[Key Vault] TypeSpec for Secrets library

[mccoyp]

Data Plane API Specification Update Pull Request

Tip

Overwhelmed by all this guidance? See the Getting help section at the bottom of this PR description.

Based on feedback from #28708. This spec is for the KV Secrets library. This has been successfully tested end-to-end with Python (Azure/azure-sdk-for-python#36901).

PR review workflow diagram

Please understand this diagram before proceeding. It explains how to get your PR approved & merged.

API Info: The Basics

Most of the information about your service should be captured in the issue that serves as your API Spec engagement record.

• Link to API Spec engagement record issue:

Is this review for (select one):

• a private preview
• a public preview
• GA release

Change Scope

^{This section will help us focus on the specific parts of your API that are new or have been modified.
Please share a link to the design document for the new APIs, a link to the previous API Spec document (if applicable), and the root paths that have been updated.}

• Design Document:
• Previous API Spec Doc:
• Updated paths:

Viewing API changes

For convenient view of the API changes made by this PR, refer to the URLs provided in the table
in the Generated ApiView comment added to this PR. You can use ApiView to show API versions diff.

Suppressing failures

If one or multiple validation error/warning suppression(s) is detected in your PR, please follow the
Swagger-Suppression-Process
to get approval.

❔Got questions? Need additional info?? We are here to help!

Contact us!

The Azure API Review Board is dedicated to helping you create amazing APIs. You can read about our mission and learn more about our process on our wiki.

• 💬 Teams Channel
• 💌 email

Click here for links to tools, specs, guidelines & other good stuff

Tooling

• Open API validation tools were run on this PR. Go here to see how to fix errors
• Spectral Linting

Guidelines & Specifications

• Azure REST API Guidelines
• OpenAPI Style Guidelines
• Azure Breaking Change Policy

Helpful Links

• Schedule a data plane REST API spec review

Getting help

• First, please carefully read through this PR description, from top to bottom.
• If you don't have permissions to remove or add labels to the PR, request write access per aka.ms/azsdk/access#request-access-to-rest-api-or-sdk-repositories
• To understand what you must do next to merge this PR, see the Next Steps to Merge comment. It will appear within few minutes of submitting this PR and will continue to be up-to-date with current PR state.
• For guidance on fixing this PR CI check failures, see the hyperlinks provided in given failure
  and https://aka.ms/ci-fix.
• If the PR CI checks appear to be stuck in queued state, please add a comment with contents /azp run.
  This should result in a new comment denoting a PR validation pipeline has started and the checks should be updated after few minutes.
• If the help provided by the previous points is not enough, post to https://aka.ms/azsdk/support/specreview-channel and link to this PR.

[openapi-pipeline-app]

Next Steps to Merge

Next steps that must be taken to merge this PR:

• ❌ This is the public specs repo main branch which is not intended for iterative development.
  You must acknowledge that you understand that after this PR is merged, you won't be able to stop your changes from being published to Azure customers.
  If this is what you intend, add PublishToCustomers label to your PR.
  Otherwise, retarget this PR onto a feature branch, i.e. with prefix release- (see aka.ms/azsdk/api-versions#release--branches).
• ❌ This PR has at least one breaking change (label: BreakingChangeReviewRequired).
  To unblock this PR, follow the process at aka.ms/brch.
• ❌ The required check named Swagger PrettierCheck has failed. Refer to the check in the PR's 'Checks' tab for details on how to fix it and consult the aka.ms/ci-fix guide
• ❌ The required check named Swagger SpellCheck has failed. Refer to the check in the PR's 'Checks' tab for details on how to fix it and consult the aka.ms/ci-fix guide

[openapi-pipeline-app]

Swagger Validation Report

️️✔️BreakingChange succeeded [Detail] [Expand]

There are no breaking changes.

️️✔️Breaking Change(Cross-Version) succeeded [Detail] [Expand]

There are no breaking changes.

️️✔️CredScan succeeded [Detail] [Expand]

There is no credential detected.

️️✔️LintDiff succeeded [Detail] [Expand]

Validation passes for LintDiff.

Compared specs (v2.2.2)	new version	base version
default	default(56e1117)	default(main)

️️✔️Avocado succeeded [Detail] [Expand]

Validation passes for Avocado.

️️✔️SwaggerAPIView succeeded [Detail] [Expand]

️️✔️TypeSpecAPIView succeeded [Detail] [Expand]

️️✔️ModelValidation succeeded [Detail] [Expand]

Validation passes for ModelValidation.

