Replaced parameter EnableRbacAuthorization by DisableRbacAuthorization in New-AzKeyVault and Update-AzKeyVault (#24675)

* wip

* RBAC will be enabled by default during the process of key vault creation.

* add BreakingChangeIssues.csv

* update help docs and test cases

* remove unrelated files

* refresh examples

Author: BethanyZhou

src/KeyVault/KeyVault.Test/LiveTests/TestLiveScenarios.ps1

@@ -47,7 +47,7 @@ Invoke-LiveTestScenario -Name "Update key vault" -Description "Test updating pro
     # Update EnableRbacAuthorization
     $vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Location $vaultLocation
 
-    $vault = $vault | Update-AzKeyVault -EnableRbacAuthorization $false
+    $vault = $vault | Update-AzKeyVault -DisableRbacAuthorization $true
     Assert-False { $vault.EnableRbacAuthorization } "EnableRbacAuthorization should be false"
 
     # Update Tags

src/KeyVault/KeyVault.Test/ScenarioTests/KeyVaultManagementTests.ps1

@@ -134,7 +134,7 @@ function Test-CreateNewVault {
         Assert-AreEqual 10 $actual.SoftDeleteRetentionInDays "SoftDeleteRetentionInDays should be the same value as set"
 
         # Test enable RbacAuthorization
-        $actual = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation -EnableRbacAuthorization
+        $actual = New-AzKeyVault -VaultName (getAssetName) -ResourceGroupName $rgName -Location $vaultLocation
         Assert-True { $actual.EnableRbacAuthorization } "If specified, EnableRbacAuthorization should be true"
 
         # Test positional parameters
@@ -823,11 +823,11 @@ function Test-UpdateKeyVault {
         # Assert-Throws { $vault = $vault | Update-AzKeyVault -SoftDeleteRetentionInDays 80}
 
         #Set EnableRbacAuthorization true
-        $vault = $vault | Update-AzKeyVault -EnableRbacAuthorization $true
+        $vault = $vault | Update-AzKeyVault -DisableRbacAuthorization $false
         Assert-True { $vault.EnableRbacAuthorization } "5. EnableRbacAuthorization should be true"
 
         #Set EnableRbacAuthorization false
-        $vault = $vault | Update-AzKeyVault -EnableRbacAuthorization $false
+        $vault = $vault | Update-AzKeyVault -DisableRbacAuthorization $true
         Assert-False { $vault.EnableRbacAuthorization } "6. EnableRbacAuthorization should be false"
 
         # Update Tags

src/KeyVault/KeyVault/ChangeLog.md

@@ -18,6 +18,8 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* [Breaking Change] Replaced parameter `EnableRbacAuthorization` by `DisableRbacAuthorization` in `New-AzKeyVault` and `Update-AzKeyVault`.
+    - RBAC will be enabled by default during the process of key vault creation. 
 * Introduced secrets detection feature to safeguard sensitive data.
 * [Upcoming Breaking Change] Added breaking change warning message for parameter `UseDefaultCVMPolicy` of `Add-AzKeyVaultKey`.
     - The offline fallback policy will be removed. Key creation will fail if unable to get regional default CVM SKR policy from MAA Service Discovery API.
@@ -30,7 +32,7 @@
 * [Upcoming Breaking Change] Added breaking change warning message for parameter `EnableRbacAuthorization` of `New-AzKeyVault` and `Update-AzKeyVault`.
     - RBAC will be enabled by default during the process of key vault creation. To disable RBAC authorization, please use parameter 'DisableRbacAuthorization'.
     - Parameter `EnableRbacAuthorization` is expected to be removed in Az.KeyVault 6.0.0 and Az 12.0.0.
-    - Parameter `EnableRbacAuthorization` is expected to be replaced by  `DisableRbacAuthorization`.
+    - Parameter `EnableRbacAuthorization` is expected to be replaced by `DisableRbacAuthorization`.
 * Upgraded Azure.Core to 1.37.0.
 
