Merge pull request #250753 from aditivgupta/cmk

Add CMK

Author: prmerger-automator[bot]

articles/mysql/migrate/migrate-single-flexible-mysql-import-cli.md

@@ -53,8 +53,7 @@ az account set --subscription <subscription id>
 - MySQL Import for Single Servers with Legacy Storage architecture (General Purpose storage V1) isn't supported. You must upgrade your storage to the latest storage architecture (General Purpose storage V2) to trigger a MySQL Import operation. Find your storage type and upgrade steps by following directions [here](../single-server/concepts-pricing-tiers.md#how-can-i-determine-which-storage-type-my-server-is-running-on).
 - MySQL Import to an existing Azure MySQL Flexible Server isn't supported. The CLI command initiates the import of a new Azure MySQL Flexible Server.
 - If the flexible target server is provisioned as non-HA (High Availability disabled) when updating the CLI command parameters, it can later be switched to Same-Zone HA but not Zone-Redundant HA.
-- MySQL Import doesn't currently support Azure Database for MySQL Single Servers with Customer managed key (CMK).
-- MySQL Imposer doesn't currently support Azure Database for MySQL Single Servers with Infrastructure Double Encryption.
+- MySQL Import doesn't currently support Azure Database for MySQL Single Servers with Infrastructure Double Encryption.
 - Only instance-level import is supported. No option to import selected databases within an instance is provided.
 - Below items should be copied from source to target by the user post MySQL Import operation:
   - Firewall rules
@@ -113,6 +112,29 @@ The following example takes in the data source information for Single Server nam
 az mysql flexible-server import create --data-source-type "mysql_single" --data-source "test-single-server" --resource-group "test-rg"  --name "test-flexible-server" --high-availability ZoneRedundant --zone 1 --standby-zone 3  --vnet "myVnet" --subnet "mySubnet" --private-dns-zone "myserver.private.contoso.com"
 ```
 
+The following example takes in the data source information for Single Server named 'test-single-server' with CUstomer Managed Key (CMK) enabled and target Flexible Server information, creates a target Flexible Server named `test-flexible-server` and performs an import from source to target. For CMK enabled Single Server instances, MySQL Import command requires you to provide mandatory input parameters for enabling CMK : --key keyIdentifierOfTestKey --identity testIdentity.
+
+```azurecli-interactive
+# create keyvault
+az keyvault create -g testGroup -n testVault --location testLocation \
+  --enable-purge-protection true
+
+# create key in keyvault and save its key identifier
+keyIdentifier=$(az keyvault key create --name testKey -p software \
+  --vault-name testVault --query key.kid -o tsv)
+
+# create identity and save its principalId
+identityPrincipalId=$(az identity create -g testGroup --name testIdentity \
+  --location testLocation --query principalId -o tsv)
+
+# add testIdentity as an access policy with key permissions 'Wrap Key', 'Unwrap Key', 'Get' and 'List' inside testVault
+az keyvault set-policy -g testGroup -n testVault --object-id $identityPrincipalId \
+  --key-permissions wrapKey unwrapKey get list
+
+# trigger mysql import for CMK enabled single server
+az mysql flexible-server import create --data-source-type "mysql_single" --data-source "test-single-server" --resource-group "test-rg"  --name "test-flexible-server" --key <key identifier of testKey> --identity testIdentity
+```
+
 Here are the details for the arguments above:
 
 **Setting** | **Sample value** | **Description**
@@ -131,6 +153,8 @@ public-access | 0.0.0.0 | Determines the public access for the target Azure Data
 vnet | myVnet | Name or ID of a new or existing virtual network. If you want to use a vnet from different resource group or subscription, please provide a resource ID. The name must be between 2 to 64 characters. The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
 subnet | mySubnet | Name or resource ID of a new or existing subnet. If you want to use a subnet from different resource group or subscription, please provide resource ID instead of name. Please note that the subnet will be delegated to flexibleServers. After delegation, this subnet cannot be used for any other type of Azure resources.
 private-dns-zone | myserver.private.contoso.com | The name or id of new or existing private dns zone. You can use the private dns zone from same resource group, different resource group, or different subscription. If you want to use a zone from different resource group or subscription, please provide resource Id. CLI creates a new private dns zone within the same resource group as virtual network if not provided by users.
+key | key identifier of testKey | The resource ID of the primary keyvault key for data encryption.
+identity | testIdentity | The name or resource ID of the user assigned identity for data encryption.
 storage-size | 32 | The storage capacity of the target Azure Database for MySQL Flexible Server. The minimum is 20 GiB, and max is 16 TiB.
 tags | key=value | Provide the name of the Azure resource group.
 version | 5.7 | Server major version of the target Azure Database for MySQL Flexible Server.