public static string ConstructNetworkRuleSet(PSModels.PSKeyVaultNetworkRuleSet ruleSet) { StringBuilder sb = new StringBuilder(); if (ruleSet != null) { sb.AppendLine(); sb.AppendFormat("{0, -43}: {1}\r\n", "Default Action", ruleSet.DefaultAction); sb.AppendFormat("{0, -43}: {1}\r\n", "Bypass", ruleSet.Bypass); sb.AppendFormat("{0, -43}: {1}\r\n", "IP Rules", ruleSet.IpAddressRangesText); sb.AppendFormat("{0, -43}: {1}\r\n", "Virtual Network Rules", ruleSet.VirtualNetworkResourceIdsText); } return(sb.ToString()); }
/// <summary> /// Update vault network rule set /// </summary> /// <param name="vaultProperties">Vault property</param> /// <param name="psRuleSet">Network rule set input</param> private static void UpdateVaultNetworkRuleSetProperties(VaultProperties vaultProperties, PSKeyVaultNetworkRuleSet psRuleSet) { if (vaultProperties == null) { return; } var updatedRuleSet = new NetworkRuleSet(); // It contains default settings if (psRuleSet != null) { updatedRuleSet.DefaultAction = psRuleSet.DefaultAction.ToString(); updatedRuleSet.Bypass = psRuleSet.Bypass.ToString(); if (psRuleSet.IpAddressRanges != null && psRuleSet.IpAddressRanges.Count > 0) { updatedRuleSet.IpRules = psRuleSet.IpAddressRanges.Select(ipAddress => new IPRule { Value = ipAddress }).ToList(); } else { // Send empty array [] to server to override default updatedRuleSet.IpRules = new List <IPRule>(); } if (psRuleSet.VirtualNetworkResourceIds != null && psRuleSet.VirtualNetworkResourceIds.Count > 0) { updatedRuleSet.VirtualNetworkRules = psRuleSet.VirtualNetworkResourceIds.Select(resourceId => new VirtualNetworkRule { Id = resourceId }).ToList(); } else { // Send empty array [] to server to override default updatedRuleSet.VirtualNetworkRules = new List <VirtualNetworkRule>(); } } vaultProperties.NetworkAcls = updatedRuleSet; }
/// <summary> /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently. /// </summary> /// <param name="existingVault">the existing vault</param> /// <param name="updatedPolicies">the update access policies</param> /// <param name="updatedEnabledForDeployment">enabled for deployment</param> /// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param> /// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param> /// <param name="updatedNetworkAcls">updated network rule set</param> /// <param name="adClient">the active directory client</param> /// <returns>the updated vault</returns> public PSKeyVault UpdateVault( PSKeyVault existingVault, PSKeyVaultAccessPolicy[] updatedPolicies, bool?updatedEnabledForDeployment, bool?updatedEnabledForTemplateDeployment, bool?updatedEnabledForDiskEncryption, bool?updatedSoftDeleteSwitch, bool?updatedPurgeProtectionSwitch, // int? softDeleteRetentionInDays, PSKeyVaultNetworkRuleSet updatedNetworkAcls, ActiveDirectoryClient adClient = null) { if (existingVault == null) { throw new ArgumentNullException("existingVault"); } if (existingVault.OriginalVault == null) { throw new ArgumentNullException("existingVault.OriginalVault"); } //Update the vault properties in the object received from server //Only access policies and EnabledForDeployment can be changed var properties = existingVault.OriginalVault.Properties; properties.EnabledForDeployment = updatedEnabledForDeployment; properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment; properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption; // properties.SoftDeleteRetentionInDays = softDeleteRetentionInDays; // soft delete flags can only be applied if they enable their respective behaviors // and if different from the current corresponding properties on the vault. if (!(properties.EnableSoftDelete.HasValue && properties.EnableSoftDelete.Value) && updatedSoftDeleteSwitch.HasValue && updatedSoftDeleteSwitch.Value) { properties.EnableSoftDelete = updatedSoftDeleteSwitch; } if (!