[KeyVault] Support private endpoint connections

src/azure-cli/azure/cli/command_modules/keyvault/_client_factory.py

@@ -14,6 +14,14 @@ def keyvault_client_vaults_factory(cli_ctx, _):
     return keyvault_client_factory(cli_ctx).vaults
 
 
+def keyvault_client_private_endpoint_connections_factory(cli_ctx, _):
+    return keyvault_client_factory(cli_ctx).private_endpoint_connections
+
+
+def keyvault_client_private_link_resources_factory(cli_ctx, _):
+    return keyvault_client_factory(cli_ctx).private_link_resources
+
+
 def keyvault_data_plane_factory(cli_ctx, _):
     from azure.keyvault import KeyVaultAuthentication, KeyVaultClient
     from azure.cli.core.profiles import ResourceType, get_api_version

src/azure-cli/azure/cli/command_modules/keyvault/_help.py

@@ -144,6 +144,31 @@
 short-summary: Manage vault network ACLs.
 """
 
+helps['keyvault private-endpoint'] = """
+type: group
+short-summary: Manage vault private endpoint connections.
+"""
+
+helps['keyvault private-endpoint delete'] = """
+type: command
+short-summary: Delete the specified private endpoint connection associated with a Key Vault.
+"""
+
+helps['keyvault private-endpoint show'] = """
+type: command
+short-summary: Show details of a private endpoint connection associated with a Key Vault.
+"""
+
+helps['keyvault private-link-resource'] = """
+type: group
+short-summary: Manage vault private link resources.
+"""
+
+helps['keyvault private-link-resource show'] = """
+type: command
+short-summary: Show the private link resources supported for a Key Vault.
+"""
+
 helps['keyvault recover'] = """
 type: command
 short-summary: Recover a key vault.

src/azure-cli/azure/cli/command_modules/keyvault/_params.py

@@ -22,8 +22,8 @@
     datetime_type, certificate_type,
     get_vault_base_url_type, validate_key_import_source,
     validate_key_type, validate_policy_permissions,
-    validate_principal, validate_resource_group_name,
-    validate_x509_certificate_chain,
+    validate_principal,
+    validate_resource_group_name, validate_x509_certificate_chain,
     secret_text_encoding_values, secret_binary_encoding_values, validate_subnet,
     validate_vault_id, validate_sas_definition_id, validate_storage_account_id, validate_storage_disabled_attribute,
     validate_deleted_vault_name)
@@ -108,15 +108,37 @@ class CLIJsonWebKeyOperation(str, Enum):
 
     with self.argument_context('keyvault set-policy', arg_group='Permission') as c:
         c.argument('object_id', validator=validate_principal)
-        c.argument('key_permissions', arg_type=get_enum_type(KeyPermissions), metavar='PERM', nargs='*', help='Space-separated list of key permissions to assign.', validator=validate_policy_permissions)
-        c.argument('secret_permissions', arg_type=get_enum_type(SecretPermissions), metavar='PERM', nargs='*', help='Space-separated list of secret permissions to assign.')
-        c.argument('certificate_permissions', arg_type=get_enum_type(CertificatePermissions), metavar='PERM', nargs='*', help='Space-separated list of certificate permissions to assign.')
-        c.argument('storage_permissions', arg_type=get_enum_type(StoragePermissions), metavar='PERM', nargs='*', help='Space-separated list of storage permissions to assign.')
+        c.argument('key_permissions', arg_type=get_enum_type(KeyPermissions), metavar='PERM', nargs='*',
+                   help='Space-separated list of key permissions to assign.', validator=validate_policy_permissions)
+        c.argument('secret_permissions', arg_type=get_enum_type(SecretPermissions), metavar='PERM', nargs='*',
+                   help='Space-separated list of secret permissions to assign.')
+        c.argument('certificate_permissions', arg_type=get_enum_type(CertificatePermissions), metavar='PERM', nargs='*',
+                   help='Space-separated list of certificate permissions to assign.')
+        c.argument('storage_permissions', arg_type=get_enum_type(StoragePermissions), metavar='PERM', nargs='*',
+                   help='Space-separated list of storage permissions to assign.')
 
