{ARO} Update aro module with features from 2025_07_25 API (#32796)

Author: cadenmarchese

src/azure-cli-core/azure/cli/core/profiles/_shared.py

@@ -218,7 +218,7 @@ def default_api_version(self):
         ResourceType.MGMT_IOTHUB: None,
         ResourceType.MGMT_IOTDPS: None,
         ResourceType.MGMT_IOTCENTRAL: None,
-        ResourceType.MGMT_ARO: '2023-11-22',
+        ResourceType.MGMT_ARO: None,
         ResourceType.MGMT_DATABOXEDGE: '2021-02-01-preview',
         ResourceType.MGMT_CUSTOMLOCATION: '2021-03-15-preview',
         ResourceType.MGMT_CONTAINERSERVICE: None,

src/azure-cli/azure/cli/command_modules/aro/__init__.py

@@ -3,31 +3,27 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-from azure.cli.command_modules.aro._params import load_arguments
-from azure.cli.command_modules.aro.commands import load_command_table
 from azure.cli.core import AzCommandsLoader, ModExtensionSuppress
-from azure.cli.core.commands import CliCommandType
-from azure.cli.core.profiles import ResourceType
-from azure.cli.command_modules.aro._client_factory import cf_aro  # pylint: disable=unused-import
-from azure.cli.command_modules.aro._help import helps  # pylint: disable=unused-import
 
+import azure.cli.command_modules.aro._help  # pylint: disable=unused-import
 
-class AroCommandsLoader(AzCommandsLoader):
 
+class AroCommandsLoader(AzCommandsLoader):
     def __init__(self, cli_ctx=None):
+        from azure.cli.core.commands import CliCommandType
+        from azure.cli.command_modules.aro._client_factory import cf_aro
         aro_custom = CliCommandType(
             operations_tmpl='azure.cli.command_modules.aro.custom#{}',
             client_factory=cf_aro)
-
         suppress = ModExtensionSuppress(__name__, 'aro', '1.0.0',
                                         reason='Its functionality is included in the core az CLI.',
                                         recommend_remove=True)
         super().__init__(cli_ctx=cli_ctx,
                          suppress_extension=suppress,
-                         custom_command_type=aro_custom,
-                         resource_type=ResourceType.MGMT_ARO)
+                         custom_command_type=aro_custom)
 
     def load_command_table(self, args):
+        from azure.cli.command_modules.aro.commands import load_command_table
         from azure.cli.core.aaz import load_aaz_command_table
         try:
             from . import aaz
@@ -43,6 +39,7 @@ def load_command_table(self, args):
         return self.command_table
 
     def load_arguments(self, command):
+        from azure.cli.command_modules.aro._params import load_arguments
         load_arguments(self, command)
 
 

src/azure-cli/azure/cli/command_modules/aro/_aad.py

@@ -5,8 +5,10 @@
 
 import time
 
-from azure.cli.command_modules.role import graph_client_factory
-from azure.cli.command_modules.role import GraphError
+from azure.cli.command_modules.role import (
+    graph_client_factory,
+    GraphError
+)
 
 from knack.log import get_logger
 

src/azure-cli/azure/cli/command_modules/aro/_actions.py

@@ -0,0 +1,28 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import argparse
+
+from azure.cli.core.azclierror import CLIError
+
+
+# pylint:disable=protected-access
+# pylint:disable=too-few-public-methods
+class AROPlatformWorkloadIdentityAddAction(argparse._AppendAction):
+
+    def __call__(self, parser, namespace, values, option_string=None):
+        from azure.mgmt.redhatopenshift.models import PlatformWorkloadIdentity
+        try:
+            if len(values) != 2:
+                msg = f"{option_string} requires 2 values in format: `OPERATOR_NAME RESOURCE_ID`"
+                raise argparse.ArgumentError(self, msg)
+
+            operator_name, resource_id = values
+            parsed = (operator_name, PlatformWorkloadIdentity(resource_id=resource_id))
+
+            super().__call__(parser, namespace, parsed, option_string)
+
+        except ValueError as e:
+            raise CLIError(f"usage error: {option_string} NAME ID") from e

src/azure-cli/azure/cli/command_modules/aro/_client_factory.py

@@ -4,12 +4,7 @@
 # --------------------------------------------------------------------------------------------
 
 
-from azure.cli.core.commands.client_factory import get_mgmt_service_client
-from azure.mgmt.redhatopenshift import AzureRedHatOpenShiftClient
-
-
 def cf_aro(cli_ctx, *_):
-    client = get_mgmt_service_client(
-        cli_ctx, AzureRedHatOpenShiftClient)
-
-    return client
+    from azure.cli.core.commands.client_factory import get_mgmt_service_client
+    from azure.mgmt.redhatopenshift import AzureRedHatOpenShiftClient
+    return get_mgmt_service_client(cli_ctx, AzureRedHatOpenShiftClient)

src/azure-cli/azure/cli/command_modules/aro/_dynamic_validators.py

@@ -3,24 +3,27 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-
+import collections
 import ipaddress
 import re
 from itertools import tee
 
