[Network]: Command Onboard for Private Endpoint and Private Link Serv…

…ice (#10258) * Initial work. * Progress. * upgrade to 2019-04-01 and small fix * In progress * finish the coding work * add --private-link-service-enable-polices and --private-end-point-enable-polices for subnet * test in progress * In progress * comments to command due to service limitation * correct the name of parameter * todo: pls delete/ pls connection * add test for private end point * Add test * Update help and add examples * Update History.rst * increse min_api for PLS * fix linter and style * fix Linter * Improve History to avoid Devops Bug * Fix tests * fix for python2 * update HISTORY.rst * Fix history.rst * improve the help information, use three flag instead of enum type * add example for disabling private endpoint network policies
Azure · Aug 21, 2019 · 03b1e75 · 03b1e75
1 parent 57b1402
commit 03b1e75
Show file tree

Hide file tree

Showing 21 changed files with 7,715 additions and 3,880 deletions.
diff --git a/src/azure-cli/HISTORY.rst b/src/azure-cli/HISTORY.rst
@@ -20,6 +20,13 @@ Release History
 
 * Fix the bug in secret set command that igores the expires argument
 
+**Network**
+
+* az network lb create/frontend-ip create: Fixes #10018. Support `--private-ip-address-version` argument to create IPv6 based private-ip-address 
+* az network private-endpoint create/update/list-types: Fixes #9474. Support create/update/list-types commands for private endpoint.
+* az network private-link-service: Fixes #9475. Onboard commands for private link service.
+* az network vnet subnet update: Support `--private-endpoint-network-policies` and `--private-link-service-network-policies` arguments for update command.
+
 **RBAC**
 
 * Fix #10151 - `az ad app update --homepage` not updating homepage.
@@ -34,10 +41,6 @@ Release History
 
 * Add `revoke-delegation-keys` command for storage account
 
-**Network**
-
-* az network lb create/frontend-ip create: Fixes #10018. Support `--private-ip-address-version` argument to create IPv6 based private-ip-address 
-
 2.0.71
 ++++++
 

diff --git a/src/azure-cli/azure/cli/command_modules/network/_client_factory.py b/src/azure-cli/azure/cli/command_modules/network/_client_factory.py
@@ -84,6 +84,14 @@ def cf_private_endpoints(cli_ctx, _):
     return network_client_factory(cli_ctx).private_endpoints
 
 
+def cf_private_endpoint_types(cli_ctx, _):
+    return network_client_factory(cli_ctx).available_private_endpoint_types
+
+
+def cf_private_link_services(cli_ctx, _):
+    return network_client_factory(cli_ctx).private_link_services
+
+
 def cf_load_balancers(cli_ctx, _):
     return network_client_factory(cli_ctx).load_balancers
 

diff --git a/src/azure-cli/azure/cli/command_modules/network/_help.py b/src/azure-cli/azure/cli/command_modules/network/_help.py
@@ -3191,14 +3191,93 @@
 short-summary: Manage private endpoints.
 """
 
+helps['network private-endpoint create'] = """
+type: command
+short-summary: Create a private endpoint.
+examples:
+  - name: Create a private endpoint.
+    text: az network private-endpoint create -g MyResourceGroup -n MyPE --vnet-name MyVnetName --subnet MySubnet --private-connection-resource-id ""/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/privateLinkServices/MyPLS"" --connection-name tttt -l centralus
+"""
+
+helps['network private-endpoint delete'] = """
+type: command
+short-summary: Delete a private endpoint.
+"""
+
 helps['network private-endpoint list'] = """
 type: command
 short-summary: List private endpoints.
 """
 
