[AppConfig] az appconfig create/update: Add data plane proxy settings (#30228)

Author: albertofori

linter_exclusions.yml

@@ -728,6 +728,14 @@ appconfig update:
     encryption_key_version:
       rule_exclusions:
       - option_length_too_long
+    enable_arm_private_network_access:
+      rule_exclusions:
+      - option_length_too_long
+appconfig create:
+  parameters:
+    enable_arm_private_network_access:
+      rule_exclusions:
+      - option_length_too_long
 appservice ase create:
   parameters:
     force_network_security_group:

src/azure-cli/azure/cli/command_modules/appconfig/_constants.py

@@ -129,3 +129,8 @@ class ProvisioningStatus:
     RUNNING = "Running"
     SUCCEEDED = "Succeeded"
     FAILED = "Failed"
+
+
+class ARMAuthenticationMode:
+    LOCAL = "local"
+    PASS_THROUGH = "pass-through"

src/azure-cli/azure/cli/command_modules/appconfig/_help.py

@@ -28,6 +28,10 @@
     text: az appconfig create -g MyResourceGroup -n MyAppConfiguration -l westus --sku Standard --assign-identity /subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCEGROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity
   - name: Create an App Configuration store with name, location and resource group with public network access enabled and local auth disabled.
     text: az appconfig create -g MyResourceGroup -n MyAppConfiguration -l westus --enable-public-network --disable-local-auth
+  - name: Create an App Configuration store with name, location and resource group with ARM authentication mode set to Pass-through.
+    text: az appconfig create -g MyResourceGroup -n MyAppConfiguration -l westus --arm-auth-mode pass-through
+  - name: Create an App Configuration store with name, location and resource group with ARM authentication mode set to Pass-through and private network access via ARM Private Link enabled.
+    text: az appconfig create -g MyResourceGroup -n MyAppConfiguration -l westus --arm-auth-mode pass-through --enable-arm-private-network-access true
 """
 
 helps['appconfig list-deleted'] = """
@@ -369,6 +373,10 @@
     text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --encryption-key-name ""
   - name: Update an App Configuration store to enable public network access and disable local auth.
     text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --enable-public-network true --disable-local-auth true
+  - name: Update an App Configuration store to set ARM authentication mode set to Pass-through.
+    text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --arm-auth-mode pass-through
+  - name: Update an App Configuration store to set ARM authentication mode set to Pass-through and enable private network access via ARM Private Link.
+    text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --arm-auth-mode pass-through --enable-arm-private-network-access true
 """
 
 helps['appconfig feature'] = """

src/azure-cli/azure/cli/command_modules/appconfig/_params.py

@@ -14,7 +14,7 @@
                                                 resource_group_name_type)
 from azure.cli.core.commands.validators import \
     get_default_location_from_resource_group
-from ._constants import ImportExportProfiles, ImportMode, FeatureFlagConstants
+from ._constants import ImportExportProfiles, ImportMode, FeatureFlagConstants, ARMAuthenticationMode
 
 from ._validators import (validate_appservice_name_or_id, validate_sku, validate_snapshot_query_fields,
                           validate_connection_string, validate_datetime,
@@ -119,6 +119,19 @@ def load_arguments(self, _):
         help='Filter snapshots by their status. If no status specified, return all snapshots by default.'
     )
 
