Hide CustomerManagedKeyEncryption types as internal; add V4 Foundations replacements

markcowl · Copilot · markcowl · commit eac2801d102f · 2026-06-18T13:16:35.000-07:00
Mark CustomerManagedKeyEncryption, KeyEncryptionKeyIdentity, and
KeyEncryptionKeyIdentityType as internal in the CommonTypes namespace,
preventing direct use in service specifications.

Add CustomerManagedKeyEncryptionV4, KeyEncryptionKeyIdentityV4, and
KeyEncryptionKeyIdentityTypeV4 in Azure.ResourceManager.Foundations as
public replacement types.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.chronus/changes/hide-cmk-internal-2026-6-12-17-1-0.md b/.chronus/changes/hide-cmk-internal-2026-6-12-17-1-0.md
@@ -0,0 +1,14 @@
+---
+changeKind: feature
+packages:
+  - "@azure-tools/typespec-azure-resource-manager"
+---
+
+Hide `CustomerManagedKeyEncryption`, `KeyEncryptionKeyIdentity`, and `KeyEncryptionKeyIdentityType` common types by marking them `internal`. Add public replacement types `CustomerManagedKeyEncryptionV4`, `KeyEncryptionKeyIdentityV4`, and `KeyEncryptionKeyIdentityTypeV4` in the `Azure.ResourceManager.Foundations` namespace.
+
+```tsp
+// Use the new Foundations types instead of the internal CommonTypes types:
+model EncryptionConfig {
+  customerManagedKey?: Azure.ResourceManager.Foundations.CustomerManagedKeyEncryptionV4;
+}
+```
diff --git a/packages/typespec-azure-resource-manager/lib/backcompat.tsp b/packages/typespec-azure-resource-manager/lib/backcompat.tsp
@@ -6,7 +6,6 @@ namespace Azure.ResourceManager;
 alias InfrastructureEncryption = CommonTypes.InfrastructureEncryption;
 alias KeyEncryptionIdentity = CommonTypes.KeyEncryptionKeyIdentity;
 alias KeyEncryptionKeyIdentity = CommonTypes.KeyEncryptionKeyIdentity;
-alias CustomerManagedKeyEncryption = CommonTypes.CustomerManagedKeyEncryption;
 alias EncryptionConfiguration = CommonTypes.Encryption;
 
 // private-links
diff --git a/packages/typespec-azure-resource-manager/lib/common-types/customer-managed-keys.tsp b/packages/typespec-azure-resource-manager/lib/common-types/customer-managed-keys.tsp
@@ -49,7 +49,8 @@ model KeyEncryptionKeyIdentity {
 
 /** Customer-managed key encryption properties for the resource. */
 @added(Versions.v4)
-model CustomerManagedKeyEncryption {
+#suppress "experimental-feature" "internal is intentional for this type"
+internal model CustomerManagedKeyEncryption {
   /** All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault. */
   keyEncryptionKeyIdentity?: KeyEncryptionKeyIdentity;
 
diff --git a/packages/typespec-azure-resource-manager/lib/foundations/arm.foundations.tsp b/packages/typespec-azure-resource-manager/lib/foundations/arm.foundations.tsp
@@ -3,6 +3,7 @@ import "@typespec/rest";
 
