Added the ability to deploy a Managed HSM in our CI pipelines. (Azure#22319)

* Added the ability to provision a Managed HSM for CI runs.

* Updated Key Vault Administration tests.

* Added HSM tests for Key Vault Keys.

* Removed unused imports.

* Fixed test issues. Added missing recordings.

* Applied PR feedback.

* Applied PR feedback and fixed backup/restore tests.

* Fixed tests playback issue.

* Applied ARM template fixes for MSHM.

Author: vcolin7

sdk/keyvault/.gitignore

@@ -1,4 +1,7 @@
 *.class
+*.cer
+*.key
+*.pfx
 
 #External libs
 extlib/

sdk/keyvault/azure-security-keyvault-administration/pom.xml

@@ -86,6 +86,18 @@
       <version>1.7.0</version> <!-- {x-version-update;com.azure:azure-core-http-okhttp;dependency} -->
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-security-keyvault-keys</artifactId>
+      <version>4.2.8</version> <!-- {x-version-update;com.azure:azure-security-keyvault-keys;dependency} -->
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-storage-blob</artifactId>
+      <version>12.12.0</version> <!-- {x-version-update;com.azure:azure-storage-blob;dependency} -->
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>

sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlAsyncClient.java

@@ -24,7 +24,6 @@
 import com.azure.security.keyvault.administration.implementation.KeyVaultAdministrationUtils;
 import com.azure.security.keyvault.administration.implementation.KeyVaultErrorCodeStrings;
 import com.azure.security.keyvault.administration.implementation.models.DataAction;
-import com.azure.security.keyvault.administration.implementation.models.KeyVaultErrorException;
 import com.azure.security.keyvault.administration.implementation.models.Permission;
 import com.azure.security.keyvault.administration.implementation.models.RoleAssignment;
 import com.azure.security.keyvault.administration.implementation.models.RoleAssignmentCreateParameters;
@@ -34,8 +33,8 @@
 import com.azure.security.keyvault.administration.implementation.models.RoleDefinitionCreateParameters;
 import com.azure.security.keyvault.administration.implementation.models.RoleDefinitionProperties;
 import com.azure.security.keyvault.administration.implementation.models.RoleScope;
-import com.azure.security.keyvault.administration.models.KeyVaultDataAction;
 import com.azure.security.keyvault.administration.models.KeyVaultAdministrationException;
+import com.azure.security.keyvault.administration.models.KeyVaultDataAction;
 import com.azure.security.keyvault.administration.models.KeyVaultPermission;
 import com.azure.security.keyvault.administration.models.KeyVaultRoleAssignment;
 import com.azure.security.keyvault.administration.models.KeyVaultRoleAssignmentProperties;
@@ -254,7 +253,7 @@ public Mono<KeyVaultRoleDefinition> setRoleDefinition(KeyVaultRoleScope roleScop
     }
 
