Update release dates and key rotation code/samples (Azure#23688)

Author: mccoyp

sdk/keyvault/azure-keyvault-administration/CHANGELOG.md

@@ -1,6 +1,6 @@
 # Release History
 
-## 4.1.0 (2022-03-25)
+## 4.1.0 (2022-03-28)
 
 ### Features Added
 - Key Vault API version 7.3 is now the default

sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md

@@ -1,6 +1,6 @@
 # Release History
 
-## 4.4.0 (2022-03-25)
+## 4.4.0 (2022-03-28)
 
 ### Features Added
 - Key Vault API version 7.3 is now the default

sdk/keyvault/azure-keyvault-keys/CHANGELOG.md

@@ -1,6 +1,6 @@
 # Release History
 
-## 4.5.0 (2022-03-25)
+## 4.5.0 (2022-03-28)
 
 ### Features Added
 - Key Vault API version 7.3 is now the default

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_client.py

@@ -815,7 +815,7 @@ def update_key_rotation_policy(self, key_name, policy, **kwargs):
             ]
 
         attributes = self._models.KeyRotationPolicyAttributes(expiry_time=kwargs.pop("expires_in", policy.expires_in))
-        new_policy = self._models.KeyRotationPolicy(lifetime_actions=lifetime_actions, attributes=attributes)
+        new_policy = self._models.KeyRotationPolicy(lifetime_actions=lifetime_actions or [], attributes=attributes)
         result = self._client.update_key_rotation_policy(
             vault_base_url=self._vault_url, key_name=key_name, key_rotation_policy=new_policy
         )

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_client.py

@@ -798,7 +798,7 @@ async def update_key_rotation_policy(
             ]
 
         attributes = self._models.KeyRotationPolicyAttributes(expiry_time=kwargs.pop("expires_in", policy.expires_in))
-        new_policy = self._models.KeyRotationPolicy(lifetime_actions=lifetime_actions, attributes=attributes)
+        new_policy = self._models.KeyRotationPolicy(lifetime_actions=lifetime_actions or [], attributes=attributes)
         result = await self._client.update_key_rotation_policy(
             vault_base_url=self._vault_url, key_name=key_name, key_rotation_policy=new_policy
         )

sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py

@@ -4,7 +4,7 @@
 # ------------------------------------
 import os
 from azure.identity import DefaultAzureCredential
-from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotationPolicyAction
+from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotationPolicy, KeyRotationPolicyAction
 
 # ----------------------------------------------------------------------------------------------------------
 # Prerequisites:
@@ -45,30 +45,51 @@
 key = client.create_rsa_key(key_name)
 print("\nCreated a key; new version is {}".format(key.properties.version))
 
-# Set the key's automated rotation policy to rotate the key two months after the key was created
-actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_after_create="P2M")]
-updated_policy = client.update_key_rotation_policy(key_name, lifetime_actions=actions)
+# Set the key's automated rotation policy to rotate the key two months after the key was created.
+# If you pass an empty KeyRotationPolicy() as the `policy` parameter, the rotation policy will be set to the
+# default policy. Any keyword arguments will update specified properties of the policy.
+actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate, time_after_create="P2M")]
+updated_policy = client.update_key_rotation_policy(
+    key_name, KeyRotationPolicy(), expires_in="P90D", lifetime_actions=actions
+)
+assert updated_policy.expires_in == "P90D"
 
-# The created policy should only have one action
-assert len(updated_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action"
-policy_action = updated_policy.lifetime_actions[0]
+# The updated policy should have the specified lifetime action
+policy_action = None
+for i in range(len(updated_policy.lifetime_actions)):
+    if updated_policy.lifetime_actions[i].action == KeyRotationPolicyAction.rotate:
+        policy_action = updated_policy.lifetime_actions[i]
+assert policy_action, "The specified action should exist in the key rotation policy"
+assert policy_action.time_after_create == "P2M", "The action should have the specified time_after_create"
+assert policy_action.time_before_expiry is None, "The action shouldn't have a time_before_expiry"
 print("\nCreated a new key rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create))
 
 # Get the key's current rotation policy
 current_policy = client.get_key_rotation_policy(key_name)
-policy_action = current_policy.lifetime_actions[0]
+policy_action = None
+for i in range(len(current_policy.lifetime_actions)):
+    if current_policy.lifetime_actions[i].action == KeyRotationPolicyAction.rotate:
+        policy_action = current_policy.lifetime_actions[i]
 print("\nCurrent rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create))
 
-# Update the key's automated rotation policy to notify 30 days before the key expires
-new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY, time_before_expiry="P30D")]
-# You may also specify the duration after which the newly rotated key will expire
-# In this example, any new key versions will expire after 90 days
-new_policy = client.update_key_rotation_policy(key_name, expires_in="P90D", lifetime_actions=new_actions)
+# Update the key's automated rotation policy to notify 10 days before the key expires
+new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.notify, time_before_expiry="P10D")]
+# To preserve an existing rotation policy, pass in the existing policy as the `policy` parameter.
+# Any property specified as a keyword argument will be overridden completely by the provided value.
+# In this case, the rotate action we created earlier will be removed from the policy.
+new_policy = client.update_key_rotation_policy(key_name, current_policy, lifetime_actions=new_actions)
+assert new_policy.expires_in == "P90D", "The key's expiry time should have been preserved"
 
