Remove v5/v6 common-types refs for CustomerManagedKeyEncryption

markcowl · Copilot · markcowl · commit b75b1272eb3f · 2026-06-01T15:40:18.000-07:00
- Created new types in Azure.ResourceManager.Foundations namespace that duplicate CustomerManagedKeyEncryption and its dependencies - Removed @@armCommonDefinition augment decorators for v5 and v6 versions of CustomerManagedKeyEncryption (type was removed from common-types after v4) - Deprecated CustomerManagedKeyEncryption, directing users to use the Encryption type instead Fixes #4513 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/packages/typespec-azure-resource-manager/lib/common-types/customer-managed-keys-ref.tsp b/packages/typespec-azure-resource-manager/lib/common-types/customer-managed-keys-ref.tsp
@@ -29,15 +29,3 @@ namespace Azure.ResourceManager.CommonTypes;
   #{ version: Azure.ResourceManager.CommonTypes.Versions.v4, isDefault: true },
   "customermanagedkeys.json"
 );
-@@armCommonDefinition(
-  CustomerManagedKeyEncryption,
-  "customerManagedKeyEncryption",
-  Azure.ResourceManager.CommonTypes.Versions.v5,
-  "customermanagedkeys.json"
-);
-@@armCommonDefinition(
-  CustomerManagedKeyEncryption,
-  "customerManagedKeyEncryption",
-  Azure.ResourceManager.CommonTypes.Versions.v6,
-  "customermanagedkeys.json"
-);
diff --git a/packages/typespec-azure-resource-manager/lib/common-types/customer-managed-keys.tsp b/packages/typespec-azure-resource-manager/lib/common-types/customer-managed-keys.tsp
@@ -48,6 +48,7 @@ model KeyEncryptionKeyIdentity {
 }
 
 /** Customer-managed key encryption properties for the resource. */
+#deprecated "Use Azure.ResourceManager.CommonTypes.Encryption instead"
 @added(Versions.v4)
 model CustomerManagedKeyEncryption {
   /** All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault. */
diff --git a/packages/typespec-azure-resource-manager/lib/foundations/arm.foundations.tsp b/packages/typespec-azure-resource-manager/lib/foundations/arm.foundations.tsp
@@ -3,6 +3,7 @@ import "@typespec/rest";
 
 import "./backcompat.tsp";
 import "./deprecation.tsp";
+import "./encryption.tsp";
 import "../common-types/common-types.tsp";
 import "../decorators.tsp";
 import "../responses.tsp";
diff --git a/packages/typespec-azure-resource-manager/lib/foundations/encryption.tsp b/packages/typespec-azure-resource-manager/lib/foundations/encryption.tsp
@@ -0,0 +1,39 @@
+namespace Azure.ResourceManager.Foundations;
+
+/** The type of identity to use. */
+union KeyEncryptionKeyIdentityType {
+  /** System assigned identity */
+  SystemAssignedIdentity: "systemAssignedIdentity",
+
+  /** User assigned identity */
+  UserAssignedIdentity: "userAssignedIdentity",
+
+  /** Delegated identity */
+  DelegatedResourceIdentity: "delegatedResourceIdentity",
+
+  string,
+}
+
+/** All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault. */
+model KeyEncryptionKeyIdentity {
+  /** The type of identity to use. Values can be systemAssignedIdentity, userAssignedIdentity, or delegatedResourceIdentity. */
+  identityType?: KeyEncryptionKeyIdentityType;
+
+  /** User assigned identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity. */
+  userAssignedIdentityResourceId?: Azure.Core.armResourceIdentifier;
+
+  /** application client identity to use for accessing key encryption key Url in a different tenant. Ex: f83c6b1b-4d34-47e4-bb34-9d83df58b540 */
+  federatedClientId?: uuid;
+
+  /** delegated identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity and userAssignedIdentity - internal use only. */
+  delegatedIdentityClientId?: uuid;
+}
+
+/** Customer-managed key encryption properties for the resource. */
+model CustomerManagedKeyEncryption {
+  /** All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault. */
+  keyEncryptionKeyIdentity?: KeyEncryptionKeyIdentity;
+
+  /** key encryption key Url, versioned or non-versioned. Ex: https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78 or https://contosovault.vault.azure.net/keys/contosokek. */
+  keyEncryptionKeyUrl?: string;
+}

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ model KeyEncryptionKeyIdentity {`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`/** Customer-managed key encryption properties for the resource. */`
	`51`	`+#deprecated "Use Azure.ResourceManager.CommonTypes.Encryption instead"`
`51`	`52`	`@added(Versions.v4)`
`52`	`53`	`model CustomerManagedKeyEncryption {`
`53`	`54`	`/** All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault. */`