{Keyvault} Support ip rules for MHSM #32142

Merged
evelyn-ys merged 16 commits into Azure:dev from evelyn-ys:mhsm_ip_rules
Sep 24, 2025

@evelyn-ys evelyn-ys commented Sep 19, 2025

Related command

az keyvault create
az keyvault network-rule add/remove/list/wait

Description

Similar to vault, Managed HSM now allows managing IP rules as well.
This PR adds ip rule management support for

  • MHSM creation through az keyvault create --hsm-name with --network-acls-ips
  • MHSM update through az keyvault network-rule add/remove --hsm-name with --ip-address
  • and for checking, use az keyvault network-rule list --hsm-name

PR relies on SDK release https://github.com/Azure/sdk-release-request/issues/6578

Testing Guide

Check the added scenario test

History Notes

[Keyvault] az keyvault create: Support --network-acls-ips while creating Managed HSM
[Keyvault] az keyvault network-rule add/remove/list/wait: Support ip rule configuration for Managed HSM


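A check one might run over the output of az keyvault network-rule list --hsm-name, as an added example that is not part of this pull request or of the Azure CLI code base. The JSON field names (defaultAction, ipRules, value) are assumed to match the vault output, and the sample document, the function name and the 256-address threshold are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample; field names are an assumption modelled on the vault output.
SAMPLE_OUTPUT = """
{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [
    {"value": "203.0.113.7"},
    {"value": "203.0.113.0/24"},
    {"value": "0.0.0.0/0"},
    {"value": "198.51.100.0/22"},
    {"value": "192.0.2.300"}
  ],
  "virtualNetworkRules": []
}
"""


def audit_network_acls(acls, max_addresses=256):
    """Return (subject, issue) findings for a parsed network ACL document."""
    findings = []
    if acls.get("defaultAction") != "Deny":
        # Unmatched traffic is allowed, so the allow-list restricts nothing.
        findings.append(("defaultAction", "not Deny, so the ip rules restrict nothing"))
    nets = []
    for rule in acls.get("ipRules") or []:
        value = rule.get("value", "")
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append((value, "not a valid address or CIDR range"))
            continue
        if net.prefixlen == 0:
            findings.append((value, "matches every address"))
        elif net.num_addresses > max_addresses:  # hypothetical policy threshold
            findings.append((value, "wider than the policy threshold"))
        nets.append((value, net))
    # Flag rules that a broader rule already covers (catch-all is reported above).
    for value, net in nets:
        for other_value, other in nets:
            if (net != other and net.version == other.version
                    and other.prefixlen != 0 and net.subnet_of(other)):
                findings.append((value, f"already covered by {other_value}"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit_network_acls(json.loads(SAMPLE_OUTPUT)):
        print(f"{subject}: {issue}")
```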

Copilot AI review requested due to automatic review settings September 19, 2025 02:07
azure-client-tools-bot-prd bot commented Sep 19, 2025

✔️ AzureCLI-FullTest

azure-client-tools-bot-prd bot commented Sep 19, 2025

⚠️ AzureCLI-BreakingChangeTest
⚠️ keyvault

| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| ⚠️ 1006 - ParaAdd | keyvault network-rule add | cmd keyvault network-rule add added parameter hsm_name | |
| ⚠️ 1009 - ParaPropRemove | keyvault network-rule add | cmd keyvault network-rule add update parameter vault_name: removed property required=True | |
| ⚠️ 1006 - ParaAdd | keyvault network-rule list | cmd keyvault network-rule list added parameter hsm_name | |
| ⚠️ 1009 - ParaPropRemove | keyvault network-rule list | cmd keyvault network-rule list update parameter vault_name: removed property required=True | |
| ⚠️ 1006 - ParaAdd | keyvault network-rule remove | cmd keyvault network-rule remove added parameter hsm_name | |
| ⚠️ 1009 - ParaPropRemove | keyvault network-rule remove | cmd keyvault network-rule remove update parameter vault_name: removed property required=True | |
| ⚠️ 1006 - ParaAdd | keyvault network-rule wait | cmd keyvault network-rule wait added parameter hsm_name | |
| ⚠️ 1009 - ParaPropRemove | keyvault network-rule wait | cmd keyvault network-rule wait update parameter vault_name: removed property required=True | |

yonzhan commented Sep 19, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

Copilot AI left a comment

Pull Request Overview

This PR adds IP network rule management support for Azure Key Vault Managed HSM (MHSM) resources, extending existing functionality that was previously available only for Key Vault resources.

  • Adds IP rule configuration support for MHSM creation via az keyvault create --hsm-name with --network-acls-ips
  • Extends az keyvault network-rule add/remove/list/wait commands to support MHSM resources with --hsm-name parameter
  • Updates SDK dependencies to version 12.1.0 to support new MHSM IP rule functionality

Reviewed Changes

Copilot reviewed 17 out of 30 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| setup.py | Updates azure-mgmt-keyvault dependency to version 12.1.0 |
| requirements.py3.*.txt | Updates azure-mgmt-keyvault dependency across all platform requirement files |
| _params.py | Adds hsm_name parameter support to network-rule commands |
| commands.py | Updates network-rule commands to use new vault-or-hsm functions and custom wait command |
| custom.py | Implements MHSM IP rule management functions and updates existing commands to support both vault and HSM |
| _help.py | Updates help text to reflect support for both vault and managed HSM |
| test_keyvault_commands.py | Adds comprehensive test coverage for MHSM network rule functionality |

FumingZhang previously approved these changes Sep 23, 2025

@FumingZhang FumingZhang left a comment

approved for acs (AKS)

@evelyn-ys

@microsoft-github-policy-service rerun

@evelyn-ys evelyn-ys merged commit c6ce095 into Azure:dev Sep 24, 2025
48 checks passed

Labels

Auto-Assign Auto assign by bot KeyVault az keyvault