-from azure.cli.command_modules.aro._validators import validate_vnet, validate_cidr
-from azure.cli.command_modules.aro._rbac import has_role_assignment_on_resource
-from azure.cli.command_modules.aro.aaz.latest.network.vnet.subnet import Show as subnet_show
-from azure.cli.command_modules.aro.aaz.latest.network.vnet import Show as vnet_show
 from azure.cli.core.commands.client_factory import get_mgmt_service_client
 from azure.cli.core.commands.validators import get_default_location_from_resource_group
 from azure.cli.core.profiles import ResourceType
-from azure.cli.core.azclierror import CLIInternalError, InvalidArgumentValueError, \
+from azure.cli.core.azclierror import (
+    CLIInternalError,
+    InvalidArgumentValueError,
     RequiredArgumentMissingError
-from azure.core.exceptions import ResourceNotFoundError, HttpResponseError
+)
+from azure.core.exceptions import HttpResponseError, ResourceNotFoundError
 from azure.mgmt.core.tools import is_valid_resource_id, parse_resource_id
+from azure.cli.command_modules.aro._validators import validate_vnet, validate_cidr
+from azure.cli.command_modules.aro._rbac import has_role_assignment_on_resource
+from azure.cli.command_modules.aro.aaz.latest.network.vnet.subnet import Show as subnet_show
+from azure.cli.command_modules.aro.aaz.latest.network.vnet import Show as vnet_show
+
 from knack.log import get_logger
-import azure.cli.command_modules.aro.custom
 
 
 logger = get_logger(__name__)
@@ -289,15 +292,15 @@ def _validate_cidr_ranges(cmd, namespace):
     return _validate_cidr_ranges
 
 
-def dyn_validate_resource_permissions(service_principle_ids, resources):
+def dyn_validate_resource_permissions(service_principal_ids, resources):
     prog = get_progress_tracker("Validating resource permissions")
 
     @prog
     def _validate_resource_permissions(cmd,
                                        _namespace):
         errors = []
 
-        for sp_id in service_principle_ids:
+        for sp_id in service_principal_ids:
             for role in sorted(resources):
                 for resource in resources[role]:
                     try:
@@ -331,7 +334,8 @@ def _validate_version(cmd,
         if namespace.location is None:
             get_default_location_from_resource_group(cmd, namespace)
 
-        versions = azure.cli.command_modules.aro.custom.aro_get_versions(namespace.client, namespace.location)
+        from azure.cli.command_modules.aro.custom import aro_get_versions
+        versions = aro_get_versions(namespace.client, namespace.location)
 
         found = False
         for version in versions:
@@ -351,15 +355,47 @@ def _validate_version(cmd,
 
 def validate_cluster_create(version,
                             resources,
-                            service_principle_ids):
+                            service_principal_ids):
     error_object = []
 
     error_object.append(dyn_validate_vnet("vnet"))
     error_object.append(dyn_validate_subnet_and_route_tables("master_subnet"))
     error_object.append(dyn_validate_subnet_and_route_tables("worker_subnet"))
     error_object.append(dyn_validate_cidr_ranges())
-    error_object.append(dyn_validate_resource_permissions(service_principle_ids, resources))
+    error_object.append(dyn_validate_resource_permissions(service_principal_ids, resources))
     if version is not None:
         error_object.append(dyn_validate_version())
 
     return error_object
+
+
+def dyn_validate_managed_identity_delete_permissions():
+    prog = get_progress_tracker("Validating Managed Identity Delete Permissions")
+
+    @prog
+    def _validate_managed_identity_delete_permissions(cmd, namespace):
+        errors = []
+        managed_identities = namespace.managed_identities
+
+        for mi in managed_identities:
+            parts, auth_client = get_clients(mi, cmd)
+            validation_errors = validate_resource(auth_client, "Managed Identity", parts, [
+                "Microsoft.ManagedIdentity/userAssignedIdentities/delete"
+            ])
+            for error in validation_errors:
+                errors.append(f"{error[3]} over {mi}")
+
+        return errors
+
+    return _validate_managed_identity_delete_permissions
+
+
+def validate_cluster_delete(cmd, delete_identities, managed_identities):
+    errors = []
+
+    if delete_identities:
+        namespace = collections.namedtuple("Namespace", ["managed_identities"])(managed_identities)
+        validate_managed_identity_delete = dyn_validate_managed_identity_delete_permissions()
+        errors.extend(validate_managed_identity_delete(cmd, namespace))
+
+    return errors