     with self.argument_context('keyvault network-rule', min_api='2018-02-14') as c:
         c.argument('ip_address', help='IPv4 address or CIDR range.')
         c.argument('subnet', help='Name or ID of subnet. If name is supplied, `--vnet-name` must be supplied.')
         c.argument('vnet_name', help='Name of a virtual network.', validator=validate_subnet)
+
+    with self.argument_context('keyvault private-endpoint', min_api='2018-02-14') as c:
+        c.argument('approval_description', help='Comments for the approval.')
+        c.argument('private_endpoint_connection_name', options_list=['--connection-name', '-n'], required=False,
+                   help='The name of the private endpoint connection associated with the Key Vault. '
+                        'Required if --connection-id is not specified')
+        c.argument('vault_name', vault_name_type, required=False,
+                   help='Name of the Key Vault. Required if --connection-id is not specified')
+        c.argument('rejection_description', help='Comments for the rejection.')
+
+    for item in ['approve', 'reject', 'delete', 'show']:
+        with self.argument_context('keyvault private-endpoint {}'.format(item), min_api='2018-02-14') as c:
+            c.extra('connection_id', required=False,
+                    help='The ID of the private endpoint connection associated with the Key Vault. '
+                         'If specified --vault-name and --connection-name/-n, this should be omitted.')
+
+    with self.argument_context('keyvault private-link-resource', min_api='2018-02-14') as c:
+        c.argument('vault_name', vault_name_type, required=True, help='Name of the Key Vault.')
     # endregion
 
     # region Shared
@@ -216,7 +238,6 @@ class CLIJsonWebKeyOperation(str, Enum):
     # endregion
 
     # region KeyVault Storage Account
-
     with self.argument_context('keyvault storage', arg_group='Id') as c:
         c.argument('storage_account_name', options_list=['--name', '-n'], help='Name to identify the storage account in the vault.', id_part='child_name_1', completer=get_keyvault_name_completion_list('storage_account'))
         c.argument('vault_base_url', vault_name_type, type=get_vault_base_url_type(self.cli_ctx), id_part=None)

src/azure-cli/azure/cli/command_modules/keyvault/_validators.py

@@ -166,6 +166,27 @@ def validate_policy_permissions(ns):
             '--certificate-permissions --storage-permissions')
 
 
+def validate_private_endpoint_connection_id(cmd, ns):
+    connection_id = ns.connection_id
+    connection_name = ns.private_endpoint_connection_name
+    vault_name = ns.vault_name
+
+    if not connection_id:
+        if not all([connection_name, vault_name]):
+            raise argparse.ArgumentError(
+                None, 'specify both: --connection-name/-n and --vault-name')
+        ns.resource_group_name = _get_resource_group_from_vault_name(cmd.cli_ctx, vault_name)
+    else:
+        if any([connection_name, vault_name]):
+            raise argparse.ArgumentError(
+                None, 'you don\'t need to specify --connection-name/-n or --vault-name if --connection-id is specified')
+
+        id_parts = connection_id.split('/')
+        ns.private_endpoint_connection_name = id_parts[-1]
+        ns.vault_name = id_parts[-3]
+        ns.resource_group_name = id_parts[-7]
+
+
 def validate_principal(ns):
     num_set = sum(1 for p in [ns.object_id, ns.spn, ns.upn] if p)
     if num_set != 1:

src/azure-cli/azure/cli/command_modules/keyvault/commands.py

@@ -8,10 +8,11 @@
 
 
 from ._client_factory import (
-    keyvault_client_vaults_factory, keyvault_data_plane_factory)
+    keyvault_client_vaults_factory, keyvault_client_private_endpoint_connections_factory,
+    keyvault_client_private_link_resources_factory, keyvault_data_plane_factory)
 
 from ._validators import (
-    process_secret_set_namespace, process_certificate_cancel_namespace)
+    process_secret_set_namespace, process_certificate_cancel_namespace, validate_private_endpoint_connection_id)
 
 
 # pylint: disable=too-many-locals, too-many-statements
@@ -34,6 +35,18 @@ def load_command_table(self, _):
         resource_type=ResourceType.MGMT_KEYVAULT
     )
 
+    kv_private_endpoint_connections_sdk = CliCommandType(
+        operations_tmpl='azure.mgmt.keyvault.operations#PrivateEndpointConnectionsOperations.{}',
+        client_factory=keyvault_client_private_endpoint_connections_factory,
+        resource_type=ResourceType.MGMT_KEYVAULT
+    )
+
+    kv_private_link_resources_sdk = CliCommandType(
+        operations_tmpl='azure.mgmt.keyvault.operations#PrivateLinkResourcesOperations.{}',
+        client_factory=keyvault_client_private_link_resources_factory,
+        resource_type=ResourceType.MGMT_KEYVAULT
+    )
+
     kv_data_sdk = CliCommandType(
         operations_tmpl='azure.keyvault.key_vault_client#KeyVaultClient.{}',
         client_factory=keyvault_data_plane_factory,
@@ -64,6 +77,25 @@ def load_command_table(self, _):
         g.custom_command('remove', 'remove_network_rule')
         g.custom_command('list', 'list_network_rules')
 