 helps['network private-endpoint show'] = """
 type: command
-short-summary: Get the details of an private endpoint.
+short-summary: Get the details of a private endpoint.
+"""
+
+helps['network private-endpoint update'] = """
+type: command
+short-summary: Update a private endpoint.
+examples:
+  - name: Update a private endpoint.
+    text: az network private-endpoint update -g MyResourceGroup -n MyPE --request-message "test" --tags mytag=hello
+"""
+
+helps['network private-link-service'] = """
+type: group
+short-summary: Manage private link services.
+"""
+
+helps['network private-link-service create'] = """
+type: command
+short-summary: Create a private link service.
+examples:
+  - name: Create a private link service
+    text: az network private-link-service create -g MyResourceGroup -n MyPLSName --vnet-name MyVnetName --subnet MySubnet --lb-name MyLBName --lb-frontend-ip-configs LoadBalancerFrontEnd -l centralus
+"""
+
+helps['network private-link-service delete'] = """
+type: command
+short-summary: Delete a private link service.
+"""
+
+helps['network private-link-service list'] = """
+type: command
+short-summary: List private link services.
+"""
+
+helps['network private-link-service show'] = """
+type: command
+short-summary: Get the details of a private link service.
+"""
+
+helps['network private-link-service update'] = """
+type: command
+short-summary: Update a private link service.
+examples:
+  - name: Update a private link service
+    text: az network private-link-service update -g MyResourceGroup -n MyPLSName --visibility SubId1 SubId2 --auto-approval SubId1 SubId2
+"""
+
+helps['network private-link-service connection'] = """
+type: group
+short-summary: Manage private link service endpoint connections.
+"""
+
+helps['network private-link-service connection delete'] = """
+type: command
+short-summary: Delete a private link service endpoint connection.
+"""
+
+helps['network private-link-service connection update'] = """
+type: command
+short-summary: Update a private link service endpoint connection.
+long-summary: >
+    To update the connection status, the name of the connection should be provided.
+    Please obtain this name by running 'az network private-link-service show -g MyResourceGroup -n MyPLSName'.
+    The connection name is under the 'privateEndpointConnections' filed.
+examples:
+  - name: Update the endpoint connections status of private link service
+    text: az network private-link-service connection update -g MyResourceGroup -n MyEndpointName.f072a430-2d82-4470-ab30-d23fcfee58d1 --service-name MyPLSName --connection-status Rejected
 """
 
 helps['network profile'] = """
@@ -3950,6 +4029,8 @@
     text: az network vnet subnet update -g MyResourceGroup -n MySubnet --vnet-name MyVNet --network-security-group MyNsg
   - name: Update subnet with NAT gateway.
     text: az network vnet subnet update -n MySubnet --vnet-name MyVnet -g MyResourceGroup --nat-gateway MyNatGateway --address-prefixes "10.0.0.0/21"
+  - name: Disable the private endpoint network policies
+    text: az network vnet subnet update -n MySubnet --vnet-name MyVnet -g MyResourceGroup --disable-private-endpoint-network-policies
 """
 
 helps['network vnet update'] = """

diff --git a/src/azure-cli/azure/cli/command_modules/network/_params.py b/src/azure-cli/azure/cli/command_modules/network/_params.py
@@ -32,7 +32,7 @@
     WafConfigExclusionAction, validate_express_route_peering, validate_virtual_hub,
     validate_express_route_port, bandwidth_validator_factory,
     get_header_configuration_validator, validate_nat_gateway, validate_match_variables,
-    validate_waf_policy)
+    validate_waf_policy, get_subscription_list_validator, validate_frontend_ip_configs)
 from azure.mgmt.trafficmanager.models import MonitorProtocol, ProfileStatus
 from azure.cli.command_modules.network._completers import (
     subnet_completion_list, get_lb_subresource_completion_list, get_ag_subresource_completion_list,
@@ -607,15 +607,55 @@ def load_arguments(self, _):
         c.argument('location_name', options_list=['--location', '-l'])
     # endregion
 
-    # region InterfaceEndpoint
+    # region PrivateEndpoint
     private_endpoint_name = CLIArgumentType(options_list='--endpoint-name', id_part='name', help='Name of the private endpoint.', completer=get_resource_name_completion_list('Microsoft.Network/interfaceEndpoints'))
 
     with self.argument_context('network private-endpoint') as c:
         c.argument('private_endpoint_name', private_endpoint_name, options_list=['--name', '-n'])
         c.argument('location', get_location_type(self.cli_ctx), validator=get_default_location_from_resource_group)
+        c.argument('subnet', validator=get_subnet_validator(), help='Name or ID of an existing subnet. If name is specified, also specify --vnet-name.', id_part=None)
+        c.argument('virtual_network_name', help='The virtual network (VNet) associated with the subnet (Omit if supplying a subnet id).', metavar='', id_part=None)
+        c.argument('private_connection_resource_id', help='The resource id of which private enpoint connect to')
+        c.argument('group_ids', nargs='+', help='The ID(s) of the group(s) obtained from the remote resource that this private endpoint should connect to. You can use "az network private-resource show to obtain the list of group ids."')
+        c.argument('request_message', help='A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars.')
+        c.argument('manual_request', help='Use manual request to establish the connection', arg_type=get_three_state_flag())
+        c.argument('connection_name', help='Name of the private link service connection.')
         c.ignore('expand')
     # endregion
 
