Key rotation swagger change (Azure#11965)

qinl-li · jlichwa · heaths · web-flow · commit f4a4badda9e1 · 2021-06-04T15:01:04.000-07:00
* Key rotation swagger change

* Run PrettierCheck

* fixed spellcheck error

* Update specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/keys.json

Co-authored-by: Heath Stewart &lt;heaths@microsoft.com&gt;

* Update based on comments

* fix prettier failure

* Update Api names

* Add custom words

* Update to key rotation policy

* Remove key rotation policy from response

* Remove required

* fix validation error

* remove parameter force

* Rotate api should be post

* udpate description

* Update UpdateKeyRotationPolicy-example

* Update names

* Microsoft.KeyVault-DP-7.3-preview-KeyAutoRotation

* Update

Co-authored-by: Jack Lichwa &lt;52512203+jlichwa@users.noreply.github.com&gt;
Co-authored-by: Heath Stewart &lt;heaths@microsoft.com&gt;
diff --git a/custom-words.txt b/custom-words.txt
@@ -1593,6 +1593,7 @@ rolloverdetails
 rootfs
 rosettanetprocessconfigurations
 rotatediskencryptionkey
+rotationpolicy
 routable
 routingendpointhealth
 rpki
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/examples/GetKeyRotationPolicy-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/examples/GetKeyRotationPolicy-example.json
@@ -0,0 +1,37 @@
+{
+  "parameters": {
+    "vaultBaseUrl": "https://myvault.vault.azure.net/",
+    "key-name": "key01",
+    "api-version": "7.3-preview"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "https://myvault.vault.azure.net/keys/key01/rotationpolicy",
+        "lifetimeActions": [
+          {
+            "trigger": {
+              "timeAfterCreate": "P90D"
+            },
+            "action": {
+              "type": "rotate"
+            }
+          },
+          {
+            "trigger": {
+              "timeBeforeExpiry": "P30D"
+            },
+            "action": {
+              "type": "notify"
+            }
+          }
+        ],
+        "attributes": {
+          "expiryTime": "P2Y",
+          "created": 1482188947,
+          "updated": 1482188948
+        }
+      }
+    }
+  }
+}
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/examples/RotateKey-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/examples/RotateKey-example.json
@@ -0,0 +1,37 @@
+{
+  "parameters": {
+    "vaultBaseUrl": "https://myvault.vault.azure.net/",
+    "key-name": "Key01",
+    "api-version": "7.3-preview"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "key": {
+          "kid": "https://myvault.vault.azure.net/keys/CreateSoftKeyTest/78deebed173b48e48f55abf87ed4cf71",
+          "kty": "RSA",
+          "key_ops": [
+            "encrypt",
+            "decrypt",
+            "sign",
+            "verify",
+            "wrapKey",
+            "unwrapKey"
+          ],
+          "n": "2HJAE5fU3Cw2Rt9hEuq-F6XjINKGa-zskfISVqopqUy60GOs2eyhxbWbJBeUXNor_gf-tXtNeuqeBgitLeVa640UDvnEjYTKWjCniTxZRaU7ewY8BfTSk-7KxoDdLsPSpX_MX4rwlAx-_1UGk5t4sQgTbm9T6Fm2oqFd37dsz5-Gj27UP2GTAShfJPFD7MqU_zIgOI0pfqsbNL5xTQVM29K6rX4jSPtylZV3uWJtkoQIQnrIHhk1d0SC0KwlBV3V7R_LVYjiXLyIXsFzSNYgQ68ZjAwt8iL7I8Osa-ehQLM13DVvLASaf7Jnu3sC3CWl3Gyirgded6cfMmswJzY87w",
+          "e": "AQAB"
+        },
+        "attributes": {
+          "enabled": true,
+          "created": 1493942451,
+          "updated": 1493942451,
+          "recoveryLevel": "Recoverable+Purgeable"
+        },
+        "tags": {
+          "purpose": "unit test",
+          "test name ": "CreateGetDeleteKeyTest"
+        }
+      }
+    }
+  }
+}
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/examples/UpdateKeyRotationPolicy-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/examples/UpdateKeyRotationPolicy-example.json
@@ -0,0 +1,60 @@
+{
+  "parameters": {
+    "vaultBaseUrl": "https://myvault.vault.azure.net/",
+    "key-name": "updateKey01",
+    "api-version": "7.3-preview",
+    "keyRotationPolicy": {
+      "lifetimeActions": [
+        {
+          "trigger": {
+            "timeAfterCreate": "P90D"
+          },
+          "action": {
+            "type": "rotate"
+          }
+        },
+        {
+          "trigger": {
+            "timeBeforeExpiry": "P30D"
+          },
+          "action": {
+            "type": "notify"
+          }
+        }
+      ],
+      "attributes": {
+        "expirationTime": "P2Y"
+      }
+    }
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "id": "https://myvault.vault.azure.net/keys/updateKey01/rotationpolicy",
+        "lifetimeActions": [
+          {
+            "trigger": {
+              "timeAfterCreate": "P90D"
+            },
+            "action": {
+              "type": "rotate"
+            }
+          },
+          {
+            "trigger": {
+              "timeBeforeExpiry": "P30D"
+            },
+            "action": {
+              "type": "notify"
+            }
+          }
+        ],
+        "attributes": {
+          "expiryTime": "P2Y",
+          "created": 1482188947,
+          "updated": 1482188948
+        }
+      }
+    }
+  }
+}
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/keys.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/keys.json
@@ -79,6 +79,48 @@
         }
       }
     },
+    "/keys/{key-name}/rotate": {
+      "post": {
+        "tags": [
+          "Keys"
+        ],
+        "operationId": "RotateKey",
+        "summary": "Creates a new key version, stores it, then returns key parameters, attributes and policy to the client.",
+        "description": "The operation will rotate the key based on the key policy. It requires the keys/rotate permission.",
+        "parameters": [
+          {
+            "name": "key-name",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "pattern": "^[0-9a-zA-Z-]+$",
+            "description": "The name of key to be rotated. The system will generate a new version in the specified key."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A key bundle containing the result of the rotate key request.",
+            "schema": {
+              "$ref": "#/definitions/KeyBundle"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "Rotate key": {
+            "$ref": "./examples/RotateKey-example.json"
