Merge pull request #271307 from dileepraotv-github/05042024

Changes for CMK existing accounts

Author: prmerger-automator[bot]

articles/cosmos-db/cmk-troubleshooting-guide.md

@@ -60,6 +60,16 @@ You see this error when the Azure Key Vault or specified Key are not found.
 
 Check if the Azure Key Vault or the specified key exist and restore them if accidentally got deleted, then wait for one hour. If the issue isn't resolved after more than 2 hours, contact customer service. 
 
+## Azure key Disabled or expired 
+
+### Reason for error 
+
+You see this error when the Azure Key Vault key has been expired or deleted.
+
+### Troubleshooting 
+
+If your key has been disabled please enable it. If it has been expired please un-expire it, and once the account is not revoked anymore feel free to rotate the key as Azure Cosmos DB will update the key version once the account is online.
+
 ## Invalid Azure Cosmos DB default identity 
 
 ### Reason for error 

articles/cosmos-db/how-to-setup-customer-managed-keys-existing-accounts.md

@@ -10,25 +10,31 @@ ms.author: turao
 ms.devlang: azurecli
 ---
 
-# Configure customer-managed keys for your existing Azure Cosmos DB account with Azure Key Vault (Preview)
+# Configure customer-managed keys for your existing Azure Cosmos DB account with Azure Key Vault
 
 [!INCLUDE[NoSQL, MongoDB, Gremlin, Table](includes/appliesto-nosql-mongodb-cassandra-gremlin-table.md)]
 
 Enabling a second layer of encryption for data at rest using [Customer Managed Keys](./how-to-setup-customer-managed-keys.md) while creating a new Azure Cosmos DB account has been Generally available for some time now. As a natural next step, we now have the capability to enable CMK on existing Azure Cosmos DB accounts.
 
 This feature eliminates the need for data migration to a new account to enable CMK. It helps to improve customers’ security and compliance posture.
 
-> [!NOTE]
-> Currently, enabling customer-managed keys on existing Azure Cosmos DB accounts is in preview. This preview is provided without a service-level agreement. Certain features of this preview may not be supported or may have constrained capabilities. For more information, see [supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-
 Enabling CMK kicks off a background, asynchronous process to encrypt all the existing data in the account, while new incoming data are encrypted before persisting. There's no need to wait for the asynchronous operation to succeed. The enablement process consumes unused/spare RUs so that it doesn't affect your read/write workloads. You can refer to this [link](./how-to-setup-customer-managed-keys.md?tabs=azure-powershell#how-do-customer-managed-keys-influence-capacity-planning) for capacity planning once your account is encrypted. 
 
 ## Get started by enabling CMK on your existing accounts
 
+> [!IMPORTANT]
+> Go through the prerequisites section thoroughly. These are important considerations.
+
 ### Prerequisites
 
 All the prerequisite steps needed while configuring Customer Managed Keys for new accounts is applicable to enable CMK on your existing account. Refer to the steps [here](./how-to-setup-customer-managed-keys.md?tabs=azure-portal#prerequisites)
 
+It is important to note that enabling encryption on your Azure Cosmos DB account will add a small overhead to your document's ID, limiting the maximum size of the document ID to 990 bytes instead of 1024 bytes. If your account has any documents with IDs larger than 990 bytes, the encryption process will fail until those documents are deleted.
+ 
+To verify if your account is compliant, you can use the provided console application [hosted here](https://github.com/AzureCosmosDB/Cosmos-DB-Non-CMK-to-CMK-Migration-Scanner) to scan your account. Make sure that you are using the endpoint from your 'sqlEndpoint' account property, no matter the API selected. 
+
+If you wish to disable server-side validation for this during migration, please contact support.
+
 ### Steps to enable CMK on your existing account
 
 To enable CMK on an existing account, update the account with an ARM template setting a Key Vault key identifier in the keyVaultKeyUri property – just like you would when enabling CMK on a new account. This step can be done by issuing a PATCH call with the following payload:
@@ -141,7 +147,7 @@ The state of the key is checked when CMK encryption is triggered. If the key in
 
 **Can we enable CMK encryption on our existing production account?**
 
-Yes. Since the capability is currently in preview, we recommend testing all scenarios first on nonproduction accounts and once you're comfortable you can consider production accounts.
+Yes. Go through the prerequisite section thoroughly. We recommend testing all scenarios first on nonproduction accounts and once you're comfortable you can consider production accounts.
 
 ## Next steps
 

articles/cosmos-db/how-to-setup-customer-managed-keys.md

@@ -22,7 +22,7 @@ Data stored in your Azure Cosmos DB account is automatically and seamlessly encr
 You must store customer-managed keys in [Azure Key Vault](../key-vault/general/overview.md) and provide a key for each Azure Cosmos DB account that is enabled with customer-managed keys. This key is used to encrypt all the data stored in that account.
 
 > [!NOTE]
-> Currently, customer-managed keys are available only for new Azure Cosmos DB accounts. You should configure them during account creation. Enabling customer-managed keys on your existing accounts is available for preview. You can refer to the link [here](how-to-setup-customer-managed-keys-existing-accounts.md) for more details
+> If you wish to enable customer-managed keys on your existing Azure Cosmos DB accounts then you can refer to the link [here](how-to-setup-customer-managed-keys-existing-accounts.md) for more details
 
 > [!WARNING]
 > The following field names are reserved on Cassandra API tables in accounts using Customer-managed Keys: