AzureArcForKubernetes
diff --git a/‎src/aks-preview/HISTORY.rst‎
Lines changed: 2 additions & 0 deletions b/‎src/aks-preview/HISTORY.rst‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/_help.py‎
Lines changed: 3 additions & 0 deletions b/‎src/aks-preview/azext_aks_preview/_help.py‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/_params.py‎
Lines changed: 1 addition & 0 deletions b/‎src/aks-preview/azext_aks_preview/_params.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/custom.py‎
Lines changed: 1 addition & 0 deletions b/‎src/aks-preview/azext_aks_preview/custom.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/managed_cluster_decorator.py‎
Lines changed: 43 additions & 0 deletions b/‎src/aks-preview/azext_aks_preview/managed_cluster_decorator.py‎
Lines changed: 43 additions & 0 deletions
@@ -12,6 +12,8 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+* Support disabling Azure KeyVault KMS.
+
 0.5.91
 ++++++
 
 
@@ -771,6 +771,9 @@
         - name: --enable-azure-keyvault-kms
           type: bool
           short-summary: Enable Azure KeyVault Key Management Service.
+        - name: --disable-azure-keyvault-kms
+          type: bool
+          short-summary: Disable Azure KeyVault Key Management Service.
         - name: --azure-keyvault-kms-key-id
           type: string
           short-summary: Identifier of Azure Key Vault key.
 
@@ -389,6 +389,7 @@ def load_arguments(self, _):
         c.argument('enable_workload_identity', arg_type=get_three_state_flag())
         c.argument('enable_oidc_issuer', action='store_true', is_preview=True)
         c.argument('enable_azure_keyvault_kms', action='store_true', is_preview=True)
+        c.argument('disable_azure_keyvault_kms', action='store_true', is_preview=True)
         c.argument('azure_keyvault_kms_key_id', validator=validate_azure_keyvault_kms_key_id, is_preview=True)
         c.argument('azure_keyvault_kms_key_vault_network_access', arg_type=get_enum_type(keyvault_network_access_types), is_preview=True)
         c.argument('azure_keyvault_kms_key_vault_resource_id', validator=validate_azure_keyvault_kms_key_vault_resource_id, is_preview=True)
 
@@ -766,6 +766,7 @@ def aks_update(
     enable_workload_identity=None,
     enable_oidc_issuer=False,
     enable_azure_keyvault_kms=False,
+    disable_azure_keyvault_kms=False,
     azure_keyvault_kms_key_id=None,
     azure_keyvault_kms_key_vault_network_access=None,
     azure_keyvault_kms_key_vault_resource_id=None,
 
@@ -680,6 +680,37 @@ def get_enable_azure_keyvault_kms(self) -> bool:
         """
         return self._get_enable_azure_keyvault_kms(enable_validation=True)
 
+    def _get_disable_azure_keyvault_kms(self, enable_validation: bool = False) -> bool:
+        """Internal function to obtain the value of disable_azure_keyvault_kms.
+
+        This function supports the option of enable_validation. When enabled, if both enable_azure_keyvault_kms and disable_azure_keyvault_kms are
+        specified, raise a MutuallyExclusiveArgumentError.
+
+        :return: bool
+        """
+        # Read the original value passed by the command.
+        disable_azure_keyvault_kms = self.raw_param.get("disable_azure_keyvault_kms")
+
+        # This option is not supported in create mode, hence we do not read the property value from the `mc` object.
+        # This parameter does not need dynamic completion.
+        if enable_validation:
+            if disable_azure_keyvault_kms and self._get_enable_azure_keyvault_kms(enable_validation=False):
+                raise MutuallyExclusiveArgumentError(
+                    "Cannot specify --enable-azure-keyvault-kms and --disable-azure-keyvault-kms at the same time."
+                )
+
+        return disable_azure_keyvault_kms
+
+    def get_disable_azure_keyvault_kms(self) -> bool:
+        """Obtain the value of disable_azure_keyvault_kms.
+
+        This function will verify the parameter by default. If both enable_azure_keyvault_kms and disable_azure_keyvault_kms are specified, raise a
+        MutuallyExclusiveArgumentError.
+
+        :return: bool
+        """
+        return self._get_disable_azure_keyvault_kms(enable_validation=True)
+
     def _get_azure_keyvault_kms_key_id(self, enable_validation: bool = False) -> Union[str, None]:
         """Internal function to obtain the value of azure_keyvault_kms_key_id according to the context.
 
@@ -1964,6 +1995,18 @@ def update_azure_keyvault_kms(self, mc: ManagedCluster) -> ManagedCluster:
                     self.context.get_azure_keyvault_kms_key_vault_resource_id()
                 )
 
+        if self.context.get_disable_azure_keyvault_kms():
+            # get kms profile
+            if mc.security_profile is None:
+                mc.security_profile = self.models.ManagedClusterSecurityProfile()
+            azure_key_vault_kms_profile = mc.security_profile.azure_key_vault_kms
+            if azure_key_vault_kms_profile is None:
+                azure_key_vault_kms_profile = self.models.AzureKeyVaultKms()
+                mc.security_profile.azure_key_vault_kms = azure_key_vault_kms_profile
+
+            # set enabled to False
+            azure_key_vault_kms_profile.enabled = False
+
         return mc
 
     def update_storage_profile(self, mc: ManagedCluster) -> ManagedCluster:
-Original file line number
+Diff line change
 Pending
 +++++++
 +* Support disabling Azure KeyVault KMS.
++
 .5.91
 ++++++