+    arm_auth_mode_arg_type = CLIArgumentType(
+        options_list=['--arm-auth-mode'],
+        arg_type=get_enum_type([ARMAuthenticationMode.LOCAL, ARMAuthenticationMode.PASS_THROUGH]),
+        help="The authentication mode for accessing the App Configuration Store via ARM. 'pass-through' (Recommended) uses Microsoft Entra ID to access the store via ARM with proper authorization.'local' uses access keys for authentication. This requires access keys to be enabled."
+    )
+
+    enable_arm_private_network_access_arg_type = CLIArgumentType(
+        option_list=['--enable-arm-private-network-access'],
+        arg_type=get_three_state_flag(),
+        help="Enable access to the App Configuration store via ARM Private Link if resource is restricted to private network access. Requires Pass-through ARM authentication mode."
+
+    )
+
     # Used with data plane commands. These take either a store name or connection string argument.
     # We only read default values when neither connection string nor store name is provided so configured defaults are not supplied.
     data_plane_name_arg_type = CLIArgumentType(
@@ -160,6 +173,8 @@ def load_arguments(self, _):
         c.argument('replica_name', arg_type=store_creation_replica_name_arg_type)
         c.argument('replica_location', arg_type=replica_location_arg_type)
         c.argument('no_replica', help='Proceed without replica creation for premium tier store.', arg_type=get_three_state_flag())
+        c.argument('arm_auth_mode', arg_type=arm_auth_mode_arg_type)
+        c.argument('enable_arm_private_network_access', arg_type=enable_arm_private_network_access_arg_type)
 
     with self.argument_context('appconfig update') as c:
         c.argument('sku', help='The sku of the App Configuration store', arg_type=get_enum_type(['Free', 'Premium', 'Standard']))
@@ -168,6 +183,8 @@ def load_arguments(self, _):
                    help='When true, requests coming from public networks have permission to access this store while private endpoint is enabled. When false, only requests made through Private Links can reach this store.')
         c.argument('disable_local_auth', arg_type=get_three_state_flag(), help='Disable all authentication methods other than AAD authentication.')
         c.argument('enable_purge_protection', options_list=['--enable-purge-protection', '-p'], arg_type=get_three_state_flag(), help='Property specifying whether protection against purge is enabled for this App Configuration store. Setting this property to true activates protection against purge for this App Configuration store and its contents. Enabling this functionality is irreversible.')
+        c.argument('arm_auth_mode', arg_type=arm_auth_mode_arg_type)
+        c.argument('enable_arm_private_network_access', arg_type=enable_arm_private_network_access_arg_type)
 
     with self.argument_context('appconfig recover') as c:
         c.argument('location', arg_type=get_location_type(self.cli_ctx), help='Location of the deleted App Configuration store. Can be viewed using command `az appconfig show-deleted`.')

src/azure-cli/azure/cli/command_modules/appconfig/_validators.py

@@ -377,13 +377,14 @@ def validate_snapshot_import(namespace):
 
 def validate_sku(namespace):
     if namespace.sku.lower() == 'free':
-        if (namespace.enable_purge_protection or namespace.retention_days or namespace.replica_name or namespace.replica_location or namespace.no_replica):
+        if (namespace.enable_purge_protection or namespace.retention_days or namespace.replica_name or namespace.replica_location or namespace.no_replica or namespace.enable_arm_private_network_access):  # pylint: disable=too-many-boolean-expressions
             logger.warning("Options '--enable-purge-protection', '--replica-name', '--replica-location' , '--no-replica' and '--retention-days' will be ignored when creating a free store.")
             namespace.retention_days = None
             namespace.enable_purge_protection = None
             namespace.replica_name = None
             namespace.replica_location = None
             namespace.no_replica = None
+            namespace.enable_arm_private_network_access = None
             return
 
     if namespace.sku.lower() == 'premium' and not namespace.no_replica:

src/azure-cli/azure/cli/command_modules/appconfig/custom.py

@@ -20,10 +20,14 @@
                                                 KeyVaultProperties,
                                                 RegenerateKeyParameters,
                                                 CreateMode,
-                                                Replica)
+                                                Replica,
+                                                AuthenticationMode,
+                                                PublicNetworkAccess,
+                                                PrivateLinkDelegation,
+                                                DataPlaneProxyProperties)
 from knack.log import get_logger
 from ._utils import resolve_store_metadata, resolve_deleted_store_metadata
-from ._constants import ProvisioningStatus
+from ._constants import ARMAuthenticationMode, ProvisioningStatus
 
 logger = get_logger(__name__)
 
