Azure · qwordy · Feb 13, 2020 · Feb 7, 2020 · Feb 8, 2020 · Feb 9, 2020
@@ -254,6 +254,10 @@
     text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --tags key1=value1 key2=value2
   - name: Upgrade sku of an App Configuration to standard
     text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --sku Standard
+  - name: Enable customer encryption key with system assigned identity
+    text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --encryption-key-name myKey --encryption-key-version keyVersion --encryption-key-vault https://keyVaultName.vault.azure.net
+  - name: Remove customer encryption key
+    text: az appconfig update -g MyResourceGroup -n MyAppConfiguration --encryption-key-name ""
 """
 
 helps['appconfig feature'] = """

@@ -766,10 +766,11 @@ def __convert_feature_dict_to_keyvalue_list(features_dict, enabled_for_keyword):
                             if filter_param:
                                 new_val["parameters"] = filter_param
                             feature_flag_value.conditions["client_filters"][idx] = new_val
-
-                    else:
-                        feature_flag_value.enabled = v
-                        feature_flag_value.conditions = default_conditions
+                elif isinstance(v, bool):
+                    feature_flag_value.enabled = v
+                    feature_flag_value.conditions = default_conditions
+                else:
+                    raise ValueError("The type of '{}' should be either boolean or dictionary.".format(v))
 
                 set_kv = KeyValue(key=key,
                                   value=json.dumps(feature_flag_value, default=lambda o: o.__dict__, ensure_ascii=False),

@@ -79,6 +79,12 @@ def load_arguments(self, _):
     with self.argument_context('appconfig update') as c:
         c.argument('tags', arg_type=tags_type)
 
+    with self.argument_context('appconfig update', arg_group='Customer Managed Key', is_preview=True) as c:
+        c.argument('encryption_key_name', help='The name of the KeyVault key.')
+        c.argument('encryption_key_vault', help='The URI of the KeyVault.')
+        c.argument('encryption_key_version', help='The version of the KeyVault key. Use the latest version by default.')
+        c.argument('identity_client_id', help='Client ID of the managed identity with wrap and unwrap access to encryption key. Use system assigned identity by default.')
+
     with self.argument_context('appconfig identity assign') as c:
         c.argument('identities', arg_type=identities_arg_type)
 

@@ -5,12 +5,15 @@
 
 # pylint: disable=line-too-long
 
+from knack.util import CLIError
 from knack.log import get_logger
 from azure.mgmt.appconfiguration.models import (ConfigurationStoreUpdateParameters,
                                                 ConfigurationStore,
                                                 Sku,
                                                 ResourceIdentity,
-                                                UserIdentity)
+                                                UserIdentity,
+                                                EncryptionProperties,
+                                                KeyVaultProperties)
 
 from ._utils import resolve_resource_group, user_confirmation
 
@@ -60,12 +63,26 @@ def update_configstore(cmd,
                        name,
                        resource_group_name=None,
                        tags=None,
-                       sku=None):
+                       sku=None,
+                       encryption_key_name=None,
+                       encryption_key_vault=None,
+                       encryption_key_version=None,
+                       identity_client_id=None):
+    __validate_cmk(encryption_key_name, encryption_key_vault, encryption_key_version, identity_client_id)
     if resource_group_name is None:
         resource_group_name, _ = resolve_resource_group(cmd, name)
 
-    update_params = ConfigurationStoreUpdateParameters(tags=tags,
-                                                       sku=sku)
+    update_params = ConfigurationStoreUpdateParameters(tags=tags if tags else None,
+                                                       sku=Sku(name=sku) if sku else None)
+
+    if encryption_key_name is not None:
+        key_vault_properties = KeyVaultProperties()
+        if encryption_key_name:
+            # key identifier schema https://keyvaultname.vault-int.azure-int.net/keys/keyname/keyversion
+            key_identifier = "{}/keys/{}/{}".format(encryption_key_vault.strip('/'), encryption_key_name, encryption_key_version if encryption_key_version else "")
+            key_vault_properties = KeyVaultProperties(key_identifier=key_identifier, identity_client_id=identity_client_id)
+
+        update_params.encryption = EncryptionProperties(key_vault_properties=key_vault_properties)
 
     return client.update(resource_group_name=resource_group_name,
                          config_store_name=name,
@@ -189,6 +206,22 @@ def __get_resource_identity(assign_identity):
                             user_assigned_identities=user_assigned if user_assigned else None)
 
 
+def __validate_cmk(encryption_key_name=None,
+                   encryption_key_vault=None,
+                   encryption_key_version=None,
+                   identity_client_id=None):
+    if encryption_key_name is None:
+        if any(arg is not None for arg in [encryption_key_vault, encryption_key_version, identity_client_id]):
+            raise CLIError("To modify customer encryption key --encryption-key-name is required")
+    else:
+        if encryption_key_name:
+            if encryption_key_vault is None:
+                raise CLIError("To modify customer encryption key --encryption-key-vault is required")
+        else:
+            if any(arg is not None for arg in [encryption_key_vault, encryption_key_version, identity_client_id]):
+                logger.warning("Removing the customer encryption key. Key vault related arguments are ignored.")
+
+
 def __convert_api_key_to_json(credentail, endpoint):
     augmented_credential = {}
     augmented_credential['id'] = credentail.id

diff --git a/src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/export.json b/src/azure-cli/azure/cli/command_modules/appconfig/tests/latest/export.json
@@ -1,6 +1,6 @@
 {
-  "Language": "spanish",
   "FeatureManagement": {
     "Beta": false
-  }
+  },
+  "Language": "spanish"
 }
@@ -1,7 +1,6 @@
 {
+  "Region": "West US",
   "FeatureManagement": {
-    "Beta": false,
-    "Percentage": true,
     "Timestamp": {
       "EnabledFor": [
         {
@@ -19,8 +18,9 @@
           "Name": "Production Tests"
         }
       ]
-    }
+    },
+    "Percentage": true,
+    "Beta": false
   },
-  "Color": "Red",
-  "Region": "West US"
+  "Color": "Red"
 }
@@ -1,12 +1,12 @@
-#Mon Feb 03 18:35:05 Pacific Standard Time 2020
-feature-management.FeatureSample.enabled-for[2].Name=Filter@3
+#Tue Feb 11 18:26:04 Pacific Standard Time 2020
+feature-management.FeatureSample.enabled-for[0].Name=Filter1
+feature-management.FeatureSample.enabled-for[0].Parameters.paramforfilter1=value1
 feature-management.FeatureSample.enabled-for[3].Name=filter.4
-Region=West US
 feature-management.FalseFeature=false
+Region=West US
+feature-management.FeatureSample.enabled-for[1].Name=Filter2
+feature-management.FeatureSample.enabled-for[2].Name=Filter@3
 feature-management.FeatureSample.enabled-for[3].Parameters.dotInFilter.Param=?
-feature-management.FeatureSample.enabled-for[0].Name=Filter1
-Color=Red
 feature-management.FeatureSample.enabled-for[3].Parameters.EmptyValue=
-feature-management.FeatureSample.enabled-for[0].Parameters.paramforfilter1=value1
+Color=Red
 feature-management.TrueFeature=true
-feature-management.FeatureSample.enabled-for[1].Name=Filter2
@@ -1,3 +1,4 @@
+Color: Red
 feature-management:
   Beta: false
   Timestamp:
@@ -10,5 +11,4 @@ feature-management:
       Parameters:
         EndTime: '2019-11-01T00:00:00Z'
         StartTime: '2019-09-02T00:00:00Z'
-Color: Red
 Region: West US