Merge pull request #220971 from GennadNY/gennadyk897

prmerger-automator[bot] · web-flow · commit 3e4c6afa9def · 2022-12-09T01:10:55.000Z
Gennadyk897
diff --git a/articles/postgresql/flexible-server/concepts-data-encryption.md b/articles/postgresql/flexible-server/concepts-data-encryption.md
@@ -158,9 +158,12 @@ Some of the reasons why server state can become *Inaccessible* are:
 - If you setup overly restrictive Azure KeyVault firewall rules that cause Azure Database for PostgreSQL- Flexible Server inability to communicate with Azure KeyVault to retrieve keys. If you enable [KeyVault firewall](../../key-vault/general/overview-vnet-service-endpoints.md#trusted-services), make sure you check an option to *'Allow Trusted Microsoft Services to bypass this firewall.'*
 
 
+> [!NOTE]  
+> CLI examples below are based on 2.43.0 version of Azure Database for PostgreSQL - Flexible Server CLI libraries, which are in preview and may be subject to changes.  
+
 ## Setup Customer Managed Key during Server Creation
 
-### From portal
+### Portal
 
 Prerequisites:
 
@@ -181,7 +184,7 @@ Follow the steps below to enable CMK while creating Postgres Flexible Server usi
 1. Once it's finished, you should be able to navigate to Data Encryption (preview) screen for the server and update identity or key if necessary
 
 
-### From CLI:
+### CLI:
 
 Prerequisites:
 
@@ -192,31 +195,30 @@ Follow the steps below to enable CMK while creating Postgres Flexible Server usi
 1.  Create a key vault and a key to use for a customer-managed key. Also enable purge protection and soft delete on the key vault.
 
 ```azurecli-interactive
-     az keyvault create -g <resource_group> -n <vault_name> --location <azure_region> --enable-purge-
-        protection true
+     az keyvault create -g <resource_group> -n <vault_name> --location <azure_region> --enable-purge-protection true
 ```
 
 2.  In the created Azure Key Vault, create the key that will be used for the data encryption of the Azure Database for PostgreSQL - Flexible server.
 
 ```azurecli-interactive
-    az keyvault key create --name <key_name> -p software --vault-name <vault_name>
+     keyIdentifier=$(az keyvault key create --name <key_name> -p software --vault-name <vault_name> --query key.kid -o tsv)
 ```
 3. Create Managed Identity which will be used to retrieve key from Azure Key Vault
 ```azurecli-interactive
- az identity create -g <resource_group> --name <identity_name> --location <azure_region>
+ identityPrincipalId=$(az identity create -g <resource_group> --name <identity_name> --location <azure_region> --query principalId -o tsv)
 ```
+
 4. Add access policy with key permissions of *wrapKey*,*unwrapKey*, *get*, *list* in Azure KeyVault to the managed identity we created above
 ```azurecli-interactive
-az keyvault set-policy -g <resource_group> -n <vault_name>  --object-id '<principalID of managed_identity>' --key-permissions wrapKey unwrapKey get list
+az keyvault set-policy -g <resource_group> -n <vault_name>  --object-id $identityPrincipalId --key-permissions wrapKey unwrapKey get list
 ```
 5.  Finally, lets create Azure Database for PostgreSQL - Flexible Server with CMK based encryption enabled
 ```azurecli-interactive
-az postgres flexible-server create -g <resource_group> -n <postgres_server_name> --location <azure_region> \
-          --key '<key identifier of key created above>' --identity <identity_name>
+az postgres flexible-server create -g <resource_group> -n <postgres_server_name> --location <azure_region>  --key $keyIdentifier --identity <identity_name>
 ```
 ## Update Customer Managed Key on the CMK enabled Flexible Server
 
-### From portal
+### Portal
 
 Prerequisites:
 
@@ -235,17 +237,20 @@ Follow the steps below to update CMK on CMK enabled Flexible Server using Azure
 1. Select different key by choosing subscription, Key Vault and key from dropdowns provided.
 
 
-### From CLI
+### CLI
 
 Prerequisites:
 - You must have an Azure subscription and be an administrator on that subscription.
 - Key Vault with key in region where Postgres Flex Server will be created. Follow this [tutorial](../../key-vault/general/quick-create-portal.md) to create Key Vault and generate key. 
 
 Follow the steps below to change\rotate key or identity after creation of server with data encryption. 
-1. Change key/identity  for data encryption for existing server
+1. Change key/identity  for data encryption for existing server, first lets get new key identifier
+```azurecli-interactive
+ newKeyIdentifier=$(az keyvault key show --vault-name <vault_name> --name <key_name>  --query key.kid -o tsv)
+```
+2. Update server with new key and\or identity
 ```azurecli-interactive
- az postgres flexible-server update --resource-group <resource_group> --name <server_name> \
-          --key '<key identifier of new AKV key>' --identity <identity_name>
+ <!-- az postgres flexible-server update --resource-group <resource_group> --name <server_name> --key $newKeyIdentifier --identity <identity_name> -->
 ```
 ## Limitations
 
