Mirror of https://github.com/Azure/AzureKeyVault.git
Soft delete (#3)
* support vault soft-delete
* linting
* update news, desc
* del resgrps after testing
Parent: f0daca523d
Commit: 960a842d17
|
@ -1,6 +1,6 @@
|
|||
Package: AzureKeyVault
|
||||
Title: Key and Secret Management in 'Azure'
|
||||
Version: 1.0.2
|
||||
Version: 1.0.2.9000
|
||||
Authors@R: c(
|
||||
person("Hong", "Ooi", , "hongooi@microsoft.com", role = c("aut", "cre")),
|
||||
person("Microsoft", role="cph")
|
||||
|
|
NEWS.md (4 lines changed)
|
@ -1,3 +1,7 @@
|
|||
# AzureKeyVault 1.0.2.9000
|
||||
|
||||
- Support the soft-delete feature for Key Vaults. By default, a new vault will be created with soft-deletion enabled, which protects the vault and its contents from accidental/malicious deletion. A soft-deleted vault is held for a retention period (90 days) during which it can be restored. To hard-delete a soft-deleted vault, call the new `purge_key_vault` method, or specify `purge=TRUE` when deleting the vault.
|
||||
|
||||
# AzureKeyVault 1.0.2
|
||||
|
||||
- Use `utils::askYesNo` for confirmation prompts on R >= 3.5; this fixes a bug in reading the input. As a side-effect, Windows users who are using RGUI.exe will see a popup dialog box instead of a message in the terminal.
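Review bot: the NEWS entry should flag that `soft_delete=TRUE` is now the default for `create_key_vault`, which changes an existing workflow: `delete_key_vault(name)` without `purge=TRUE` now leaves the vault (and its name) reserved for the 90-day retention period, so recreating the name in another resource group fails until the vault is purged or recovered. It should also name the new `purge_protection` argument and the `list_deleted_key_vaults` method, neither of which the entry mentions.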
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#' @import AzureGraph
|
||||
NULL
|
||||
|
||||
utils::globalVariables(c("self", "private"))
|
||||
utils::globalVariables(c("self", "private", "super"))
|
||||
|
||||
.az_cli_app_id <- "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
|
||||
|
||||
|
|
R/add_methods.R (190 lines changed)
|
@ -17,6 +17,11 @@
|
|||
#' - `location`: The location/region in which to create the account. Defaults to the resource group location.
|
||||
#' - `initial_access`: The user or service principals that will have access to the vault. This should be a list of objects of type `[vault_access_policy]`, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
|
||||
#' - `sku`: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).
|
||||
#' - `allow_vm_access`: Whether to allow Azure virtual machines to retrieve certificates from the vault.
|
||||
#' - `allow_arm_access`: Whether to allow Azure Resource Manager to retrieve secrets from the vault for template deployment purposes.
|
||||
#' - `allow_disk_encryption_access`: Whether to allow Azure Disk Encryption to retrieve secrets and keys from the vault.
|
||||
#' - `soft_delete`: Whether soft-deletion should be enabled for this vault. Soft-deletion is a feature which protects both the vault itself and its contents from accidental/malicious deletion; see below.
|
||||
#' - `purge_protection`: Whether purge protection is enabled. If this is TRUE and soft-deletion is enabled for the vault, manual purges are not allowed. Has no effect if `soft_delete=FALSE`.
|
||||
#' - `...`: Other named arguments to pass to the [az_key_vault] initialization function.
|
||||
#' - `wait`: Whether to wait for the resource creation to complete before returning.
|
||||
#'
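Review bot: the `purge_protection` description should say that it is a one-way switch. The implementation only ever sends `enablePurgeProtection=TRUE`, with the comment "API doesn't allow setting it to FALSE", so a caller who passes `purge_protection=TRUE` cannot later disable it, and a soft-deleted vault with it on can only be removed by waiting out the retention period. Suggest adding: "Once enabled, purge protection cannot be turned off."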
|
||||
|
@ -25,11 +30,21 @@
|
|||
#'
|
||||
#' A new key vault will have access granted to the user or service principal used to sign in to the Azure Resource Manager client. To manage access policies after creation, use the `add_principal`, `list_principals` and `remove_principal` methods of the key vault object.
|
||||
#'
|
||||
#' Key Vault's soft delete feature allows recovery of the deleted vaults and vault objects, known as soft-delete. Specifically, it addresses the following scenarios:
|
||||
#' - Support for recoverable deletion of a key vault
|
||||
#' - Support for recoverable deletion of key vault objects (keys, secrets, certificates)
|
||||
#'
|
||||
#' With this feature, the delete operation on a key vault or key vault object is a soft-delete, effectively holding the resources for a given retention period (90 days), while giving the appearance that the object is deleted. The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
|
||||
#'
|
||||
#' Soft-deleted vaults can be purged (permanently removed) by calling the `purge_key_vault` method for the resource group or subscription classes. The purge protection optional feature provides an additional layer of protection by forbidding manual purges; when this is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed.
|
||||
#'
|
||||
#' To see what soft-deleted key vaults exist, call the `list_deleted_key_vaults` method. To recover a soft-deleted key vault, call the `create_key_vault` method from the vault's original resource group, with the vault name. To purge (permanently delete) it, call the `purge_key_vault` method.
|
||||
#'
|
||||
#' @section Value:
|
||||
#' An object of class `az_key_vault` representing the created key vault.
|
||||
#'
|
||||
#' @seealso
|
||||
#' [get_key_vault], [delete_key_vault], [az_key_vault], [vault_access_policy]
|
||||
#' [get_key_vault], [delete_key_vault], [purge_key_vault], [az_key_vault], [vault_access_policy]
|
||||
#'
|
||||
#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
|
||||
#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
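Review bot: the details text promises recoverable deletion of vault objects (keys, secrets, certificates), but nothing in this change exposes listing or recovering deleted objects; only vault-level `list_deleted_key_vaults`, `purge_key_vault` and recovery via `create_key_vault` are added. Either scope the paragraph to vaults or state that object-level recovery is not exposed by this package. Minor wording point: "allows recovery of the deleted vaults and vault objects, known as soft-delete" is circular and reads better as "Key Vault's soft-delete feature allows a deleted vault or vault object to be recovered".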
|
||||
|
@ -106,18 +121,23 @@ NULL
|
|||
#'
|
||||
#' @section Usage:
|
||||
#' ```
|
||||
#' delete_key_vault(name, confirm=TRUE, wait=FALSE)
|
||||
#' delete_key_vault(name, confirm=TRUE, wait=FALSE, purge=FALSE)
|
||||
#' ```
|
||||
#' @section Arguments:
|
||||
#' - `name`: The name of the key vault.
|
||||
#' - `confirm`: Whether to ask for confirmation before deleting.
|
||||
#' - `wait`: Whether to wait until the deletion is complete.
|
||||
#' - `wait`: Whether to wait until the deletion is complete. Note that `purge=TRUE` will set `wait=TRUE` as well.
|
||||
#' - `purge`: For a vault with the soft-deletion feature enabled, whether to purge it as well (hard delete). Has no effect if the vault does not have soft-deletion enabled.
|
||||
#' @details
|
||||
#' Deleting a key vault that has soft-deletion enabled does not permanently remove it. Instead the resource is held for a given retention period (90 days), during which it can be recovered, essentially undoing the deletion.
|
||||
#'
|
||||
#' To see what soft-deleted key vaults exist, call the `list_deleted_key_vaults` method. To recover a soft-deleted key vault, call the `create_key_vault` method from the vault's original resource group, with the vault name. To purge (permanently delete) it, call the `purge_key_vault` method.
|
||||
#'
|
||||
#' @section Value:
|
||||
#' NULL on successful deletion.
|
||||
#'
|
||||
#' @seealso
|
||||
#' [create_key_vault], [get_key_vault], [az_key_vault],
|
||||
#' [create_key_vault], [get_key_vault], [purge_key_vault], [list_deleted_key_vaults], [az_key_vault],
|
||||
#'
|
||||
#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
|
||||
#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
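Review bot: the `purge` argument description should carry the same two caveats the `purge_key_vault` docs carry: a purge is irreversible (the retention safeguard is bypassed and the vault's keys, secrets and certificates go with it), and it fails when purge protection is enabled. As written, a reader of `delete_key_vault` alone sees neither.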
|
||||
|
@ -129,18 +149,97 @@ NULL
|
|||
#' get_subscription("subscription_id")$
|
||||
#' get_resource_group("rgname")
|
||||
#'
|
||||
#' rg$delete_key_vault("mykeyvault")
|
||||
#' # assuming the vault has soft-delete enabled
|
||||
#' rg$delete_key_vault("mykeyvault", purge=FALSE)
|
||||
#'
|
||||
#' # recovering a soft-deleted key vault
|
||||
#' rg$create_key_vault("mykeyvault")
|
||||
#'
|
||||
#' # deleting it for good
|
||||
#' rg$delete_key_vault("mykeyvault", purge=FALSE)
|
||||
#'
|
||||
#' }
|
||||
NULL
|
||||
|
||||
|
||||
#' Purge a deleted Azure Key Vault
|
||||
#'
|
||||
#' Method for the [AzureRMR::az_subscription] and [AzureRMR::az_resource_group] classes.
|
||||
#'
|
||||
#' @rdname purge_key_vault
|
||||
#' @name purge_key_vault
|
||||
#' @aliases purge_key_vault
|
||||
#'
|
||||
#' @section Usage:
|
||||
#' ```
|
||||
#' purge_key_vault(name, location, confirm=TRUE)
|
||||
#' ```
|
||||
#' @section Arguments:
|
||||
#' - `name`,`location`: The name and location of the key vault.
|
||||
#' - `confirm`: Whether to ask for confirmation before permanently deleting the vault.
|
||||
#' @details
|
||||
#' This method permanently deletes a soft-deleted key vault. Note that it will fail if the vault has purge protection enabled.
|
||||
#'
|
||||
#' @section Value:
|
||||
#' NULL on successful purging.
|
||||
#'
|
||||
#' @seealso
|
||||
#' [create_key_vault], [get_key_vault], [delete_key_vault], [list_deleted_key_vaults], [az_key_vault],
|
||||
#'
|
||||
#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
|
||||
#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
|
||||
#'
|
||||
#' @examples
|
||||
#' \dontrun{
|
||||
#'
|
||||
#' rg <- AzureRMR::get_azure_login()$
|
||||
#' get_subscription("subscription_id")$
|
||||
#' get_resource_group("rgname")
|
||||
#'
|
||||
#' # assuming the vault has soft-delete enabled, and is in the same location as its RG
|
||||
#' rg$delete_key_vault("mykeyvault")
|
||||
#' rg$purge_key_vault("mykeyvault", rg$location)
|
||||
#'
|
||||
#' }
|
||||
NULL
|
||||
|
||||
|
||||
#' List soft-deleted Key Vaults
|
||||
#'
|
||||
#' Method for the [AzureRMR::az_subscription] class.
|
||||
#'
|
||||
#' @rdname list_deleted_key_vaults
|
||||
#' @name list_deleted_key_vaults
|
||||
#' @aliases list_deleted_key_vaults
|
||||
#'
|
||||
#' @section Usage:
|
||||
#' ```
|
||||
#' list_deleted_key_vaults()
|
||||
#' ```
|
||||
#' @section Value:
|
||||
#' This method returns a data frame with the following columns:
|
||||
#' - `name`: The name of the deleted key vault.
|
||||
#' - `location`: The location (region) of the vault.
|
||||
#' - `deletion_date`: When the vault was soft-deleted.
|
||||
#' - `purge_date`: When the vault is scheduled to be purged (permanently deleted).
|
||||
#' - `protected`: Whether the vault has purge protection enabled. If TRUE, manual attempts to purge it will fail.
|
||||
#'
|
||||
#' @seealso
|
||||
#' [create_key_vault], [get_key_vault], [delete_key_vault], [purge_key_vault], [az_key_vault],
|
||||
#'
|
||||
#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
|
||||
#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
|
||||
NULL
|
||||
|
||||
|
||||
add_methods <- function()
|
||||
{
|
||||
## extending AzureRMR classes
|
||||
|
||||
AzureRMR::az_resource_group$set("public", "create_key_vault", overwrite=TRUE,
|
||||
function(name, location=self$location, initial_access=default_access(), sku="Standard", ..., wait=TRUE)
|
||||
az_resource_group$set("public", "create_key_vault", overwrite=TRUE,
|
||||
function(name, location=self$location, initial_access=default_access(), sku="Standard",
|
||||
allow_vm_access=FALSE, allow_arm_access=FALSE, allow_disk_encryption_access=FALSE,
|
||||
soft_delete=TRUE, purge_protection=FALSE, ..., wait=TRUE)
|
||||
{
|
||||
creds <- AzureAuth::decode_jwt(self$token$credentials$access_token)
|
||||
tenant <- creds$payload$tid
|
||||
|
@ -160,10 +259,17 @@ add_methods <- function()
|
|||
x$tenantId <- tenant
|
||||
unclass(x)
|
||||
}),
|
||||
enableSoftDelete=soft_delete,
|
||||
enabledForDeployment=allow_vm_access,
|
||||
enabledForTemplateDeployment=allow_arm_access,
|
||||
enabledForDiskEncryption=allow_disk_encryption_access,
|
||||
sku=list(family="A", name=sku)
|
||||
),
|
||||
list(...)
|
||||
)
|
||||
# only set this if TRUE; API doesn't allow setting it to FALSE
|
||||
if(purge_protection && soft_delete)
|
||||
props$enablePurgeProtection <- TRUE
|
||||
|
||||
AzureKeyVault::az_key_vault$new(self$token, self$subscription, self$name,
|
||||
type="Microsoft.KeyVault/vaults", name=name, location=location,
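Review bot: `if(purge_protection && soft_delete) props$enablePurgeProtection <- TRUE` silently drops `purge_protection=TRUE` when `soft_delete=FALSE`, so a caller who explicitly asked for purge protection gets a vault with none. The docs say the argument "has no effect" in that case, but a requested security setting being ignored should at least raise a `warning()`, and arguably `stop()`, rather than pass quietly.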
|
||||
|
@ -171,7 +277,7 @@ add_methods <- function()
|
|||
})
|
||||
|
||||
|
||||
AzureRMR::az_resource_group$set("public", "get_key_vault", overwrite=TRUE,
|
||||
az_resource_group$set("public", "get_key_vault", overwrite=TRUE,
|
||||
function(name)
|
||||
{
|
||||
AzureKeyVault::az_key_vault$new(self$token, self$subscription, self$name,
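Review bot: dropping the `AzureRMR::` prefix on `az_resource_group` here (and on `az_subscription` further down) makes this code depend on those classes being imported into the package namespace; the diff shows no NAMESPACE or `@import AzureRMR` change (the hunk showing `#' @import AzureGraph` does not include the line above it), so confirm the import already exists, otherwise `add_methods()` fails at load time.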
|
||||
|
@ -179,14 +285,22 @@ add_methods <- function()
|
|||
})
|
||||
|
||||
|
||||
AzureRMR::az_resource_group$set("public", "delete_key_vault", overwrite=TRUE,
|
||||
function(name, confirm=TRUE, wait=FALSE)
|
||||
az_resource_group$set("public", "delete_key_vault", overwrite=TRUE,
|
||||
function(name, confirm=TRUE, wait=FALSE, purge=FALSE)
|
||||
{
|
||||
self$get_key_vault(name)$delete(confirm=confirm, wait=wait)
|
||||
self$get_key_vault(name)$delete(confirm=confirm, wait=wait, purge=purge)
|
||||
})
|
||||
|
||||
|
||||
AzureRMR::az_resource_group$set("public", "list_key_vaults", overwrite=TRUE,
|
||||
az_resource_group$set("public", "purge_key_vault", overwrite=TRUE,
|
||||
function(name, location, confirm=TRUE)
|
||||
{
|
||||
sub <- az_subscription$new(self$token, self$subscription)
|
||||
sub$purge_key_vault(name, location, confirm)
|
||||
})
|
||||
|
||||
|
||||
az_resource_group$set("public", "list_key_vaults", overwrite=TRUE,
|
||||
function()
|
||||
{
|
||||
api_version <- az_subscription$
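Review bot: the resource-group `purge_key_vault` is a thin wrapper that constructs an `az_subscription` and calls the subscription-level purge, so it is not scoped to this resource group: a soft-deleted vault with the same name and location that belonged to a different resource group would be purged just the same. Document that the method is subscription-wide, or check the deleted vault's original resource group before issuing the purge.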
|
||||
|
@ -204,4 +318,56 @@ add_methods <- function()
|
|||
named_list(lapply(res, function(parms)
|
||||
AzureKeyVault::az_key_vault$new(self$token, self$subscription, deployed_properties=parms)))
|
||||
})
|
||||
|
||||
|
||||
az_subscription$set("public", "purge_key_vault", overwrite=TRUE,
|
||||
function(name, location, confirm=TRUE)
|
||||
{
|
||||
if(interactive() && confirm)
|
||||
{
|
||||
msg <- sprintf("Do you really want to purge the key vault '%s'?", name)
|
||||
ok <- if(getRversion() < numeric_version("3.5.0"))
|
||||
{
|
||||
msg <- paste(msg, "(yes/No/cancel) ")
|
||||
yn <- readline(msg)
|
||||
if (nchar(yn) == 0)
|
||||
FALSE
|
||||
else tolower(substr(yn, 1, 1)) == "y"
|
||||
}
|
||||
else utils::askYesNo(msg, FALSE)
|
||||
if(!ok)
|
||||
return(invisible(NULL))
|
||||
}
|
||||
|
||||
api_version <- self$get_provider_api_version("Microsoft.KeyVault", "deletedVaults")
|
||||
op <- file.path("providers/Microsoft.KeyVault/locations", location, "deletedVaults", name, "purge")
|
||||
|
||||
self$do_operation(op, api_version=api_version, http_verb="POST")
|
||||
invisible(NULL)
|
||||
})
|
||||
|
||||
|
||||
az_subscription$set("public", "list_deleted_key_vaults", overwrite=TRUE,
|
||||
function()
|
||||
{
|
||||
as_datetime <- function(x)
|
||||
{
|
||||
as.POSIXct(x, format="%Y-%m-%dT%H:%M:%S", tz="GMT")
|
||||
}
|
||||
|
||||
api_version <- self$get_provider_api_version("Microsoft.KeyVault", "deletedVaults")
|
||||
res <- self$do_operation("providers/Microsoft.KeyVault/deletedVaults", api_version=api_version)
|
||||
lst <- get_paged_list(res, self$token)
|
||||
do.call(rbind, lapply(lst, function(x)
|
||||
{
|
||||
data.frame(
|
||||
name=x$name,
|
||||
location=x$properties$location,
|
||||
deletion_date=as_datetime(x$properties$deletionDate),
|
||||
purge_date=as_datetime(x$properties$scheduledPurgeDate),
|
||||
protected=isTRUE(x$properties$purgeProtectionEnabled),
|
||||
stringsAsFactors=FALSE
|
||||
)
|
||||
}))
|
||||
})
|
||||
}
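Review bot: `list_deleted_key_vaults` returns `NULL`, not a data frame, when the subscription has no soft-deleted vaults, because `do.call(rbind, lapply(list(), ...))` is `NULL`; the documented return type is a data frame, and a caller doing `name %in% deleted$name` gets `logical(0)` (the new test does exactly this). Return a zero-row data frame with the documented columns in that case. Smaller point: the yes/no prompt logic in `purge_key_vault` duplicates what the delete path already does via `utils::askYesNo`; a shared helper would keep the two in step.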
|
||||
|
|
R/az_vault.R (13 lines changed)
|
@ -164,6 +164,19 @@ public=list(
|
|||
{
|
||||
url <- self$properties$vaultUri
|
||||
key_vault(url=url, tenant=tenant, app=app, password=password, ...)
|
||||
},
|
||||
|
||||
delete=function(confirm=TRUE, wait=FALSE, purge=FALSE)
|
||||
{
|
||||
if(purge) wait <- TRUE
|
||||
|
||||
super$delete(confirm, wait)
|
||||
if(purge && isTRUE(self$properties$enableSoftDelete))
|
||||
{
|
||||
sub <- az_subscription$new(self$token, self$subscription)
|
||||
sub$purge_key_vault(self$name, self$location, confirm)
|
||||
}
|
||||
invisible(NULL)
|
||||
}
|
||||
))
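Review bot: after `super$delete(confirm, wait)` the purge step runs regardless of whether the delete was actually issued; if the user declines the first prompt, the code goes on to prompt a second time and, on "yes", POSTs a purge for a vault that was never deleted. Gate the purge on the delete having been confirmed and completed, and consider asking once rather than twice, since `confirm` is forwarded to `purge_key_vault` as well.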
|
||||
|
||||
|
|
|
@ -19,6 +19,11 @@ Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} cl
|
|||
\item \code{location}: The location/region in which to create the account. Defaults to the resource group location.
|
||||
\item \code{initial_access}: The user or service principals that will have access to the vault. This should be a list of objects of type \code{[vault_access_policy]}, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
|
||||
\item \code{sku}: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).
|
||||
\item \code{allow_vm_access}: Whether to allow Azure virtual machines to retrieve certificates from the vault.
|
||||
\item \code{allow_arm_access}: Whether to allow Azure Resource Manager to retrieve secrets from the vault for template deployment purposes.
|
||||
\item \code{allow_disk_encryption_access}: Whether to allow Azure Disk Encryption to retrieve secrets and keys from the vault.
|
||||
\item \code{soft_delete}: Whether soft-deletion should be enabled for this vault. Soft-deletion is a feature which protects both the vault itself and its contents from accidental/malicious deletion; see below.
|
||||
\item \code{purge_protection}: Whether purge protection is enabled. If this is TRUE and soft-deletion is enabled for the vault, manual purges are not allowed. Has no effect if \code{soft_delete=FALSE}.
|
||||
\item \code{...}: Other named arguments to pass to the \link{az_key_vault} initialization function.
|
||||
\item \code{wait}: Whether to wait for the resource creation to complete before returning.
|
||||
}
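Review bot: `\code{[vault_access_policy]}` renders as literal brackets rather than a link because the roxygen source wraps `[vault_access_policy]` in backticks; dropping the backticks in the source yields `\link{vault_access_policy}` on the next roxygen run. Pre-existing, but this hunk touches the arguments list and is the place to fix it.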
|
||||
|
@ -29,6 +34,18 @@ Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} cl
|
|||
This method deploys a new key vault resource, with parameters given by the arguments. A key vault is a secure facility for storing and managing encryption keys, certificates, storage account keys, and generic secrets.
|
||||
|
||||
A new key vault will have access granted to the user or service principal used to sign in to the Azure Resource Manager client. To manage access policies after creation, use the \code{add_principal}, \code{list_principals} and \code{remove_principal} methods of the key vault object.
|
||||
|
||||
Key Vault's soft delete feature allows recovery of the deleted vaults and vault objects, known as soft-delete. Specifically, it addresses the following scenarios:
|
||||
\itemize{
|
||||
\item Support for recoverable deletion of a key vault
|
||||
\item Support for recoverable deletion of key vault objects (keys, secrets, certificates)
|
||||
}
|
||||
|
||||
With this feature, the delete operation on a key vault or key vault object is a soft-delete, effectively holding the resources for a given retention period (90 days), while giving the appearance that the object is deleted. The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
|
||||
|
||||
Soft-deleted vaults can be purged (permanently removed) by calling the \code{purge_key_vault} method for the resource group or subscription classes. The purge protection optional feature provides an additional layer of protection by forbidding manual purges; when this is on, a vault or an object in deleted state cannot be purged until the retention period of 90 days has passed.
|
||||
|
||||
To see what soft-deleted key vaults exist, call the \code{list_deleted_key_vaults} method. To recover a soft-deleted key vault, call the \code{create_key_vault} method from the vault's original resource group, with the vault name. To purge (permanently delete) it, call the \code{purge_key_vault} method.
|
||||
}
|
||||
|
||||
\section{Value}{
|
||||
|
@ -55,7 +72,7 @@ rg$create_key_vault("mykeyvault",
|
|||
}
|
||||
}
|
||||
\seealso{
|
||||
\link{get_key_vault}, \link{delete_key_vault}, \link{az_key_vault}, \link{vault_access_policy}
|
||||
\link{get_key_vault}, \link{delete_key_vault}, \link{purge_key_vault}, \link{az_key_vault}, \link{vault_access_policy}
|
||||
|
||||
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
||||
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
||||
|
|
|
@ -6,8 +6,13 @@
|
|||
\description{
|
||||
Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
|
||||
}
|
||||
\details{
|
||||
Deleting a key vault that has soft-deletion enabled does not permanently remove it. Instead the resource is held for a given retention period (90 days), during which it can be recovered, essentially undoing the deletion.
|
||||
|
||||
To see what soft-deleted key vaults exist, call the \code{list_deleted_key_vaults} method. To recover a soft-deleted key vault, call the \code{create_key_vault} method from the vault's original resource group, with the vault name. To purge (permanently delete) it, call the \code{purge_key_vault} method.
|
||||
}
|
||||
\section{Usage}{
|
||||
\preformatted{delete_key_vault(name, confirm=TRUE, wait=FALSE)
|
||||
\preformatted{delete_key_vault(name, confirm=TRUE, wait=FALSE, purge=FALSE)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -16,7 +21,8 @@ Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} cl
|
|||
\itemize{
|
||||
\item \code{name}: The name of the key vault.
|
||||
\item \code{confirm}: Whether to ask for confirmation before deleting.
|
||||
\item \code{wait}: Whether to wait until the deletion is complete.
|
||||
\item \code{wait}: Whether to wait until the deletion is complete. Note that \code{purge=TRUE} will set \code{wait=TRUE} as well.
|
||||
\item \code{purge}: For a vault with the soft-deletion feature enabled, whether to purge it as well (hard delete). Has no effect if the vault does not have soft-deletion enabled.
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -32,12 +38,19 @@ rg <- AzureRMR::get_azure_login()$
|
|||
get_subscription("subscription_id")$
|
||||
get_resource_group("rgname")
|
||||
|
||||
rg$delete_key_vault("mykeyvault")
|
||||
# assuming the vault has soft-delete enabled
|
||||
rg$delete_key_vault("mykeyvault", purge=FALSE)
|
||||
|
||||
# recovering a soft-deleted key vault
|
||||
rg$create_key_vault("mykeyvault")
|
||||
|
||||
# deleting it for good
|
||||
rg$delete_key_vault("mykeyvault", purge=FALSE)
|
||||
|
||||
}
|
||||
}
|
||||
\seealso{
|
||||
\link{create_key_vault}, \link{get_key_vault}, \link{az_key_vault},
|
||||
\link{create_key_vault}, \link{get_key_vault}, \link{purge_key_vault}, \link{list_deleted_key_vaults}, \link{az_key_vault},
|
||||
|
||||
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
||||
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
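Review bot: `rg$delete_key_vault("mykeyvault", purge=FALSE)` under "# deleting it for good" should be `purge=TRUE`; this file is generated from the roxygen example, so fix it in R/add_methods.R and re-run roxygen rather than editing here.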
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
% Generated by roxygen2: do not edit by hand
|
||||
% Please edit documentation in R/add_methods.R
|
||||
\name{list_deleted_key_vaults}
|
||||
\alias{list_deleted_key_vaults}
|
||||
\title{List soft-deleted Key Vaults}
|
||||
\description{
|
||||
Method for the \link[AzureRMR:az_subscription]{AzureRMR::az_subscription} class.
|
||||
}
|
||||
\section{Usage}{
|
||||
\preformatted{list_deleted_key_vaults()
|
||||
}
|
||||
}
|
||||
|
||||
\section{Value}{
|
||||
|
||||
This method returns a data frame with the following columns:
|
||||
\itemize{
|
||||
\item \code{name}: The name of the deleted key vault.
|
||||
\item \code{location}: The location (region) of the vault.
|
||||
\item \code{deletion_date}: When the vault was soft-deleted.
|
||||
\item \code{purge_date}: When the vault is scheduled to be purged (permanently deleted).
|
||||
\item \code{protected}: Whether the vault has purge protection enabled. If TRUE, manual attempts to purge it will fail.
|
||||
}
|
||||
}
|
||||
|
||||
\seealso{
|
||||
\link{create_key_vault}, \link{get_key_vault}, \link{delete_key_vault}, \link{purge_key_vault}, \link{az_key_vault},
|
||||
|
||||
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
||||
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
||||
}
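Review bot: the Value section should say what comes back when there are no soft-deleted vaults; as implemented the method returns `NULL` in that case rather than a zero-row data frame, and callers need to know which.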
|
|
@ -0,0 +1,48 @@
|
|||
% Generated by roxygen2: do not edit by hand
|
||||
% Please edit documentation in R/add_methods.R
|
||||
\name{purge_key_vault}
|
||||
\alias{purge_key_vault}
|
||||
\title{Purge a deleted Azure Key Vault}
|
||||
\description{
|
||||
Method for the \link[AzureRMR:az_subscription]{AzureRMR::az_subscription} and \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} classes.
|
||||
}
|
||||
\details{
|
||||
This method permanently deletes a soft-deleted key vault. Note that it will fail if the vault has purge protection enabled.
|
||||
}
|
||||
\section{Usage}{
|
||||
\preformatted{purge_key_vault(name, location, confirm=TRUE)
|
||||
}
|
||||
}
|
||||
|
||||
\section{Arguments}{
|
||||
|
||||
\itemize{
|
||||
\item \code{name},\code{location}: The name and location of the key vault.
|
||||
\item \code{confirm}: Whether to ask for confirmation before permanently deleting the vault.
|
||||
}
|
||||
}
|
||||
|
||||
\section{Value}{
|
||||
|
||||
NULL on successful purging.
|
||||
}
|
||||
|
||||
\examples{
|
||||
\dontrun{
|
||||
|
||||
rg <- AzureRMR::get_azure_login()$
|
||||
get_subscription("subscription_id")$
|
||||
get_resource_group("rgname")
|
||||
|
||||
# assuming the vault has soft-delete enabled, and is in the same location as its RG
|
||||
rg$delete_key_vault("mykeyvault")
|
||||
rg$purge_key_vault("mykeyvault", rg$location)
|
||||
|
||||
}
|
||||
}
|
||||
\seealso{
|
||||
\link{create_key_vault}, \link{get_key_vault}, \link{delete_key_vault}, \link{list_deleted_key_vaults}, \link{az_key_vault},
|
||||
|
||||
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
||||
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
||||
}
|
|
@ -89,6 +89,7 @@ test_that("Access policy management works",
|
|||
test_that("Resource deletion works",
|
||||
{
|
||||
expect_message(rg$delete_key_vault(kvname, confirm=FALSE))
|
||||
expect_silent(rg$purge_key_vault(kvname, rg$location, confirm=FALSE))
|
||||
})
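Review bot: `rg$purge_key_vault(kvname, rg$location, confirm=FALSE)` runs straight after `rg$delete_key_vault(kvname, confirm=FALSE)`, which uses the default `wait=FALSE`, so the purge can be issued before the soft delete has completed and the vault appears under deletedVaults. Pass `wait=TRUE` to the delete (the new soft-delete test file sleeps 30 seconds for the same reason), or use `delete_key_vault(..., purge=TRUE)`, which forces the wait.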
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,77 @@
|
|||
context("Soft delete and purge")
|
||||
|
||||
tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
|
||||
app <- Sys.getenv("AZ_TEST_APP_ID")
|
||||
password <- Sys.getenv("AZ_TEST_PASSWORD")
|
||||
subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
|
||||
username <- Sys.getenv("AZ_TEST_USERNAME")
|
||||
|
||||
if(tenant == "" || app == "" || password == "" || subscription == "" || username == "")
|
||||
skip("Tests skipped: ARM credentials not set")
|
||||
|
||||
rgname <- paste(sample(letters, 20, replace=TRUE), collapse="")
|
||||
rg2name <- paste(sample(letters, 20, replace=TRUE), collapse="")
|
||||
kvsoftname <- paste(sample(letters, 10, replace=TRUE), collapse="")
|
||||
kvhardname <- paste(sample(letters, 10, replace=TRUE), collapse="")
|
||||
|
||||
sub <- AzureRMR::az_rm$
|
||||
new(tenant=tenant, app=app, password=password)$
|
||||
get_subscription(subscription)
|
||||
|
||||
rg <- sub$create_resource_group(rgname, location="australiaeast")
|
||||
rg2 <- sub$create_resource_group(rg2name, location="australiaeast")
|
||||
|
||||
|
||||
test_that("Resource soft delete works",
|
||||
{
|
||||
kvsoft <- rg$create_key_vault(kvsoftname, soft_delete=TRUE)
|
||||
kvsoft_vault <- kvsoft$get_endpoint()
|
||||
kvsoft_vault$secrets$create("mysecret", "value")
|
||||
|
||||
expect_message(kvsoft$delete(confirm=FALSE))
|
||||
Sys.sleep(30)
|
||||
|
||||
# recreating a soft-deleted vault in another RG should fail
|
||||
expect_error(rg2$create_key_vault(kvsoftname))
|
||||
|
||||
# but recreating it in the same RG should work
|
||||
expect_message(rg$create_key_vault(kvsoftname, soft_delete=TRUE))
|
||||
|
||||
# contents should survive soft delete
|
||||
kvsoft_vault <- rg$get_key_vault(kvsoftname)$get_endpoint()
|
||||
expect_is(kvsoft_vault$secrets$get("mysecret"), "stored_secret")
|
||||
|
||||
expect_message(kvsoft$delete(confirm=FALSE, purge=TRUE))
|
||||
Sys.sleep(30)
|
||||
|
||||
deleted <- sub$list_deleted_key_vaults()
|
||||
expect_false(kvsoftname %in% deleted$name)
|
||||
|
||||
# after purge, recreating in another RG should work
|
||||
expect_is(rg2$create_key_vault(kvsoftname), "az_key_vault")
|
||||
expect_true(is_empty(rg2$get_key_vault(kvsoftname)$get_endpoint()$secrets$list()))
|
||||
|
||||
expect_message(rg2$delete_key_vault(kvsoftname, confirm=FALSE, purge=TRUE))
|
||||
})
|
||||
|
||||
|
||||
test_that("Resource hard delete works",
|
||||
{
|
||||
kvhard <- rg$create_key_vault(kvhardname, soft_delete=FALSE)
|
||||
kvhard_vault <- kvhard$get_endpoint()
|
||||
kvhard_vault$secrets$create("mysecret", "value")
|
||||
|
||||
expect_message(kvhard$delete(confirm=FALSE))
|
||||
Sys.sleep(30)
|
||||
|
||||
# recreating a hard-deleted vault should always work
|
||||
expect_is(rg2$create_key_vault(kvhardname, soft_delete=FALSE), "az_key_vault")
|
||||
expect_true(is_empty(rg2$get_key_vault(kvhardname)$get_endpoint()$secrets$list()))
|
||||
|
||||
# purge should be a no-op with hard delete
|
||||
expect_message(rg2$delete_key_vault(kvhardname, confirm=FALSE, purge=TRUE))
|
||||
})
|
||||
|
||||
|
||||
rg$delete(confirm=FALSE)
|
||||
rg2$delete(confirm=FALSE)
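Review bot: `purge_protection=TRUE` is never exercised, so the "purge fails when protected" behaviour documented for `purge_key_vault` has no test; a vault created with `purge_protection=TRUE` plus an `expect_error` on its purge would cover it (such a vault cannot be cleaned up for 90 days, so it needs a disposable name). Two smaller points: `expect_false(kvsoftname %in% deleted$name)` only passes if `list_deleted_key_vaults()` returns a data frame, which it does not when the subscription has no other soft-deleted vaults; and the fixed `Sys.sleep(30)` waits would be more robust as polls of `list_deleted_key_vaults()` until the vault appears or disappears.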