Antoshni cosmos db 2021 10 15 preview cek management (#1)

* Adds base for updating Microsoft.DocumentDB from version preview/2021-07-01-preview to version 2021-10-15-preview * Updates readme * Updates API version in new specs and examples * ClientEncryptionKey management API changes * Address semantics validation errors * Fix representation of wrappedDek * fix Swagger prettier formatting check * minor edits to address comments" * fix LintDiff error * Adds base for updating Microsoft.DocumentDB from version preview/2021-07-01-preview to version 2021-10-15-preview * Updates readme * Updates API version in new specs and examples * remove CreateUpdateOptions as they arent applicable for CEK * fix Model validation check Co-authored-by: anujtoshniwal <62551957+anujtoshniwal@users.noreply.github.com> Co-authored-by: Anuj Toshniwal <antoshni@microsoft.com>
yuzhangyi · Sep 29, 2021 · 60844c7 · 60844c7
1 parent 1db5652
commit 60844c7
Show file tree

Hide file tree

Showing 5 changed files with 377 additions and 0 deletions.
diff --git a/custom-words.txt b/custom-words.txt
@@ -352,6 +352,7 @@ classificationrules
 clfs
 Clickthrough
 clientaccesspolicy
+ClientEncryptionKeys
 clienterror
 clientgroup
 clientlib

