Azure · evelyn-ys · Jun 1, 2021 · May 28, 2021 · May 28, 2021 · May 31, 2021
@@ -175,6 +175,7 @@ def remove_resource(self, name, **kwargs):
         if not self.skip_delete and not self.dev_setting_name:
             group = self._get_resource_group(**kwargs)
             self.live_only_execute(self.cli_ctx, 'az keyvault delete -n {} -g {} --yes'.format(name, group))
+            self.live_only_execute(self.cli_ctx, 'az keyvault purge -n {} -l {}'.format(name, self.location))
 
     def _get_resource_group(self, **kwargs):
         try:

@@ -17,13 +17,17 @@ class Clients(str, Enum):
     private_endpoint_connections = 'private_endpoint_connections'
     private_link_resources = 'private_link_resources'
     managed_hsms = 'managed_hsms'
+    mhsm_private_endpoint_connections = 'mhsm_private_endpoint_connections'
+    mhsm_private_link_resources = 'mhsm_private_link_resources'
 
 
 OPERATIONS_NAME = {
     Clients.vaults: 'VaultsOperations',
     Clients.private_endpoint_connections: 'PrivateEndpointConnectionsOperations',
     Clients.private_link_resources: 'PrivateLinkResourcesOperations',
-    Clients.managed_hsms: 'ManagedHsmsOperations'
+    Clients.managed_hsms: 'ManagedHsmsOperations',
+    Clients.mhsm_private_endpoint_connections: 'MHSMPrivateEndpointConnectionsOperations',
+    Clients.mhsm_private_link_resources: 'MHSMPrivateLinkResourcesOperations'
 }
 
 KEYVAULT_TEMPLATE_STRINGS = {

@@ -346,12 +346,12 @@
 
 helps['keyvault private-endpoint-connection'] = """
 type: group
-short-summary: Manage vault private endpoint connections.
+short-summary: Manage vault/HSM private endpoint connections.
 """
 
 helps['keyvault private-endpoint-connection approve'] = """
 type: command
-short-summary: Approve a private endpoint connection request for a Key Vault.
+short-summary: Approve a private endpoint connection request for a Key Vault/HSM.
 examples:
   - name: Approve a private endpoint connection request for a Key Vault by ID.
     text: |
@@ -367,11 +367,14 @@
     text: |
         name = (az keyvault show -n mykv --query "privateEndpointConnections[0].name")
         az keyvault private-endpoint-connection approve -g myrg --vault-name mykv --name $name
+  - name: Approve a private endpoint connection request for a HSM using hsm name and connection name.
+    text: |
+        az keyvault private-endpoint-connection approve -g myrg --hsm-name myhsm --name myconnection
 """
 
 helps['keyvault private-endpoint-connection reject'] = """
 type: command
-short-summary: Reject a private endpoint connection request for a Key Vault.
+short-summary: Reject a private endpoint connection request for a Key Vault/HSM.
 examples:
   - name: Reject a private endpoint connection request for a Key Vault by ID.
     text: |
@@ -387,11 +390,14 @@
     text: |
         name = (az keyvault show -n mykv --query "privateEndpointConnections[0].name")
         az keyvault private-endpoint-connection reject -g myrg --vault-name mystorageaccount --name $name
+  - name: Reject a private endpoint connection request for a HSM using hsm name and connection name.
+    text: |
+        az keyvault private-endpoint-connection reject -g myrg --hsm-name myhsm --name myconnection
 """
 
 helps['keyvault private-endpoint-connection delete'] = """
 type: command
-short-summary: Delete the specified private endpoint connection associated with a Key Vault.
+short-summary: Delete the specified private endpoint connection associated with a Key Vault/HSM.
 examples:
   - name: Delete a private endpoint connection request for a Key Vault by ID.
     text: |
@@ -400,18 +406,21 @@
     text: |
         id = (az keyvault show -n mykv --query "privateEndpointConnections[0].id")
         az keyvault private-endpoint-connection delete --id $id
-  - name: Delete a private endpoint connection request for a Key Vault using account name and connection name.
+  - name: Delete a private endpoint connection request for a Key Vault using vault name and connection name.
     text: |
         az keyvault private-endpoint-connection delete -g myrg --vault-name mykv --name myconnection
-  - name: Delete a private endpoint connection request for a Key Vault using account name and connection name.
+  - name: Delete a private endpoint connection request for a Key Vault using vault name and connection name.
     text: |
         name = (az keyvault show -n mykv --query "privateEndpointConnections[0].name")
         az keyvault private-endpoint-connection delete -g myrg --vault-name mykv --name $name
+  - name: Delete a private endpoint connection request for a HSM using hsm name and connection name.
+    text: |
+        az keyvault private-endpoint-connection delete -g myrg --hsm-name myhsm --name myconnection
 """
 
