[KeyVault] Support MHSM Settings (#22525)

* wip

* add update-azkeyvaultsetting and help docs

* add example for settings

* add change log

* add live test

* fix

* fix

Author: BethanyZhou

src/KeyVault/KeyVault.Test/KeyVault.Test.csproj

@@ -13,7 +13,6 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.1" />
     <PackageReference Include="Microsoft.Azure.KeyVault.WebKey" Version="3.0.1" />
-    <PackageReference Include="Microsoft.Azure.Management.KeyVault" Version="4.0.0-preview.1" />
   </ItemGroup>
 
   <ItemGroup>

src/KeyVault/KeyVault.Test/LiveTests/KeyVaultDataPlaneLiveTests/TestNetworkRuleSet.ps1

@@ -0,0 +1,19 @@
+Invoke-LiveTestScenario -Name "Create key vault and specifies network rules" -Description "Create key vault and specifies network rules to allow access to the specified IP address" -ScenarioScript `
+{
+    param ($rg)
+
+    $rgName = $rg.ResourceGroupName
+    $vaultName = New-LiveTestResourceName
+    $vnName = New-LiveTestResourceName
+    $vaultLocation = "eastus"
+    $vnLocation = "westus"
+    $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name frontendSubnet -AddressPrefix "110.0.1.0/24" -ServiceEndpoint Microsoft.KeyVault
+    $virtualNetwork = New-AzVirtualNetwork -Name $vnName -ResourceGroupName $rg.ResourceGroupName -Location $vnLocation -AddressPrefix "110.0.0.0/16" -Subnet $frontendSubnet
+    $myNetworkResId = $virtualNetwork.Subnets[0].Id
+    $ruleSet = New-AzKeyVaultNetworkRuleSetObject -DefaultAction Allow -Bypass AzureServices -IpAddressRange "110.0.1.0/24" -VirtualNetworkResourceId $myNetworkResId
+    $keyvault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Location $vaultLocation -NetworkRuleSet $ruleSet
+    Assert-AreEqual $keyvault.NetworkAcls.DefaultAction Allow
+    Assert-AreEqual $keyvault.NetworkAcls.Bypass AzureServices
+    # Assert-AreEqual $keyvault.NetworkAcls.VirtualNetworkResourceIds $myNetworkResId
+
+}

src/KeyVault/KeyVault.Test/LiveTests/ManagedHsmDataPlaneLiveTests/TestSetting.ps1

@@ -0,0 +1,16 @@
+Invoke-LiveTestScenario -Name "Get and update key vault setting in a MSHM" -Description "Get and update a key vault setting in a MSHM" -ScenarioScript `
+{
+    param ($rg)
+
+    $rgName = $rg.ResourceGroupName
+    $hsmName = "bezmhsm" + (New-LiveTestRandomName -Option AllNumbers)
+    $hsmLocation = 'eastus2euap'
+    $adminId = (Get-AzADUser -StartsWith Beisi).Id
+    $hsmObject = New-AzKeyVaultManagedHsm -HsmName $hsmName -ResourceGroupName $rgName -Location $hsmLocation -Administrator $adminId
+    Start-Sleep 1800
+    New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto User" -ObjectId $adminId
+    Export-AzKeyVaultSecurityDomain -Certificates "$PSScriptRoot\sd1.cer", "$PSScriptRoot\sd2.cer", "$PSScriptRoot\sd3.cer" -Quorum 2 -OutputPath $PSScriptRoot/sd.ps.json -Name $hsmName
+    $setting = $hsmObject | Get-AzKeyVaultSetting -Name "AllowKeyManagementOperationsThroughARM"
+    $updatedSetting= $setting | Update-AzKeyVaultSetting -Value true -PassThru
+    Assert-AreEqual $updatedSetting.Value "true"
+}

