diff --git a/src/CosmosDB/CosmosDB/CosmosDB.csproj b/src/CosmosDB/CosmosDB/CosmosDB.csproj
index c2064331a71a..7793d9804c5b 100644
--- a/src/CosmosDB/CosmosDB/CosmosDB.csproj
+++ b/src/CosmosDB/CosmosDB/CosmosDB.csproj
@@ -6,7 +6,7 @@
-
+
diff --git a/src/KeyVault/KeyVault.Test/Resources/rotationpolicy.json b/src/KeyVault/KeyVault.Test/Resources/rotationpolicy.json
new file mode 100644
index 000000000000..23f607467748
--- /dev/null
+++ b/src/KeyVault/KeyVault.Test/Resources/rotationpolicy.json
@@ -0,0 +1,24 @@
+{
+ "lifetimeActions": [
+ {
+ "trigger": {
+ "timeAfterCreate": "P18M",
+ "timeBeforeExpiry": null
+ },
+ "action": {
+ "type": "Rotate"
+ }
+ },
+ {
+ "trigger": {
+ "timeBeforeExpiry": "P30D"
+ },
+ "action": {
+ "type": "Notify"
+ }
+ }
+ ],
+ "attributes": {
+ "expiryTime": "P2Y"
+ }
+ }
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md
index 221fc7497976..b3afd31cb0ad 100644
--- a/src/KeyVault/KeyVault/ChangeLog.md
+++ b/src/KeyVault/KeyVault/ChangeLog.md
@@ -18,6 +18,9 @@
- Additional information about change #1
-->
## Upcoming Release
+* Supported accepting rotation policy in a JSON file
+* [Breaking Change] Changed parameter `ExpiresIn` in `Set-AzKeyVaultKeyRotationPolicy` from TimeSpan? to string. It must be an ISO 8601 duration like "P30D" for 30 days.
+* [Breaking Change] Changed output properties `ExpiresIn`, `TimeAfterCreate` and `TimeBeforeExpiry` of `Set-AzKeyVaultKeyRotationPolicy` and `Get-AzKeyVaultKeyRotationPolicy` from TimeSpan? to string.
* Supported creating/updating key with release policy in a Managed HSM
## Version 4.5.0
diff --git a/src/KeyVault/KeyVault/Commands/Key/KeyRotation/SetAzKeyVaultKeyRotationPolicy.cs b/src/KeyVault/KeyVault/Commands/Key/KeyRotation/SetAzKeyVaultKeyRotationPolicy.cs
index facfd191c7a4..ac13ea074bca 100644
--- a/src/KeyVault/KeyVault/Commands/Key/KeyRotation/SetAzKeyVaultKeyRotationPolicy.cs
+++ b/src/KeyVault/KeyVault/Commands/Key/KeyRotation/SetAzKeyVaultKeyRotationPolicy.cs
@@ -1,47 +1,113 @@
-using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.Common.Exceptions;
+using Microsoft.Azure.Commands.KeyVault.Models;
using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+
+using Newtonsoft.Json;
using System;
using System.Management.Automation;
+using Track2Sdk = Azure.Security.KeyVault.Keys;
+using System.IO;
+using Microsoft.WindowsAzure.Commands.Common;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using System.Collections.Generic;
namespace Microsoft.Azure.Commands.KeyVault.Commands.Key
{
///
/// Updates the KeyRotationPolicy for the specified key in Key Vault.
///
- [Cmdlet(VerbsCommon.Set, ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultKeyRotationPolicy", SupportsShouldProcess = true, DefaultParameterSetName = ByVaultNameParameterSet)]
+ [Cmdlet(VerbsCommon.Set, ResourceManager.Common.AzureRMConstants.AzurePrefix + "KeyVaultKeyRotationPolicy", SupportsShouldProcess = true, DefaultParameterSetName = SetByExpandedPropertiesViaVaultName)]
[OutputType(typeof(PSKeyRotationPolicy))]
- public class SetAzKeyVaultKeyRotationPolicy: KeyVaultOnlyKeyCmdletBase
+ public class SetAzKeyVaultKeyRotationPolicy: KeyVaultCmdletBase
{
#region Parameter Set Names
- internal const string ByKeyRotationPolicyInputObjectParameterSet = "ByKeyRotationPolicyInputObject";
+ private const string SetByExpandedPropertiesViaVaultName = "ByVaultName";
+ private const string SetByRotationPolicyFileViaVaultName = "SetByRotationPolicyFileViaVaultName";
+
+ private const string SetByExpandedPropertiesViaKeyInputObject = "ByKeyInputObject";
+ private const string SetByRotationPolicyFileViaKeyInputObject = "SetByRotationPolicyFileViaKeyInputObject";
+
+ private const string ByKeyRotationPolicyInputObjectParameterSet = "ByKeyRotationPolicyInputObject";
#endregion
#region Input Parameter Definitions
- [Parameter(Mandatory = true,
- Position = 0,
- ParameterSetName = ByKeyRotationPolicyInputObjectParameterSet,
- ValueFromPipeline = true,
- HelpMessage = "PSKeyRotationPolicy object.")]