diff --git a/...cosmos-db/resource-manager/Microsoft.DocumentDB/preview/2021-10-15-preview/cosmos-db.json b/...cosmos-db/resource-manager/Microsoft.DocumentDB/preview/2021-10-15-preview/cosmos-db.json
@@ -1932,6 +1932,130 @@
         }
       }
     },
+    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlDatabases/{databaseName}/clientEncryptionKeys": {
+      "get": {
+        "operationId": "SqlResources_ListClientEncryptionKeys",
+        "x-ms-examples": {
+          "CosmosDBClientEncryptionKeysList": {
+            "$ref": "./examples/CosmosDBSqlClientEncryptionKeysList.json"
+          }
+        },
+        "description": "Lists the ClientEncryptionKeys under an existing Azure Cosmos DB SQL database.",
+        "parameters": [
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/SubscriptionIdParameter"
+          },
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/ResourceGroupNameParameter"
+          },
+          {
+            "$ref": "#/parameters/accountNameParameter"
+          },
+          {
+            "$ref": "#/parameters/databaseNameParameter"
+          },
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "The ClientEncryptionKeys were retrieved successfully.",
+            "schema": {
+              "$ref": "#/definitions/ClientEncryptionKeysListResult"
+            }
+          }
+        },
+        "x-ms-pageable": {
+          "nextLinkName": null
+        }
+      }
+    },
+    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlDatabases/{databaseName}/clientEncryptionKeys/{clientEncryptionKeyName}": {
+      "get": {
+        "operationId": "SqlResources_GetClientEncryptionKey",
+        "x-ms-examples": {
+          "CosmosDBClientEncryptionKeyGet": {
+            "$ref": "./examples/CosmosDBSqlClientEncryptionKeyGet.json"
+          }
+        },
+        "description": "Gets the ClientEncryptionKey under an existing Azure Cosmos DB SQL database.",
+        "parameters": [
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/SubscriptionIdParameter"
+          },
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/ResourceGroupNameParameter"
+          },
+          {
+            "$ref": "#/parameters/accountNameParameter"
+          },
+          {
+            "$ref": "#/parameters/databaseNameParameter"
+          },
+          {
+            "$ref": "#/parameters/clientEncryptionKeyNameParameter"
+          },
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "The ClientEncryptionKey was retrieved successfully.",
+            "schema": {
+              "$ref": "#/definitions/ClientEncryptionKeyGetResults"
+            }
+          }
+        }
+      },
+      "put": {
+        "operationId": "SqlResources_CreateUpdateClientEncryptionKey",
+        "x-ms-examples": {
+          "CosmosDBClientEncryptionKeyCreateUpdate": {
+            "$ref": "./examples/CosmosDBSqlClientEncryptionKeyCreateUpdate.json"
+          }
+        },
+        "description": "Create or update a ClientEncryptionKey. This API is meant to be invoked via tools such as the Azure Powershell (instead of directly).",
+        "parameters": [
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/SubscriptionIdParameter"
+          },
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/ResourceGroupNameParameter"
+          },
+          {
+            "$ref": "#/parameters/accountNameParameter"
+          },
+          {
+            "$ref": "#/parameters/databaseNameParameter"
+          },
+          {
+            "$ref": "#/parameters/clientEncryptionKeyNameParameter"
+          },
+          {
+            "$ref": "../../../../../common-types/resource-management/v1/types.json#/parameters/ApiVersionParameter"
+          },
+          {
+            "name": "createUpdateClientEncryptionKeyParameters",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/ClientEncryptionKeyCreateUpdateParameters"
+            },
+            "description": "The parameters to provide for the client encryption key."
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "The client encryption key create or update operation was completed successfully.",
+            "schema": {
+              "$ref": "#/definitions/ClientEncryptionKeyGetResults"
+            }
+          }
+        }
+      }
+    },
     "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlDatabases/{databaseName}/containers": {
       "get": {
         "operationId": "SqlResources_ListSqlContainers",
@@ -5636,6 +5760,20 @@
     }
   },
   "definitions": {
+    "ClientEncryptionKeysListResult": {
+      "type": "object",
+      "properties": {
+        "value": {
+          "readOnly": true,
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/ClientEncryptionKeyGetResults"
+          },
+          "description": "List of client encryption keys and their properties."
+        }
+      },
+      "description": "The List operation response, that contains the client encryption keys and their properties."
+    },
     "DatabaseAccountsListResult": {
       "properties": {
         "value": {
@@ -5990,6 +6128,65 @@
       },
       "x-ms-azure-resource": true
     },
+    "ClientEncryptionKeyCreateUpdateParameters": {
+      "description": "Parameters to create and update ClientEncryptionKey.",
+      "type": "object",
+      "properties": {
+        "properties": {
+          "x-ms-client-flatten": true,
+          "description": "Properties to create and update ClientEncryptionKey.",
+          "$ref": "#/definitions/ClientEncryptionKeyCreateUpdateProperties"
+        }
+      },
+      "required": [
+        "properties"
+      ]
+    },
+    "ClientEncryptionKeyCreateUpdateProperties": {
+      "description": "Properties to create and update ClientEncryptionKey.",
+      "type": "object",
+      "properties": {
+        "resource": {
+          "description": "The standard JSON format of a ClientEncryptionKey",
+          "$ref": "#/definitions/ClientEncryptionKeyResource"
+        }
+      },
+      "required": [
+        "resource"
+      ]
+    },
+    "ClientEncryptionKeyGetResults": {
+      "description": "Client Encryption Key.",
+      "type": "object",
+      "properties": {
+        "properties": {
+          "x-ms-client-flatten": true,
+          "description": "The properties of a ClientEncryptionKey",
+          "$ref": "#/definitions/ClientEncryptionKeyGetProperties"
+        }
+      },
+      "allOf": [
+        {
+          "$ref": "#/definitions/ARMProxyResource"
+        }
+      ]
+    },
+    "ClientEncryptionKeyGetProperties": {
+      "description": "The properties of a ClientEncryptionKey resource",
+      "type": "object",
+      "properties": {
+        "resource": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/ClientEncryptionKeyResource"
+            },
+            {
+              "$ref": "#/definitions/ExtendedResourceProperties"
+            }
+          ]
+        }
+      }
+    },
     "DatabaseAccountGetResults": {
       "description": "An Azure Cosmos DB database account.",
       "type": "object",
@@ -7917,6 +8114,43 @@
         }
       }
     },
+    "ClientEncryptionKeyResource": {
+      "type": "object",
+      "description": "Cosmos DB client encryption key resource object.",
+      "properties": {
+        "encryptionAlgorithm": {
+          "type": "string",
+          "description": "Encryption algorithm that will be used along with this client encryption key to encrypt/decrypt data."
+        },
+        "wrappedDataEncryptionKey": {
+          "type": "string",
+          "format": "byte",
+          "description": "Wrapped (encrypted) form of the key represented as a byte array."
+        },
+        "keyWrapMetadata": {
+          "description": "Metadata for the wrapping provider that can be used to unwrap the wrapped client encryption key.",
+          "$ref": "#/definitions/KeyWrapMetadata"
+        }
+      }
+    },
+    "KeyWrapMetadata": {
+      "type": "object",
+      "description": "Represents key wrap metadata that a key wrapping provider can use to wrap/unwrap a client encryption key.",
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "The name of associated KeyEncryptionKey (aka CustomerManagedKey)."
+        },
+        "type": {
+          "type": "string",
+          "description": "ProviderName of KeyStoreProvider."
+        },
+        "value": {
+          "type": "string",
+          "description": "Reference / link to the KeyEncryptionKey."
+        }
+      }
+    },
     "SqlDatabaseResource": {
       "type": "object",
       "description": "Cosmos DB SQL database resource object",
@@ -9601,6 +9835,14 @@
       "x-ms-parameter-location": "method",
       "description": "Cosmos DB database name."
     },
+    "clientEncryptionKeyNameParameter": {
+      "name": "clientEncryptionKeyName",
+      "in": "path",
+      "required": true,
+      "type": "string",
+      "x-ms-parameter-location": "method",
+      "description": "Cosmos DB ClientEncryptionKey name."
+    },
     "containerNameParameter": {
       "name": "containerName",
       "in": "path",

