def add_network_rule(cmd,
client,
resource_group_name,
vault_name,
ip_address=None,
subnet=None,
vnet_name=None): # pylint: disable=unused-argument
""" Add a network rule to the network ACLs for a Key Vault. """
from azext_keyvault.mgmt.keyvault.models import VirtualNetworkRule, IPRule, VaultCreateOrUpdateParameters
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
vault.properties.network_acls = vault.properties.network_acls or _create_network_rule_set(
)
rules = vault.properties.network_acls
if subnet:
rules.virtual_network_rules = rules.virtual_network_rules or []
rules.virtual_network_rules.append(VirtualNetworkRule(id=subnet))
if ip_address:
rules.ip_rules = rules.ip_rules or []
rules.ip_rules.append(IPRule(value=ip_address))
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def delete_policy(cmd,
client,
resource_group_name,
vault_name,
object_id=None,
spn=None,
upn=None):
""" Delete security policy settings for a Key Vault. """
from azext_keyvault.mgmt.keyvault.models import VaultCreateOrUpdateParameters
object_id = _object_id_args_helper(cmd.cli_ctx, object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
prev_policies_len = len(vault.properties.access_policies)
vault.properties.access_policies = [
p for p in vault.properties.access_policies
if vault.properties.tenant_id.lower() != p.tenant_id.lower()
or object_id.lower() != p.object_id.lower()
]
if len(vault.properties.access_policies) == prev_policies_len:
raise CLIError('No matching policies found')
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def update_keyvault_setter(client, parameters, resource_group_name,
vault_name):
from azext_keyvault.mgmt.keyvault.models import VaultCreateOrUpdateParameters
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=parameters.location,
properties=parameters.properties))
def set_policy(cmd,
client,
resource_group_name,
vault_name,
object_id=None,
spn=None,
upn=None,
key_permissions=None,
secret_permissions=None,
certificate_permissions=None,
storage_permissions=None):
""" Update security policy settings for a Key Vault. """
from azext_keyvault.mgmt.keyvault.models import (
VaultCreateOrUpdateParameters, AccessPolicyEntry, Permissions)
object_id = _object_id_args_helper(cmd.cli_ctx, object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
# Find the existing policy to set
policy = next(
(p for p in vault.properties.access_policies
if object_id.lower() == p.object_id.lower()
and vault.properties.tenant_id.lower() == p.tenant_id.lower()), None)
if not policy:
# Add new policy as none found
vault.properties.access_policies.append(
AccessPolicyEntry(tenant_id=vault.properties.tenant_id,
object_id=object_id,
permissions=Permissions(
keys=key_permissions,
secrets=secret_permissions,
certificates=certificate_permissions,
storage=storage_permissions)))
else:
# Modify existing policy.
# If key_permissions is not set, use prev. value (similarly with secret_permissions).
keys = policy.permissions.keys if key_permissions is None else key_permissions
secrets = policy.permissions.secrets if secret_permissions is None else secret_permissions
certs = policy.permissions.certificates \
if certificate_permissions is None else certificate_permissions
storage = policy.permissions.storage if storage_permissions is None else storage_permissions
policy.permissions = Permissions(keys=keys,
secrets=secrets,
certificates=certs,
storage=storage)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def remove_network_rule(cmd,
client,
resource_group_name,
vault_name,
ip_address=None,
subnet=None,
vnet_name=None): # pylint: disable=unused-argument
""" Removes a network rule from the network ACLs for a Key Vault. """
from azext_keyvault.mgmt.keyvault.models import VaultCreateOrUpdateParameters
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
if not vault.properties.network_acls:
return vault
rules = vault.properties.network_acls
modified = False
if subnet and rules.virtual_network_rules:
new_rules = [x for x in rules.virtual_network_rules if x.id != subnet]
modified |= len(new_rules) != len(rules.virtual_network_rules)
if modified:
rules.virtual_network_rules = new_rules
if ip_address and rules.ip_rules:
new_rules = [x for x in rules.ip_rules if x.value != ip_address]
modified |= len(new_rules) != len(rules.ip_rules)
if modified:
rules.ip_rules = new_rules
# if we didn't modify the network rules just return the vault as is
if not modified:
return vault
# otherwise update
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def recover_keyvault(cmd, client, vault_name, resource_group_name, location):
from azext_keyvault.mgmt.keyvault.models import (
VaultCreateOrUpdateParameters, CreateMode, Sku, SkuName)
from azure.cli.core._profile import Profile
profile = Profile(cli_ctx=cmd.cli_ctx)
_, _, tenant_id = profile.get_login_credentials(
resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id
)
params = VaultCreateOrUpdateParameters(
location=location,
properties={
'tenant_id': tenant_id,
'sku': Sku(name=SkuName.standard.value),
'create_mode': CreateMode.recover.value
})
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=params)
def create_keyvault(
cmd,
client, # pylint: disable=too-many-locals
resource_group_name,
vault_name,
location=None,
sku=None,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
enable_soft_delete=None,
enable_purge_protection=None,
bypass=None,
default_action=None,
no_self_perms=None,
tags=None):
from azext_keyvault.mgmt.keyvault.models import (
VaultCreateOrUpdateParameters, Permissions, KeyPermissions,
SecretPermissions, CertificatePermissions, StoragePermissions,
AccessPolicyEntry, Sku, VaultProperties)
from azure.cli.core._profile import Profile
from azure.graphrbac.models import GraphErrorException
from azure.graphrbac import GraphRbacManagementClient
profile = Profile(cli_ctx=cmd.cli_ctx)
cred, _, tenant_id = profile.get_login_credentials(
resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id
)
graph_client = GraphRbacManagementClient(
cred,
tenant_id,
base_url=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id
)
subscription = profile.get_subscription()
# if bypass or default_action was specified create a NetworkRuleSet
# if neither were specified we make network_acls None
network_acls = _create_network_rule_set(
bypass, default_action) if bypass or default_action else None
if no_self_perms:
access_policies = []
else:
permissions = Permissions(
keys=[
KeyPermissions.get, KeyPermissions.create,
KeyPermissions.delete, KeyPermissions.list,
KeyPermissions.update, KeyPermissions.import_enum,
KeyPermissions.backup, KeyPermissions.restore,
KeyPermissions.recover
],
secrets=[
SecretPermissions.get, SecretPermissions.list,
SecretPermissions.set, SecretPermissions.delete,
SecretPermissions.backup, SecretPermissions.restore,
SecretPermissions.recover
],
certificates=[
CertificatePermissions.get, CertificatePermissions.list,
CertificatePermissions.delete, CertificatePermissions.create,
CertificatePermissions.import_enum,
CertificatePermissions.update,
CertificatePermissions.managecontacts,
CertificatePermissions.getissuers,
CertificatePermissions.listissuers,
CertificatePermissions.setissuers,
CertificatePermissions.deleteissuers,
CertificatePermissions.manageissuers,
CertificatePermissions.recover
],
storage=[
StoragePermissions.get, StoragePermissions.list,
StoragePermissions.delete, StoragePermissions.set,
StoragePermissions.update, StoragePermissions.regeneratekey,
StoragePermissions.setsas, StoragePermissions.listsas,
StoragePermissions.getsas, StoragePermissions.deletesas
])
try:
object_id = _get_current_user_object_id(graph_client)
except GraphErrorException:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError(
'Cannot create vault.\nUnable to query active directory for information '
'about the current user.\nYou may try the --no-self-perms flag to '
'create a vault without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment,
enable_soft_delete=enable_soft_delete,
enable_purge_protection=enable_purge_protection,
network_acls=network_acls)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)