+ ///
+ /// Vault name
+ ///
+ [Parameter(Mandatory = true, Position = 0, ParameterSetName = SetByExpandedPropertiesViaVaultName, HelpMessage = "Vault name.")]
+ [Parameter(Mandatory = true, Position = 0, ParameterSetName = SetByRotationPolicyFileViaVaultName)]
+ [ResourceNameCompleter("Microsoft.KeyVault/vaults", "FakeResourceGroupName")]
+ [ValidateNotNullOrEmpty]
+ public string VaultName { get; set; }
+
+ ///
+ /// Key name.
+ ///
+ [Parameter(Mandatory = true, Position = 1, ParameterSetName = SetByExpandedPropertiesViaVaultName, HelpMessage = "Key name.")]
+ [Parameter(Mandatory = true, Position = 1, ParameterSetName = SetByRotationPolicyFileViaVaultName)]
+ [ValidateNotNullOrEmpty]
+ [Alias(Constants.KeyName)]
+ public string Name { get; set; }
+
+ ///
+ /// Key object
+ ///
+ [Parameter(Mandatory = true, Position = 0, ParameterSetName = SetByExpandedPropertiesViaKeyInputObject,
+ ValueFromPipeline = true, HelpMessage = "Key object")]
+ [Parameter(Mandatory = true, Position = 0, ParameterSetName = SetByRotationPolicyFileViaKeyInputObject,
+ ValueFromPipeline = true)]
+ [ValidateNotNullOrEmpty]
+ [Alias("Key")]
+ public PSKeyVaultKeyIdentityItem InputObject { get; set; }
+
+ [Parameter(Mandatory = true, Position = 0, ParameterSetName = ByKeyRotationPolicyInputObjectParameterSet,
+ ValueFromPipeline = true, HelpMessage = "PSKeyRotationPolicy object.")]
public PSKeyRotationPolicy KeyRotationPolicy { get; set; }
- [Parameter(ParameterSetName = ByVaultNameParameterSet,
- HelpMessage = "The time span when the key rotation policy will expire. It should be at least 28 days.")]
- [Parameter(ParameterSetName = ByKeyInputObjectParameterSet)]
- public TimeSpan ExpiresIn { get; set; }
+ [Parameter(ParameterSetName = SetByExpandedPropertiesViaVaultName,
+ HelpMessage = "The expiryTime will be applied on the new key version. It should be at least 28 days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: PT48H, 1 year and 10 days: P1Y10D")]
+ [Parameter(ParameterSetName = SetByExpandedPropertiesViaKeyInputObject)]
+ public string ExpiresIn { get; set; }
- [Parameter(ParameterSetName = ByVaultNameParameterSet,
+ [Parameter(ParameterSetName = SetByExpandedPropertiesViaVaultName,
HelpMessage = "PSKeyRotationLifetimeAction object.")]
- [Parameter(ParameterSetName = ByKeyInputObjectParameterSet)]
+ [Parameter(ParameterSetName = SetByExpandedPropertiesViaKeyInputObject)]
public PSKeyRotationLifetimeAction[] KeyRotationLifetimeAction { get; set; }
+ [Parameter(Mandatory = true, ParameterSetName = SetByRotationPolicyFileViaVaultName,
+ HelpMessage = "A path to the rotation policy file that contains JSON policy definition.")]