+    # region PrivateLinkService
+    service_name = CLIArgumentType(options_list='--service-name', id_part='name', help='Name of the private link service.', completer=get_resource_name_completion_list('Microsoft.Network/privateLinkServices'))
+    with self.argument_context('network private-link-service') as c:
+        c.argument('service_name', service_name, options_list=['--name', '-n'])
+        c.argument('auto_approval', nargs='+', help='Space-separated list of subscription IDs to auto-approve.', validator=get_subscription_list_validator('auto_approval', 'PrivateLinkServicePropertiesAutoApproval'))
+        c.argument('visibility', nargs='+', help='Space-separated list of subscription IDs for which the private link service is visible.', validator=get_subscription_list_validator('visibility', 'PrivateLinkServicePropertiesVisibility'))
+        c.argument('frontend_ip_configurations', nargs='+', options_list='--lb-frontend-ip-configs', help='Space-separated list of names or IDs of load balancer frontend IP configurations to link to. If names are used, also supply `--lb-name`.', validator=validate_frontend_ip_configs)
+        c.argument('load_balancer_name', options_list='--lb-name', help='Name of the load balancer to retrieve frontend IP configs from. Ignored if a frontend IP configuration ID is supplied.')
+        c.argument('private_endpoint_connections', nargs='+', help='Space-separated list of private endpoint connections.')
+        c.argument('fqdns', nargs='+', help='Space-separated list of FQDNs.')
+        c.argument('location', get_location_type(self.cli_ctx), validator=get_default_location_from_resource_group)
+
+    with self.argument_context('network private-link-service', arg_group='IP Configuration') as c:
+        c.argument('private_ip_address', private_ip_address_type)
+        c.argument('private_ip_allocation_method', help='Private IP address allocation method', arg_type=get_enum_type(IPAllocationMethod))
+        c.argument('private_ip_address_version', help='IP version of the private IP address.', arg_type=get_enum_type(IPVersion, 'ipv4'))
+        c.argument('public_ip_address', help='Name or ID of the a public IP address to use.', completer=get_resource_name_completion_list('Microsoft.Network/publicIPAddresses'), validator=get_public_ip_validator())
+        c.argument('subnet', help='Name or ID of subnet to use. If name provided, also supply `--vnet-name`.', validator=get_subnet_validator())
+        c.argument('virtual_network_name', options_list='--vnet-name')
+
+    with self.argument_context('network private-link-service connection') as c:
+        c.argument('service_name', service_name, id_part=None)
+        c.argument('pe_connection_name', help='Name of the private endpoint connection. List them by using "az network private-link-service show".', options_list=['--name', '-n'])
+        c.argument('action_required', help='A message indicating if changes on the service provider require any updates on the consumer.')
+        c.argument('description', help='The reason for approval/rejection of the connection.')
+        c.argument('connection_status', help='Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service.', arg_type=get_enum_type(['Approved', 'Rejected', 'Removed']))
+
+    with self.argument_context('network private-link-service ip-configs') as c:
+        c.argument('service_name', service_name)
+        c.argument('ip_config_name', help='Name of the ip configuration.', options_list=['--name', '-n'])
+        c.argument('virtual_network_name', id_part=None)
+    # endregion
+
     # region LoadBalancers
     lb_subresources = [
         {'name': 'address-pool', 'display': 'backend address pool', 'ref': 'backend_address_pools'},
@@ -1130,6 +1170,8 @@ def load_arguments(self, _):
         c.argument('service_endpoints', nargs='+', min_api='2017-06-01')
         c.argument('service_endpoint_policy', nargs='+', min_api='2018-07-01', help='Space-separated list of names or IDs of service endpoint policies to apply.', validator=validate_service_endpoint_policy)
         c.argument('delegations', nargs='+', min_api='2017-08-01', help='Space-separated list of services to whom the subnet should be delegated. (e.g. Microsoft.Sql/servers)', validator=validate_delegations)
+        c.argument('disable_private_endpoint_network_policies', arg_type=get_three_state_flag(positive_label='Disabled', negative_label='Enabled'), min_api='2019-04-01', help='Disable private endpoint network policies on the subnet.')
+        c.argument('disable_private_link_service_network_policies', arg_type=get_three_state_flag(positive_label='Disabled', negative_label='Enabled'), min_api='2019-04-01', help='Disable private link service network policies on the subnet.')
 
