name: Add a sas-definition for a blob sas-token
-    text: >4
-        $sastoken = az storage blob generate-sas --account-name storageacct --account-key 00000000 -c container1 -n blob1 --https-only --permissions rw
-
-        $url = az storage blob url --account-name storageacct -c container1 -n blob1
-
-        az keyvault storage sas-definition create --vault-name vault --account-name storageacct -n rwblobaccess --validity-period P2D --sas-type service --template-uri $url?$sastoken
-  - name: Add a sas-definition for a container sas-token
-    text: >4
-        $sastoken = az storage container generate-sas --account-name storageacct --account-key 00000000 -n container1 --https-only --permissions rw
-
-        $url = "https://{storage-account-name}.blob.core.windows.net/{container-name}"  # The prefix of your blob url
-
-        az keyvault storage sas-definition create --vault-name vault --account-name storageacct -n rwcontaineraccess --validity-period P2D --sas-type service --template-uri $url?$sastoken
-"""
-
 helps['keyvault update'] = """
 type: command
 short-summary: Update the properties of a Vault.

src/azure-cli/azure/cli/command_modules/keyvault/_params.py

@@ -24,8 +24,8 @@
     validate_key_import_source, validate_key_type, validate_policy_permissions, validate_principal,
     validate_resource_group_name, validate_x509_certificate_chain,
     secret_text_encoding_values, secret_binary_encoding_values, validate_subnet, validate_ip_address,
-    validate_vault_or_hsm, validate_key_id, validate_sas_definition_id, validate_storage_account_id,
-    validate_storage_disabled_attribute, validate_deleted_vault_or_hsm_name, validate_encryption, validate_decryption,
+    validate_vault_or_hsm, validate_key_id,
+    validate_deleted_vault_or_hsm_name, validate_encryption, validate_decryption,
     validate_vault_name_and_hsm_name, set_vault_base_url, validate_keyvault_resource_id,
     process_hsm_name, KeyEncryptionDataType, process_key_release_policy, process_certificate_policy,
     process_certificate_import)
@@ -38,11 +38,6 @@
 
 # pylint: disable=too-many-locals, too-many-branches, too-many-statements, line-too-long
 def load_arguments(self, _):
-    (JsonWebKeyOperation, SasTokenType,
-     SasDefinitionAttributes, StorageAccountAttributes) = self.get_models(
-         'JsonWebKeyOperation', 'SasTokenType',
-         'SasDefinitionAttributes', 'StorageAccountAttributes',
-         resource_type=ResourceType.DATA_KEYVAULT)
 
     JsonWebKeyType = self.get_sdk('KeyType', resource_type=ResourceType.DATA_KEYVAULT_KEYS, mod='_enums')
     KeyCurveName = self.get_sdk('KeyCurveName', resource_type=ResourceType.DATA_KEYVAULT_KEYS, mod='_enums')
@@ -674,77 +669,6 @@ class CLISecurityDomainOperation(str, Enum):
 
