public static string ConstructNetworkRuleSet(PSModels.PSKeyVaultNetworkRuleSet ruleSet)
{
StringBuilder sb = new StringBuilder();
if (ruleSet != null)
{
sb.AppendLine();
sb.AppendFormat("{0, -43}: {1}\r\n", "Default Action", ruleSet.DefaultAction);
sb.AppendFormat("{0, -43}: {1}\r\n", "Bypass", ruleSet.Bypass);
sb.AppendFormat("{0, -43}: {1}\r\n", "IP Rules", ruleSet.IpAddressRangesText);
sb.AppendFormat("{0, -43}: {1}\r\n", "Virtual Network Rules", ruleSet.VirtualNetworkResourceIdsText);
}
return(sb.ToString());
}
/// <summary>
/// Update vault network rule set
/// </summary>
/// <param name="vaultProperties">Vault property</param>
/// <param name="psRuleSet">Network rule set input</param>
private static void UpdateVaultNetworkRuleSetProperties(VaultProperties vaultProperties, PSKeyVaultNetworkRuleSet psRuleSet)
{
if (vaultProperties == null)
{
return;
}
var updatedRuleSet = new NetworkRuleSet(); // It contains default settings
if (psRuleSet != null)
{
updatedRuleSet.DefaultAction = psRuleSet.DefaultAction.ToString();
updatedRuleSet.Bypass = psRuleSet.Bypass.ToString();
if (psRuleSet.IpAddressRanges != null && psRuleSet.IpAddressRanges.Count > 0)
{
updatedRuleSet.IpRules = psRuleSet.IpAddressRanges.Select(ipAddress => new IPRule {
Value = ipAddress
}).ToList();
}
else
{ // Send empty array [] to server to override default
updatedRuleSet.IpRules = new List <IPRule>();
}
if (psRuleSet.VirtualNetworkResourceIds != null && psRuleSet.VirtualNetworkResourceIds.Count > 0)
{
updatedRuleSet.VirtualNetworkRules = psRuleSet.VirtualNetworkResourceIds.Select(resourceId => new VirtualNetworkRule {
Id = resourceId
}).ToList();
}
else
{ // Send empty array [] to server to override default
updatedRuleSet.VirtualNetworkRules = new List <VirtualNetworkRule>();
}
}
vaultProperties.NetworkAcls = updatedRuleSet;
}
/// <summary>
/// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
/// </summary>
/// <param name="existingVault">the existing vault</param>
/// <param name="updatedPolicies">the update access policies</param>
/// <param name="updatedEnabledForDeployment">enabled for deployment</param>
/// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param>
/// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param>
/// <param name="updatedNetworkAcls">updated network rule set</param>
/// <param name="adClient">the active directory client</param>
/// <returns>the updated vault</returns>
public PSKeyVault UpdateVault(
PSKeyVault existingVault,
PSKeyVaultAccessPolicy[] updatedPolicies,
bool?updatedEnabledForDeployment,
bool?updatedEnabledForTemplateDeployment,
bool?updatedEnabledForDiskEncryption,
bool?updatedSoftDeleteSwitch,
bool?updatedPurgeProtectionSwitch,
// int? softDeleteRetentionInDays,
PSKeyVaultNetworkRuleSet updatedNetworkAcls,
ActiveDirectoryClient adClient = null)
{
if (existingVault == null)
{
throw new ArgumentNullException("existingVault");
}
if (existingVault.OriginalVault == null)
{
throw new ArgumentNullException("existingVault.OriginalVault");
}
//Update the vault properties in the object received from server
//Only access policies and EnabledForDeployment can be changed
var properties = existingVault.OriginalVault.Properties;
properties.EnabledForDeployment = updatedEnabledForDeployment;
properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment;
properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption;
// properties.SoftDeleteRetentionInDays = softDeleteRetentionInDays;
// soft delete flags can only be applied if they enable their respective behaviors
// and if different from the current corresponding properties on the vault.
if (!(properties.EnableSoftDelete.HasValue && properties.EnableSoftDelete.Value) &&
updatedSoftDeleteSwitch.HasValue &&
updatedSoftDeleteSwitch.Value)
{
properties.EnableSoftDelete = updatedSoftDeleteSwitch;
}
if (!(properties.EnablePurgeProtection.HasValue && properties.EnablePurgeProtection.Value) &&
updatedPurgeProtectionSwitch.HasValue &&
updatedPurgeProtectionSwitch.Value)
{
properties.EnablePurgeProtection = updatedPurgeProtectionSwitch;
}
properties.AccessPolicies = (updatedPolicies == null) ?
new List <AccessPolicyEntry>() :
updatedPolicies.Select(a => new AccessPolicyEntry
{
TenantId = a.TenantId,
ObjectId = a.ObjectId,
ApplicationId = a.ApplicationId,
Permissions = new Permissions
{
Keys = a.PermissionsToKeys.ToArray(),
Secrets = a.PermissionsToSecrets.ToArray(),
Certificates = a.PermissionsToCertificates.ToArray(),
Storage = a.PermissionsToStorage.ToArray(),
}
}).ToList();
UpdateVaultNetworkRuleSetProperties(properties, updatedNetworkAcls);
var response = KeyVaultManagementClient.Vaults.CreateOrUpdate(
resourceGroupName: existingVault.ResourceGroupName,
vaultName: existingVault.VaultName,
parameters: new VaultCreateOrUpdateParameters
{
Location = existingVault.Location,
Properties = properties,
Tags = TagsConversionHelper.CreateTagDictionary(existingVault.Tags, validate: true)
}
);
return(new PSKeyVault(response, adClient));
}
/// <summary>
/// Create a new vault
/// </summary>
/// <param name="parameters">vault creation parameters</param>
/// <param name="adClient">the active directory client</param>
/// <returns></returns>
public PSKeyVault CreateNewVault(VaultCreationOrUpdateParameters parameters, ActiveDirectoryClient adClient = null, PSKeyVaultNetworkRuleSet networkRuleSet = null)
{
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
if (string.IsNullOrWhiteSpace(parameters.Name))
{
throw new ArgumentNullException("parameters.Name");
}
if (string.IsNullOrWhiteSpace(parameters.ResourceGroupName))
{
throw new ArgumentNullException("parameters.ResourceGroupName");
}
if (string.IsNullOrWhiteSpace(parameters.Location))
{
throw new ArgumentNullException("parameters.Location");
}
var properties = new VaultProperties();
if (parameters.CreateMode != CreateMode.Recover)
{
if (string.IsNullOrWhiteSpace(parameters.SkuFamilyName))
{
throw new ArgumentNullException("parameters.SkuFamilyName");
}
if (parameters.TenantId == Guid.Empty)
{
throw new ArgumentException("parameters.TenantId");
}
if (!string.IsNullOrWhiteSpace(parameters.SkuName))
{
if (Enum.TryParse(parameters.SkuName, true, out SkuName skuName))
{
properties.Sku = new Sku(skuName);
}
else
{
throw new InvalidEnumArgumentException("parameters.SkuName");
}
}
properties.EnabledForDeployment = parameters.EnabledForDeployment;
properties.EnabledForTemplateDeployment = parameters.EnabledForTemplateDeployment;
properties.EnabledForDiskEncryption = parameters.EnabledForDiskEncryption;
properties.EnableSoftDelete = parameters.EnableSoftDelete;
properties.EnablePurgeProtection = parameters.EnablePurgeProtection;
properties.EnableRbacAuthorization = parameters.EnableRbacAuthorization;
properties.SoftDeleteRetentionInDays = parameters.SoftDeleteRetentionInDays;
properties.TenantId = parameters.TenantId;
properties.VaultUri = "";
properties.AccessPolicies = (parameters.AccessPolicy != null) ? new[] { parameters.AccessPolicy } : new AccessPolicyEntry[] { };
properties.NetworkAcls = parameters.NetworkAcls;
if (networkRuleSet != null)
{
UpdateVaultNetworkRuleSetProperties(properties, networkRuleSet);
}
}
else
{
properties.CreateMode = CreateMode.Recover;
}
var response = KeyVaultManagementClient.Vaults.CreateOrUpdate(
resourceGroupName: parameters.ResourceGroupName,
vaultName: parameters.Name,
parameters: new VaultCreateOrUpdateParameters
{
Location = parameters.Location,
Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true),
Properties = properties
});
return(new PSKeyVault(response, adClient));
}