 helps['keyvault private-endpoint-connection show'] = """
 type: command
-short-summary: Show details of a private endpoint connection associated with a Key Vault.
+short-summary: Show details of a private endpoint connection associated with a Key Vault/HSM.
 examples:
   - name: Show details of a private endpoint connection request for a Key Vault by ID.
     text: |
@@ -443,16 +452,19 @@
 
 helps['keyvault private-link-resource'] = """
 type: group
-short-summary: Manage vault private link resources.
+short-summary: Manage vault/HSM private link resources.
 """
 
 helps['keyvault private-link-resource list'] = """
 type: command
-short-summary: List the private link resources supported for a Key Vault.
+short-summary: List the private link resources supported for a Key Vault/HSM.
 examples:
   - name: Get the private link resources that need to be created for a Key Vault.
     text: |
         az keyvault private-link-resource list --vault-name mykv
+  - name: Get the private link resources that need to be created for a HSM.
+    text: |
+        az keyvault private-link-resource list --hsm-name myhsm
 """
 
 helps['keyvault recover'] = """

@@ -245,17 +245,23 @@ class CLISecurityDomainOperation(str, Enum):
     for item in ['approve', 'reject', 'delete', 'show', 'wait']:
         with self.argument_context('keyvault private-endpoint-connection {}'.format(item), min_api='2018-02-14') as c:
             c.extra('connection_id', options_list=['--id'], required=False,
-                    help='The ID of the private endpoint connection associated with the Key Vault. '
-                         'If specified --vault-name and --name/-n, this should be omitted.')
+                    help='The ID of the private endpoint connection associated with the Key Vault/HSM. '
+                         'If specified --vault-name/--hsm-name and --name/-n, this should be omitted.')
             c.argument('description', help='Comments for the {} operation.'.format(item))
             c.argument('private_endpoint_connection_name', options_list=['--name', '-n'], required=False,
-                       help='The name of the private endpoint connection associated with the Key Vault. '
+                       help='The name of the private endpoint connection associated with the Key Vault/HSM. '
                             'Required if --id is not specified')
             c.argument('vault_name', vault_name_type, required=False,
                        help='Name of the Key Vault. Required if --id is not specified')
+            c.argument('hsm_name', mgmt_plane_hsm_name_type, min_api='2021-04-01-preview',
+                       help='Name of the HSM. Required if --id is not specified.'
+                            '(--hsm-name and --vault-name are mutually exclusive, please specify just one of them)')
 
-    with self.argument_context('keyvault private-link-resource', min_api='2018-02-14') as c:
+    with self.argument_context('keyvault private-link-resource', min_api='2018-02-14', max_api='2020-04-01-preview') as c:
+        c.argument('vault_name', vault_name_type, required=True)
+    with self.argument_context('keyvault private-link-resource', min_api='2021-04-01-preview') as c:
         c.argument('vault_name', vault_name_type)
+        c.argument('hsm_name', mgmt_plane_hsm_name_type)
     # endregion
 
     # region Shared

@@ -228,14 +228,20 @@ def validate_private_endpoint_connection_id(cmd, ns):
         from azure.cli.core.util import parse_proxy_resource_id
         result = parse_proxy_resource_id(ns.connection_id)
         ns.resource_group_name = result['resource_group']
-        ns.vault_name = result['name']
+        if result['type'] and 'managedHSM' in result['type']:
+            ns.hsm_name = result['name']
+        else:
+            ns.vault_name = result['name']
         ns.private_endpoint_connection_name = result['child_name_1']
 
-    if ns.vault_name and not ns.resource_group_name:
-        ns.resource_group_name = _get_resource_group_from_resource_name(cmd.cli_ctx, ns.vault_name)
+    if not ns.resource_group_name:
+        ns.resource_group_name = _get_resource_group_from_resource_name(cli_ctx=cmd.cli_ctx,
+                                                                        vault_name=getattr(ns, 'vault_name', None),
+                                                                        hsm_name=getattr(ns, 'hsm_name', None))
 