 import "./backcompat.tsp";
 import "./deprecation.tsp";
+import "./encryption.tsp";
 import "../common-types/common-types.tsp";
 import "../decorators.tsp";
 import "../responses.tsp";
diff --git a/packages/typespec-azure-resource-manager/lib/foundations/encryption.tsp b/packages/typespec-azure-resource-manager/lib/foundations/encryption.tsp
@@ -0,0 +1,41 @@
+using Azure.Core;
+
+namespace Azure.ResourceManager.Foundations;
+
+/** The type of identity to use. */
+union KeyEncryptionKeyIdentityTypeV4 {
+  /** System assigned identity */
+  SystemAssignedIdentity: "systemAssignedIdentity",
+
+  /** User assigned identity */
+  UserAssignedIdentity: "userAssignedIdentity",
+
+  /** Delegated identity */
+  DelegatedResourceIdentity: "delegatedResourceIdentity",
+
+  string,
+}
+
+/** All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault. */
+model KeyEncryptionKeyIdentityV4 {
+  /** The type of identity to use. Values can be systemAssignedIdentity, userAssignedIdentity, or delegatedResourceIdentity. */
+  identityType?: KeyEncryptionKeyIdentityTypeV4;
+
+  /** User assigned identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity. */
+  userAssignedIdentityResourceId?: Azure.Core.armResourceIdentifier;
+
+  /** application client identity to use for accessing key encryption key Url in a different tenant. Ex: f83c6b1b-4d34-47e4-bb34-9d83df58b540 */
+  federatedClientId?: uuid;
+
+  /** delegated identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity and userAssignedIdentity - internal use only. */
+  delegatedIdentityClientId?: uuid;
+}
+
+/** Customer-managed key encryption properties for the resource. */
+model CustomerManagedKeyEncryptionV4 {
+  /** All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault. */
+  keyEncryptionKeyIdentity?: KeyEncryptionKeyIdentityV4;
+
+  /** key encryption key Url, versioned or non-versioned. Ex: https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78 or https://contosovault.vault.azure.net/keys/contosokek. */
+  keyEncryptionKeyUrl?: string;
+}
diff --git a/packages/typespec-azure-resource-manager/test/foundations-encryption.test.ts b/packages/typespec-azure-resource-manager/test/foundations-encryption.test.ts
@@ -0,0 +1,110 @@
+import { Tester } from "#test/tester.js";
+import { TesterInstance } from "@typespec/compiler/testing";
+import { beforeEach, describe, it } from "vitest";
+
+let runner: TesterInstance;
+
+beforeEach(async () => {
+  runner = await Tester.createInstance();
+});
+
+describe("CustomerManagedKeyEncryptionV4 foundations type", () => {
+  it("can be used in a service spec as a property type", async () => {
+    const diagnostics = await runner.diagnose(
+      `
+      @armProviderNamespace
+      @service
+      namespace Microsoft.Contoso;
+
+      model EncryptionConfig {
+        customerManagedKey?: Azure.ResourceManager.Foundations.CustomerManagedKeyEncryptionV4;
+      }
+    `,
+    );
+    expectDiagnosticEmpty(diagnostics);
+  });
+
+  it("exposes keyEncryptionKeyIdentity and keyEncryptionKeyUrl properties", async () => {
+    const diagnostics = await runner.diagnose(
+      `
+      @armProviderNamespace
+      @service
+      namespace Microsoft.Contoso;
+
+      model EncryptionConfig {
+        customerManagedKey?: Azure.ResourceManager.Foundations.CustomerManagedKeyEncryptionV4;
+      }
+
+      model UsesIdentity {
+        identity?: Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityV4;
+      }
+    `,
+    );
+    expectDiagnosticEmpty(diagnostics);
+  });
+
+  it("KeyEncryptionKeyIdentityTypeV4 union can be referenced", async () => {
+    const diagnostics = await runner.diagnose(
+      `
+      @armProviderNamespace
+      @service
+      namespace Microsoft.Contoso;
+
+      model IdentityConfig {
+        identityType?: Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityTypeV4;
+      }
+    `,
+    );
+    expectDiagnosticEmpty(diagnostics);
+  });
+
+  it("CustomerManagedKeyEncryption is internal and cannot be used outside Azure.ResourceManager", async () => {
+    const diagnostics = await runner.diagnose(
+      `
+      @armProviderNamespace
+      @service
+      namespace Microsoft.Contoso;
+
+      model EncryptionConfig {
+        customerManagedKey?: Azure.ResourceManager.CommonTypes.CustomerManagedKeyEncryption;
+      }
+    `,
+    );
+    expectDiagnosticNotEmpty(diagnostics);
+  });
+
+  it("Encryption wrapper type remains public and usable", async () => {
+    const diagnostics = await runner.diagnose(
+      `
+      @service(#{ title: "Test" })
+      @versioned(Microsoft.Contoso.Versions)
+      @armProviderNamespace
+      namespace Microsoft.Contoso;
+
+      enum Versions {
+        @armCommonTypesVersion(Azure.ResourceManager.CommonTypes.Versions.v4)
+        v4;
+      }
+
+      model ResourceProperties {
+        encryption?: Azure.ResourceManager.CommonTypes.Encryption;
+      }
+    `,
+    );
+    expectDiagnosticEmpty(diagnostics);
+  });
+});
+
+function expectDiagnosticEmpty(diagnostics: readonly any[]) {
+  if (diagnostics.length > 0) {
+    throw new Error(
+      `Expected no diagnostics but got ${diagnostics.length}: ${diagnostics.map((d) => `${d.code}: ${d.message}`).join(", ")}`,
+    );
+  }
+}
+
+function expectDiagnosticNotEmpty(diagnostics: readonly any[]) {
+  if (diagnostics.length === 0) {
+    throw new Error("Expected diagnostics but got none");
+  }
+}
diff --git a/website/src/content/docs/docs/libraries/azure-resource-manager/reference/data-types.md b/website/src/content/docs/docs/libraries/azure-resource-manager/reference/data-types.md
@@ -1979,21 +1979,6 @@ model Azure.ResourceManager.CommonTypes.CheckNameAvailabilityResponse
 | reason?        | [`CheckNameAvailabilityReason`](./data-types.md#Azure.ResourceManager.CommonTypes.CheckNameAvailabilityReason) | The reason why the given name is not available.      |
 | message?       | `string`                                                                                                       | Detailed reason why the given name is not available. |
 