src/KeyVault/KeyVault.Test/LiveTests/ManagedHsmDataPlaneLiveTests/sd1.cer

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUIUpinRAYmz8hRNFjYhxwI745OiAwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDEwMTkwNjIyMDVaFw0yMTEw
+MTkwNjIyMDVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDs+KM6KQpgNNhA+ZwIaqV1C2UCOHrcp7IaZv5q9GnV
+3vcqXxfzLH10T7H2o4/2VNtIayNuWxV9Kmq6/7MMYL49njecqsoGIIIUmhXr2Mb7
+R6i2H6ufUc6w7W/TkSFw+ZhGEDqD2ocJn4FoKGBUY4yppIgBxGk1f/9ehJ1VjQNY
+EqrfYjLgO5HL5hZNwwxqm4TUi+ITk+bcQ1412CQuHtfogQLXIoRDOhrcd8q0zCvS
+0EXmdm0EU688K1Jc16PW/yTsC+Rxlr7Nx54ItqyQq1fI2au1Hm7dvq3EGDsqWwZ8
+flUvOzOSHx+KXHX7Gq+dAVd2ojVcy12wBbMuPApqHpefAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQI8DpMP9uV3CeqJUp+Li39skEGpzAfBgNVHSMEGDAWgBQI8DpMP9uV3Ceq
+JUp+Li39skEGpzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCh
+2c2R2REuskEc4L/A7FATW7oF7vkfdISUBwmyDjUdVpmJqYWFF58afd4wpj/qkRXa
+fbUznmqE7EIbWNjmXscA4uNXLFnPydpYuI7wq2QPkexSOb2isssOoF5E26rYL6UQ
+WV3xWVKDr+pNJc92kWm38rK7dMEHodHUOnOVJbwujS82DEYeN/LGFb+tEhJnfYH9
+mTvF6qeBiwWvkOhl9/UBBFQ21rEyVHbAE49o3o7a0LuVm6p3l7xMPVbP0QrTLZx7
+9XKTo6T/t2B2EV/D68kn9rdRtRJODOcoJD1Rk560Z4jaJocyeFSZ2EdI2UOAXwqN
+WM5V+1ufCMHCH6A9YNta
+-----END CERTIFICATE-----

src/KeyVault/KeyVault.Test/LiveTests/ManagedHsmDataPlaneLiveTests/sd2.cer

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUdhcv4h6Uqh0LhlCrHzMS0HirOzowDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDEwMTkwNjIxNDJaFw0yMTEw
+MTkwNjIxNDJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC9HLiQac3z5yoOtWz3tZzEllri/ngtjLmArEJrBp8F
+Lixh//RtrYf3QgYhqiw/KSf0KKjstKpbddM7Vk9MdpGvo7E652Cgxa0grDtE6Tnn
+VHbmz+YWt/Uoka5CaXyrf8jmYdOKp10NYG6JKKTb2OZtgBfSADPLFR7h8t0umfAc
+w0SUVTNopAonWQ+stypUaW4drwuPhRJvbNtA9l1+XIdLkondaTd7MOrbqRMXa6p1
+PDZmwuA/SV9ckJcjt8BR4wJRd0OEFQi/2D+lvzVuhfYh4IjBDwGqI4UwP0TBvu0d
+bTYiDULmGT3e+lcaX9S8mR9C9CL38JYyUhnDEw7lNdsRAgMBAAGjUzBRMB0GA1Ud
+DgQWBBR75zgU+Tl1ZqmtUKOUwRwPz9vnOTAfBgNVHSMEGDAWgBR75zgU+Tl1Zqmt
+UKOUwRwPz9vnOTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAm
+iQcCWThTxFf5hL9MUYv2VoJYXQKyd7Fg99aE1Qq9QjeZtouein99Td5qVp+21ypb
+y6KyXELjyf7a8LYl+Odkrx/t9e3onjjFyhEu9HxzlOkXeghJP/r2tFS4cgdkCuzB
+Y5itX1VhLgVQAx9vdHCogBdSUAcpPEXD7af8W+EUgMhpfu5pX/JKhpB3GBRKvc5Y
+64RAN9GOtjskXzktswpVBN9oQEvH6rHm1VubBHCwURLpgOuBjseqITNDBTZTmHmG
+V5M3ia8tTIr84usy/I4vg1AVvtUSdKtn6CmDVcUomxY6I5EoPHaIzwxUQuaJ5PU4
+C3HchcURKKyW3KNogqRn
+-----END CERTIFICATE-----