-# The updated policy should only have one action
-assert len(new_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action"
-policy_action = new_policy.lifetime_actions[0]
-print("\nUpdated rotation policy: {} {} before expiry".format(policy_action.action, policy_action.time_before_expiry))
+# The updated policy should include the new notify action
+notify_action = None
+for i in range(len(new_policy.lifetime_actions)):
+    if new_policy.lifetime_actions[i].action == KeyRotationPolicyAction.notify:
+        notify_action = new_policy.lifetime_actions[i]
+
+assert notify_action, "The specified action should exist in the key rotation policy"
+assert notify_action.time_after_create is None, "The action shouldn't have a time_after_create"
+assert notify_action.time_before_expiry == "P10D", "The action should have the specified time_before_expiry"
+print("\nNew policy action: {} {} before expiry".format(notify_action.action, notify_action.time_before_expiry))
 
 # Finally, you can rotate a key on-demand by creating a new version of the key
 rotated_key = client.rotate_key(key_name)

sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py

@@ -5,7 +5,7 @@
 import asyncio
 import os
 from azure.identity.aio import DefaultAzureCredential
-from azure.keyvault.keys import KeyRotationLifetimeAction, KeyRotationPolicyAction
+from azure.keyvault.keys import KeyRotationLifetimeAction, KeyRotationPolicy, KeyRotationPolicyAction
 from azure.keyvault.keys.aio import KeyClient
 
 # ----------------------------------------------------------------------------------------------------------
@@ -48,34 +48,53 @@ async def run_sample():
     key = await client.create_rsa_key(key_name)
     print("\nCreated a key; new version is {}".format(key.properties.version))
 
-    # Set the key's automated rotation policy to rotate the key two months after the key was created
-    actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_after_create="P2M")]
-    updated_policy = await client.update_key_rotation_policy(key_name, lifetime_actions=actions)
+    # Set the key's automated rotation policy to rotate the key two months after the key was created.
+    # If you pass an empty KeyRotationPolicy() as the `policy` parameter, the rotation policy will be set to the
+    # default policy. Any keyword arguments will update specified properties of the policy.
+    actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate, time_after_create="P2M")]
+    updated_policy = await client.update_key_rotation_policy(
+        key_name, KeyRotationPolicy(), expires_in="P90D", lifetime_actions=actions
+    )
+    assert updated_policy.expires_in == "P90D"
 
-    # The created policy should only have one action
-    assert len(updated_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action"
-    policy_action = updated_policy.lifetime_actions[0]
+    # The updated policy should have the specified lifetime action
+    policy_action = None
+    for i in range(len(updated_policy.lifetime_actions)):
+        if updated_policy.lifetime_actions[i].action == KeyRotationPolicyAction.rotate:
+            policy_action = updated_policy.lifetime_actions[i]
+    assert policy_action, "The specified action should exist in the key rotation policy"
+    assert policy_action.time_after_create == "P2M", "The action should have the specified time_after_create"
+    assert policy_action.time_before_expiry is None, "The action shouldn't have a time_before_expiry"
     print(
         "\nCreated a new key rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create)
     )
 
     # Get the key's current rotation policy
     current_policy = await client.get_key_rotation_policy(key_name)
-    policy_action = current_policy.lifetime_actions[0]
+    policy_action = None
+    for i in range(len(current_policy.lifetime_actions)):
+        if current_policy.lifetime_actions[i].action == KeyRotationPolicyAction.rotate:
+            policy_action = current_policy.lifetime_actions[i]
     print("\nCurrent rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create))
 
-    # Update the key's automated rotation policy to notify 30 days before the key expires
-    new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY, time_before_expiry="P30D")]
-    # You may also specify the duration after which the newly rotated key will expire
-    # In this example, any new key versions will expire after 90 days
-    new_policy = await client.update_key_rotation_policy(key_name, expires_in="P90D", lifetime_actions=new_actions)
+    # Update the key's automated rotation policy to notify 10 days before the key expires
+    new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.notify, time_before_expiry="P10D")]
+    # To preserve an existing rotation policy, pass in the existing policy as the `policy` parameter.
+    # Any property specified as a keyword argument will be overridden completely by the provided value.
+    # In this case, the rotate action we created earlier will be removed from the policy.
+    new_policy = await client.update_key_rotation_policy(key_name, current_policy, lifetime_actions=new_actions)
+    assert new_policy.expires_in == "P90D", "The key's expiry time should have been preserved"
 
-    # The updated policy should only have one action
-    assert len(new_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action"
-    policy_action = new_policy.lifetime_actions[0]
-    print(
-        "\nUpdated rotation policy: {} {} before expiry".format(policy_action.action, policy_action.time_before_expiry)
-    )
+    # The updated policy should include the new notify action
+    notify_action = None
+    for i in range(len(new_policy.lifetime_actions)):
+        if new_policy.lifetime_actions[i].action == KeyRotationPolicyAction.notify:
+            notify_action = new_policy.lifetime_actions[i]
+
+    assert notify_action, "The specified action should exist in the key rotation policy"
+    assert notify_action.time_after_create is None, "The action shouldn't have a time_after_create"
+    assert notify_action.time_before_expiry == "P10D", "The action should have the specified time_before_expiry"
+    print("\nNew policy action: {} {} before expiry".format(notify_action.action, notify_action.time_before_expiry))
 
     # Finally, you can rotate a key on-demand by creating a new version of the key
     rotated_key = await client.rotate_key(key_name)