+ [Parameter(Mandatory = true, ParameterSetName = SetByRotationPolicyFileViaKeyInputObject)]
+ public string PolicyPath { get; set; }
#endregion
- internal override void NormalizeParameterSets()
+ protected override void BeginProcessing()
+ {
+ PolicyPath = this.TryResolvePath(PolicyPath);
+ base.BeginProcessing();
+ }
+
+ internal void ValidateParameters()
+ {
+ if((this.ParameterSetName.Equals(SetByExpandedPropertiesViaVaultName) ||
+ this.ParameterSetName.Equals(SetByExpandedPropertiesViaKeyInputObject)) &&
+ null == ExpiresIn && null == KeyRotationLifetimeAction)
+ {
+ throw new ArgumentException(string.Format("Must specify ExpiresIn or KeyRotationLifetimeAction."));
+ }
+
+ if(this.IsParameterBound(c => c.PolicyPath) && !File.Exists(PolicyPath))
+ {
+ throw new AzPSFileNotFoundException(string.Format(Resources.FileNotFound, PolicyPath), nameof(PolicyPath));
+ }
+ }
+
+ internal void NormalizeParameterSets()
{
if (null != InputObject)
{
@@ -57,33 +123,84 @@ internal override void NormalizeParameterSets()
}
}
- if (!this.ParameterSetName.Equals(ByKeyRotationPolicyInputObjectParameterSet))
+ switch (this.ParameterSetName)
{
-
- // Only update specified parameter, others keep same
- KeyRotationPolicy = Track2DataClient.GetKeyRotationPolicy(VaultName, Name) ??
- new PSKeyRotationPolicy()
- {
+ case SetByRotationPolicyFileViaVaultName:
+ case SetByRotationPolicyFileViaKeyInputObject:
+ KeyRotationPolicy = ConstructKeyRotationPolicyFromFile(PolicyPath);
+ break;
+ case SetByExpandedPropertiesViaVaultName:
+ case SetByExpandedPropertiesViaKeyInputObject:
+ KeyRotationPolicy = new PSKeyRotationPolicy()
+ {
VaultName = VaultName,
KeyName = Name,
- ExpiresIn = null,
- LifetimeActions = null
+ ExpiresIn = ExpiresIn ?? Track2DataClient.GetKeyRotationPolicy(VaultName, Name).ExpiresIn,
+ LifetimeActions = KeyRotationLifetimeAction ?? Track2DataClient.GetKeyRotationPolicy(VaultName, Name).LifetimeActions
};
+ break;
+ default:
+ // do nothing
+ break;
+ }
- if (MyInvocation.BoundParameters.ContainsKey("ExpiresIn"))
- {
- KeyRotationPolicy.ExpiresIn = ExpiresIn;
- }
+ }
+
+ private PSKeyRotationPolicy ConstructKeyRotationPolicyFromFile(string policyPath)
+ {
+ try
+ {
+ string content = File.ReadAllText(policyPath);
+ // first-level dictionary
+ var dict = JsonUtilities.DeserializeJson(content, true);
- if (MyInvocation.BoundParameters.ContainsKey("KeyRotationLifetimeAction"))
+ // second-level dictionary
+ var attributes = JsonUtilities.DeserializeJson(JsonConvert.SerializeObject(dict["attributes"]), true);
+ var lifetimeActionsArray = JsonConvert.DeserializeObject(JsonConvert.SerializeObject(dict["lifetimeActions"]));
+
+ // third-level dictionary
+ string expiresIn = attributes["expiryTime"].ToString();
+
+ var lifetimeActions = new List();
+ lifetimeActionsArray?.ForEach((lifetimeAction) =>
{
- KeyRotationPolicy.LifetimeActions = KeyRotationLifetimeAction;
- }
+ var lifetimeActionDict = JsonUtilities.DeserializeJson(JsonConvert.SerializeObject(lifetimeAction), true);
+ var action = JsonUtilities.DeserializeJson(JsonConvert.SerializeObject(lifetimeActionDict["action"]), true);
+ var trigger = JsonUtilities.DeserializeJson(JsonConvert.SerializeObject(lifetimeActionDict["trigger"]), true);
+
+ // 4th-level dictionary
+ string actionType = action["type"].ToString();
+
+ // timeAfterCreate or timeBeforeExpiry may absent
+ string timeAfterCreate = trigger.ContainsKey("timeAfterCreate") ? trigger["timeAfterCreate"]?.ToString() : null;
+ string timeBeforeExpiry = trigger.ContainsKey("timeBeforeExpiry") ? trigger["timeBeforeExpiry"]?.ToString() : null;
+
+ lifetimeActions.Add(new PSKeyRotationLifetimeAction()
+ {
+ Action = actionType,
+ TimeAfterCreate = timeAfterCreate,
+ TimeBeforeExpiry = timeBeforeExpiry
+ });
+ });
+
+ return new PSKeyRotationPolicy()
+ {
+ VaultName = this.VaultName,
+ KeyName = this.Name,
+ ExpiresIn = expiresIn,
+ LifetimeActions = lifetimeActions
+ };
}
+ catch
+ {
+ throw new AzPSArgumentException(string.Format("Deserialize {0} failed", policyPath), nameof(PolicyPath));
+ }
+
}
public override void ExecuteCmdlet()
{
+ ValidateParameters();
NormalizeParameterSets();
ConfirmAction(KeyRotationPolicy.KeyName, Properties.Resources.SetKeyRotationPolicy, () =>
diff --git a/src/KeyVault/KeyVault/Commands/Key/UpdateAzureKeyVaultKey.cs b/src/KeyVault/KeyVault/Commands/Key/UpdateAzureKeyVaultKey.cs
index a28f6d776d6a..3e98d8d3d7c4 100644
--- a/src/KeyVault/KeyVault/Commands/Key/UpdateAzureKeyVaultKey.cs
+++ b/src/KeyVault/KeyVault/Commands/Key/UpdateAzureKeyVaultKey.cs
@@ -132,11 +132,11 @@ public class UpdateAzureKeyVaultKey : KeyVaultCmdletBase
public SwitchParameter Immutable { get; set; }
///
- /// A path to a file containing JSON policy definition. The policy rules under which a key can be exported.
