Merge pull request #221183 from GennadNY/gennadyk897

Stacyrch140 · web-flow · commit 16cde8138104 · 2022-12-12T22:09:23.000-05:00
Gennadyk897
diff --git a/articles/postgresql/TOC.yml b/articles/postgresql/TOC.yml
@@ -576,6 +576,10 @@
         href: flexible-server/how-to-manage-server-cli.md
       - name: Connect and query guide
         href: flexible-server/how-to-connect-query-guide.md
+    - name: Encryption with CMK
+      items:
+      - name: Azure CLI
+        href: flexible-server/how-to-create-server-customer-managed-key-cli.md
     - name: Database deployment
       items:
       - name: GitHub Actions
@@ -600,12 +604,6 @@
           href: flexible-server/how-to-manage-firewall-portal.md
         - name: Azure CLI
           href: flexible-server/how-to-manage-firewall-cli.md
-    - name: Security (TLS/SSL/SCRAM)
-      items:
-      - name: Connect using TLS/SSL
-        href: flexible-server/how-to-connect-tls-ssl.md
-      - name: Connect using SCRAM
-        href: flexible-server/how-to-connect-scram.md
     - name: Configure server parameters
       items:
       - name: Azure portal
diff --git a/articles/postgresql/flexible-server/concepts-data-encryption.md b/articles/postgresql/flexible-server/concepts-data-encryption.md
@@ -155,7 +155,7 @@ Some of the reasons why server state can become *Inaccessible* are:
 - If you delete the key from the KeyVault, the Azure Database for PostgreSQL- Flexible Server will be unable to access the key and will move to *Inaccessible* state. [Recover the Key](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the server *Available*.
 - If you delete [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) from Azure AD that is used to retrieve a key from KeyVault, the Azure Database for PostgreSQL- Flexible Server will be unable to access the key and will move to *Inaccessible* state.[Recover the identity](../../active-directory/fundamentals/recover-from-deletions.md) and revalidate data encryption to make server *Available*. 
 - If you revoke  the Key Vault's list, get, wrapKey, and unwrapKey access policies from the [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) that is used to retrieve a key from KeyVault, the Azure Database for PostgreSQL- Flexible Server will be unable to access the key and will move to *Inaccessible* state. [Add required access policies](../../key-vault/general/assign-access-policy.md) to the identity in KeyVault. 
-- If you setup overly restrictive Azure KeyVault firewall rules that cause Azure Database for PostgreSQL- Flexible Server inability to communicate with Azure KeyVault to retrieve keys. If you enable [KeyVault firewall](../../key-vault/general/overview-vnet-service-endpoints.md#trusted-services), make sure you check an option to *'Allow Trusted Microsoft Services to bypass this firewall.'*
+- If you set up overly restrictive Azure KeyVault firewall rules that cause Azure Database for PostgreSQL- Flexible Server inability to communicate with Azure KeyVault to retrieve keys. If you enable [KeyVault firewall](../../key-vault/general/overview-vnet-service-endpoints.md#trusted-services), make sure you check an option to *'Allow Trusted Microsoft Services to bypass this firewall.'*
 
 
 > [!NOTE]  
@@ -250,7 +250,7 @@ Follow the steps below to change\rotate key or identity after creation of server
 ```
 2. Update server with new key and\or identity
 ```azurecli-interactive
- <!-- az postgres flexible-server update --resource-group <resource_group> --name <server_name> --key $newKeyIdentifier --identity <identity_name> -->
+  az postgres flexible-server update --resource-group <resource_group> --name <server_name> --key $newKeyIdentifier --identity <identity_name>
 ```
 ## Limitations
 
diff --git a/articles/postgresql/flexible-server/how-to-create-server-customer-managed-key-cli.md b/articles/postgresql/flexible-server/how-to-create-server-customer-managed-key-cli.md
@@ -0,0 +1,69 @@
+---
+title: Create and manage  Azure Database for PostgreSQL - Flexible Server with data  encrypted by Customer Managed Keys using the Azure CLI
+description: Create and manage  Azure Database for PostgreSQL - Flexible Server with data  encrypted by Customer Managed Keys using the Azure CLI
+author: gennadNY 
+ms.author: gennadyk
+ms.service: postgresql
+ms.subservice: flexible-server
+ms.topic: how-to
+ms.date: 12/10/2022
+---
+# Create and manage  Azure Database for PostgreSQL - Flexible Server with data  encrypted by Customer Managed Keys (CMK) using the Azure CLI
+
+[!INCLUDE [applies-to-postgresql-flexible-server](../includes/applies-to-postgresql-flexible-server.md)]
+
+> [!NOTE]  
+> CLI examples below are based on 2.43.0 version of Azure Database for PostgreSQL - Flexible Server CLI libraries, which are in preview and may be subject to changes.  
