[NetAppFiles]Add missing bucket operation

specification/netapp/resource-manager/Microsoft.NetApp/NetApp/Bucket.tsp

@@ -83,6 +83,19 @@ model BucketProperties {
    * Access permissions for the bucket. Either ReadOnly or ReadWrite. The default is ReadOnly if no value is provided during bucket creation.
    */
   permissions?: BucketPermissions = BucketPermissions.ReadOnly;
+
+  /**
+   * Specifies the Azure Key Vault settings. These are used when
+   * a) retrieving the bucket server certificate, and
+   * b) storing the bucket credentials
+   *
+   * Notes:
+   *
+   * 1. If a bucket certificate was previously provided directly using the certificateObject property, it is possible to subsequently use the Azure Key Vault for certificate management by using these 'akvDetails' properties. However, once Azure Key Vault is configured, it is no longer possible to provide the certificate directly via the certificateObject property.
+   * 2. These properties are mutually exclusive with the server.certificateObject property.
+   */
+  @added(Versions.v2025_09_01_preview)
+  akvDetails?: AzureKeyVaultDetails;
 }
 
 /**
@@ -178,10 +191,102 @@ model BucketServerProperties {
   /**
    * A base64-encoded PEM file, which includes both the bucket server's certificate and private key. It is used to authenticate the user and allows access to volume data in a read-only manner.
    */
+  @removed(Versions.v2025_08_01)
+  @added(Versions.v2025_08_01_preview)
+  @removed(Versions.v2025_09_01)
+  @removed(Versions.v2025_09_01_preview)
+  @renamedFrom(Versions.v2025_09_01_preview, "certificateObject")
   @maxLength(10240)
   @minLength(1)
   @visibility(Lifecycle.Create, Lifecycle.Update)
+  certificateObjectOld?: string;
+
+  /**
+   * The base64-encoded contents of a PEM file, which includes both the bucket server's certificate and private key. It is generated by the end user and allows the user to access volume data in a read-only manner.
+   * Note: This is only used when Azure Key Vault is not configured. This property is mutually exclusive with the Azure Key Vault 'akv' properties.
+   */
+  @added(Versions.v2025_09_01_preview)
+  @maxLength(20480)
+  @minLength(1)
+  @secret
+  @visibility(Lifecycle.Create, Lifecycle.Update)
   certificateObject?: string;
+
+  /**
+   * Action to take when there is a certificate conflict.
+   * Possible values include: 'Update', 'Fail'
+   */
+  @added(Versions.v2025_09_01_preview)
+  onCertificateConflictAction?: OnCertificateConflictAction;
+}
+
+/**
+ * Specifies the Azure Key Vault settings. These are used when
+ * a) retrieving the bucket server certificate, and
+ * b) storing the bucket credentials
+ *
+ * Notes:
+ *
+ * 1. If a bucket certificate was previously provided directly using the certificateObject property, it is possible to subsequently use the Azure Key Vault for certificate management by using these 'akvDetails' properties. However, once Azure Key Vault is configured, it is no longer possible to provide the certificate directly via the certificateObject property.
+ *
+ * 2. These properties are mutually exclusive with the server.certificateObject property.
+ */
+@added(Versions.v2025_09_01_preview)
+model AzureKeyVaultDetails {
+  /**
+   * Specifies the Azure Key Vault settings for retrieving the bucket server certificate.
+   */
+  certificateAkvDetails?: CertificateAkvDetails;
+
+  /**
+   * Specifies the Azure Key Vault settings for storing the bucket credentials.
+   */
+  credentialsAkvDetails?: CredentialsAkvDetails;
+}
+
+/**
+ * Specifies the Azure Key Vault settings for retrieving the bucket server certificate.
+ */
+@added(Versions.v2025_09_01_preview)
+model CertificateAkvDetails {
+  /**
+   * The base URI of the Azure Key Vault that is used when retrieving the bucket certificate.
+   */
+  @example("https://<REDACTED>.vault.azure.net/")
+  certificateKeyVaultUri?: url;
+
+  /**
+   * The name of the bucket server certificate stored in the Azure Key Vault.
+   */
+  @maxLength(127)
+  @minLength(1)
+  @pattern("^[a-zA-Z0-9-]{1,127}$")
+  certificateName?: string;
+}
+
+/**
+ * Specifies the Azure Key Vault settings for storing the bucket credentials.
+ */
+@added(Versions.v2025_09_01_preview)
+model CredentialsAkvDetails {
+  /**
+   * The base URI of the Azure Key Vault that is used when storing the bucket credentials.
+   */
+  @example("https://<REDACTED>.vault.azure.net/")
+  credentialsKeyVaultUri?: url;
+
+  /**
+   * The name of the secret stored in Azure Key Vault. The associated key pair has the following structure:
+   *
+   * {
+   * "access_key_id": "<REDACTED>",
+   * "secret_access_key": "<REDACTED>"
+   * }
+   */
+  @maxLength(127)
+  @minLength(1)
+  @pattern("^[a-zA-Z0-9-]{1,127}$")
+  secretName?: string;
 }
 