+ /// A path to the release policy file that contains JSON policy definition. The policy rules under which a key can be exported.
///
[Parameter(Mandatory = false,
ParameterSetName = HsmInteractiveParameterSet,
- HelpMessage = "A path to a file containing JSON policy definition. The policy rules under which a key can be exported.")]
+ HelpMessage = "A path to the release policy file that contains JSON policy definition. The policy rules under which a key can be exported.")]
public string ReleasePolicyPath { get; set; }
diff --git a/src/KeyVault/KeyVault/KeyVault.csproj b/src/KeyVault/KeyVault/KeyVault.csproj
index 3a56c8925fa1..ad0b036683a4 100644
--- a/src/KeyVault/KeyVault/KeyVault.csproj
+++ b/src/KeyVault/KeyVault/KeyVault.csproj
@@ -13,7 +13,7 @@
-
+
diff --git a/src/KeyVault/KeyVault/Models/Key/PSKeyRotationLifetimeAction.cs b/src/KeyVault/KeyVault/Models/Key/PSKeyRotationLifetimeAction.cs
index aa9ae50ef659..91c7aae469b7 100644
--- a/src/KeyVault/KeyVault/Models/Key/PSKeyRotationLifetimeAction.cs
+++ b/src/KeyVault/KeyVault/Models/Key/PSKeyRotationLifetimeAction.cs
@@ -14,24 +14,32 @@ public class PSKeyRotationLifetimeAction
// Gets or sets he Azure.Security.KeyVault.Keys.KeyRotationPolicyAction that will
// be executed.
public string Action { get; set; }
- //
- // Summary:
- // Gets or sets the System.TimeSpan after creation to attempt to rotate. It only
- // applies to Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Rotate.
- public TimeSpan? TimeAfterCreate { get; set; }
- //
- // Summary:
- // Gets or sets the System.TimeSpan before expiry to attempt to Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Rotate
- // or Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Notify.
- public TimeSpan? TimeBeforeExpiry { get; set; }
+
+ ///
+ /// Gets or sets the ISO 8601 duration after creation to attempt to rotate. It only
+ /// applies to Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Rotate.
+ ///
+ ///
+ /// ISO 8601 duration examples:
+ /// • P90D – 90 days
+ /// • P3M – 3 months
+ /// • P1Y10D – 1 year and 10 days
+ ///
+ public string TimeAfterCreate { get; set; }
+
+ ///
+ /// Gets or sets the ISO 8601 duration before expiry to attempt to Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Rotate
+ /// or Azure.Security.KeyVault.Keys.KeyRotationPolicyAction.Notify.
+ ///
+ public string TimeBeforeExpiry { get; set; }
public PSKeyRotationLifetimeAction() { }
public PSKeyRotationLifetimeAction(KeyRotationLifetimeAction keyRotationLifetimeAction)
{
Action = keyRotationLifetimeAction.Action.ToString();
- TimeAfterCreate = string.IsNullOrEmpty(keyRotationLifetimeAction.TimeAfterCreate) ? null : XmlConvert.ToTimeSpan(keyRotationLifetimeAction.TimeAfterCreate) as TimeSpan?;
- TimeBeforeExpiry = string.IsNullOrEmpty(keyRotationLifetimeAction.TimeBeforeExpiry) ? null : XmlConvert.ToTimeSpan(keyRotationLifetimeAction.TimeBeforeExpiry) as TimeSpan?;
+ TimeAfterCreate = keyRotationLifetimeAction.TimeAfterCreate;
+ TimeBeforeExpiry = keyRotationLifetimeAction.TimeBeforeExpiry;
}
public override string ToString()
diff --git a/src/KeyVault/KeyVault/Models/Key/PSKeyRotationPolicy.cs b/src/KeyVault/KeyVault/Models/Key/PSKeyRotationPolicy.cs
index 1e1c45c47f2f..71cbdb3951ca 100644
--- a/src/KeyVault/KeyVault/Models/Key/PSKeyRotationPolicy.cs
+++ b/src/KeyVault/KeyVault/Models/Key/PSKeyRotationPolicy.cs
@@ -36,11 +36,12 @@ public class PSKeyRotationPolicy
// Summary:
// Gets the actions that will be performed by Key Vault over the lifetime of a key.
