[KeyVault] BREAKING CHANGE: Support soft-delete feature for managed-HSM. keyvault delete --hsm-name will perform soft delete on a MHSM.

src/azure-cli/azure/cli/command_modules/keyvault/_help.py

@@ -565,6 +565,15 @@
     crafted: true
 """
 
+helps['keyvault show-deleted'] = """
+type: command
+short-summary: Show details of a deleted Vault or HSM.
+examples:
+  - name: Show details of a deleted key vault.
+    text: |
+        az keyvault show-deleted --name MyKeyVault
+"""
+
 helps['keyvault storage'] = """
 type: group
 short-summary: Manage storage accounts.

src/azure-cli/azure/cli/command_modules/keyvault/_params.py

@@ -215,6 +215,12 @@ class CLISecurityDomainOperation(str, Enum):
         c.argument('resource_type', help='When --resource-type is not present the command will list all deleted Vaults '
                                          'and HSMs. Possible values for --resource-type are vault and hsm.')
 
+    with self.argument_context('keyvault show-deleted') as c:
+        c.argument('vault_name', deleted_vault_name_type, options_list=['--name', '-n'],
+                   validator=validate_deleted_vault_or_hsm_name)
+        c.argument('hsm_name', deleted_hsm_name_type)
+        c.argument('location', help='Location of the deleted Vault or HSM', required=False)
+
     with self.argument_context('keyvault delete-policy') as c:
         c.argument('object_id', validator=validate_principal)
 

src/azure-cli/azure/cli/command_modules/keyvault/_validators.py

@@ -289,8 +289,8 @@ def validate_deleted_vault_or_hsm_name(cmd, ns):
     vault_name = getattr(ns, 'vault_name', None)
     hsm_name = getattr(ns, 'hsm_name', None)
 
-    if hsm_name:
-        raise InvalidArgumentValueError('Operation "purge" has not been supported for HSM.')
+    if hsm_name and 'keyvault recover' in cmd.name:
+        raise InvalidArgumentValueError('Operation "recover" has not been supported for HSM.')
 
     if not vault_name and not hsm_name:
         raise CLIError('Please specify --vault-name or --hsm-name.')
@@ -312,25 +312,26 @@ def validate_deleted_vault_or_hsm_name(cmd, ns):
         if vault_name:
             id_comps = parse_resource_id(resource.properties.vault_id)
         else:
-            id_comps = parse_resource_id(resource.properties.id)
+            id_comps = parse_resource_id(resource.id)
 
     # otherwise, iterate through deleted vaults to find one with a matching name
     else:
         for v in client.list_deleted():
             if vault_name:
                 id_comps = parse_resource_id(v.properties.vault_id)
             else:
-                id_comps = parse_resource_id(v.properties.id)
+                id_comps = parse_resource_id(v.id)
             if id_comps['name'].lower() == resource_name.lower():
                 resource = v
-                ns.location = resource.properties.location
+                ns.location = resource.properties.location if vault_name \
+                    else resource.additional_properties.get('location')
                 break
 
     # if the vault was not found, throw an error
     if not resource:
         raise CLIError('No deleted Vault or HSM was found with name ' + resource_name)
 
-    if 'keyvault purge' not in cmd.name:
+    if 'keyvault purge' not in cmd.name and 'keyvault show-deleted' not in cmd.name:
         setattr(ns, 'resource_group_name', getattr(ns, 'resource_group_name', None) or id_comps['resource_group'])
 
         # resource_group_name must match the resource group of the deleted vault

src/azure-cli/azure/cli/command_modules/keyvault/commands.py

@@ -77,6 +77,7 @@ def load_command_table(self, _):
         g.custom_command('delete-policy', 'delete_policy', supports_no_wait=True)
         g.custom_command('list-deleted', 'list_deleted_vault_or_hsm',
                          doc_string_source=mgmt_vaults_entity.operations_docs_tmpl.format('list_deleted'))
+        g.custom_command('show-deleted', 'get_deleted_vault_or_hsm')
         g.generic_update_command(
             'update', setter_name='update_vault_setter', setter_type=kv_vaults_custom,
             custom_func_name='update_vault',

src/azure-cli/azure/cli/command_modules/keyvault/custom.py

@@ -219,6 +219,14 @@ def delete_vault_or_hsm(cmd, client, resource_group_name=None, vault_name=None,
     )
 
 
+def get_deleted_vault_or_hsm(cmd, client, location=None, vault_name=None, hsm_name=None):
+    if is_azure_stack_profile(cmd) or vault_name:
+        return client.get_deleted(vault_name=vault_name, location=location)
+
+    hsm_client = get_client_factory(ResourceType.MGMT_KEYVAULT, Clients.managed_hsms)(cmd.cli_ctx, None)
+    return hsm_client.get_deleted(name=hsm_name, location=location)
+
+
 def purge_vault_or_hsm(cmd, client, location=None, vault_name=None, hsm_name=None,  # pylint: disable=unused-argument
                        no_wait=False):
     if is_azure_stack_profile(cmd) or vault_name:
@@ -228,7 +236,14 @@ def purge_vault_or_hsm(cmd, client, location=None, vault_name=None, hsm_name=Non
             location=location,
             vault_name=vault_name
         )
-    return None
+
+    hsm_client = get_client_factory(ResourceType.MGMT_KEYVAULT, Clients.managed_hsms)(cmd.cli_ctx, None)
+    return sdk_no_wait(
+        no_wait,
+        hsm_client.begin_purge_deleted,
+        location=location,
+        name=hsm_name
+    )
 
 
 def list_deleted_vault_or_hsm(cmd, client, resource_type=None):
@@ -239,7 +254,8 @@ def list_deleted_vault_or_hsm(cmd, client, resource_type=None):
         return client.list_deleted()
 
     if resource_type == 'hsm':
-        raise InvalidArgumentValueError('Operation "list-deleted" has not been supported for HSM.')
+        hsm_client = get_client_factory(ResourceType.MGMT_KEYVAULT, Clients.managed_hsms)(cmd.cli_ctx, None)
+        return hsm_client.list_deleted()
 
     if resource_type == 'vault':
         return client.list_deleted()