-    if not all([ns.vault_name, ns.resource_group_name, ns.private_endpoint_connection_name]):
-        raise CLIError('incorrect usage: [--id ID | --name NAME --vault-name NAME]')
+    if not all([(getattr(ns, 'vault_name', None) or getattr(ns, 'hsm_name', None)),
+                ns.resource_group_name, ns.private_endpoint_connection_name]):
+        raise CLIError('incorrect usage: [--id ID | --name NAME --vault-name NAME | --name NAME --hsm-name NAME]')
 
     del ns.connection_id
 

@@ -112,17 +112,20 @@ def load_command_table(self, _):
                          validator=validate_private_endpoint_connection_id)
         g.custom_command('reject', 'reject_private_endpoint_connection', supports_no_wait=True,
                          validator=validate_private_endpoint_connection_id)
-        g.command('delete', 'begin_delete', validator=validate_private_endpoint_connection_id, supports_no_wait=True)
-        g.show_command('show', 'get', validator=validate_private_endpoint_connection_id)
-        g.wait_command('wait', validator=validate_private_endpoint_connection_id)
+        g.custom_command('delete', 'delete_private_endpoint_connection',
+                         validator=validate_private_endpoint_connection_id, supports_no_wait=True)
+        g.custom_show_command('show', 'show_private_endpoint_connection',
+                              validator=validate_private_endpoint_connection_id)
+        g.custom_wait_command('wait', 'show_private_endpoint_connection',
+                              validator=validate_private_endpoint_connection_id)
 
     with self.command_group('keyvault private-link-resource',
                             mgmt_plr_entity.command_type,
                             min_api='2018-02-14',
                             client_factory=mgmt_plr_entity.client_factory,
                             is_preview=True) as g:
         from azure.cli.core.commands.transform import gen_dict_to_list_transform
-        g.command('list', 'list_by_vault', transform=gen_dict_to_list_transform(key='value'))
+        g.custom_command('list', 'list_private_link_resource', transform=gen_dict_to_list_transform(key='value'))
 
     # Data Plane Commands
     if not is_azure_stack_profile(self):

@@ -1750,45 +1750,57 @@ def restore_storage_account(client, vault_base_url, file_path):
 # endregion
 
 
+# region private_link
+def _verify_vault_or_hsm_name(vault_name, hsm_name):
+    if not vault_name and not hsm_name:
+        raise RequiredArgumentMissingError('Please specify --vault-name or --hsm-name.')
+
+
+def list_private_link_resource(cmd, client, resource_group_name, vault_name=None, hsm_name=None):
+    _verify_vault_or_hsm_name(vault_name, hsm_name)
+
+    if is_azure_stack_profile(cmd) or vault_name:
+        return client.list_by_vault(resource_group_name=resource_group_name, vault_name=vault_name)
+
+    hsm_plr_client = get_client_factory(ResourceType.MGMT_KEYVAULT,
+                                        Clients.mhsm_private_link_resources)(cmd.cli_ctx, None)
+    return hsm_plr_client.list_by_mhsm_resource(resource_group_name=resource_group_name, name=hsm_name)
+# endregion
+
+
 # region private_endpoint
-def _update_private_endpoint_connection_status(cmd, client, resource_group_name, vault_name,
+def _update_private_endpoint_connection_status(cmd, client, resource_group_name, name,
                                                private_endpoint_connection_name, is_approved=True, description=None,
                                                no_wait=False):
     PrivateEndpointServiceConnectionStatus = cmd.get_models('PrivateEndpointServiceConnectionStatus',
                                                             resource_type=ResourceType.MGMT_KEYVAULT)
 
-    connection = client.get(resource_group_name=resource_group_name, vault_name=vault_name,
-                            private_endpoint_connection_name=private_endpoint_connection_name)
+    connection = client.get(resource_group_name, name, private_endpoint_connection_name)
 
     new_status = PrivateEndpointServiceConnectionStatus.approved \
         if is_approved else PrivateEndpointServiceConnectionStatus.rejected
     connection.private_link_service_connection_state.status = new_status
     connection.private_link_service_connection_state.description = description
 