️️✔️SemanticValidation succeeded [Detail] [Expand]

Validation passes for SemanticValidation.

️️✔️PoliCheck succeeded [Detail] [Expand]

Validation passed for PoliCheck.

️️✔️SpellCheck succeeded [Detail] [Expand]

Validation passes for SpellCheck.

️️✔️Lint(RPaaS) succeeded [Detail] [Expand]

Validation passes for Lint(RPaaS).

️️✔️PR Summary succeeded [Detail] [Expand]

Validation passes for Summary.

️️✔️Automated merging requirements met succeeded [Detail] [Expand]

_{Posted by Swagger Pipeline | How to fix these errors?}

[openapi-pipeline-app]

Swagger Generation Artifacts

️️✔️ApiDocPreview succeeded [Detail] [Expand]

️⚠️ azure-sdk-for-python warning [Detail]

For more instructions, please refer to the FAQ .
• ⚠️Warning in generating from 4e64f3e551925ec5a52ddd927e6584675b93add9. SDK Automation 14.0.0

  command	sh scripts/automation_init.sh ../azure-sdk-for-python_tmp/initInput.json ../azure-sdk-for-python_tmp/initOutput.json
  cmderr	[automation_init.sh] W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/azure-cli.list:1 and /etc/apt/sources.list.d/azure-cli.sources:1
  cmderr	[automation_init.sh] W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/azure-cli.list:1 and /etc/apt/sources.list.d/azure-cli.sources:1
  cmderr	[automation_init.sh] W: Target Translations (main/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list.d/azure-cli.list:1 and /etc/apt/sources.list.d/azure-cli.sources:1
  cmderr	[automation_init.sh] W: Target CNF (main/cnf/Commands-amd64) is configured multiple times in /etc/apt/sources.list.d/azure-cli.list:1 and /etc/apt/sources.list.d/azure-cli.sources:1
  cmderr	[automation_init.sh] W: Target CNF (main/cnf/Commands-all) is configured multiple times in /etc/apt/sources.list.d/azure-cli.list:1 and /etc/apt/sources.list.d/azure-cli.sources:1
  cmderr	[automation_init.sh] WARNING: Skipping azure-nspkg as it is not installed.
  warn		Warning: azure-sdk-for-python cannot be found in specification/keyvault/data-plane/readme.md. This SDK will be skipped from SDK generation. Please add the right config to the readme file according to this guidance https://github.com/Azure/azure-rest-api-specs/blob/main/documentation/code-gen/configure-go-sdk.md#swagger-to-sdk.
  command	sh scripts/automation_generate.sh ../azure-sdk-for-python_tmp/generateInput.json ../azure-sdk-for-python_tmp/generateOutput.json
  warn	Warning: No file changes detected after the generation. Please refer to the generation errors to understand the reasons.
  warn	Warning: No package detected after generation. Please refer to the above logs to understand why the package hasn't been generated.

_{Posted by Swagger Pipeline | How to fix these errors?}

[openapi-pipeline-app]

Generated ApiView

Language	Package Name	ApiView Link
JavaScript	@azure/keyvault-secrets	https://apiview.dev/Assemblies/Review/9b9eab186a844afaae0c631b8976019f?revisionId=e6f6026b5cc047d19dfa17f9dab77a8d
Python	azure-keyvault-secrets	https://apiview.dev/Assemblies/Review/8103c86200684133980931472e4f8e24?revisionId=8256dedadfbd4a088f19c881137323dd
TypeSpec	Security.KeyVault.Secrets	https://apiview.dev/Assemblies/Review/0529655b61bc404ebd37d2d5192ba45a?revisionId=6b6bac58e616465cb2520e678fed6667

[heaths]

I'm going to wait for the Breaking Change validation to run. It'll be easier than having to manually diff.

[heaths]

Breaking change validation didn't really find anything, but, overall, I'm concerned this doesn't use much of Azure Core's abstractions and instead uses individual ops using Foundations. I appreciate Key Vault doesn't support much of the standard traits, but we can define our own and likely use more resource collections; otherwise, I don't think these TypeSpecs really "sell" the idea and likely are more authoring than the existing swaggers. We want the service team to be able to take these over, and resource collection abstractions should reduce the onboarding and maintenance effort.

We can talk offline more but should get some others e.g., @johanste involved in the discussions. I suspect my feedback will be the same as for Keys and Certificates.

BTW: Missing Administration.

Also BTW: All these need to be in separate project directories. We need to split them based on the SDK splits now.