 /**
@@ -234,6 +339,19 @@ model BucketPatchProperties {
    * Access permissions for the bucket. Either ReadOnly or ReadWrite.
    */
   permissions?: BucketPatchPermissions;
+
+  /**
+   * Specifies the Azure Key Vault settings. These are used when
+   * a) retrieving the bucket server certificate, and
+   * b) storing the bucket credentials
+   *
+   * Notes:
+   *
+   * 1. If a bucket certificate was previously provided directly using the certificateObject property, it is possible to subsequently use the Azure Key Vault for certificate management by using these 'akvDetails' properties. However, once Azure Key Vault is configured, it is no longer possible to provide the certificate directly via the certificateObject property.
+   * 2. These properties are mutually exclusive with the server.certificateObject property.
+   */
+  @added(Versions.v2025_09_01_preview)
+  akvDetails?: AzureKeyVaultDetails;
 }
 
 /**
@@ -253,10 +371,33 @@ model BucketServerPatchProperties {
   /**
    * A base64-encoded PEM file, which includes both the bucket server's certificate and private key. It is used to authenticate the user and allows access to volume data in a read-only manner.
    */
+  @removed(Versions.v2025_08_01)
+  @added(Versions.v2025_08_01_preview)
+  @removed(Versions.v2025_09_01)
+  @removed(Versions.v2025_09_01_preview)
+  @renamedFrom(Versions.v2025_09_01_preview, "certificateObject")
   @maxLength(10240)
   @minLength(1)
   @visibility(Lifecycle.Create, Lifecycle.Update)
+  certificateObjectOld?: string;
+
+  /**
+   * The base64-encoded contents of a PEM file, which includes both the bucket server's certificate and private key. It is generated by the end user and allows the user to access volume data in a read-only manner.
+   * Note: This is only used when Azure Key Vault is not configured. This property is mutually exclusive with the Azure Key Vault 'akv' properties.
+   */
+  @added(Versions.v2025_09_01_preview)
+  @maxLength(20480)
+  @minLength(1)
+  @secret
+  @visibility(Lifecycle.Create, Lifecycle.Update)
   certificateObject?: string;
+
+  /**
+   * Action to take when there is a certificate conflict.
+   * Possible values include: 'Update', 'Fail'
+   */
+  @added(Versions.v2025_09_01_preview)
+  onCertificateConflictAction?: OnCertificateConflictAction;
 }
 
 /**
@@ -381,6 +522,26 @@ union BucketPatchPermissions {
   ReadWrite: "ReadWrite",
 }
 