public IList LifetimeActions { get; set; }
- //
- // Summary:
- // Gets or sets the System.TimeSpan when the Azure.Security.KeyVault.Keys.KeyRotationPolicy
- // will expire. It should be at least 28 days.
- public TimeSpan? ExpiresIn { get; set; }
+
+ ///
+ /// The expiryTime will be applied on the new key version. It should be at least 28 days.
+ /// It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: PT48H, 1 year and 10 days: P1Y10D"
+ ///
+ public string ExpiresIn { get; set; }
//
// Summary:
// Gets a System.DateTimeOffset indicating when the Azure.Security.KeyVault.Keys.KeyRotationPolicy
@@ -65,7 +66,7 @@ public PSKeyRotationPolicy(KeyRotationPolicy keyRotationPolicy, string vaultName
LifetimeActions.Add(new PSKeyRotationLifetimeAction(action));
}
- ExpiresIn = string.IsNullOrEmpty(keyRotationPolicy.ExpiresIn) ? null : XmlConvert.ToTimeSpan(keyRotationPolicy.ExpiresIn) as TimeSpan?;
+ ExpiresIn = keyRotationPolicy.ExpiresIn;
CreatedOn = keyRotationPolicy.CreatedOn;
UpdatedOn = keyRotationPolicy.UpdatedOn;
}
diff --git a/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs
index 2d431f6a2dcd..c8e26844e464 100644
--- a/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs
+++ b/src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs
@@ -543,17 +543,16 @@ internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotat
var client = CreateKeyClient(psKeyRotationPolicy.VaultName);
var policy = new KeyRotationPolicy()
{
- ExpiresIn = psKeyRotationPolicy.ExpiresIn.HasValue ? XmlConvert.ToString(psKeyRotationPolicy.ExpiresIn.Value) : null,
+ ExpiresIn = psKeyRotationPolicy.ExpiresIn,
LifetimeActions = { }
};
psKeyRotationPolicy.LifetimeActions?.ForEach(
psKeyRotationLifetimeAction => policy.LifetimeActions.Add(
- new KeyRotationLifetimeAction()
+ new KeyRotationLifetimeAction(new KeyRotationPolicyAction(psKeyRotationLifetimeAction.Action))
{
- Action = psKeyRotationLifetimeAction.Action,
- TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate.HasValue ? XmlConvert.ToString(psKeyRotationLifetimeAction.TimeAfterCreate.Value) : null,
- TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry.HasValue ? XmlConvert.ToString(psKeyRotationLifetimeAction.TimeBeforeExpiry.Value) : null
+ TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate,
+ TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry
}
));
diff --git a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs
index f17d4919f7c0..705bfa5c9f17 100644
--- a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs
+++ b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs
@@ -185,17 +185,16 @@ internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotat
var client = CreateKeyClient(psKeyRotationPolicy.VaultName);
var policy = new KeyRotationPolicy()
{
- ExpiresIn = psKeyRotationPolicy.ExpiresIn.HasValue ? XmlConvert.ToString(psKeyRotationPolicy.ExpiresIn.Value) : null,
+ ExpiresIn = psKeyRotationPolicy.ExpiresIn,
LifetimeActions = {}
};
psKeyRotationPolicy.LifetimeActions?.ForEach(
psKeyRotationLifetimeAction => policy.LifetimeActions.Add(
- new KeyRotationLifetimeAction()
+ new KeyRotationLifetimeAction(psKeyRotationLifetimeAction.Action)
{
- Action = psKeyRotationLifetimeAction.Action,
- TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate.HasValue ? XmlConvert.ToString(psKeyRotationLifetimeAction.TimeAfterCreate.Value) : null,
- TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry.HasValue ? XmlConvert.ToString(psKeyRotationLifetimeAction.TimeBeforeExpiry.Value) : null
+ TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate,
+ TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry
}
));
diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVaultKeyRotationPolicy.md b/src/KeyVault/KeyVault/help/Get-AzKeyVaultKeyRotationPolicy.md
index 32a2928b32c1..c434aa5e5ab0 100644
--- a/src/KeyVault/KeyVault/help/Get-AzKeyVaultKeyRotationPolicy.md
+++ b/src/KeyVault/KeyVault/help/Get-AzKeyVaultKeyRotationPolicy.md
@@ -38,7 +38,7 @@ Get-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key
Id :
VaultName : test-kv
KeyName : test-key
-LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00]}
+LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: P30D]}
ExpiresIn :
CreatedOn :
UpdatedOn :
diff --git a/src/KeyVault/KeyVault/help/Set-AzKeyVaultKeyRotationPolicy.md b/src/KeyVault/KeyVault/help/Set-AzKeyVaultKeyRotationPolicy.md
index b33cfecd9349..97126ae87cb5 100644
--- a/src/KeyVault/KeyVault/help/Set-AzKeyVaultKeyRotationPolicy.md
+++ b/src/KeyVault/KeyVault/help/Set-AzKeyVaultKeyRotationPolicy.md
@@ -14,21 +14,33 @@ Sets the key rotation policy for the specified key in Key Vault.