-### `CustomerManagedKeyEncryption` {#Azure.ResourceManager.CommonTypes.CustomerManagedKeyEncryption}
-
-Customer-managed key encryption properties for the resource.
-
-```typespec
-model Azure.ResourceManager.CommonTypes.CustomerManagedKeyEncryption
-```
-
-#### Properties
-
-| Name                      | Type                                                                                                     | Description                                                                                                                                                                                            |
-| ------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| keyEncryptionKeyIdentity? | [`KeyEncryptionKeyIdentity`](./data-types.md#Azure.ResourceManager.CommonTypes.KeyEncryptionKeyIdentity) | All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault.                                                                              |
-| keyEncryptionKeyUrl?      | `string`                                                                                                 | key encryption key Url, versioned or non-versioned. Ex: https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78 or https://contosovault.vault.azure.net/keys/contosokek. |
-
 ### `DelegatedResource` {#Azure.ResourceManager.CommonTypes.DelegatedResource}
 
 Delegated resource properties - internal use only.
@@ -2035,10 +2020,10 @@ model Azure.ResourceManager.CommonTypes.Encryption
 
 #### Properties
 
-| Name                          | Type                                                                                                             | Description                                                      |
-| ----------------------------- | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
-| infrastructureEncryption?     | [`InfrastructureEncryption`](./data-types.md#Azure.ResourceManager.CommonTypes.InfrastructureEncryption)         | Values are enabled and disabled.                                 |
-| customerManagedKeyEncryption? | [`CustomerManagedKeyEncryption`](./data-types.md#Azure.ResourceManager.CommonTypes.CustomerManagedKeyEncryption) | All Customer-managed key encryption properties for the resource. |
+| Name                          | Type                                                                                                     | Description                                                      |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
+| infrastructureEncryption?     | [`InfrastructureEncryption`](./data-types.md#Azure.ResourceManager.CommonTypes.InfrastructureEncryption) | Values are enabled and disabled.                                 |
+| customerManagedKeyEncryption? | `Azure.ResourceManager.CommonTypes.CustomerManagedKeyEncryption`                                         | All Customer-managed key encryption properties for the resource. |
 
 ### `EncryptionProperties` {#Azure.ResourceManager.CommonTypes.EncryptionProperties}
 
@@ -3792,6 +3777,21 @@ model Azure.ResourceManager.Foundations.ArmTagsProperty
 | ----- | ---------------- | -------------- |
 | tags? | `Record<string>` | Resource tags. |
 
+### `CustomerManagedKeyEncryptionV4` {#Azure.ResourceManager.Foundations.CustomerManagedKeyEncryptionV4}
+
+Customer-managed key encryption properties for the resource.
+
+```typespec
+model Azure.ResourceManager.Foundations.CustomerManagedKeyEncryptionV4
+```
+
+#### Properties
+
+| Name                      | Type                                                                                                         | Description                                                                                                                                                                                            |
+| ------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| keyEncryptionKeyIdentity? | [`KeyEncryptionKeyIdentityV4`](./data-types.md#Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityV4) | All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault.                                                                              |
+| keyEncryptionKeyUrl?      | `string`                                                                                                     | key encryption key Url, versioned or non-versioned. Ex: https://contosovault.vault.azure.net/keys/contosokek/562a4bb76b524a1493a6afe8e536ee78 or https://contosovault.vault.azure.net/keys/contosokek. |
+
 ### `DefaultBaseParameters` {#Azure.ResourceManager.Foundations.DefaultBaseParameters}
 
 Base parameters for a resource.
@@ -3853,6 +3853,23 @@ model Azure.ResourceManager.Foundations.ExtensionScope<Resource>
 | resourceUri | `string`                         | The fully qualified Azure Resource manager identifier of the resource. |
 | provider    | `"Microsoft.ThisWillBeReplaced"` |                                                                        |
 