 ## Version 5.2.1

src/KeyVault/KeyVault/Commands/GetAzureKeyVault.cs renamed to src/KeyVault/KeyVault/Commands/KeyVault/GetAzureKeyVault.cs

@@ -88,10 +88,9 @@ public class NewAzureKeyVault : KeyVaultManagementCmdletBase
             HelpMessage = "If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well. Enabling 'purge protection' on a key vault is an irreversible action. Once enabled, it cannot be changed or removed.")]
         public SwitchParameter EnablePurgeProtection { get; set; }
 
-        [CmdletParameterBreakingChangeWithVersion(nameof(EnableRbacAuthorization), "12.0.0", "6.0.0", ReplaceMentCmdletParameterName = "DisableRbacAuthorization", ChangeDescription = "RBAC will be enabled by default during the process of key vault creation. To disable RBAC authorization, please use parameter 'DisableRbacAuthorization'.")]
         [Parameter(Mandatory = false,
-            HelpMessage = "If specified, enables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC.")]
-        public SwitchParameter EnableRbacAuthorization { get; set; }
+            HelpMessage = "If specified, disables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC.")]
+        public SwitchParameter DisableRbacAuthorization { get; set; }
 
         [Parameter(Mandatory = false, HelpMessage = "Specifies how long deleted resources are retained, and how long until a vault or an object in the deleted state can be purged. The default is " + Constants.DefaultSoftDeleteRetentionDaysString + " days.")]
         [ValidateRange(Constants.MinSoftDeleteRetentionDays, Constants.MaxSoftDeleteRetentionDays)]
@@ -169,7 +168,7 @@ public override void ExecuteCmdlet()
                     EnabledForDiskEncryption = EnabledForDiskEncryption.IsPresent ? true : null as bool?,
                     EnableSoftDelete = null,
                     EnablePurgeProtection = EnablePurgeProtection.IsPresent ? true : (bool?)null, // false is not accepted
-                    EnableRbacAuthorization = EnableRbacAuthorization.IsPresent ? true : null as bool?,
+                    EnableRbacAuthorization = DisableRbacAuthorization.IsPresent ? false : true,
                     /*
                      * If retention days is not specified, use the default value,
                      * else use the vault user provides

src/KeyVault/KeyVault/Commands/NewAzureKeyVault.cs renamed to src/KeyVault/KeyVault/Commands/KeyVault/NewAzureKeyVault.cs

@@ -52,9 +52,8 @@ public class UpdateTopLevelResourceCommand : KeyVaultManagementCmdletBase
         [Parameter(Mandatory = false, HelpMessage = "Enable the purge protection functionality for this key vault. Once enabled it cannot be disabled. It requires soft-delete to be turned on.")]
         public SwitchParameter EnablePurgeProtection { get; set; }
 
-        [CmdletParameterBreakingChangeWithVersion(nameof(EnableRbacAuthorization), "12.0.0", "6.0.0", ReplaceMentCmdletParameterName = "DisableRbacAuthorization", ChangeDescription = "RBAC will be enabled by default during the process of key vault creation. To disable RBAC authorization, please use parameter 'DisableRbacAuthorization'.")]
-        [Parameter(Mandatory = false, HelpMessage = "Enable or disable this key vault to authorize data actions by Role Based Access Control (RBAC).")]
-        public bool? EnableRbacAuthorization { get; set; }
+        [Parameter(Mandatory = false, HelpMessage = "Disable or enable this key vault to authorize data actions by Role Based Access Control (RBAC).")]
+        public bool? DisableRbacAuthorization { get; set; }
 
         [Parameter(Mandatory = false,
             HelpMessage = "Specifies whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules.")]
@@ -105,7 +104,7 @@ public override void ExecuteCmdlet()
                     updatedParamater: new VaultCreationOrUpdateParameters
                     {
                         EnablePurgeProtection = this.EnablePurgeProtection.IsPresent ? (true as bool?) : null,
-                        EnableRbacAuthorization = this.EnableRbacAuthorization,
+                        EnableRbacAuthorization = this.DisableRbacAuthorization == null ? null : !this.DisableRbacAuthorization,
                         PublicNetworkAccess = this.PublicNetworkAccess,
                         Tags = this.Tag
                     }

src/KeyVault/KeyVault/Commands/RemoveAzureKeyVault.cs renamed to src/KeyVault/KeyVault/Commands/KeyVault/RemoveAzureKeyVault.cs