+/**
+ * This action is triggered when a certificate conflict occurs. A conflict arises if you try to create a new bucket while one or more already exist on the server, or if you update a bucket when multiple buckets are present. This happens because a single certificate is shared among all buckets on the same server.
+ *
+ * Note: This applies both to certificates provided directly via the certificateObject property and to those retrieved from Azure Key Vault. Details for the latter case are specified in the akvDetails.certificateAkvDetails section.
+ */
+@added(Versions.v2025_09_01_preview)
+union OnCertificateConflictAction {
+  string,
+
+  /**
+   * Update the existing certificate regardless of whether there is a conflict or not. This means all buckets on the server will now use the new certificate.
+   */
+  Update: "Update",
+
+  /**
+   * Fail the operation if a conflict occurs, meaning the bucket operation will fail, and the existing certificate will continue to be in use.
+   */
+  Fail: "Fail",
+}
+
 @added(Versions.v2025_07_01_preview)
 @removed(Versions.v2025_08_01)
 @added(Versions.v2025_08_01_preview)
@@ -432,6 +593,30 @@ interface Buckets {
     BucketCredentialsExpiry,
     ArmResponse<BucketGenerateCredentials>
   >;
+
+  /**
+   * Generate the access key and secret key used for accessing the specified volume bucket and store in Azure Key Vault.
+   */
+  @added(Versions.v2025_09_01_preview)
+  @Azure.Core.useFinalStateVia("azure-async-operation")
+  generateAkvCredentials is ArmResourceActionNoResponseContentAsync<
+    Bucket,
+    BucketCredentialsExpiry,
+    LroHeaders = ArmCombinedLroHeaders<FinalResult = void> &
+      Azure.Core.Foundations.RetryAfterHeader
+  >;
+
+  /**
+   * This operation will fetch the certificate from Azure Key Vault and install it on the bucket server.
+   */
+  @added(Versions.v2025_09_01_preview)
+  @Azure.Core.useFinalStateVia("azure-async-operation")
+  refreshCertificate is ArmResourceActionNoResponseContentAsync<
+    Bucket,
+    void,
+    LroHeaders = ArmCombinedLroHeaders<FinalResult = void> &
+      Azure.Core.Foundations.RetryAfterHeader
+  >;
 }
 
 @@maxLength(Bucket.name, 63);

specification/netapp/resource-manager/Microsoft.NetApp/NetApp/examples/2025-09-01-preview/Buckets_CreateOrUpdate.json

@@ -13,8 +13,9 @@
         },
         "permissions": "ReadOnly",
         "server": {
+          "fqdn": "fullyqualified.domainname.com",
           "certificateObject": "<REDACTED>",
-          "fqdn": "fullyqualified.domainname.com"
+          "onCertificateConflictAction": "Update"
         }
       }
     },
@@ -44,7 +45,8 @@
             "certificateCommonName": "www.example.com",
             "certificateExpiryDate": "2027-08-15T13:23:32Z",
             "fqdn": "fullyqualified.domainname.com",
-            "ipAddress": "1.2.3.4"
+            "ipAddress": "1.2.3.4",
+            "onCertificateConflictAction": "Update"
           },
           "status": "NoCredentialsSet"
         }

specification/netapp/resource-manager/Microsoft.NetApp/NetApp/examples/2025-09-01-preview/Buckets_CreateOrUpdateWithAkv.json