     with self.argument_context('network vnet subnet update') as c:
         c.argument('network_security_group', validator=get_nsg_validator(), help='Name or ID of a network security group (NSG). Use empty string "" to detach it.')

diff --git a/src/azure-cli/azure/cli/command_modules/network/_validators.py b/src/azure-cli/azure/cli/command_modules/network/_validators.py
@@ -52,6 +52,18 @@ def _validate_asg_name_or_id(cmd, namespace):
     return _validate_asg_name_or_id
 
 
+def get_subscription_list_validator(dest, model_class):
+
+    def _validate_subscription_list(cmd, namespace):
+        val = getattr(namespace, dest, None)
+        if not val:
+            return
+        model = cmd.get_models(model_class)
+        setattr(namespace, dest, model(subscriptions=val))
+
+    return _validate_subscription_list
+
+
 def get_vnet_validator(dest):
     from msrestazure.tools import is_valid_resource_id, resource_id
 

diff --git a/src/azure-cli/azure/cli/command_modules/network/commands.py b/src/azure-cli/azure/cli/command_modules/network/commands.py
@@ -26,7 +26,7 @@
     cf_service_endpoint_policy_definitions, cf_dns_references, cf_private_endpoints, cf_network_profiles,
     cf_express_route_circuit_connections, cf_express_route_gateways, cf_express_route_connections,
     cf_express_route_ports, cf_express_route_port_locations, cf_express_route_links, cf_app_gateway_waf_policy,
-    cf_service_tags)
+    cf_service_tags, cf_private_link_services, cf_private_endpoint_types)
 from azure.cli.command_modules.network._util import (
     list_network_resource_property, get_network_resource_property_entry, delete_network_resource_property_entry)
 from azure.cli.command_modules.network._format import (
@@ -174,6 +174,12 @@ def load_command_table(self, _):
         min_api='2018-08-01'
     )
 
+    network_private_link_service_sdk = CliCommandType(
+        operations_tmpl='azure.mgmt.network.operations#PrivateLinkServicesOperations.{}',
+        client_factory=cf_private_link_services,
+        min_api='2019-04-01'
+    )
+
     network_lb_sdk = CliCommandType(
         operations_tmpl='azure.mgmt.network.operations#LoadBalancersOperations.{}',
         client_factory=cf_load_balancers
@@ -577,8 +583,37 @@ def _make_singular(value):
 
     # region PrivateEndpoint
     with self.command_group('network private-endpoint', network_private_endpoint_sdk) as g:
+        g.custom_command('create', 'create_private_endpoint', min_api='2019-04-01', is_preview=True)
+        g.command('delete', 'delete', min_api='2019-04-01', is_preview=True)
         g.custom_command('list', 'list_private_endpoints')
         g.show_command('show')
+        g.generic_update_command('update', custom_func_name='update_private_endpoint', is_preview=True, min_api='2019-04-01')
+        g.command(
+            'list-types', 'list',
+            operations_tmpl='azure.mgmt.network.operations#AvailablePrivateEndpointTypesOperations.{}',
+            client_factory=cf_private_endpoint_types,
+            is_preview=True,
+            min_api='2019-04-01'
+        )
+    # endregion
+
+    # region PrivateLinkServices
+    with self.command_group('network private-link-service', network_private_link_service_sdk, is_preview=True) as g:
+        g.custom_command('create', 'create_private_link_service')
+        g.command('delete', 'delete')
+        g.custom_command('list', 'list_private_link_services')
+        g.show_command('show')
+        g.generic_update_command('update', custom_func_name='update_private_link_service')
+
+    with self.command_group('network private-link-service connection', network_private_link_service_sdk) as g:
+        g.command('delete', 'delete_private_endpoint_connection')
+        g.custom_command('update', 'update_private_endpoint_connection')
+
+    # TODO: Due to service limitation.
+    # with self.command_group('network private-link-service ip-configs', network_private_link_service_sdk) as g:
+    #     g.custom_command('add', 'add_private_link_services_ipconfig')
+    #     g.custom_command('remove', 'remove_private_link_services_ipconfig')
+
     # endregion
 
     # region LoadBalancers