-    retval = client.put(resource_group_name=resource_group_name,
-                        vault_name=vault_name,
-                        private_endpoint_connection_name=private_endpoint_connection_name,
-                        properties=connection)
+    retval = client.put(resource_group_name, name, private_endpoint_connection_name, connection)
 
     if no_wait:
         return retval
 
     new_retval = \
-        _wait_private_link_operation(client, resource_group_name, vault_name, private_endpoint_connection_name)
+        _wait_private_link_operation(client, resource_group_name, name, private_endpoint_connection_name)
 
     if new_retval:
         return new_retval
     return retval
 
 
-def _wait_private_link_operation(client, resource_group_name, vault_name, private_endpoint_connection_name):
+def _wait_private_link_operation(client, resource_group_name, name, private_endpoint_connection_name):
     retries = 0
     max_retries = 10
     wait_second = 1
     while retries < max_retries:
-        pl = client.get(resource_group_name=resource_group_name,
-                        vault_name=vault_name,
-                        private_endpoint_connection_name=private_endpoint_connection_name)
+        pl = client.get(resource_group_name, name, private_endpoint_connection_name)
 
         if pl.provisioning_state == 'Succeeded':
             return pl
@@ -1798,24 +1810,45 @@ def _wait_private_link_operation(client, resource_group_name, vault_name, privat
     return None
 
 
-def approve_private_endpoint_connection(cmd, client, resource_group_name, vault_name, private_endpoint_connection_name,
-                                        description=None, no_wait=False):
-    """Approve a private endpoint connection request for a Key Vault."""
+def _get_vault_or_hsm_pec_client(cmd, client, vault_name, hsm_name):
+    _verify_vault_or_hsm_name(vault_name, hsm_name)
+    if is_azure_stack_profile(cmd) or vault_name:
+        return client
+    return get_client_factory(ResourceType.MGMT_KEYVAULT, Clients.mhsm_private_endpoint_connections)(cmd.cli_ctx, None)
 
-    return _update_private_endpoint_connection_status(
-        cmd, client, resource_group_name, vault_name, private_endpoint_connection_name, is_approved=True,
-        description=description, no_wait=no_wait
-    )
 
+def approve_private_endpoint_connection(cmd, client, resource_group_name, private_endpoint_connection_name,
+                                        vault_name=None, hsm_name=None, description=None, no_wait=False):
+    """Approve a private endpoint connection request for a Key Vault."""
+    pec_client = _get_vault_or_hsm_pec_client(cmd, client, vault_name, hsm_name)
+    return _update_private_endpoint_connection_status(cmd, pec_client, resource_group_name,
+                                                      vault_name or hsm_name, private_endpoint_connection_name,
+                                                      is_approved=True, description=description, no_wait=no_wait)
 
-def reject_private_endpoint_connection(cmd, client, resource_group_name, vault_name, private_endpoint_connection_name,
-                                       description=None, no_wait=False):
-    """Reject a private endpoint connection request for a Key Vault."""
 
-    return _update_private_endpoint_connection_status(
-        cmd, client, resource_group_name, vault_name, private_endpoint_connection_name, is_approved=False,
-        description=description, no_wait=no_wait
-    )
+def reject_private_endpoint_connection(cmd, client, resource_group_name, private_endpoint_connection_name,
+                                       vault_name=None, hsm_name=None, description=None, no_wait=False):
+    """Reject a private endpoint connection request for a Key Vault."""
+    pec_client = _get_vault_or_hsm_pec_client(cmd, client, vault_name, hsm_name)
+    return _update_private_endpoint_connection_status(cmd, pec_client, resource_group_name,
+                                                      vault_name or hsm_name, private_endpoint_connection_name,
+                                                      is_approved=False, description=description, no_wait=no_wait)
+
+
+def delete_private_endpoint_connection(cmd, client, resource_group_name, private_endpoint_connection_name,
+                                       vault_name=None, hsm_name=None):
+    pec_client = _get_vault_or_hsm_pec_client(cmd, client, vault_name, hsm_name)
+    return pec_client.begin_delete(resource_group_name,
+                                   vault_name or hsm_name,
+                                   private_endpoint_connection_name)
+
+
+def show_private_endpoint_connection(cmd, client, resource_group_name, private_endpoint_connection_name,
+                                     vault_name=None, hsm_name=None):
+    pec_client = _get_vault_or_hsm_pec_client(cmd, client, vault_name, hsm_name)
+    return pec_client.get(resource_group_name,
+                          vault_name or hsm_name,
+                          private_endpoint_connection_name)
 # endregion