@@ -16,10 +16,10 @@ Creates a key vault.
 ```
 New-AzKeyVault [-Name] <String> [-ResourceGroupName] <String> [-Location] <String> [-EnabledForDeployment]
  [-EnabledForTemplateDeployment] [-EnabledForDiskEncryption] [-EnablePurgeProtection]
- [-EnableRbacAuthorization] [-SoftDeleteRetentionInDays <Int32>] [-PublicNetworkAccess <String>]
+ [-DisableRbacAuthorization] [-SoftDeleteRetentionInDays <Int32>] [-PublicNetworkAccess <String>]
  [-Sku <String>] [-Tag <Hashtable>] [-NetworkRuleSet <PSKeyVaultNetworkRuleSet>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [-SubscriptionId <String>] [<CommonParameters>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [-SubscriptionId <String>]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -184,9 +184,8 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -EnabledForDeployment
-Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this
-key vault is referenced in resource creation, for example when creating a virtual machine.
+### -DisableRbacAuthorization
+If specified, disables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC.
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
@@ -196,12 +195,13 @@ Aliases:
 Required: False
 Position: Named
 Default value: None
-Accept pipeline input: True (ByPropertyName)
+Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -EnabledForDiskEncryption
-Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.
+### -EnabledForDeployment
+Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this
+key vault is referenced in resource creation, for example when creating a virtual machine.
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
@@ -215,8 +215,8 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
-### -EnabledForTemplateDeployment
-Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.
+### -EnabledForDiskEncryption
+Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
@@ -230,8 +230,8 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
-### -EnablePurgeProtection
-If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well.
+### -EnabledForTemplateDeployment
+Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter
@@ -241,12 +241,12 @@ Aliases:
 Required: False
 Position: Named
 Default value: None
-Accept pipeline input: False
+Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
-### -EnableRbacAuthorization
-If specified, enables to authorize data actions by Role Based Access Control (RBAC), and then the access policies specified in vault properties will be ignored. Note that management actions are always authorized with RBAC.
+### -EnablePurgeProtection
+If specified, protection against immediate deletion is enabled for this vault; requires soft delete to be enabled as well.
 
 ```yaml
 Type: System.Management.Automation.SwitchParameter

src/KeyVault/KeyVault/Commands/UndoAzureKeyVaultRemoval.cs renamed to src/KeyVault/KeyVault/Commands/KeyVault/UndoAzureKeyVaultRemoval.cs

@@ -15,23 +15,23 @@ Update the state of an Azure key vault.
 ### UpdateByNameParameterSet (Default)
 ```
 Update-AzKeyVault -ResourceGroupName <String> -VaultName <String> [-EnablePurgeProtection]
- [-EnableRbacAuthorization <Boolean>] [-PublicNetworkAccess <String>] [-Tag <Hashtable>]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
- [-SubscriptionId <String>] [<CommonParameters>]
+ [-DisableRbacAuthorization <Boolean>] [-PublicNetworkAccess <String>] [-Tag <Hashtable>]
+ [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm] [-SubscriptionId <String>]
+ [<CommonParameters>]
 ```
 
 ### UpdateByInputObjectParameterSet
 ```
-Update-AzKeyVault -InputObject <PSKeyVault> [-EnablePurgeProtection] [-EnableRbacAuthorization <Boolean>]
- [-PublicNetworkAccess <String>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>]
- [-WhatIf] [-Confirm] [-SubscriptionId <String>] [<CommonParameters>]
+Update-AzKeyVault -InputObject <PSKeyVault> [-EnablePurgeProtection] [-DisableRbacAuthorization <Boolean>]
+ [-PublicNetworkAccess <String>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
+ [-Confirm] [-SubscriptionId <String>] [<CommonParameters>]
 ```
 