     # endregion
 
-    # region KeyVault Storage Account
-    with self.argument_context('keyvault storage', arg_group='Id') as c:
-        c.argument('storage_account_name', options_list=['--name', '-n'],
-                   help='Name to identify the storage account in the vault.', id_part='child_name_1',
-                   completer=get_keyvault_name_completion_list('storage_account'))
-        c.argument('vault_base_url', vault_name_type, type=get_vault_base_url_type(self.cli_ctx), id_part=None)
-
-    for scope in ['keyvault storage add', 'keyvault storage update']:
-        with self.argument_context(scope) as c:
-            c.extra('disabled', arg_type=get_three_state_flag(), help='Add the storage account in a disabled state.',
-                    validator=validate_storage_disabled_attribute(
-                        'storage_account_attributes', StorageAccountAttributes))
-            c.ignore('storage_account_attributes')
-            c.argument('auto_regenerate_key', arg_type=get_three_state_flag(), required=False)
-            c.argument('regeneration_period', help='The key regeneration time duration specified in ISO-8601 format, '
-                                                   'such as "P30D" for rotation every 30 days.')
-    for scope in ['backup', 'show', 'update', 'remove', 'regenerate-key']:
-        with self.argument_context('keyvault storage ' + scope, arg_group='Id') as c:
-            c.extra('identifier', options_list=['--id'],
-                    help='Id of the storage account.  If specified all other \'Id\' arguments should be omitted.',
-                    validator=validate_storage_account_id)
-            c.argument('storage_account_name', required=False,
-                       help='Name to identify the storage account in the vault. Required if --id is not specified.')
-            c.argument('vault_base_url', help='Name of the Key Vault. Required if --id is not specified.',
-                       required=False)
-
-    with self.argument_context('keyvault storage backup') as c:
-        c.argument('file_path', options_list=['--file', '-f'], type=file_type, completer=FilesCompleter(),
-                   help='Local file path in which to store storage account backup.')
-
-    with self.argument_context('keyvault storage restore') as c:
-        c.argument('file_path', options_list=['--file', '-f'], type=file_type, completer=FilesCompleter(),
-                   help='Local key backup from which to restore storage account.')
-
-    with self.argument_context('keyvault storage sas-definition', arg_group='Id') as c:
-        c.argument('storage_account_name', options_list=['--account-name'],
-                   help='Name to identify the storage account in the vault.', id_part='child_name_1',
-                   completer=get_keyvault_name_completion_list('storage_account'))
-        c.argument('sas_definition_name', options_list=['--name', '-n'],
-                   help='Name to identify the SAS definition in the vault.', id_part='child_name_2')
-
-    for scope in ['keyvault storage sas-definition create', 'keyvault storage sas-definition update']:
-        with self.argument_context(scope) as c:
-            c.extra('disabled', arg_type=get_three_state_flag(), help='Add the storage account in a disabled state.',
-                    validator=validate_storage_disabled_attribute('sas_definition_attributes', SasDefinitionAttributes))
-            c.ignore('sas_definition_attributes')
-            c.argument('sas_type', arg_type=get_enum_type(SasTokenType))
-            c.argument('template_uri',
-                       help='The SAS definition token template signed with the key 00000000. '
-                            'In the case of an account token this is only the sas token itself, for service tokens, '
-                            'the full service endpoint url along with the sas token.  Tokens created according to the '
-                            'SAS definition will have the same properties as the template.')
-            c.argument('validity_period',
-                       help='The validity period of SAS tokens created according to the SAS definition in ISO-8601, '
-                            'such as "PT12H" for 12 hour tokens.')
-            c.argument('auto_regenerate_key', arg_type=get_three_state_flag())
-
-    for scope in ['keyvault storage sas-definition delete', 'keyvault storage sas-definition show',
-                  'keyvault storage sas-definition update']:
-        with self.argument_context(scope, arg_group='Id') as c:
-            c.extra('identifier', options_list=['--id'],
-                    help='Id of the SAS definition. If specified all other \'Id\' arguments should be omitted.',
-                    validator=validate_sas_definition_id)
-            c.argument('storage_account_name', required=False,
-                       help='Name to identify the storage account in the vault. Required if --id is not specified.')
-            c.argument('sas_definition_name', required=False,
-                       help='Name to identify the SAS definition in the vault. Required if --id is not specified.')
-            c.argument('vault_base_url', help='Name of the Key Vault. Required if --id is not specified.',
-                       required=False)
-    # endregion
-
     # KeyVault Certificate
     with self.argument_context('keyvault certificate issuer admin') as c:
         c.argument('email', help='Admin e-mail address. Must be unique within the vault.')

src/azure-cli/azure/cli/command_modules/keyvault/_validators.py

@@ -696,44 +696,6 @@ def _validate(ns):
     return _validate
 
 
-def validate_sas_definition_id(ns):
-    from .vendored_sdks.azure_keyvault_t1 import StorageSasDefinitionId
-    acct_name = getattr(ns, 'storage_account_name', None)
-    sas_name = getattr(ns, 'sas_definition_name', None)
-    vault = getattr(ns, 'vault_base_url', None)
-    identifier = getattr(ns, 'identifier', None)
-
-    if identifier:
-        ident = StorageSasDefinitionId(uri=identifier)
-        setattr(ns, 'sas_definition_name', getattr(ident, 'sas_definition'))
-        setattr(ns, 'storage_account_name', getattr(ident, 'account_name'))
-        setattr(ns, 'vault_base_url', ident.vault)
-    elif not (acct_name and sas_name and vault):
-        raise CLIError('incorrect usage: --id ID | --vault-name VAULT --account-name --name NAME')
-
-
-def validate_storage_account_id(ns):
-    from .vendored_sdks.azure_keyvault_t1 import StorageAccountId
-    acct_name = getattr(ns, 'storage_account_name', None)
-    vault = getattr(ns, 'vault_base_url', None)
-    identifier = getattr(ns, 'identifier', None)
-
-    if identifier:
-        ident = StorageAccountId(uri=identifier)
-        setattr(ns, 'storage_account_name', ident.name)
-        setattr(ns, 'vault_base_url', ident.vault)
-    elif not (acct_name and vault):
-        raise CLIError('incorrect usage: --id ID | --vault-name VAULT --name NAME')
-
-
-def validate_storage_disabled_attribute(attr_arg_name, attr_type):
-    def _validate(ns):
-        disabled = getattr(ns, 'disabled', None)
-        attr_arg = attr_type(enabled=(not disabled))
-        setattr(ns, attr_arg_name, attr_arg)
-    return _validate
-
-
 def validate_encryption(ns):
     if ns.data_type == KeyEncryptionDataType.BASE64:
         ns.value = base64.b64decode(ns.value.encode('utf-8'))

