diff --git a/specification/keyvault/Security.KeyVault.EKM/models.tsp b/specification/keyvault/Security.KeyVault.EKM/models.tsp index c251796d5b21..12fdc07048f1 100644 --- a/specification/keyvault/Security.KeyVault.EKM/models.tsp +++ b/specification/keyvault/Security.KeyVault.EKM/models.tsp @@ -12,6 +12,7 @@ namespace KeyVault; /** * A EkmConnection model object. */ +@added(KeyVault.Versions.v2026_01_01_preview) model EkmConnection { /** * EKM proxy FQDN (Fully Qualified Domain Name). Only allowed characters are a-z, A-Z, 0-9, hyphen (-), dot (.), and colon (:). @@ -40,6 +41,7 @@ model EkmConnection { /** * EKM proxy client certificate information. */ +@added(KeyVault.Versions.v2026_01_01_preview) model EkmProxyClientCertificateInfo { /** * The client root CA certificate chain to authenticate to the EKM proxy. An array of certificates in the certificate chain, each in DER format and base64 encoded. @@ -59,6 +61,7 @@ model EkmProxyClientCertificateInfo { /** * EKM proxy information. */ +@added(KeyVault.Versions.v2026_01_01_preview) model EkmProxyInfo { /** * The highest version of proxy interface API supported by the EKM Proxy. diff --git a/specification/keyvault/Security.KeyVault.EKM/routes.tsp b/specification/keyvault/Security.KeyVault.EKM/routes.tsp index be68447b0504..7f4d0c6eb852 100644 --- a/specification/keyvault/Security.KeyVault.EKM/routes.tsp +++ b/specification/keyvault/Security.KeyVault.EKM/routes.tsp @@ -15,6 +15,7 @@ namespace KeyVault; * The External Key Manager (EKM) Get operation returns EKM connection. This operation requires ekm/read permission. */ #suppress "@azure-tools/typespec-azure-core/use-standard-operations" "Foundations.Operation is necessary for Key Vault" +@Versioning.added(KeyVault.Versions.v2026_01_01_preview) @summary("Gets the EKM connection.") @route("/ekm") @get 
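Review bot: The character restriction on `host`, quoted in this hunk's trailing context ("Only allowed characters are a-z, A-Z, 0-9, hyphen (-), dot (.), and colon (:)"), exists only as doc-comment prose. The generated `EkmConnection.host` in keys.json is a bare `"type": "string"` with no `pattern`. Since this value names the external proxy endpoint used for the connection, the constraint is worth carrying in the schema so that SDK and gateway validation can see it, for example `@pattern("^[A-Za-z0-9.:-]+$")` on the property, plus a length bound if the service enforces one. The `host` declaration itself is outside the hunk, so the exact placement needs checking against the full model.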
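Review bot: The version decorator is spelled `@Versioning.added(...)` on the operations in routes.tsp but `@added(...)` on the three models in models.tsp within the same commit. Both presumably resolve to the same decorator through each file's `using` lines, which are not visible here. Using one spelling across the EKM folder makes it easier to grep which operations and models are exposed in a given API version. This applies equally to the other five routes.tsp hunks.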
@@ -24,6 +25,7 @@ op getEkmConnection is KeyVaultOperation<{}, EkmConnection>; * The External Key Manager (EKM) Certificate Get operation returns Proxy client certificate. This operation requires ekm/read permission. */ #suppress "@azure-tools/typespec-azure-core/use-standard-operations" "Foundations.Operation is necessary for Key Vault" +@Versioning.added(KeyVault.Versions.v2026_01_01_preview) @summary("Gets the EKM proxy client certificate.") @route("/ekm/certificate") @get @@ -33,6 +35,7 @@ op getEkmCertificate is KeyVaultOperation<{}, EkmProxyClientCertificateInfo>; * The External Key Manager (EKM) Check operation checks the connectivity and authentication with the EKM proxy. This operation requires ekm/read permission. */ #suppress "@azure-tools/typespec-azure-core/use-standard-operations" "Foundations.Operation is necessary for Key Vault" +@Versioning.added(KeyVault.Versions.v2026_01_01_preview) @summary("Checks the connectivity and authentication with the EKM proxy.") @route("/ekm/check") @post @@ -42,6 +45,7 @@ op checkEkmConnection is KeyVaultOperation<{}, EkmProxyInfo>; * The External Key Manager (EKM) sets up the EKM connection. If the EKM connection already exists, this operation fails. This operation requires ekm/write permission. */ #suppress "@azure-tools/typespec-azure-core/use-standard-operations" "Foundations.Operation is necessary for Key Vault" +@Versioning.added(KeyVault.Versions.v2026_01_01_preview) @summary("Creates the EKM connection.") @route("/ekm/create") @post 
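Review bot: The doc comment above the `/ekm/check` operation does not say that the call triggers a live, authenticated request to the configured proxy, although it is a `@post` gated only by ekm/read. If read-level access is the intended gate, the side effect should be stated for people writing role assignments. A sentence such as `This operation contacts the EKM proxy using the stored connection settings and does not modify the connection.` would do, once confirmed against the service behaviour. The operation declaration follows the hunk and is not shown in full.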
@@ -62,6 +66,7 @@ op createEkmConnection is KeyVaultOperation< * The External Key Manager (EKM) updates the existing EKM connection. If the EKM connection does not exist, this operation fails. This operation requires ekm/write permission. */ #suppress "@azure-tools/typespec-azure-core/use-standard-operations" "Foundations.Operation is necessary for Key Vault" +@Versioning.added(KeyVault.Versions.v2026_01_01_preview) @summary("Updates the EKM connection.") @route("/ekm") @patch(#{ implicitOptionality: true }) @@ -82,6 +87,7 @@ op updateEkmConnection is KeyVaultOperation< * The External Key Manager (EKM) deletes the existing EKM connection. If the EKM connection does not already exists, this operation fails. This operation requires ekm/delete permission. */ #suppress "@azure-tools/typespec-azure-core/use-standard-operations" "Foundations.Operation is necessary for Key Vault" +@Versioning.added(KeyVault.Versions.v2026_01_01_preview) @summary("Deletes the EKM connection.") @route("/ekm") @delete diff --git a/specification/keyvault/Security.KeyVault.EKM/tspconfig.yaml b/specification/keyvault/Security.KeyVault.EKM/tspconfig.yaml index 1bbe6254e79a..b330eb569d04 100644 --- a/specification/keyvault/Security.KeyVault.EKM/tspconfig.yaml +++ b/specification/keyvault/Security.KeyVault.EKM/tspconfig.yaml @@ -26,11 +26,11 @@ options: # "@azure-tools/typespec-ts": true "@azure-tools/typespec-go": service-dir: "sdk/security/keyvault" - package-dir: "azadmin/ekm" + package-dir: "azkeys/ekm" inject-spans: true single-client: true generate-fakes: true - module: "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azadmin" + module: "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys" module-version: "0.0.1" "@azure-tools/typespec-client-generator-cli": additionalDirectories: diff --git a/specification/keyvault/Security.KeyVault.Keys/models.tsp b/specification/keyvault/Security.KeyVault.Keys/models.tsp index f59b9ee0765a..66cf55346fc3 100644 
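Review bot: The doc comment on the update operation does not describe how a partial body is applied, and with `@patch(#{ implicitOptionality: true })` every property of the connection becomes optional (the generated `EkmConnectionUpdate` has no `required` list). A caller can therefore send a new `host` without `server_ca_certificates` or `server_subject_common_name`, and the spec leaves open whether the previous trust anchors stay paired with the new host. Suggest stating the merge rule in the comment, for example `Properties omitted from the request keep their current values; update host and server_ca_certificates together when moving to a different proxy.`, after confirming what the service actually does. The operation body is outside the hunk.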
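Review bot: The leading context comment on the delete operation reads "does not already exists", and that text is copied verbatim into the `DeleteEkmConnection` description in the keys.json added by this commit. Suggest `If the EKM connection does not exist, this operation fails.`, matching the wording already used for the update operation. Fixing it in routes.tsp and regenerating keeps the TypeSpec and the emitted OpenAPI in step.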
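Review bot: `module-version: "0.0.1"` is left unchanged while `module` now points at `.../sdk/security/keyvault/azkeys`. If azkeys is already a released module, that version line looks stale for the new target and should be checked against the module's own versioning. The change also moves the generated EKM connection management client (create, update, delete) from `azadmin/ekm` to `azkeys/ekm`, so it ships alongside the key-operation client. A short comment above `package-dir` recording the reason, for example `# EKM is generated under azkeys because its operations are part of the Keys API from 2026-01-01-preview` (if that is the reason), would help reviewers of the generated SDK.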
--- a/specification/keyvault/Security.KeyVault.Keys/models.tsp +++ b/specification/keyvault/Security.KeyVault.Keys/models.tsp @@ -2,6 +2,7 @@ import "@typespec/http"; import "@typespec/rest"; import "@typespec/versioning"; import "@azure-tools/typespec-azure-core"; +import "../Security.KeyVault.EKM/models.tsp"; using TypeSpec.Http; using TypeSpec.Rest; diff --git a/specification/keyvault/Security.KeyVault.Keys/routes.tsp b/specification/keyvault/Security.KeyVault.Keys/routes.tsp index 3d4f0b1b83b3..4261c6fce8b9 100644 --- a/specification/keyvault/Security.KeyVault.Keys/routes.tsp +++ b/specification/keyvault/Security.KeyVault.Keys/routes.tsp @@ -4,6 +4,7 @@ import "@typespec/openapi"; import "@typespec/rest"; import "./models.tsp"; import "../Security.KeyVault.Common/common.tsp"; +import "../Security.KeyVault.EKM/routes.tsp"; using Azure.ClientGenerator.Core; using TypeSpec.Http; diff --git a/specification/keyvault/Security.KeyVault.Keys/tspconfig.yaml b/specification/keyvault/Security.KeyVault.Keys/tspconfig.yaml index 13fc8ea253d8..890ffa31d270 100644 --- a/specification/keyvault/Security.KeyVault.Keys/tspconfig.yaml +++ b/specification/keyvault/Security.KeyVault.Keys/tspconfig.yaml @@ -66,3 +66,4 @@ options: "@azure-tools/typespec-client-generator-cli": additionalDirectories: - "specification/keyvault/Security.KeyVault.Common/" + - "specification/keyvault/Security.KeyVault.EKM/" diff --git a/specification/keyvault/cspell.yaml b/specification/keyvault/cspell.yaml index 9c8d7e2a60bd..eb77d375c7a4 100644 --- a/specification/keyvault/cspell.yaml +++ b/specification/keyvault/cspell.yaml @@ -10,6 +10,7 @@ words: - assetid - azadmin - azekm + - azkeys - backuprestore - byok - CBCPAD 
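Review bot: Importing `../Security.KeyVault.EKM/routes.tsp` in Keys/routes.tsp adds all six EKM operations, including create, update and delete of the connection, to the Keys service surface. The new `/ekm*` paths in keys.json confirm this. The EKM folder keeps its own tspconfig.yaml with emitter options, so the same operations may now be emitted from two projects. Whether that is intended is not visible from this diff. A comment above the import, for example `// EKM operations are served from the Keys endpoint starting with v2026_01_01_preview`, would document the coupling for whoever next audits which client exposes connection management.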
@@ -54,15 +55,9 @@ overrides: - filename: '**/specification/keyvault/Security.KeyVault.Certificates/tspconfig.yaml' words: - azcertificates - - filename: '**/specification/keyvault/Security.KeyVault.EKM/tspconfig.yaml' - words: - - azekm - filename: '**/specification/keyvault/Security.KeyVault.Secrets/tspconfig.yaml' words: - azsecrets - - filename: '**/specification/keyvault/Security.KeyVault.Keys/tspconfig.yaml' - words: - - azkeys - filename: '**/specification/keyvault/data-plane/Microsoft.KeyVault/**/storage.json' words: - regenerte diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/2026-01-01-preview/keys.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/2026-01-01-preview/keys.json index bdf3a1021dac..3c9b3d502a7f 100644 --- a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/2026-01-01-preview/keys.json +++ b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/2026-01-01-preview/keys.json 
@@ -208,6 +208,176 @@ } } }, + "/ekm": { + "get": { + "operationId": "GetEkmConnection", + "summary": "Gets the EKM connection.", + "description": "The External Key Manager (EKM) Get operation returns EKM connection. This operation requires ekm/read permission.", + "parameters": [ + { + "$ref": "#/parameters/Azure.Core.Foundations.ApiVersionParameter" + } + ], + "responses": { + "200": { + "description": "The request has succeeded.", + "schema": { + "$ref": "#/definitions/EkmConnection" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/KeyVaultError" + } + } + } + }, + "patch": { + "operationId": "UpdateEkmConnection", + "summary": "Updates the EKM connection.", + "description": "The External Key Manager (EKM) updates the existing EKM connection. If the EKM connection does not exist, this operation fails. This operation requires ekm/write permission.", + "parameters": [ + { + "$ref": "#/parameters/Azure.Core.Foundations.ApiVersionParameter" + }, + { + "name": "ekmConnection", + "in": "body", + "description": "The ekmConnection to update.", + "required": true, + "schema": { + "$ref": "#/definitions/EkmConnectionUpdate" + } + } + ], + "responses": { + "200": { + "description": "The request has succeeded.", + "schema": { + "$ref": "#/definitions/EkmConnection" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/KeyVaultError" + } + } + } + }, + "delete": { + "operationId": "DeleteEkmConnection", + "summary": "Deletes the EKM connection.", + "description": "The External Key Manager (EKM) deletes the existing EKM connection. If the EKM connection does not already exists, this operation fails. 
This operation requires ekm/delete permission.", + "parameters": [ + { + "$ref": "#/parameters/Azure.Core.Foundations.ApiVersionParameter" + } + ], + "responses": { + "200": { + "description": "The request has succeeded.", + "schema": { + "$ref": "#/definitions/EkmConnection" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/KeyVaultError" + } + } + } + } + }, + "/ekm/certificate": { + "get": { + "operationId": "GetEkmCertificate", + "summary": "Gets the EKM proxy client certificate.", + "description": "The External Key Manager (EKM) Certificate Get operation returns Proxy client certificate. This operation requires ekm/read permission.", + "parameters": [ + { + "$ref": "#/parameters/Azure.Core.Foundations.ApiVersionParameter" + } + ], + "responses": { + "200": { + "description": "The request has succeeded.", + "schema": { + "$ref": "#/definitions/EkmProxyClientCertificateInfo" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/KeyVaultError" + } + } + } + } + }, + "/ekm/check": { + "post": { + "operationId": "CheckEkmConnection", + "summary": "Checks the connectivity and authentication with the EKM proxy.", + "description": "The External Key Manager (EKM) Check operation checks the connectivity and authentication with the EKM proxy. This operation requires ekm/read permission.", + "parameters": [ + { + "$ref": "#/parameters/Azure.Core.Foundations.ApiVersionParameter" + } + ], + "responses": { + "200": { + "description": "The request has succeeded.", + "schema": { + "$ref": "#/definitions/EkmProxyInfo" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/KeyVaultError" + } + } + } + } + }, + "/ekm/create": { + "post": { + "operationId": "CreateEkmConnection", + "summary": "Creates the EKM connection.", + "description": "The External Key Manager (EKM) sets up the EKM connection. 
If the EKM connection already exists, this operation fails. This operation requires ekm/write permission.", + "parameters": [ + { + "$ref": "#/parameters/Azure.Core.Foundations.ApiVersionParameter" + }, + { + "name": "ekmConnection", + "in": "body", + "description": "The ekmConnection to create.", + "required": true, + "schema": { + "$ref": "#/definitions/EkmConnection" + } + } + ], + "responses": { + "200": { + "description": "The request has succeeded.", + "schema": { + "$ref": "#/definitions/EkmConnection" + } + }, + "default": { + "description": "An unexpected error response.", + "schema": { + "$ref": "#/definitions/KeyVaultError" + } + } + } + } + }, "/keys": { "get": { "operationId": "GetKeys", 
@@ -1545,6 +1715,132 @@ ] } }, + "EkmConnection": { + "type": "object", + "description": "A EkmConnection model object.", + "properties": { + "host": { + "type": "string", + "description": "EKM proxy FQDN (Fully Qualified Domain Name). Only allowed characters are a-z, A-Z, 0-9, hyphen (-), dot (.), and colon (:)." + }, + "path_prefix": { + "type": "string", + "description": "Optional path prefix for the EKM proxy (if any).", + "x-ms-client-name": "pathPrefix" + }, + "server_ca_certificates": { + "type": "array", + "description": "The root CA certificate chain that issued the proxy server's certificate. An array of certificates in the certificate chain, each in DER format and base64 encoded.", + "items": { + "type": "string", + "format": "byte" + }, + "x-ms-client-name": "serverCaCertificates" + }, + "server_subject_common_name": { + "type": "string", + "description": "The subject common name of the server certificate of EKM Proxy.", + "x-ms-client-name": "serverSubjectCommonName" + } + }, + "required": [ + "host", + "server_ca_certificates" + ] + }, + "EkmConnectionUpdate": { + "type": "object", + "description": "A EkmConnection model object.", + "properties": { + "host": { + "type": "string", + "description": "EKM proxy FQDN (Fully Qualified Domain Name). Only allowed characters are a-z, A-Z, 0-9, hyphen (-), dot (.), and colon (:)." + }, + "path_prefix": { + "type": "string", + "description": "Optional path prefix for the EKM proxy (if any).", + "x-ms-client-name": "pathPrefix" + }, + "server_ca_certificates": { + "type": "array", + "description": "The root CA certificate chain that issued the proxy server's certificate. 
An array of certificates in the certificate chain, each in DER format and base64 encoded.", + "items": { + "type": "string", + "format": "byte" + }, + "x-ms-client-name": "serverCaCertificates" + }, + "server_subject_common_name": { + "type": "string", + "description": "The subject common name of the server certificate of EKM Proxy.", + "x-ms-client-name": "serverSubjectCommonName" + } + } + }, + "EkmProxyClientCertificateInfo": { + "type": "object", + "description": "EKM proxy client certificate information.", + "properties": { + "ca_certificates": { + "type": "array", + "description": "The client root CA certificate chain to authenticate to the EKM proxy. An array of certificates in the certificate chain, each in DER format and base64 encoded.", + "items": { + "type": "string", + "format": "byte" + }, + "readOnly": true, + "x-ms-client-name": "caCertificates" + }, + "subject_common_name": { + "type": "string", + "description": "The subject common name of the client certificate used to authenticate to the EKM proxy.", + "readOnly": true, + "x-ms-client-name": "subjectCommonName" + } + }, + "required": [ + "ca_certificates", + "subject_common_name" + ] + }, + "EkmProxyInfo": { + "type": "object", + "description": "EKM proxy information.", + "properties": { + "api_version": { + "type": "string", + "description": "The highest version of proxy interface API supported by the EKM Proxy.", + "x-ms-client-name": "apiVersion" + }, + "proxy_vendor": { + "type": "string", + "description": "The name of the proxy vendor.", + "x-ms-client-name": "proxyVendor" + }, + "proxy_name": { + "type": "string", + "description": "The name of the proxy product and its version.", + "x-ms-client-name": "proxyName" + }, + "ekm_vendor": { + "type": "string", + "description": "The name of the EKM vendor.", + "x-ms-client-name": "ekmVendor" + }, + "ekm_product": { + "type": "string", + "description": "The name of the EKM product and its version.", + "x-ms-client-name": "ekmProduct" + } + }, + 
"required": [ + "api_version", + "proxy_vendor", + "proxy_name", + "ekm_vendor", + "ekm_product" + ] + }, "Error": { "type": "object", "properties": {