@@ -0,0 +1,115 @@
+{
+  "parameters": {
+    "subscriptionId": "00000000-0000-0000-0000-000000000000",
+    "resourceGroupName": "myRG",
+    "accountName": "account1",
+    "poolName": "pool1",
+    "volumeName": "volume1",
+    "bucketName": "bucket1",
+    "api-version": "2025-09-01-preview",
+    "body": {
+      "properties": {
+        "fileSystemUser": {
+          "nfsUser": {
+            "userId": 1001,
+            "groupId": 1000
+          }
+        },
+        "path": "/path",
+        "server": {
+          "fqdn": "fullyqualified.domainname.com",
+          "onCertificateConflictAction": "Fail"
+        },
+        "akvDetails": {
+          "certificateAkvDetails": {
+            "certificateKeyVaultUri": "https://REDACTED.vault.azure.net/",
+            "certificateName": "my-certificate"
+          },
+          "credentialsAkvDetails": {
+            "credentialsKeyVaultUri": "https://REDACTED.vault.azure.net/",
+            "secretName": "my-secret"
+          }
+        },
+        "permissions": "ReadOnly"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.NetApp/netAppAccounts/account1/capacityPools/pool1/volumes/volume1/buckets/bucket1",
+        "name": "account1/pool1/volume1/bucket1",
+        "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/buckets",
+        "properties": {
+          "path": "/path",
+          "provisioningState": "Succeeded",
+          "fileSystemUser": {
+            "nfsUser": {
+              "userId": 1001,
+              "groupId": 1000
+            }
+          },
+          "status": "NoCredentialsSet",
+          "server": {
+            "fqdn": "fullyqualified.domainname.com",
+            "certificateCommonName": "www.example.com",
+            "certificateExpiryDate": "2027-08-15T13:23:32Z",
+            "ipAddress": "1.2.3.4"
+          },
+          "akvDetails": {
+            "certificateAkvDetails": {
+              "certificateKeyVaultUri": "https://REDACTED.vault.azure.net/",
+              "certificateName": "my-certificate"
+            },
+            "credentialsAkvDetails": {
+              "credentialsKeyVaultUri": "https://REDACTED.vault.azure.net/",
+              "secretName": "my-secret"
+            }
+          },
+          "permissions": "ReadOnly"
+        }
+      }
+    },
+    "201": {
+      "headers": {
+        "Location": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.NetApp/locations/eastus/operationResults/00000000-0000-0000-0000-000000000000?api-version=2025-09-01-preview&operationResultResponseType=Location",
+        "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.NetApp/locations/eastus/operationResults/00000000-0000-0000-0000-000000000000?api-version=2025-09-01-preview"
+      },
+      "body": {
+        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.NetApp/netAppAccounts/account1/capacityPools/pool1/volumes/volume1/buckets/bucket1",
+        "name": "account1/pool1/volume1/bucket1",
+        "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/buckets",
+        "properties": {
+          "path": "/path",
+          "provisioningState": "Creating",
+          "fileSystemUser": {
+            "nfsUser": {
+              "userId": 1001,
+              "groupId": 1000
+            }
+          },
+          "status": "NoCredentialsSet",
+          "server": {
+            "fqdn": "fullyqualified.domainname.com",
+            "certificateCommonName": "www.example.com",
+            "certificateExpiryDate": "2027-08-15T13:23:32Z",
+            "ipAddress": "1.2.3.4"
+          },
+          "akvDetails": {
+            "certificateAkvDetails": {
+              "certificateKeyVaultUri": "https://REDACTED.vault.azure.net/",
+              "certificateName": "my-certificate"
+            },
+            "credentialsAkvDetails": {
+              "credentialsKeyVaultUri": "https://REDACTED.vault.azure.net/",
+              "secretName": "my-secret"
+            }
+          },
+          "permissions": "ReadOnly"
+        }
+      }
+    }
+  },
+  "operationId": "Buckets_CreateOrUpdate",
+  "title": "Buckets_CreateOrUpdateWithAkv"
+}

specification/netapp/resource-manager/Microsoft.NetApp/NetApp/examples/2025-09-01-preview/Buckets_GenerateAkvCredentials.json

@@ -0,0 +1,24 @@
+{
+  "parameters": {
+    "accountName": "account1",
+    "api-version": "2025-09-01-preview",
+    "body": {
+      "keyPairExpiryDays": 3
+    },
+    "bucketName": "bucket1",
+    "poolName": "pool1",
+    "resourceGroupName": "myRG",
+    "subscriptionId": "00000000-0000-0000-0000-000000000000",
+    "volumeName": "volume1"
+  },
+  "responses": {
+    "202": {
+      "headers": {
+        "Location": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.NetApp/locations/eastus/operationResults/00000000-0000-0000-0000-000000000000?api-version=2025-09-01-preview&operationResultResponseType=Location",
+        "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.NetApp/locations/eastus/operationResults/00000000-0000-0000-0000-000000000000?api-version=2025-09-01-preview"
+      }
+    }
+  },
+  "operationId": "Buckets_GenerateAkvCredentials",
+  "title": "Buckets_GenerateAkvCredentials"
+}