+### `KeyEncryptionKeyIdentityV4` {#Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityV4}
+
+All identity configuration for Customer-managed key settings defining which identity should be used to auth to Key Vault.
+
+```typespec
+model Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityV4
+```
+
+#### Properties
+
+| Name                            | Type                                                                                                                 | Description                                                                                                                                                                                                                                                                                                                        |
+| ------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| identityType?                   | [`KeyEncryptionKeyIdentityTypeV4`](./data-types.md#Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityTypeV4) | The type of identity to use. Values can be systemAssignedIdentity, userAssignedIdentity, or delegatedResourceIdentity.                                                                                                                                                                                                             |
+| userAssignedIdentityResourceId? | `Azure.Core.armResourceIdentifier`                                                                                   | User assigned identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity.                                          |
+| federatedClientId?              | `Azure.Core.uuid`                                                                                                    | application client identity to use for accessing key encryption key Url in a different tenant. Ex: f83c6b1b-4d34-47e4-bb34-9d83df58b540                                                                                                                                                                                            |
+| delegatedIdentityClientId?      | `Azure.Core.uuid`                                                                                                    | delegated identity to use for accessing key encryption key Url. Ex: /subscriptions/fa5fc227-a624-475e-b696-cdd604c735bc/resourceGroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId. Mutually exclusive with identityType systemAssignedIdentity and userAssignedIdentity - internal use only. |
+
 ### `LocationBaseParameters` {#Azure.ResourceManager.Foundations.LocationBaseParameters}
 
 The static parameters for a location-based resource
@@ -4106,6 +4123,22 @@ model Azure.ResourceManager.Foundations.TenantScope<Resource>
 | apiVersion | `string`                         | The API version to use for this operation. |
 | provider   | `"Microsoft.ThisWillBeReplaced"` |                                            |
 
+### `KeyEncryptionKeyIdentityTypeV4` {#Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityTypeV4}
+
+The type of identity to use.
+
+```typespec
+union Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityTypeV4
+```
+
+#### Variants
+
+| Name                      | Type                          | Description              |
+| ------------------------- | ----------------------------- | ------------------------ |
+| SystemAssignedIdentity    | `"systemAssignedIdentity"`    | System assigned identity |
+| UserAssignedIdentity      | `"userAssignedIdentity"`      | User assigned identity   |
+| DelegatedResourceIdentity | `"delegatedResourceIdentity"` | Delegated identity       |
+
 ## Azure.ResourceManager.Legacy
 
 ### `ArmFeatureOptions` {#Azure.ResourceManager.Legacy.ArmFeatureOptions}
diff --git a/website/src/content/docs/docs/libraries/azure-resource-manager/reference/index.mdx b/website/src/content/docs/docs/libraries/azure-resource-manager/reference/index.mdx
@@ -227,7 +227,6 @@ npm install --save-peer @azure-tools/typespec-azure-resource-manager
 - [`AzureEntityResource`](./data-types.md#Azure.ResourceManager.CommonTypes.AzureEntityResource)
 - [`CheckNameAvailabilityRequest`](./data-types.md#Azure.ResourceManager.CommonTypes.CheckNameAvailabilityRequest)
 - [`CheckNameAvailabilityResponse`](./data-types.md#Azure.ResourceManager.CommonTypes.CheckNameAvailabilityResponse)
-- [`CustomerManagedKeyEncryption`](./data-types.md#Azure.ResourceManager.CommonTypes.CustomerManagedKeyEncryption)
 - [`DelegatedResource`](./data-types.md#Azure.ResourceManager.CommonTypes.DelegatedResource)
 - [`DelegatedResources`](./data-types.md#Azure.ResourceManager.CommonTypes.DelegatedResources)
 - [`Encryption`](./data-types.md#Azure.ResourceManager.CommonTypes.Encryption)
@@ -344,9 +343,11 @@ npm install --save-peer @azure-tools/typespec-azure-resource-manager
 ### Models
 
 - [`ArmTagsProperty`](./data-types.md#Azure.ResourceManager.Foundations.ArmTagsProperty)
+- [`CustomerManagedKeyEncryptionV4`](./data-types.md#Azure.ResourceManager.Foundations.CustomerManagedKeyEncryptionV4)
 - [`DefaultBaseParameters`](./data-types.md#Azure.ResourceManager.Foundations.DefaultBaseParameters)
 - [`ExtensionBaseParameters`](./data-types.md#Azure.ResourceManager.Foundations.ExtensionBaseParameters)
 - [`ExtensionScope`](./data-types.md#Azure.ResourceManager.Foundations.ExtensionScope)
+- [`KeyEncryptionKeyIdentityV4`](./data-types.md#Azure.ResourceManager.Foundations.KeyEncryptionKeyIdentityV4)
 - [`LocationBaseParameters`](./data-types.md#Azure.ResourceManager.Foundations.LocationBaseParameters)
 - [`LocationScope`](./data-types.md#Azure.ResourceManager.Foundations.LocationScope)
 - [`ProxyResourceUpdateModel`](./data-types.md#Azure.ResourceManager.Foundations.ProxyResourceUpdateModel)