src/KeyVault/KeyVault.Test/LiveTests/ManagedHsmDataPlaneLiveTests/sd3.cer

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUFLLPncJi3vW3IxmcFJ94d8EdyKQwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDEwMTkwNjIxNTRaFw0yMTEw
+MTkwNjIxNTRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCd7IwTwmgOM1UrCHQlxMROCQwr99FShBjWlJepYGFr
+JeaY8Cskm4b0odX0SYAXLH4hlmpMhRejf1MJPzBO/k7qUl+iqylbm00e+3HKlINa
+ga+1BsM0FN37Ek0UWLv39uxd/O0ys8tnheBXR/2V/dBoenk16n1RVaMkojodcdb4
+tvW64t+PgRWEmvj+yUcCSA/ty1KHjb+119gUbxuDHR3AkUlm2RWzzdBCS5HLJXN3
+VJqvAclEFC76KALIiHA/tGbI5QKofdYEidruRKmWhuuNv/V/CztXZfg1fPlc5sej
+CXG1Sd2CUASo7yWuxP4Li8i6wj3UarR+43CYOtnCULv1AgMBAAGjUzBRMB0GA1Ud
+DgQWBBSnQt/wdFqeVMTKt2eoVOcvz5+nLTAfBgNVHSMEGDAWgBSnQt/wdFqeVMTK
+t2eoVOcvz5+nLTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBH
+o3AcBaOV2sUe2LxcDiesGwP1BKC0u0gPxJ5CxiM/RfihuvuxmS5OwXBWfc/nwZ5t
+4rhYFQRlV9zt0X8tYbIaj6LtTgj18EFe7J4rsZVE4fmj+VSBYqLijcc0zkahYMNJ
+Hkh/dZG2S3bJGmZzupn4DhrhD577bAA2N88Gzf0rLnqpgK9pOFdJooZQbHm9Fs7M
+Gp9r4TJIdy9ocO6s3a62CRyiry0v6fJkcG5m3LRGxm3a5tkMWsIDdX4+hVOtfPrd
+ZExKEt73/wDsHPmNG/RouNIU8mYe+jXK6y1V4xH3xAuwVMK7jDAH0/D7AwM4eCtV
+YwxuRqXxRoG6oB1K0FCO
+-----END CERTIFICATE-----

src/KeyVault/KeyVault.Test/LiveTests/TestLiveScenarios.ps1

@@ -206,3 +206,6 @@ Invoke-LiveTestScenario -Name "Backup and restore key vault secret" -Description
     Assert-AreEqual $vaultName2 $actual.VaultName
     Assert-AreEqual $secretName $actual.Name
 }
+
+& "$PSScriptRoot\KeyVaultDataPlaneLiveTests\TestNetworkRuleSet.ps1"
+# & "$PSScriptRoot\ManagedHsmDataPlaneLiveTests\TestSetting.ps1"

src/KeyVault/KeyVault/Az.KeyVault.psd1

@@ -131,7 +131,8 @@ CmdletsToExport = 'Add-AzKeyVaultCertificate', 'Update-AzKeyVaultCertificate',
                'Undo-AzKeyVaultManagedStorageAccountRemoval', 
                'Add-AzKeyVaultNetworkRule', 'Update-AzKeyVaultNetworkRuleSet', 
                'Remove-AzKeyVaultNetworkRule', 'Export-AzKeyVaultSecurityDomain', 
-               'Import-AzKeyVaultSecurityDomain'
+               'Import-AzKeyVaultSecurityDomain',
+               'Get-AzKeyVaultSetting', 'Update-AzKeyVaultSetting'
 
 # Variables to export from this module
 # VariablesToExport = @()

src/KeyVault/KeyVault/ChangeLog.md

@@ -18,10 +18,11 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported Setting for Managed HSM: Added `Get-AzKeyVaultSetting` and `Update-AzKeyVaultSetting`.
 * Updated Azure.Core to 1.34.0.
 