[heaths]

I can't find the definition of StandardResourceOperations, but I highly doubt this is correct. Key Vault does not, for example, support etags for resources which, I'm betting, is probably standard for Azure.

[mccoyp]

That's a good point; I didn't consider that Azure-standard traits could be carried over by this which wouldn't apply to Key Vault. This was done for defining resource operations (e.g. KeyVaultOperations.ResourceList).

[heaths]

Key Vault doesn't really support standard resource operations, though. They are close, but not standard.

[heaths]

I believe it's just "name" for all SDKs. Should that use a decorator instead? The old swagger uses "secret-name". Same for "secret-version" below.

[heaths]

This will create problems for SDKs but I'm not sure how to solve it. We went with making "version" an optional parameter across languages, which means we basically collapsed the routes into one. @lmazuel or @johanste any suggestions? Can client TSPs "fix" this, or is this a case where we're going to generate an incompatible SDK and have to either wrap it or ship a new major version?

[heaths]

/cc @pallavit

[heaths]

This uses the right pattern. Why don't the others? Do they not work? Do we need to declare our own traits so they do align? Key Vault doesn't really support many of the (now-) standard params.

[mccoyp]

Answered in #29249 (comment)

[johanste]

Where is this used other than as a base class?

[mccoyp]

This is just used as a base class that comes from the original swagger.

[johanste]

We do not want this in the service description. Please create a client.tsp for client codegen customizations.

[johanste]

Isn't this just the subset of properties of a SecretBundle that are writeable? If so, why do we need two models and not one with the appropriate visibility?

[johanste]

Why does this extend Attributes? Can I ever use one in place of another?

[johanste]

This looks like a resource create or replace?

[mccoyp]

See #29249 (comment). Many of these operations could be standard resource operations if the service returned a resource name instead of a resource ID in the form of a full URL. I couldn't get operations to conform to using the latter as a resource key, and I'm not aware of a way to override the route otherwise.

[johanste]

So the secret name is not returned? It is only in the path of the request?

[mccoyp]

It's not returned as a standalone property, no. It's part of the id but needs to be parsed manually -- here's an example from a recording.

"id": "https://vaultname.vault.azure.net/secrets/{secretName}/{secretVersion}"

[johanste]

This looks like a resource delete?

[heaths]

Either here or in a client TSP, this or something else should be changed so we generate a SecretClient and not a KeyVaultClient.

See Azure/autorest.rust#86 for context.

[heaths]

Lots of breaking changes reported: https://github.com/Azure/azure-rest-api-specs/pull/29249/checks?check_run_id=32562321385

[mccoyp]

Lots of breaking changes reported: https://github.com/Azure/azure-rest-api-specs/pull/29249/checks?check_run_id=32562321385

The majority of these are from path formatting changes (e.g. /secrets/{secret-name} --> /secrets/{secretName}), but some are just now being identified because of moving the TypeSpec directory from keyvault/data-plane to keyvault. Addressing them now.

[maorleger]

👋 I think this should be DeletionRecoveryLevel and not a string IIUC - because DeletionRecoveryLevel is not actually used in routes it is not generated (at least by the typespec-ts codegen) - can we change that?

When I change the type to DeletionRecoveryLevel I see the correct code being generated (including extensible enum patterns)

[mccoyp]

We should be able to get DeletionRecoveryLevel generated by using @@access(DeletionRecoveryLevel, Access.public) in our client.tsp. For example, from another library:

azure-rest-api-specs/specification/ai/Face/client.tsp

Line 29 in cf80ee4

@@access(DetectionModel, Access.public);

EDIT: @@access didn't actually seem to work, but local testing showed that @@usage is what we'd want -- PR has been updated!

[maorleger]

But why not use DeletionRecoveryLevel here instead of adding a client.tsp customization - does it not generate the correct thing? Just trying to understand the reasoning behind not using recoveryLevel?: DeletionRecoveryLevel when DeletionRecoveryLevel is defined as a string union already

[mccoyp]

Using a plain string instead of the enum was a change request from Heath; "[i]t's response-only and should not be compared, which is why none of our client libraries should ship it as an enum".

[maorleger]

Ah ok, got it! Thanks for the context.

So @heaths do you consider it a bug that JS shipped KnownDeletionRecoveryLevel as part of our public API? I think what you said makes sense re: response-only just want to triple-check - if an extensible enum value can only show up in a response, never as an input, we should not be shipping the Known enum values as part of our public API is that accurate? (I know the ship has sailed on this one for JS, but mostly asking for my future self)