[KeyVault] az keyvault region: GA MHSM region commands (#25942)

* bump version

* GA keyvault region, move from extension, test not working

* test passed

* lint

* lint

* need to exclude old api-version for region

* lint

src/azure-cli/azure/cli/command_modules/keyvault/_client_factory.py

@@ -22,6 +22,7 @@ class Clients(str, Enum):
     managed_hsms = 'managed_hsms'
     mhsm_private_endpoint_connections = 'mhsm_private_endpoint_connections'
     mhsm_private_link_resources = 'mhsm_private_link_resources'
+    mhsm_regions = 'mhsm_regions'
 
 
 OPERATIONS_NAME = {
@@ -30,7 +31,8 @@ class Clients(str, Enum):
     Clients.private_link_resources: 'PrivateLinkResourcesOperations',
     Clients.managed_hsms: 'ManagedHsmsOperations',
     Clients.mhsm_private_endpoint_connections: 'MHSMPrivateEndpointConnectionsOperations',
-    Clients.mhsm_private_link_resources: 'MHSMPrivateLinkResourcesOperations'
+    Clients.mhsm_private_link_resources: 'MHSMPrivateLinkResourcesOperations',
+    Clients.mhsm_regions: 'MHSMRegionsOperations'
 }
 
 KEYVAULT_TEMPLATE_STRINGS = {

src/azure-cli/azure/cli/command_modules/keyvault/_help.py

@@ -828,3 +828,40 @@
     text: |
         az keyvault set-policy -n MyVault --key-permissions get list --spn {SPN}
 """
+
+helps['keyvault region'] = """
+type: group
+short-summary: Manage MHSM multi-regions.
+"""
+
+helps['keyvault region list'] = """
+type: command
+short-summary: Get regions information associated with the managed HSM Pool.
+"""
+
+helps['keyvault region add'] = """
+type: command
+short-summary: Add regions for the managed HSM Pool.
+examples:
+  - name: Add regions for the managed HSM.
+    text: |
+        az keyvault region add --region-name westus2 --hsm-name myhsm --resource-group myrg
+"""
+
+helps['keyvault region remove'] = """
+type: command
+short-summary: Remove regions for the managed HSM Pool.
+examples:
+  - name: Remove regions for the managed HSM.
+    text: |
+        az keyvault region remove --region-name westus2 --hsm-name myhsm --resource-group myrg
+"""
+
+helps['keyvault region wait'] = """
+type: command
+short-summary: Place the CLI in a waiting state until a condition of the HSM is met.
+examples:
+  - name: Pause CLI until the regions are updated.
+    text: |
+        az keyvault region wait --hsm-name myhsm --updated
+"""

src/azure-cli/azure/cli/command_modules/keyvault/_params.py

@@ -860,3 +860,8 @@ class PrincipalType(str, Enum):  # Copied from azure.mgmt.authorization v2018_09
         c.argument('assignee_principal_type', options_list=['--assignee-principal-type', '-t'],
                    arg_type=get_enum_type(PrincipalType), help='The principal type of assignee.')
     # endregion
+
+    with self.argument_context('keyvault region') as c:
+        c.argument('name', hsm_name_type)
+        c.argument('region_name', options_list=['--region-name', '--region', '-r'],
+                   help='The region name.')

src/azure-cli/azure/cli/command_modules/keyvault/_validators.py

@@ -375,7 +375,7 @@ def validate_resource_group_name(cmd, ns):
 
     vault_name = getattr(ns, 'vault_name', None)
     hsm_name = getattr(ns, 'hsm_name', None)
-    if 'keyvault update-hsm' in cmd.name:
+    if 'keyvault update-hsm' in cmd.name or 'keyvault region' in cmd.name:
         hsm_name = getattr(ns, 'name', None)
 
     if vault_name and hsm_name:

src/azure-cli/azure/cli/command_modules/keyvault/commands.py

@@ -45,11 +45,13 @@ def load_command_table(self, _):
 