+
+In this article, you learn how to create and manage Azure Database for PostgreSQL - Flexible Server with data  encrypted by Customer Managed Keys using the Azure CLI. To learn more about Customer Managed Keys (CMK) feature with Azure Database for PostgreSQL - Flexible Server, see the [overview](concepts-data-encryption.md).
+
+## Setup Customer Managed Key during Server Creation
+
+Prerequisites:
+
+- You must have an Azure subscription and be an administrator on that subscription.
+
+Follow the steps below to enable CMK while creating Postgres Flexible Server using Azure CLI.
+
+1.  Create a key vault and a key to use for a customer-managed key. Also enable purge protection and soft delete on the key vault.
+
+```azurecli-interactive
+     az keyvault create -g <resource_group> -n <vault_name> --location <azure_region> --enable-purge-protection true
+```
+
+2.  In the created Azure Key Vault, create the key that will be used for the data encryption of the Azure Database for PostgreSQL - Flexible server.
+
+```azurecli-interactive
+     keyIdentifier=$(az keyvault key create --name <key_name> -p software --vault-name <vault_name> --query key.kid -o tsv)
+```
+3. Create Managed Identity which will be used to retrieve key from Azure Key Vault
+```azurecli-interactive
+ identityPrincipalId=$(az identity create -g <resource_group> --name <identity_name> --location <azure_region> --query principalId -o tsv)
+```
+
+4. Add access policy with key permissions of *wrapKey*,*unwrapKey*, *get*, *list* in Azure KeyVault to the managed identity we created above
+```azurecli-interactive
+az keyvault set-policy -g <resource_group> -n <vault_name>  --object-id $identityPrincipalId --key-permissions wrapKey unwrapKey get list
+```
+5.  Finally, lets create Azure Database for PostgreSQL - Flexible Server with CMK based encryption enabled
+```azurecli-interactive
+az postgres flexible-server create -g <resource_group> -n <postgres_server_name> --location <azure_region>  --key $keyIdentifier --identity <identity_name>
+```
+## Update Customer Managed Key on the CMK enabled Flexible Server
+
+Prerequisites:
+- You must have an Azure subscription and be an administrator on that subscription.
+- Key Vault with key in region where Postgres Flex Server will be created. Follow this [tutorial](../../key-vault/general/quick-create-portal.md) to create Key Vault and generate key. 
+
+Follow the steps below to change\rotate key or identity after creation of server with data encryption. 
+1. Change key/identity  for data encryption for existing server, first lets get new key identifier
+```azurecli-interactive
+ newKeyIdentifier=$(az keyvault key show --vault-name <vault_name> --name <key_name>  --query key.kid -o tsv)
+```
+2. Update server with new key and\or identity
+```azurecli-interactive
+  az postgres flexible-server update --resource-group <resource_group> --name <server_name> --key $newKeyIdentifier --identity <identity_name>
+```
+## Next steps
+
+- [Manage an Azure Database for PostgreSQL - Flexible Server by using the Azure CLI](how-to-manage-server-cli.md)