     /**
-     * Creates or updates a {@link KeyVaultRoleDefinition}. If no name is provided, then a 
+     * Creates or updates a {@link KeyVaultRoleDefinition}. If no name is provided, then a
      * {@link KeyVaultRoleDefinition} will be created with a randomly generated name.
      *
      * @param roleScope The {@link KeyVaultRoleScope role scope} of the {@link KeyVaultRoleDefinition}. Managed HSM only
@@ -456,8 +455,7 @@ Mono<Response<KeyVaultRoleDefinition>> getRoleDefinitionWithResponse(KeyVaultRol
      *
      * @return A {@link Mono} of a {@link Void}.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleDefinition role definition} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException If the {@link KeyVaultRoleScope role scope} or {@link String roleDefinitionName} are
      * {@code null}.
      */
@@ -474,8 +472,7 @@ public Mono<Void> deleteRoleDefinition(KeyVaultRoleScope roleScope, String roleD
      *
      * @return A {@link Mono} containing a {@link Response} with a {@link Void} value.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleDefinition role definition} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException If the {@link KeyVaultRoleScope role scope} or {@link String roleDefinitionName} are
      * {@code null}.
      */
@@ -494,8 +491,7 @@ public Mono<Response<Void>> deleteRoleDefinitionWithResponse(KeyVaultRoleScope r
      *
      * @return A {@link Mono} containing a {@link Response} with a {@link Void} value.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleDefinition role definition} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException If the {@link KeyVaultRoleScope role scope} or {@link String roleDefinitionName} are
      * {@code null}.
      */
@@ -518,7 +514,8 @@ Mono<Response<Void>> deleteRoleDefinitionWithResponse(KeyVaultRoleScope roleScop
                 .doOnError(error -> logger.warning("Failed to delete role assignment - {}", roleDefinitionName, error))
                 .onErrorMap(KeyVaultAdministrationUtils::mapThrowableToKeyVaultAdministrationException)
                 .map(response -> (Response<Void>) new SimpleResponse<Void>(response, null))
-                .onErrorResume(KeyVaultErrorException.class, e -> swallowExceptionForStatusCode(404, e, logger));
+                .onErrorResume(KeyVaultAdministrationException.class, e ->
+                    swallowExceptionForStatusCode(404, e, logger));
         } catch (RuntimeException e) {
             return monoError(logger, e);
         }
@@ -839,8 +836,7 @@ Mono<Response<KeyVaultRoleAssignment>> getRoleAssignmentWithResponse(KeyVaultRol
      *
      * @return A {@link Mono} of a {@link Void}.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleAssignment role assignment} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException If the {@link KeyVaultRoleScope role scope} or {@link String roleAssignmentName} are
      * {@code null}.
      */
@@ -857,8 +853,7 @@ public Mono<Void> deleteRoleAssignment(KeyVaultRoleScope roleScope, String roleA
      *
      * @return A {@link Mono} containing a {@link Response} with a {@link Void} value.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleAssignment role assignment} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException If the {@link KeyVaultRoleScope role scope} or {@link String roleAssignmentName} are
      * {@code null}.
      */
@@ -877,8 +872,7 @@ public Mono<Response<Void>> deleteRoleAssignmentWithResponse(KeyVaultRoleScope r
      *
      * @return A {@link Mono} containing a {@link Response} with a {@link Void} value.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleAssignment role assignment} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException If the {@link KeyVaultRoleScope role scope} or {@link String roleAssignmentName} are
      * {@code null}.
      */
@@ -900,7 +894,8 @@ Mono<Response<Void>> deleteRoleAssignmentWithResponse(KeyVaultRoleScope roleScop
                 .doOnError(error -> logger.warning("Failed to delete role assignment - {}", roleAssignmentName, error))
                 .onErrorMap(KeyVaultAdministrationUtils::mapThrowableToKeyVaultAdministrationException)
                 .map(response -> (Response<Void>) new SimpleResponse<Void>(response, null))
-                .onErrorResume(KeyVaultErrorException.class, e -> swallowExceptionForStatusCode(404, e, logger));
+                .onErrorResume(KeyVaultAdministrationException.class, e ->
+                    swallowExceptionForStatusCode(404, e, logger));
         } catch (RuntimeException e) {
             return monoError(logger, e);
         }

sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlClient.java

@@ -99,7 +99,7 @@ public KeyVaultRoleDefinition setRoleDefinition(KeyVaultRoleScope roleScope) {
     }
 
     /**
-     * Creates or updates a {@link KeyVaultRoleDefinition} with a given name. If no name is provided, then a 
+     * Creates or updates a {@link KeyVaultRoleDefinition} with a given name. If no name is provided, then a
      * {@link KeyVaultRoleDefinition} will be created with a randomly generated name.
      *
      * @param roleScope The {@link KeyVaultRoleScope role scope} of the {@link KeyVaultRoleDefinition}. Managed HSM
@@ -184,8 +184,7 @@ public Response<KeyVaultRoleDefinition> getRoleDefinitionWithResponse(KeyVaultRo
      * only supports '/'.
      * @param roleDefinitionName The name of the {@link KeyVaultRoleDefinition}.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleDefinition role definition} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException If the {@link KeyVaultRoleScope role scope} or {@link String roleDefinitionName} are
      * {@code null}.
      */
@@ -203,8 +202,7 @@ public void deleteRoleDefinition(KeyVaultRoleScope roleScope, String roleDefinit
      *
      * @return A {@link Response} with a {@link Void} value.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleDefinition role definition} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException If the {@link KeyVaultRoleScope role scope} or {@link String roleDefinitionName} are
      * {@code null}.
      */
@@ -365,8 +363,7 @@ public Response<KeyVaultRoleAssignment> getRoleAssignmentWithResponse(KeyVaultRo
      * @param roleScope The {@link KeyVaultRoleScope role scope} of the {@link KeyVaultRoleAssignment}.
      * @param roleAssignmentName The name of the {@link KeyVaultRoleAssignment}.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleAssignment role assignment} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException if the {@link KeyVaultRoleScope roleScope} or {@link String roleAssignmentName} are
      * {@code null}.
      */
@@ -384,8 +381,7 @@ public void deleteRoleAssignment(KeyVaultRoleScope roleScope, String roleAssignm
      *
      * @return A {@link Response} with a {@link Void} value.
      *
-     * @throws KeyVaultAdministrationException If a {@link KeyVaultRoleAssignment role assignment} with the given name
-     * cannot be found or if the given {@code roleScope} is invalid.
+     * @throws KeyVaultAdministrationException If the given {@code roleScope} is invalid.
      * @throws NullPointerException if the {@link KeyVaultRoleScope roleScope} or {@link String roleAssignmentName} are
      * {@code null}.
      */