 ## Version 4.10.2
-* Bug Fix: Removed depulicated IpRules from `NetworkRuleSet` and `MhsmNetworkRuleSet`. [#22472]
+* Bug Fix: Removed duplicated IpRules from `NetworkRuleSet` and `MhsmNetworkRuleSet`. [#22472]
 
 ## Version 4.10.1
 * Removed maximum number for `IpAddressRange` and `VirtualNetworkResourceId` in `*-AzKeyVaultNetworkRuleSet*` from client side. [#22137]

src/KeyVault/KeyVault/Commands/Setting/GetAzKeyVaultSetting.cs

@@ -0,0 +1,82 @@
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+
+using System;
+using System.Collections.Generic;
+using System.Management.Automation;
+using System.Text;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands.Setting
+{
+    [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultSetting", DefaultParameterSetName = GetSettingViaFlattenParameters)]
+    [OutputType(typeof(PSKeyVaultSetting))]
+    public class GetAzKeyVaultSetting: KeyVaultCmdletBase
+    {
+        #region Parameter Set Names
+        private const string GetSettingViaFlattenParameters = "GetSettingViaFlattenParameters";
+        private const string GetSettingViaHsmObject = "GetSettingViaHsmObject";
+        private const string GetSettingViaHsmId = "GetSettingViaHsmId";
+        #endregion
+
+        #region Input Parameter Definitions
+
+        [Parameter(Mandatory = true,
+            Position = 0,
+            ParameterSetName = GetSettingViaFlattenParameters,
+            HelpMessage = "Name of the HSM.")]
+        [ResourceNameCompleter("Microsoft.KeyVault/managedHSMs", "FakeResourceGroupName")]
+        [ValidateNotNullOrEmpty]
+        public string HsmName;
+
+        [Parameter(Mandatory = true,
+            Position = 0,
+            ParameterSetName = GetSettingViaHsmObject,
+            ValueFromPipeline = true,
+            HelpMessage = "Hsm Object.")]
+        [ValidateNotNullOrEmpty]
+        public PSManagedHsm HsmObject;
+
+        [Parameter(Mandatory = true,
+            Position = 0,
+            ParameterSetName = GetSettingViaHsmId,
+            HelpMessage = "Hsm Resource Id.")]
+        [ValidateNotNullOrEmpty]
+        public string HsmId;
+
+        [Parameter(Mandatory = false,
+            Position = 1,
+            HelpMessage = "Name of the setting.")]
+        public string Name;
+
+        #endregion
+
+        public override void ExecuteCmdlet()
+        {
+            NormalizeParameterSets();
+
+            if (string.IsNullOrEmpty(Name))
+            {
+                WriteObject(this.Track2DataClient.GetManagedHsmSettings(HsmName), true);
+            }
+            else
+            {
+                WriteObject(this.Track2DataClient.GetManagedHsmSetting(HsmName, Name));
+            }
+        }
+
+        private void NormalizeParameterSets()
+        {
+            switch (ParameterSetName)
+            {
+                case GetSettingViaHsmId:
+                    var parsedResourceId = new ResourceIdentifier(HsmId);
+                    HsmName = parsedResourceId.ResourceName;
+                    break;
+                case GetSettingViaHsmObject:
+                    HsmName = HsmObject.VaultName;
+                    break;
+            }
+        }
+    }
+}