### ByVaultName (Default)
```
-Set-AzKeyVaultKeyRotationPolicy [-ExpiresIn ]
- [-KeyRotationLifetimeAction ] [-VaultName] [-Name]
- [-DefaultProfile ] [-WhatIf] [-Confirm] []
+Set-AzKeyVaultKeyRotationPolicy [-VaultName] [-Name] [-ExpiresIn ]
+ [-KeyRotationLifetimeAction ] [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
```
-### ByKeyRotationPolicyInputObject
+### SetByRotationPolicyFileViaVaultName
```
-Set-AzKeyVaultKeyRotationPolicy [-KeyRotationPolicy]
+Set-AzKeyVaultKeyRotationPolicy [-VaultName] [-Name] -PolicyPath
[-DefaultProfile ] [-WhatIf] [-Confirm] []
```
### ByKeyInputObject
```
-Set-AzKeyVaultKeyRotationPolicy [-ExpiresIn ]
- [-KeyRotationLifetimeAction ] [-InputObject]
+Set-AzKeyVaultKeyRotationPolicy [-InputObject] [-ExpiresIn ]
+ [-KeyRotationLifetimeAction ] [-DefaultProfile ]
+ [-WhatIf] [-Confirm] []
+```
+
+### SetByRotationPolicyFileViaKeyInputObject
+```
+Set-AzKeyVaultKeyRotationPolicy [-InputObject] -PolicyPath
+ [-DefaultProfile ] [-WhatIf] [-Confirm] []
+```
+
+### ByKeyRotationPolicyInputObject
+```
+Set-AzKeyVaultKeyRotationPolicy [-KeyRotationPolicy]
[-DefaultProfile ] [-WhatIf] [-Confirm] []
```
@@ -37,86 +49,112 @@ This cmdlet requires the key update permission. It returns a key rotation policy
## EXAMPLES
-### Example 1: Sets key rotation policy expiry time
+### Example 1: Sets key rotation policy by JSON file
```powershell
-$t = New-TimeSpan -Days 50
-Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -ExpiresIn $t
+<#
+rotation_policy.json
+{
+ "lifetimeActions": [
+ {
+ "trigger": {
+ "timeAfterCreate": "P18M",
+ "timeBeforeExpiry": null
+ },
+ "action": {
+ "type": "Rotate"
+ }
+ },
+ {
+ "trigger": {
+ "timeBeforeExpiry": "P30D"
+ },
+ "action": {
+ "type": "Notify"
+ }
+ }
+ ],
+ "attributes": {
+ "expiryTime": "P2Y"
+ }
+ }
+#>
+Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json
```
```output
Id : https://test-kv.vault.azure.net/keys/test-key/rotationpolicy
VaultName : test-kv
-KeyName : test-key
-LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00]}
-ExpiresIn : 50.00:00:00
+KeyName : test-keyAM +00:00
+LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: P30D]}
+ExpiresIn : P2Y
CreatedOn : 12/10/2021 3:21:51 AM +00:00
-UpdatedOn : 12/10/2021 3:22:14 AM +00:00
+UpdatedOn : 6/9/2022 7:43:27
```
-These cmdlets set the key rotation policy expiry time of test-key as 50 days.
+These commands set the rotation policy of key `test-key` by JSON file.