 ### UpdateByResourceIdParameterSet
 ```
-Update-AzKeyVault -ResourceId <String> [-EnablePurgeProtection] [-EnableRbacAuthorization <Boolean>]
- [-PublicNetworkAccess <String>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>]
- [-WhatIf] [-Confirm] [-SubscriptionId <String>] [<CommonParameters>]
+Update-AzKeyVault -ResourceId <String> [-EnablePurgeProtection] [-DisableRbacAuthorization <Boolean>]
+ [-PublicNetworkAccess <String>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf]
+ [-Confirm] [-SubscriptionId <String>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -48,7 +48,7 @@ Enables purge protection using piping syntax.
 
 ### Example 2: Enable RBAC Authorization
 ```powershell
-Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName | Update-AzKeyVault -EnableRbacAuthorization $true
+Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName | Update-AzKeyVault -DisableRbacAuthorization $false
 ```
 
 Enables RBAC Authorization using piping syntax.
@@ -84,13 +84,11 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -EnablePurgeProtection
-Enable the purge protection functionality for this key vault.
-Once enabled it cannot be disabled.
-It requires soft-delete to be turned on.
+### -DisableRbacAuthorization
+Disable or enable this key vault to authorize data actions by Role Based Access Control (RBAC).
 
 ```yaml
-Type: System.Management.Automation.SwitchParameter
+Type: System.Nullable`1[System.Boolean]
 Parameter Sets: (All)
 Aliases:
 
@@ -101,11 +99,13 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -EnableRbacAuthorization
-Enable or disable this key vault to authorize data actions by Role Based Access Control (RBAC).
+### -EnablePurgeProtection
+Enable the purge protection functionality for this key vault.
+Once enabled it cannot be disabled.
+It requires soft-delete to be turned on.
 
 ```yaml
-Type: System.Nullable`1[System.Boolean]
+Type: System.Management.Automation.SwitchParameter
 Parameter Sets: (All)
 Aliases:
 

src/KeyVault/KeyVault/Commands/UpdateAzureKeyVault.cs renamed to src/KeyVault/KeyVault/Commands/KeyVault/UpdateAzureKeyVault.cs

@@ -0,0 +1,8 @@
+"Module","ClassName","Target","Severity","ProblemId","Description","Remediation"
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.NewAzureKeyVault","New-AzKeyVault","0","2000","The cmdlet 'New-AzKeyVault' no longer supports the parameter 'EnableRbacAuthorization' and no alias was found for the original parameter name.","Add the parameter 'EnableRbacAuthorization' back to the cmdlet 'New-AzKeyVault', or add an alias to the original parameter name."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.NewAzureKeyVault","New-AzKeyVault","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzKeyVault' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzKeyVault'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","2000","The cmdlet 'Update-AzKeyVault' no longer supports the parameter 'EnableRbacAuthorization' and no alias was found for the original parameter name.","Add the parameter 'EnableRbacAuthorization' back to the cmdlet 'Update-AzKeyVault', or add an alias to the original parameter name."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","1050","The parameter set 'UpdateByNameParameterSet' for cmdlet 'Update-AzKeyVault' has been removed.","Add parameter set 'UpdateByNameParameterSet' back to cmdlet 'Update-AzKeyVault'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","1050","The parameter set 'UpdateByInputObjectParameterSet' for cmdlet 'Update-AzKeyVault' has been removed.","Add parameter set 'UpdateByInputObjectParameterSet' back to cmdlet 'Update-AzKeyVault'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","1050","The parameter set 'UpdateByResourceIdParameterSet' for cmdlet 'Update-AzKeyVault' has been removed.","Add parameter set 'UpdateByResourceIdParameterSet' back to cmdlet 'Update-AzKeyVault'."
+"Az.KeyVault","Microsoft.Azure.Commands.KeyVault.UpdateTopLevelResourceCommand","Update-AzKeyVault","0","1050","The parameter set '__AllParameterSets' for cmdlet 'Update-AzKeyVault' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'Update-AzKeyVault'."