     if not is_azure_stack_profile(self):
         mgmt_hsms_entity = get_client(self.cli_ctx, ResourceType.MGMT_KEYVAULT, Clients.managed_hsms)
+        mgmt_hsms_regions_entity = get_client(self.cli_ctx, ResourceType.MGMT_KEYVAULT, Clients.mhsm_regions)
         private_data_entity = get_client(self.cli_ctx, ResourceType.DATA_PRIVATE_KEYVAULT)
         data_backup_entity = get_client(self.cli_ctx, ResourceType.DATA_KEYVAULT_ADMINISTRATION_BACKUP)
         data_access_control_entity = get_client(self.cli_ctx, ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL)
     else:
-        mgmt_hsms_entity = private_data_entity = data_backup_entity = data_access_control_entity = None
+        mgmt_hsms_entity = mgmt_hsms_regions_entity = private_data_entity = data_backup_entity = \
+            data_access_control_entity = None
 
     kv_vaults_custom = CliCommandType(
         operations_tmpl='azure.cli.command_modules.keyvault.custom#{}',
@@ -342,3 +344,14 @@ def load_command_table(self, _):
             g.keyvault_command('list-deleted', 'get_deleted_sas_definitions', transform=keep_max_results)
             g.keyvault_command('show-deleted', 'get_deleted_sas_definition')
             g.keyvault_command('recover', 'recover_deleted_sas_definition')
+
+    if not is_azure_stack_profile(self):
+        with self.command_group('keyvault region', mgmt_hsms_regions_entity.command_type,
+                                client_factory=mgmt_hsms_regions_entity.client_factory, min_api='2023-02-01') as g:
+            g.command('list', 'list_by_resource', client_factory=mgmt_hsms_regions_entity.client_factory)
+
+        with self.command_group('keyvault region', mgmt_hsms_entity.command_type,
+                                client_factory=mgmt_hsms_entity.client_factory, min_api='2023-02-01') as g:
+            g.custom_command('add', 'add_hsm_region', supports_no_wait=True)
+            g.custom_command('remove', 'remove_hsm_region', supports_no_wait=True)
+            g.wait_command('wait')

src/azure-cli/azure/cli/command_modules/keyvault/custom.py

@@ -2642,3 +2642,36 @@ def check_name_availability(cmd, client, name, resource_type='hsm'):
     check_name = CheckNameAvailabilityParameters(name=name)
     return client.check_mhsm_name_availability(check_name)
 # endregion
+
+
+# region mhsm regions
+def add_hsm_region(cmd, client, resource_group_name, name, region_name, no_wait=False):
+    MHSMGeoReplicatedRegion = cmd.get_models('MHSMGeoReplicatedRegion', resource_type=ResourceType.MGMT_KEYVAULT)
+
+    hsm = client.get(resource_group_name=resource_group_name, name=name)
+    existing_regions = hsm.properties.regions or []
+    for existing_region in existing_regions:
+        if region_name == existing_region.name:
+            logger.warning("%s has already existed", region_name)
+            return hsm
+    existing_regions.append(MHSMGeoReplicatedRegion(name=region_name))
+    hsm.properties.regions = existing_regions
+    return sdk_no_wait(no_wait, client.begin_update,
+                       resource_group_name=resource_group_name,
+                       name=name,
+                       parameters=hsm)
+
+
+def remove_hsm_region(client, resource_group_name, name, region_name, no_wait=False):
+    hsm = client.get(resource_group_name=resource_group_name, name=name)
+    existing_regions = hsm.properties.regions or []
+    for existing_region in existing_regions:
+        if region_name == existing_region.name:
+            existing_regions.remove(existing_region)
+            hsm.properties.regions = existing_regions
+            return sdk_no_wait(no_wait, client.begin_update,
+                               resource_group_name=resource_group_name,
+                               name=name, parameters=hsm)
+    logger.warning("%s doesn't exist", region_name)
+    return hsm
+# endregion