-### Example 2: Sets key rotation policy by InputObject
+### Example 2: Sets key rotation policy expiry time
```powershell
-$key = Get-AzKeyVaultKey -VaultName test-kv -Name test-key
-$action = [Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction]::new()
-$action.Action = "Rotate"
-$action.TimeBeforeExpiry = New-TimeSpan -Days 30
-Set-AzKeyVaultKeyRotationPolicy -InputObject $key -KeyRotationLifetimeAction $action
+Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -ExpiresIn P2Y
```
```output
Id : https://test-kv.vault.azure.net/keys/test-key/rotationpolicy
VaultName : test-kv
-KeyName : test-key
-LifetimeActions : {[Action: Rotate, TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00], [Action: Notify,
- TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00]}
-ExpiresIn : 50.00:00:00
+KeyName : test-keyAM +00:00
+LifetimeActions : {[Action: Notify, TimeAfterCreate: , TimeBeforeExpiry: P30D]}
+ExpiresIn : P2Y
CreatedOn : 12/10/2021 3:21:51 AM +00:00
-UpdatedOn : 12/14/2021 5:26:28 AM +00:00
+UpdatedOn : 6/9/2022 7:43:27
```
-These cmdlets set the key rotation policy expiry time of test-key as 50 days.
+These commands set the expiry time will be applied on the new key version of `test-key` as 2 years.
-### Example 3: Sets key rotation policy by PSKeyRotationPolicy object
+### Example 3: Sets key rotation policy via piping
```powershell
-$key = Get-AzKeyVaultKey -VaultName test-kv -Name test-key
-$policy = Get-AzKeyVaultKeyRotationPolicy $key
-$policy.ExpiresIn = New-TimeSpan -Days 60
-Set-AzKeyVaultKeyRotationPolicy -KeyRotationPolicy $policy
+Get-AzKeyVaultKey -VaultName test-kv -Name test-key | Set-AzKeyVaultKeyRotationPolicy -KeyRotationLifetimeAction @{Action = "Rotate"; TimeBeforeExpiry = "P18M"}
```
```output
-LifetimeActions : {[Action: Rotate, TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00], [Action: Notify,
- TimeAfterCreate: , TimeBeforeExpiry: 30.00:00:00]}
-ExpiresIn : 60.00:00:00
+Id : https://test-kv.vault.azure.net/keys/test-key/rotationpolicy
+VaultName : test-kv
+KeyName : test-key
+LifetimeActions : {[Action: Rotate, TimeAfterCreate: , TimeBeforeExpiry: P18M], [Action: Notify, TimeAfterCreate: ,
+ TimeBeforeExpiry: P30D]}
+ExpiresIn : P2Y
CreatedOn : 12/10/2021 3:21:51 AM +00:00
-UpdatedOn : 12/14/2021 5:34:00 AM +00:00
+UpdatedOn : 6/9/2022 8:10:43 AM +00:00
```
-These cmdlets set the key rotation policy expiry time of test-key as 50 days.
+These commands set the duration before expiry to attempt to rotate `test-key` as 18 months.
-## PARAMETERS
+### Example 4: Copy key rotation policy to another key via PSKeyRotationPolicy object
+```powershell
+$policy = Get-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key1
+$policy.KeyName = "test-key2"
+$policy | Set-AzKeyVaultKeyRotationPolicy
+```
-### -Confirm
-Prompts you for confirmation before running the cmdlet.
+```output
+Id : https://test-kv.vault.azure.net/keys/test-key2/rotationpolicy
+VaultName : test-kv
+KeyName : test-key2
+LifetimeActions : {[Action: Rotate, TimeAfterCreate: , TimeBeforeExpiry: P18M], [Action: Notify, TimeAfterCreate: ,
+ TimeBeforeExpiry: P30D]}
+ExpiresIn : P2Y
+CreatedOn : 6/9/2022 8:26:35 AM +00:00
+UpdatedOn : 6/9/2022 8:26:35 AM +00:00
+```
-```yaml
-Type: SwitchParameter
-Parameter Sets: (All)
-Aliases: cf
+These commands copy the key rotation policy `test-key1` to key `test-key2`.
-Required: False
-Position: Named
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
+## PARAMETERS
### -DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
```yaml
-Type: IAzureContextContainer
+Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
Parameter Sets: (All)
Aliases: AzContext, AzureRmContext, AzureCredential
@@ -128,11 +166,10 @@ Accept wildcard characters: False
```
### -ExpiresIn
-The time span when the key rotation policy will expire.
-It should be at least 28 days.
+The expiryTime will be applied on the new key version. It should be at least 28 days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: PT48H, 1 year and 10 days: P1Y10D.
