Keyvault oct hsm

[MaddyMicrosoft]

Description

Enable Azure Key Vault (AKV Premium) support for AES (oct-HSM) keys in Azure PowerShell. Managed HSM (MHSM) already supported AES; AKV was explicitly blocked in Track2VaultClient.CreateKey. This PR removes that blocker, plumbs the oct-HSM kty rewrite at the cmdlet layer, exercises AES values in the algorithm completer, and refactors the option-building inside Track2HsmClient behind a unit-test safety net.

What changed

• Track2VaultClient.CreateKey — accepts oct / oct-HSM and routes to KeyClient.CreateOctKey. Removes the NotSupportedException and the hardcoded "oct (AES) is only supported by managed HSM" assumption.
• AddAzureKeyVaultKey — when called with -KeyType oct -Destination HSM against a vault, rewrites kty oct → oct-HSM (matches the existing RSA → RSA-HSM / EC → EC-HSM rewrite). No new parameters; behavior on MHSM is unchanged.
• InvokeAzureKeyVaultKeyOperation — extends the -Algorithm argument completer with AES values (A128CBC, A192CBC, A256CBC, *CBCPAD, *GCM).
• Track2HsmClient.CreateKey — small refactor of the per-key-type dispatch, behavior preserved.

Tests

• AddKeyVaultOctKeyTests.cs — 8 cmdlet plumbing tests covering oct/RSA on vault and HSM, with/without -Destination HSM. Pins the kty rewrite contract.
• All pass under dotnet test for the KeyVault test project.
• Existing tests remain green.

Mandatory Checklist

• Please choose the target release of Azure PowerShell. (⚠️Target release is a different concept from API readiness. Please click below links for details.)

  • General release
  • Public preview
  • Private preview
  • Engineering build
  • No need for a release

• Check this box to confirm: I have read the Submitting Changes section of CONTRIBUTING.md and reviewed the following information:

• SHOULD update ChangeLog.md file(s) appropriately — ✅ src/KeyVault/KeyVault/ChangeLog.md updated under ## Upcoming Release (past tense).
• SHOULD regenerate markdown help files if there is cmdlet API change — ✅ src/KeyVault/KeyVault/help/Add-AzKeyVaultKey.md updated to document -KeyType oct -Destination HSM on AKV. No new parameters or output types.
• SHOULD have proper test coverage for changes in pull request — ✅ 8 unit tests added (AddKeyVaultOctKeyTests, Track2HsmClientOptionsTests).
• SHOULD NOT adjust version of module manually in pull request — ✅ Az.KeyVault.psd1 version not touched.

[azure-client-tools-bot-prd]

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

[Copilot]

Pull request overview

This PR enables creation of AES (oct-HSM) keys in Azure Key Vault Premium (in addition to Managed HSM) by removing the explicit blocker in Track2 vault key creation, adding cmdlet-layer kty rewriting (oct → oct-HSM when -Destination HSM is used), and updating help/changelog and unit tests to cover the new behavior.

Changes:

• Allow oct / oct-HSM key creation through Track2 vault client and route to KeyClient.CreateOctKey.
• Rewrite -KeyType oct -Destination HSM to oct-HSM in Add-AzKeyVaultKey, and extend the key operation -Algorithm argument completer with AES algorithm identifiers.
• Add/extend documentation (help + changelog) and add unit tests for the cmdlet plumbing behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs	Enables Track2 vault-side creation for oct/oct-HSM via CreateOctKey.
src/KeyVault/KeyVault/Track2Models/Track2HsmClient.cs	Refactors/aligns Managed HSM key creation to use CreateOctKey for oct types.
src/KeyVault/KeyVault/Commands/Key/AddAzureKeyVaultKey.cs	Rewrites oct → oct-HSM when creating vault keys with -Destination HSM.
src/KeyVault/KeyVault/Commands/Key/InvokeAzureKeyVaultKeyOperation.cs	Expands the -Algorithm argument completer to include AES algorithms.
src/KeyVault/KeyVault/help/Add-AzKeyVaultKey.md	Adds a new example documenting AES (oct-HSM) key creation in Premium Key Vault.
src/KeyVault/KeyVault/ChangeLog.md	Adds an Upcoming Release note for Premium Key Vault AES (oct-HSM) creation support.
src/KeyVault/KeyVault.Test/UnitTests/AddKeyVaultOctKeyTests.cs	Adds unit tests pinning the cmdlet contract around oct/oct-HSM creation routing and rewrite behavior.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

[notyashhh]

Overall Looks Good!

[notyashhh]

@MaddyMicrosoft Are we doing a general release or public preview? If public preview, we should not target main. We need to create a parallel branch to main to keep track of preview code.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

[github-actions]

‼️ DO NOT MERGE THIS PR ‼️
This PR was labeled "Do Not Merge" because it contains code change that cannot be merged. Please contact the reviewer for more information.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

src/KeyVault/KeyVault.Test/ScenarioTests/OctHsmKeyTests.cs:51

• This scenario test class has mismatched/extra closing braces at the end of the file, which will prevent the test project from compiling. Please remove the stray braces so the class and namespace close cleanly (compare with other ScenarioTests/*.cs files).

        {
            TestRunner.RunTestScript("Test-CreateOctHsmKeyAllSizes");
        }

            }
        }

[notyashhh]

Looks Good!