diff --git a/...entDB/preview/2021-10-15-preview/examples/CosmosDBSqlClientEncryptionKeyCreateUpdate.json b/...entDB/preview/2021-10-15-preview/examples/CosmosDBSqlClientEncryptionKeyCreateUpdate.json
@@ -0,0 +1,46 @@
+{
+  "parameters": {
+    "api-version": "2021-10-15-preview",
+    "subscriptionId": "subId",
+    "resourceGroupName": "rgName",
+    "accountName": "accountName",
+    "databaseName": "databaseName",
+    "clientEncryptionKeyName": "cekName",
+    "createUpdateClientEncryptionKeyParameters": {
+      "properties": {
+        "resource": {
+          "encryptionAlgorithm": "AEAD_AES_256_CBC_HMAC_SHA256",
+          "wrappedDataEncryptionKey": "This is actually an array of bytes. This request/response is being presented as a string for readability in the example",
+          "keyWrapMetadata": {
+            "name": "customerManagedKey",
+            "type": "AzureKeyVault",
+            "value": "AzureKeyVault Key URL"
+          }
+        }
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.DocumentDB/databaseAccounts/accountName/sqlDatabases/databaseName/clientEncryptionKeys/cekName",
+        "name": "cekName",
+        "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/clientEncryptionKey",
+        "properties": {
+          "resource": {
+            "encryptionAlgorithm": "AEAD_AES_256_CBC_HMAC_SHA256",
+            "wrappedDataEncryptionKey": "This is actually an array of bytes. This request/response is being presented as a string for readability in the example",
+            "keyWrapMetadata": {
+              "name": "customerManagedKey",
+              "type": "AzureKeyVault",
+              "value": "AzureKeyVault Key URL"
+            },
+            "_rid": "tNc4AAAAAAAQkjzWAgAAAA==",
+            "_ts": 1626425552,
+            "_etag": "00000000-0000-0000-7a1f-bc0828e801d7"
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/...oft.DocumentDB/preview/2021-10-15-preview/examples/CosmosDBSqlClientEncryptionKeyGet.json b/...oft.DocumentDB/preview/2021-10-15-preview/examples/CosmosDBSqlClientEncryptionKeyGet.json
@@ -0,0 +1,33 @@
+{
+  "parameters": {
+    "api-version": "2021-10-15-preview",
+    "subscriptionId": "subId",
+    "resourceGroupName": "rgName",
+    "accountName": "accountName",
+    "databaseName": "databaseName",
+    "clientEncryptionKeyName": "cekName"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.DocumentDB/databaseAccounts/accountName/sqlDatabases/databaseName/clientEncryptionKeys/cekName",
+        "name": "cekName",
+        "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/clientEncryptionKey",
+        "properties": {
+          "resource": {
+            "encryptionAlgorithm": "AEAD_AES_256_CBC_HMAC_SHA256",
+            "wrappedDataEncryptionKey": "This is actually an array of bytes. This request/response is being presented as a string for readability in the example",
+            "keyWrapMetadata": {
+              "name": "customerManagedKey",
+              "type": "AzureKeyVault",
+              "value": "AzureKeyVault Key URL"
+            },
+            "_rid": "tNc4AAAAAAAQkjzWAgAAAA==",
+            "_ts": 1626425552,
+            "_etag": "00000000-0000-0000-7a1f-bc0828e801d7"
+          }
+        }
+      }
+    }
+  }
+}