+    with self.command_group('keyvault private-endpoint',
+                            kv_private_endpoint_connections_sdk,
+                            min_api='2018-02-14',
+                            client_factory=keyvault_client_private_endpoint_connections_factory,
+                            is_preview=True) as g:
+        g.custom_command('approve', 'approve_private_endpoint_connection',
+                         validator=validate_private_endpoint_connection_id)
+        g.custom_command('reject', 'reject_private_endpoint_connection',
+                         validator=validate_private_endpoint_connection_id)
+        g.command('delete', 'delete', validator=validate_private_endpoint_connection_id)
+        g.show_command('show', 'get', validator=validate_private_endpoint_connection_id)
+
+    with self.command_group('keyvault private-link-resource',
+                            kv_private_link_resources_sdk,
+                            min_api='2018-02-14',
+                            client_factory=keyvault_client_private_link_resources_factory,
+                            is_preview=True) as g:
+        g.show_command('show', 'list_by_vault')
+
     # Data Plane Commands
     with self.command_group('keyvault key', kv_data_sdk) as g:
         g.keyvault_command('list', 'get_keys')

src/azure-cli/azure/cli/command_modules/keyvault/custom.py

@@ -526,7 +526,7 @@ def add_network_rule(cmd, client, resource_group_name, vault_name, ip_address=No
 
 
 def remove_network_rule(cmd, client, resource_group_name, vault_name, ip_address=None, subnet=None, vnet_name=None):  # pylint: disable=unused-argument
-    """ Removes a network rule from the network ACLs for a Key Vault. """
+    """ Remove a network rule from the network ACLs for a Key Vault. """
 
     VaultCreateOrUpdateParameters = cmd.get_models('VaultCreateOrUpdateParameters',
                                                    resource_type=ResourceType.MGMT_KEYVAULT)
@@ -566,7 +566,7 @@ def remove_network_rule(cmd, client, resource_group_name, vault_name, ip_address
 
 
 def list_network_rules(cmd, client, resource_group_name, vault_name):  # pylint: disable=unused-argument
-    """ Lists the network rules from the network ACLs for a Key Vault. """
+    """ List the network rules from the network ACLs for a Key Vault. """
     vault = client.get(resource_group_name=resource_group_name, vault_name=vault_name)
     return vault.properties.network_acls
 
@@ -1154,3 +1154,45 @@ def restore_storage_account(client, vault_base_url, file_path):
         data = file_in.read()
         return client.restore_storage_account(vault_base_url, data)
 # endregion
+
+
+# region private_endpoint
+def _update_private_endpoint_connection_status(cmd, client, resource_group_name, vault_name,
+                                               private_endpoint_connection_name, is_approved=True, description=None,
+                                               connection_id=None):  # pylint: disable=unused-argument
+    PrivateEndpointServiceConnectionStatus = cmd.get_models('PrivateEndpointServiceConnectionStatus',
+                                                            resource_type=ResourceType.MGMT_KEYVAULT)
+
+    private_endpoint_connection = client.get(resource_group_name=resource_group_name, vault_name=vault_name,
+                                             private_endpoint_connection_name=private_endpoint_connection_name)
+
+    new_status = PrivateEndpointServiceConnectionStatus.approved \
+        if is_approved else PrivateEndpointServiceConnectionStatus.rejected
+    private_endpoint_connection.private_link_service_connection_state.status = new_status
+    private_endpoint_connection.private_link_service_connection_state.description = description
+
+    return client.put(resource_group_name=resource_group_name,
+                      vault_name=vault_name,
+                      private_endpoint_connection_name=private_endpoint_connection_name,
+                      properties=private_endpoint_connection)
+
+
+def approve_private_endpoint_connection(cmd, client, resource_group_name, vault_name, private_endpoint_connection_name,
+                                        approval_description=None, connection_id=None):
+    """Approve a private endpoint connection request for a Key Vault."""
+
+    return _update_private_endpoint_connection_status(
+        cmd, client, resource_group_name, vault_name, private_endpoint_connection_name, is_approved=True,
+        description=approval_description, connection_id=connection_id
+    )
+
+
+def reject_private_endpoint_connection(cmd, client, resource_group_name, vault_name, private_endpoint_connection_name,
+                                       rejection_description=None, connection_id=None):
+    """Reject a private endpoint connection request for a Key Vault."""
+
+    return _update_private_endpoint_connection_status(
+        cmd, client, resource_group_name, vault_name, private_endpoint_connection_name, is_approved=False,
+        description=rejection_description, connection_id=connection_id
+    )
+# endregion