+          }
+        }
+      }
+    },
     "/keys/{key-name}": {
       "put": {
         "tags": [
@@ -1089,6 +1131,95 @@
         }
       }
     },
+    "/keys/{key-name}/rotationpolicy": {
+      "get": {
+        "tags": [
+          "Keys"
+        ],
+        "operationId": "GetKeyRotationPolicy",
+        "summary": "Lists the policy for a key.",
+        "description": "The GetKeyRotationPolicy operation returns the specified key policy resources in the specified key vault. This operation requires the keys/get permission.",
+        "parameters": [
+          {
+            "name": "key-name",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The name of the key in a given key vault."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "The key rotation policy.",
+            "schema": {
+              "$ref": "#/definitions/KeyRotationPolicy"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "GetKeyRotationPolicy": {
+            "$ref": "./examples/GetKeyRotationPolicy-example.json"
+          }
+        }
+      },
+      "put": {
+        "tags": [
+          "keys"
+        ],
+        "operationId": "UpdateKeyRotationPolicy",
+        "summary": "Updates the rotation policy for a key.",
+        "description": "Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission.",
+        "parameters": [
+          {
+            "name": "key-name",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "description": "The name of the key in the given vault."
+          },
+          {
+            "name": "keyRotationPolicy",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/KeyRotationPolicy"
+            },
+            "description": "The policy for the key."
+          },
+          {
+            "$ref": "#/parameters/ApiVersionParameter"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "The policy for the key.",
+            "schema": {
+              "$ref": "#/definitions/KeyRotationPolicy"
+            }
+          },
+          "default": {
+            "description": "Key Vault error response describing why the operation failed.",
+            "schema": {
+              "$ref": "common.json#/definitions/KeyVaultError"
+            }
+          }
+        },
+        "x-ms-examples": {
+          "UpdateKeyRotationPolicy": {
+            "$ref": "./examples/UpdateKeyRotationPolicy-example.json"
+          }
+        }
+      }
+    },
     "/rng": {
       "post": {
         "tags": [
@@ -2060,6 +2191,101 @@
       },
       "description": "The backup key result, containing the backup blob."
     },
+    "KeyRotationPolicy": {
+      "properties": {
+        "id": {
+          "type": "string",
+          "description": "The key policy id.",
+          "readOnly": true
+        },
+        "lifetimeActions": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/LifetimeActions"
+          },
+          "description": "Actions that will be performed by Key Vault over the lifetime of a key. For preview, lifetimeActions can only have two items at maximum: one for rotate, one for notify. Notification time would be default to 30 days before expiry and it is not configurable."
+        },
+        "attributes": {
+          "$ref": "#/definitions/KeyRotationPolicyAttributes",
+          "description": "The key rotation policy attributes."
+        }
+      },
+      "description": "Management policy for a key."
+    },
+    "LifetimeActions": {
+      "properties": {
+        "trigger": {
+          "$ref": "#/definitions/LifetimeActionsTrigger",
+          "description": "The condition that will execute the action."
+        },
+        "action": {
+          "$ref": "#/definitions/LifetimeActionsType",
+          "description": "The action that will be executed."
+        }
+      },
+      "description": "Action and its trigger that will be performed by Key Vault over the lifetime of a key."
+    },
+    "LifetimeActionsTrigger": {
+      "properties": {
+        "timeAfterCreate": {
+          "type": "string",
+          "description": "Time after creation to attempt rotate. It will be in ISO 8601 format. Example: 90 days : \"P90D\" "
+        },
+        "timeBeforeExpiry": {
+          "type": "string",
+          "description": "Time before expiry to attempt rotate. It will be in ISO 8601 format. Example: 90 days : \"P90D\""
+        }
+      },
+      "description": "A condition to be satisfied for an action to be executed."
+    },
+    "LifetimeActionsType": {
+      "properties": {
+        "type": {
+          "type": "string",
+          "description": "The type of the action.",
+          "enum": [
+            "rotate",
+            "notify"
+          ],
+          "x-ms-enum": {
+            "name": "ActionType",
+            "modelAsString": false,
+            "values": [
+              {
+                "value": "rotate",
+                "description": "Rotate the key based on the key policy."
+              },
+              {
+                "value": "notify",
+                "description": "Trigger event grid events. For preview, the notification time is not configurable and it is default to 30 days before expiry."
+              }
+            ]
+          }
+        }
+      },
+      "description": "The action that will be executed."
+    },
+    "KeyRotationPolicyAttributes": {
+      "properties": {
+        "expiryTime": {
+          "type": "string",
+          "description": "The expiryTime will be applied on the new key version. It should be at least 28 days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: PT48H, 1 year and 10 days: P1Y10D"
+        },
+        "created": {
+          "type": "integer",
+          "format": "unixtime",
+          "readOnly": true,
+          "description": "The key rotation policy created time in UTC."
+        },
+        "updated": {
+          "type": "integer",
+          "format": "unixtime",
+          "readOnly": true,
+          "description": "The key rotation policy's last updated time in UTC."
+        }
+      },
+      "description": "The key rotation policy attributes."
+    },
     "KeyReleaseResult": {
       "properties": {
         "value": {