@@ -47,13 +51,23 @@ def create_configstore(cmd,
                        enable_purge_protection=None,
                        replica_name=None,
                        replica_location=None,
-                       no_replica=None):  # pylint: disable=unused-argument
+                       no_replica=None,  # pylint: disable=unused-argument
+                       arm_auth_mode=None,
+                       enable_arm_private_network_access=None):
     if assign_identity is not None and not assign_identity:
         assign_identity = [SYSTEM_ASSIGNED_IDENTITY]
 
     public_network_access = None
     if enable_public_network is not None:
-        public_network_access = 'Enabled' if enable_public_network else 'Disabled'
+        public_network_access = PublicNetworkAccess.ENABLED if enable_public_network else PublicNetworkAccess.DISABLED
+
+    arm_private_link_delegation = None
+    if enable_arm_private_network_access is not None:
+        arm_private_link_delegation = PrivateLinkDelegation.ENABLED if enable_arm_private_network_access else PrivateLinkDelegation.DISABLED
+
+    arm_authentication_mode = None
+    if arm_auth_mode is not None:
+        arm_authentication_mode = AuthenticationMode.LOCAL if arm_auth_mode == ARMAuthenticationMode.LOCAL else AuthenticationMode.PASS_THROUGH
 
     configstore_params = ConfigurationStore(location=location.lower(),
                                             identity=__get_resource_identity(assign_identity) if assign_identity else None,
@@ -63,7 +77,10 @@ def create_configstore(cmd,
                                             disable_local_auth=disable_local_auth,
                                             soft_delete_retention_in_days=retention_days,
                                             enable_purge_protection=enable_purge_protection,
-                                            create_mode=CreateMode.DEFAULT)
+                                            create_mode=CreateMode.DEFAULT,
+                                            data_plane_proxy=DataPlaneProxyProperties(
+                                                authentication_mode=arm_authentication_mode,
+                                                private_link_delegation=arm_private_link_delegation))
 
     progress = IndeterminateStandardOut()
 
@@ -161,19 +178,33 @@ def update_configstore(cmd,
                        identity_client_id=None,
                        enable_public_network=None,
                        disable_local_auth=None,
-                       enable_purge_protection=None):
+                       enable_purge_protection=None,
+                       arm_auth_mode=None,
+                       enable_arm_private_network_access=None):
     __validate_cmk(encryption_key_name, encryption_key_vault, encryption_key_version, identity_client_id)
     if resource_group_name is None:
         resource_group_name, _ = resolve_store_metadata(cmd, name)
 
     public_network_access = None
     if enable_public_network is not None:
-        public_network_access = 'Enabled' if enable_public_network else 'Disabled'
+        public_network_access = PublicNetworkAccess.ENABLED if enable_public_network else PublicNetworkAccess.DISABLED
+
+    arm_private_link_delegation = None
+    if enable_arm_private_network_access is not None:
+        arm_private_link_delegation = PrivateLinkDelegation.ENABLED if enable_arm_private_network_access else PrivateLinkDelegation.DISABLED
+
+    arm_authentication_mode = None
+    if arm_auth_mode is not None:
+        arm_authentication_mode = AuthenticationMode.LOCAL if arm_auth_mode == ARMAuthenticationMode.LOCAL else AuthenticationMode.PASS_THROUGH
+
     update_params = ConfigurationStoreUpdateParameters(tags=tags,
                                                        sku=Sku(name=sku) if sku else None,
                                                        public_network_access=public_network_access,
                                                        disable_local_auth=disable_local_auth,
-                                                       enable_purge_protection=enable_purge_protection)
+                                                       enable_purge_protection=enable_purge_protection,
+                                                       data_plane_proxy=DataPlaneProxyProperties(
+                                                           authentication_mode=arm_authentication_mode,
+                                                           private_link_delegation=arm_private_link_delegation))
 
     if encryption_key_name is not None:
         key_vault_properties = KeyVaultProperties()