```yaml
-Type: TimeSpan
+Type: System.String
Parameter Sets: ByVaultName, ByKeyInputObject
Aliases:
@@ -147,8 +184,8 @@ Accept wildcard characters: False
Key object
```yaml
-Type: PSKeyVaultKeyIdentityItem
-Parameter Sets: ByKeyInputObject
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultKeyIdentityItem
+Parameter Sets: ByKeyInputObject, SetByRotationPolicyFileViaKeyInputObject
Aliases: Key
Required: True
@@ -162,7 +199,7 @@ Accept wildcard characters: False
PSKeyRotationLifetimeAction object.
```yaml
-Type: PSKeyRotationLifetimeAction[]
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction[]
Parameter Sets: ByVaultName, ByKeyInputObject
Aliases:
@@ -177,8 +214,8 @@ Accept wildcard characters: False
PSKeyRotationPolicy object.
```yaml
-Type: PSKeyRotationPolicy
-Parameter Sets: ByKeyRotationPolicyInputObject
+Type: Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationPolicy
+Parameter Sets: ByKeyRotationPolicyInputObject
Aliases:
Required: True
@@ -192,8 +229,8 @@ Accept wildcard characters: False
Key name.
```yaml
-Type: String
-Parameter Sets: ByVaultName
+Type: System.String
+Parameter Sets: ByVaultName, SetByRotationPolicyFileViaVaultName
Aliases: KeyName
Required: True
@@ -203,12 +240,27 @@ Accept pipeline input: False
Accept wildcard characters: False
```
+### -PolicyPath
+A path to the rotation policy file that contains JSON policy definition.
+
+```yaml
+Type: System.String
+Parameter Sets: SetByRotationPolicyFileViaVaultName, SetByRotationPolicyFileViaKeyInputObject
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
### -VaultName
Vault name.
```yaml
-Type: String
-Parameter Sets: ByVaultName
+Type: System.String
+Parameter Sets: ByVaultName, SetByRotationPolicyFileViaVaultName
Aliases:
Required: True
@@ -218,12 +270,27 @@ Accept pipeline input: False
Accept wildcard characters: False
```
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
### -WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
```yaml
-Type: SwitchParameter
+Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases: wi
@@ -251,6 +318,6 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
## RELATED LINKS
-[Get-AzKeyVaultKeyRotationPolicy.md](./Get-AzKeyVaultKeyRotationPolicy.md)
+[Get-AzKeyVaultKeyRotationPolicy](./Get-AzKeyVaultKeyRotationPolicy.md)
-[Invoke-AzKeyVaultKeyRotation.md](./Invoke-AzKeyVaultKeyRotation.md)
\ No newline at end of file
+[Invoke-AzKeyVaultKeyRotation](./Invoke-AzKeyVaultKeyRotation.md)
\ No newline at end of file
diff --git a/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv b/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv
new file mode 100644
index 000000000000..18ab68cdd864
--- /dev/null
+++ b/tools/StaticAnalysis/Exceptions/Az.KeyVault/BreakingChangeIssues.csv
@@ -0,0 +1,7 @@
+"AssemblyFileName","ClassName","Target","Severity","ProblemId","Description","Remediation"
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.GetAzKeyVaultKeyRotationPolicy","Get-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'TimeAfterCreate' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'TimeAfterCreate' back to 'System.Nullable`1[System.TimeSpan]'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.GetAzKeyVaultKeyRotationPolicy","Get-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'TimeBeforeExpiry' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'TimeBeforeExpiry' back to 'System.Nullable`1[System.TimeSpan]'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.GetAzKeyVaultKeyRotationPolicy","Get-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'ExpiresIn' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationPolicy' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'ExpiresIn' back to 'System.Nullable`1[System.TimeSpan]'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.SetAzKeyVaultKeyRotationPolicy","Set-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'ExpiresIn' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationPolicy' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'ExpiresIn' back to 'System.Nullable`1[System.TimeSpan]'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.SetAzKeyVaultKeyRotationPolicy","Set-AzKeyVaultKeyRotationPolicy","0","3000","The type of property 'ExpiresIn' of type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationPolicy' has changed from 'System.Nullable`1[System.TimeSpan]' to 'System.String'.","Change the type of property 'ExpiresIn' back to 'System.Nullable`1[System.TimeSpan]'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.Commands.Key.SetAzKeyVaultKeyRotationPolicy","Set-AzKeyVaultKeyRotationPolicy","0","2020","The cmdlet 'Set-AzKeyVaultKeyRotationPolicy' no longer supports the type 'System.TimeSpan' for parameter 'ExpiresIn'.","Change the type for parameter 'ExpiresIn' back to 'System.TimeSpan'."
\ No newline at end of file