(properties.EnablePurgeProtection.HasValue && properties.EnablePurgeProtection.Value) && updatedPurgeProtectionSwitch.HasValue && updatedPurgeProtectionSwitch.Value) { properties.EnablePurgeProtection = updatedPurgeProtectionSwitch; } properties.AccessPolicies = (updatedPolicies == null) ? new List <AccessPolicyEntry>() : updatedPolicies.Select(a => new AccessPolicyEntry { TenantId = a.TenantId, ObjectId = a.ObjectId, ApplicationId = a.ApplicationId, Permissions = new Permissions { Keys = a.PermissionsToKeys.ToArray(), Secrets = a.PermissionsToSecrets.ToArray(), Certificates = a.PermissionsToCertificates.ToArray(), Storage = a.PermissionsToStorage.ToArray(), } }).ToList(); UpdateVaultNetworkRuleSetProperties(properties, updatedNetworkAcls); var response = KeyVaultManagementClient.Vaults.CreateOrUpdate( resourceGroupName: existingVault.ResourceGroupName, vaultName: existingVault.VaultName, parameters: new VaultCreateOrUpdateParameters { Location = existingVault.Location, Properties = properties, Tags = TagsConversionHelper.CreateTagDictionary(existingVault.Tags, validate: true) } ); return(new PSKeyVault(response, adClient)); }
/// <summary> /// Create a new vault /// </summary> /// <param name="parameters">vault creation parameters</param> /// <param name="adClient">the active directory client</param> /// <returns></returns> public PSKeyVault CreateNewVault(VaultCreationOrUpdateParameters parameters, ActiveDirectoryClient adClient = null, PSKeyVaultNetworkRuleSet networkRuleSet = null) { if (parameters == null) { throw new ArgumentNullException("parameters"); } if (string.IsNullOrWhiteSpace(parameters.Name)) { throw new ArgumentNullException("parameters.Name"); } if (string.IsNullOrWhiteSpace(parameters.ResourceGroupName)) { throw new ArgumentNullException("parameters.ResourceGroupName"); } if (string.IsNullOrWhiteSpace(parameters.Location)) { throw new ArgumentNullException("parameters.Location"); } var properties = new VaultProperties(); if (parameters.CreateMode != CreateMode.Recover) { if (string.IsNullOrWhiteSpace(parameters.SkuFamilyName)) { throw new ArgumentNullException("parameters.SkuFamilyName"); } if (parameters.TenantId == Guid.Empty) { throw new ArgumentException("parameters.TenantId"); } if (!string.IsNullOrWhiteSpace(parameters.SkuName)) { if (Enum.TryParse(parameters.SkuName, true, out SkuName skuName)) { properties.Sku = new Sku(skuName); } else { throw new InvalidEnumArgumentException("parameters.SkuName"); } } properties.EnabledForDeployment = parameters.EnabledForDeployment; properties.EnabledForTemplateDeployment = parameters.EnabledForTemplateDeployment; properties.EnabledForDiskEncryption = parameters.EnabledForDiskEncryption; properties.EnableSoftDelete = parameters.EnableSoftDelete; properties.EnablePurgeProtection = parameters.EnablePurgeProtection; properties.EnableRbacAuthorization = parameters.EnableRbacAuthorization; properties.SoftDeleteRetentionInDays = parameters.SoftDeleteRetentionInDays; properties.TenantId = parameters.TenantId; properties.VaultUri = ""; properties.AccessPolicies = (parameters.AccessPolicy != null) ? new[] { parameters.AccessPolicy } : new AccessPolicyEntry[] { }; properties.NetworkAcls = parameters.NetworkAcls; if (networkRuleSet != null) { UpdateVaultNetworkRuleSetProperties(properties, networkRuleSet); } } else { properties.CreateMode = CreateMode.Recover; } var response = KeyVaultManagementClient.Vaults.CreateOrUpdate( resourceGroupName: parameters.ResourceGroupName, vaultName: parameters.Name, parameters: new VaultCreateOrUpdateParameters { Location = parameters.Location, Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true), Properties = properties }); return(new PSKeyVault(response, adClient)); }