src/azure-cli/azure/cli/command_modules/keyvault/commands.py

@@ -331,39 +331,6 @@ def load_command_table(self, _):
             g.keyvault_command('show', 'get_setting')
             g.keyvault_custom('update', 'update_hsm_setting')
 
-    data_api_version = str(get_api_version(self.cli_ctx, ResourceType.DATA_KEYVAULT)).\
-        replace('.', '_').replace('-', '_')
-
-    if data_api_version != '2016_10_01':
-        with self.command_group('keyvault storage', data_entity.command_type, deprecate_info=self.deprecate()) as g:
-            g.keyvault_command('add', 'set_storage_account')
-            g.keyvault_command('list', 'get_storage_accounts', transform=keep_max_results)
-            g.keyvault_command('show', 'get_storage_account')
-            g.keyvault_command('update', 'update_storage_account')
-            g.keyvault_command('remove', 'delete_storage_account')
-            g.keyvault_command('regenerate-key', 'regenerate_storage_account_key')
-            g.keyvault_command('list-deleted', 'get_deleted_storage_accounts', transform=keep_max_results)
-            g.keyvault_command('show-deleted', 'get_deleted_storage_account')
-            g.keyvault_command('purge', 'purge_deleted_storage_account')
-            g.keyvault_command('recover', 'recover_deleted_storage_account')
-            g.keyvault_custom('backup', 'backup_storage_account',
-                              doc_string_source=data_entity.operations_docs_tmpl.format('backup_storage_account'))
-            g.keyvault_custom('restore', 'restore_storage_account',
-                              doc_string_source=data_entity.operations_docs_tmpl.format('restore_storage_account'))
-
-    if data_api_version != '2016_10_01':
-        with self.command_group('keyvault storage sas-definition', data_entity.command_type) as g:
-            g.keyvault_command('create', 'set_sas_definition',
-                               doc_string_source=data_entity.operations_docs_tmpl.format('set_sas_definition'))
-            g.keyvault_command('list', 'get_sas_definitions', transform=keep_max_results)
-            g.keyvault_command('show', 'get_sas_definition')
-            g.keyvault_command('update', 'update_sas_definition',
-                               doc_string_source=data_entity.operations_docs_tmpl.format('update_sas_definition'))
-            g.keyvault_command('delete', 'delete_sas_definition')
-            g.keyvault_command('list-deleted', 'get_deleted_sas_definitions', transform=keep_max_results)
-            g.keyvault_command('show-deleted', 'get_deleted_sas_definition')
-            g.keyvault_command('recover', 'recover_deleted_sas_definition')
-
     if not is_azure_stack_profile(self):
         with self.command_group('keyvault region', mgmt_hsms_regions_entity.command_type,
                                 client_factory=mgmt_hsms_regions_entity.client_factory, min_api='2023-02-01') as g:

src/azure-cli/azure/cli/command_modules/keyvault/custom.py

@@ -1695,21 +1695,6 @@ def delete_certificate_issuer_admin(client, issuer_name, email):
 # endregion
 
 
-# region storage_account
-def backup_storage_account(client, file_path, vault_base_url=None,
-                           storage_account_name=None, identifier=None):  # pylint: disable=unused-argument
-    backup = client.backup_storage_account(vault_base_url, storage_account_name).value
-    with open(file_path, 'wb') as output:
-        output.write(backup)
-
-
-def restore_storage_account(client, vault_base_url, file_path):
-    with open(file_path, 'rb') as file_in:
-        data = file_in.read()
-        return client.restore_storage_account(vault_base_url, data)
-# endregion
-
-
 # region private_link
 def _verify_vault_or_hsm_name(vault_name, hsm_name):
     if not vault_name and not hsm_name: