Skip to content

[POSTGRESQL] az postgres flexible-server create/restore/geo-restore/replica create: Add new arguments --federated-client-id and --geo-backup-federated-client-id to support multi-tenant application registration #33645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
nasc17 wants to merge 1 commit into
base: dev
Choose a base branch
from
+102 −12
Draft

[POSTGRESQL] az postgres flexible-server create/restore/geo-restore/replica create: Add new arguments --federated-client-id and --geo-backup-federated-client-id to support multi-tenant application registration #33645

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions src/azure-cli/azure/cli/command_modules/postgresql/_help.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,25 @@
az postgres flexible-server create -g testgroup -n testserver --location testlocation --geo-redundant-backup Enabled \\
--key $keyIdentifier --identity testidentity --backup-key $geoKeyIdentifier --backup-identity geoidentity

- name: >
Create server with Azure Key Vault from a different Microsoft Entra tenant using multi-tenant application registration.
text: >
# create multi-tenant application registration for accessing key vault from different tenant

testfederatedclientid=$(az ad app create --display-name testmultitenantapp --query appId -o tsv)


# get key identifier from keyvault in different tenant

keyIdentifier=$(az keyvault key show --vault-name testVault --name testKey \\
--query key.kid -o tsv)


# create flexible server with key from different tenant using multi-tenant app

az postgres flexible-server create -g testgroup -n testserver --location testlocation \\
--key $keyIdentifier --identity testidentity --federated-client-id $testfederatedclientid

- name: >
Create flexible server with custom storage performance tier. Accepted values "P4", "P6", "P10", "P15", "P20", "P30", \\
"P40", "P50", "P60", "P70", "P80". Actual allowed values depend on the --storage-size selection for flexible server creation. \\
Expand Down
20 changes: 20 additions & 0 deletions src/azure-cli/azure/cli/command_modules/postgresql/_params.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -323,6 +323,16 @@ def _flexible_server_params(command_group):
validator=validate_identities
)

federated_client_id_arg_type = CLIArgumentType(
options_list=['--federated-client-id'],
help='The client ID of the federated identity.'
)

geo_backup_federated_client_id_arg_type = CLIArgumentType(
options_list=['--geo-backup-federated-client-id', '-f'],
help='The client ID of the geo backup federated identity.'
)

microsoft_entra_auth_arg_type = CLIArgumentType(
options_list=['--microsoft-entra-auth'],
arg_type=get_enum_type(['Enabled', 'Disabled']),
Expand Down Expand Up @@ -413,6 +423,8 @@ def _flexible_server_params(command_group):
c.argument('zone', zone_arg_type)
c.argument('tags', tags_type)
c.argument('standby_availability_zone', arg_type=standby_availability_zone_arg_type)
c.argument('geo_backup_federated_client_id', arg_type=geo_backup_federated_client_id_arg_type)
c.argument('federated_client_id', arg_type=federated_client_id_arg_type)
c.argument('yes', arg_type=yes_arg_type)

with self.argument_context('{} flexible-server list'.format(command_group)) as c:
Expand All @@ -430,6 +442,8 @@ def _flexible_server_params(command_group):
c.argument('private_dns_zone_arguments', private_dns_zone_arguments_arg_type)
c.argument('zone', arg_type=zone_arg_type)
c.argument('yes', arg_type=yes_arg_type)
c.argument('geo_backup_federated_client_id', arg_type=geo_backup_federated_client_id_arg_type)
c.argument('federated_client_id', arg_type=federated_client_id_arg_type)
c.argument('byok_key', arg_type=key_arg_type)
c.argument('byok_identity', arg_type=identity_arg_type)
c.argument('geo_redundant_backup', default='Disabled', arg_type=geo_redundant_backup_arg_type)
Expand All @@ -452,6 +466,8 @@ def _flexible_server_params(command_group):
c.argument('byok_identity', arg_type=identity_arg_type)
c.argument('backup_byok_identity', arg_type=backup_identity_arg_type)
c.argument('backup_byok_key', arg_type=backup_key_arg_type)
c.argument('geo_backup_federated_client_id', arg_type=geo_backup_federated_client_id_arg_type)
c.argument('federated_client_id', arg_type=federated_client_id_arg_type)

with self.argument_context('{} flexible-server revive-dropped'. format(command_group)) as c:
c.argument('location', arg_type=get_location_type(self.cli_ctx), required=True)
Expand Down Expand Up @@ -481,6 +497,8 @@ def _flexible_server_params(command_group):
c.argument('byok_identity', arg_type=identity_arg_type)
c.argument('backup_byok_identity', arg_type=backup_identity_arg_type)
c.argument('backup_byok_key', arg_type=backup_key_arg_type)
c.argument('geo_backup_federated_client_id', arg_type=geo_backup_federated_client_id_arg_type)
c.argument('federated_client_id', arg_type=federated_client_id_arg_type)
c.argument('public_access', arg_type=public_access_update_arg_type)
c.argument('auto_grow', arg_type=auto_grow_arg_type)
c.argument('performance_tier', default=None, arg_type=performance_tier_arg_type)
Expand Down Expand Up @@ -592,6 +610,8 @@ def _flexible_server_params(command_group):
c.argument('private_dns_zone_arguments', private_dns_zone_arguments_arg_type)
c.argument('byok_key', arg_type=key_arg_type)
c.argument('byok_identity', arg_type=identity_arg_type)
c.argument('geo_backup_federated_client_id', arg_type=geo_backup_federated_client_id_arg_type)
c.argument('federated_client_id', arg_type=federated_client_id_arg_type)
c.argument('tier', arg_type=tier_arg_type)
c.argument('sku_name', arg_type=sku_name_arg_type)
c.argument('storage_gb', arg_type=storage_gb_arg_type)
Expand Down
36 changes: 29 additions & 7 deletions src/azure-cli/azure/cli/command_modules/postgresql/commands/custom_commands.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ def flexible_server_create(cmd, client,
zonal_resiliency=None, allow_same_zone=False,
zone=None, standby_availability_zone=None,
geo_redundant_backup=None, byok_identity=None, byok_key=None, backup_byok_identity=None, backup_byok_key=None,
federated_client_id=None, geo_backup_federated_client_id=None,
auto_grow=None, performance_tier=None,
storage_type=None, iops=None, throughput=None, cluster_size=None, database_name=None, yes=False):

Expand Down Expand Up @@ -138,6 +139,8 @@ def flexible_server_create(cmd, client,
byok_key=byok_key,
backup_byok_identity=backup_byok_identity,
backup_byok_key=backup_byok_key,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id,
performance_tier=performance_tier,
password_auth=password_auth, microsoft_entra_auth=microsoft_entra_auth,
admin_name=admin_name, admin_id=admin_id, admin_type=admin_type, database_name=database_name)
Expand Down Expand Up @@ -179,7 +182,9 @@ def flexible_server_create(cmd, client,
byok_identity=byok_identity,
byok_key=byok_key,
backup_byok_identity=backup_byok_identity,
backup_byok_key=backup_byok_key)
backup_byok_key=backup_byok_key,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id)

auth_config = postgresql_flexibleservers.models.AuthConfig(active_directory_auth='Enabled' if is_microsoft_entra_auth_enabled else 'Disabled',
password_auth=password_auth)
Expand Down Expand Up @@ -326,7 +331,9 @@ def flexible_server_restore(cmd, client,
source_server, restore_point_in_time=None, zone=None, no_wait=False,
subnet=None, vnet=None,
private_dns_zone_arguments=None, geo_redundant_backup=None,
byok_identity=None, byok_key=None, backup_byok_identity=None, backup_byok_key=None, storage_type=None, yes=False):
byok_identity=None, byok_key=None, backup_byok_identity=None, backup_byok_key=None,
federated_client_id=None, geo_backup_federated_client_id=None,
storage_type=None, yes=False):

server_name = server_name.lower()

Expand Down Expand Up @@ -362,7 +369,9 @@ def flexible_server_restore(cmd, client,
logging_name='PostgreSQL', command_group='postgres', server_client=client, location=location)
validate_server_name(db_context, server_name, 'Microsoft.DBforPostgreSQL/flexibleServers')

pg_byok_validator(byok_identity, byok_key, backup_byok_identity, backup_byok_key, geo_redundant_backup)
pg_byok_validator(byok_identity, byok_key, backup_byok_identity, backup_byok_key, geo_redundant_backup,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id)

pg_restore_validator(source_server_object.sku.tier, storage_type=storage_type)
storage = postgresql_flexibleservers.models.Storage(type=storage_type if source_server_object.storage.type != "PremiumV2_LRS" else None)
Expand Down Expand Up @@ -397,7 +406,9 @@ def flexible_server_restore(cmd, client,
byok_identity=byok_identity,
byok_key=byok_key,
backup_byok_identity=backup_byok_identity,
backup_byok_key=backup_byok_key)
backup_byok_key=backup_byok_key,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id)

except Exception as e:
raise ResourceNotFoundError(e)
Expand All @@ -417,6 +428,7 @@ def flexible_server_update_custom_func(cmd, client, instance,
maintenance_window=None,
byok_identity=None, byok_key=None,
backup_byok_identity=None, backup_byok_key=None,
federated_client_id=None, geo_backup_federated_client_id=None,
microsoft_entra_auth=None, password_auth=None,
private_dns_zone_arguments=None,
public_access=None,
Expand Down Expand Up @@ -450,6 +462,8 @@ def flexible_server_update_custom_func(cmd, client, instance,
byok_key=byok_key,
backup_byok_identity=backup_byok_identity,
backup_byok_key=backup_byok_key,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id,
performance_tier=performance_tier,
cluster_size=cluster_size, instance=instance)

Expand Down Expand Up @@ -526,6 +540,8 @@ def flexible_server_update_custom_func(cmd, client, instance,
byok_key=byok_key,
backup_byok_identity=backup_byok_identity,
backup_byok_key=backup_byok_key,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id,
instance=instance)

auth_config = instance.auth_config
Expand Down Expand Up @@ -678,7 +694,9 @@ def flexible_list_skus(cmd, client, location):
def flexible_server_georestore(cmd, client, resource_group_name, server_name, source_server, location, zone=None,
vnet=None, subnet=None,
private_dns_zone_arguments=None, geo_redundant_backup=None, no_wait=False, yes=False,
byok_identity=None, byok_key=None, backup_byok_identity=None, backup_byok_key=None, restore_point_in_time=None):
byok_identity=None, byok_key=None, backup_byok_identity=None, backup_byok_key=None,
federated_client_id=None, geo_backup_federated_client_id=None,
restore_point_in_time=None):
validate_resource_group(resource_group_name)

server_name = server_name.lower()
Expand Down Expand Up @@ -716,7 +734,9 @@ def flexible_server_georestore(cmd, client, resource_group_name, server_name, so
if source_server_object.network.delegated_subnet_resource_id is not None:
validate_georestore_network(source_server_object, None, vnet, subnet, 'postgres')

pg_byok_validator(byok_identity, byok_key, backup_byok_identity, backup_byok_key, geo_redundant_backup)
pg_byok_validator(byok_identity, byok_key, backup_byok_identity, backup_byok_key, geo_redundant_backup,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id)

storage = postgresql_flexibleservers.models.Storage(type=None)

Expand Down Expand Up @@ -748,7 +768,9 @@ def flexible_server_georestore(cmd, client, resource_group_name, server_name, so
byok_identity=byok_identity,
byok_key=byok_key,
backup_byok_identity=backup_byok_identity,
backup_byok_key=backup_byok_key)
backup_byok_key=backup_byok_key,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id)

return sdk_no_wait(no_wait, client.begin_create_or_update, resource_group_name, server_name, parameters)

Expand Down
9 changes: 7 additions & 2 deletions src/azure-cli/azure/cli/command_modules/postgresql/commands/replica_commands.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ def flexible_replica_create(cmd, client, resource_group_name, source_server, nam
location=None, vnet=None, subnet=None,
private_dns_zone_arguments=None, no_wait=False,
byok_identity=None, byok_key=None,
federated_client_id=None, geo_backup_federated_client_id=None,
sku_name=None, tier=None, storage_type=None,
storage_gb=None, performance_tier=None, yes=False, tags=None):
validate_resource_group(resource_group_name)
Expand Down Expand Up @@ -82,7 +83,9 @@ def flexible_replica_create(cmd, client, resource_group_name, source_server, nam
logging_name='PostgreSQL', command_group='postgres', server_client=client, location=location)
validate_server_name(db_context, name, 'Microsoft.DBforPostgreSQL/flexibleServers')

pg_byok_validator(byok_identity, byok_key)
pg_byok_validator(byok_identity, byok_key,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id)

parameters = postgresql_flexibleservers.models.Server(
tags=tags,
Expand All @@ -108,7 +111,9 @@ def flexible_replica_create(cmd, client, resource_group_name, source_server, nam

parameters.identity, parameters.data_encryption = build_identity_and_data_encryption(db_engine='postgres',
byok_identity=byok_identity,
byok_key=byok_key)
byok_key=byok_key,
federated_client_id=federated_client_id,
geo_backup_federated_client_id=geo_backup_federated_client_id)

parameters.sku = postgresql_flexibleservers.models.Sku(name=sku_name, tier=tier)

Expand Down
6 changes: 5 additions & 1 deletion src/azure-cli/azure/cli/command_modules/postgresql/utils/_flexible_server_util.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -372,7 +372,9 @@ def _is_resource_name(resource):


def build_identity_and_data_encryption(db_engine, byok_identity=None, backup_byok_identity=None,
byok_key=None, backup_byok_key=None, instance=None):
byok_key=None, backup_byok_key=None,
federated_client_id=None, geo_backup_federated_client_id=None,
instance=None):
identity, data_encryption = None, None

primary_user_assigned_identity_id = byok_identity
Expand All @@ -397,6 +399,8 @@ def build_identity_and_data_encryption(db_engine, byok_identity=None, backup_byo
primary_key_uri=primary_key_uri,
geo_backup_user_assigned_identity_id=geo_backup_user_assigned_identity_id,
geo_backup_key_uri=geo_backup_key_uri,
primary_federated_identity_client_id=federated_client_id,
geo_backup_federated_identity_client_id=geo_backup_federated_client_id,
type="AzureKeyVault")

return identity, data_encryption
Expand Down
Loading
Loading