[IoT] az iot hub update: Add --min-tls-version parameter to allow…

… updating min tls version in a cleaner way (#30710)
Azure · Feb 24, 2025 · cdbbe8e · cdbbe8e
1 parent 3bd985d
commit cdbbe8e
Show file tree

Hide file tree

Showing 4 changed files with 4,251 additions and 2,273 deletions.
diff --git a/src/azure-cli/azure/cli/command_modules/iot/_params.py b/src/azure-cli/azure/cli/command_modules/iot/_params.py
@@ -235,8 +235,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
                         "refer to the system-assigned managed identity or a resource ID to refer to a "
                         "user-assigned managed identity.")
         c.argument('min_tls_version', options_list=['--min-tls-version', '--mintls'],
-                   type=str, help='Specify the minimum TLS version to support for this hub. Can be set to'
-                                  ' "1.2" to have clients that use a TLS version below 1.2 to be rejected.')
+                   type=str, help='Specify the minimum TLS version to support for this hub. Can be set to '
+                                  '"1.0" or "1.2". For example, minimum TLS version set to "1.2" '
+                                  'results in clients that use a TLS version below 1.2 to be rejected.')
         c.argument('tags', tags_type)
         c.argument('system_identity', options_list=['--mi-system-assigned'],
                    arg_type=get_three_state_flag(),

diff --git a/src/azure-cli/azure/cli/command_modules/iot/custom.py b/src/azure-cli/azure/cli/command_modules/iot/custom.py
@@ -636,6 +636,7 @@ def update_iot_hub_custom(instance,
                           fileupload_storage_authentication_type=None,
                           fileupload_storage_container_uri=None,
                           fileupload_storage_identity=None,
+                          min_tls_version=None,
                           tags=None):
     from datetime import timedelta
     if tags is not None:
@@ -668,6 +669,8 @@ def update_iot_hub_custom(instance,
     if fileupload_notification_ttl is not None:
         ttl = timedelta(hours=fileupload_notification_ttl)
         instance.properties.messaging_endpoints['fileNotifications'].ttl_as_iso8601 = ttl
+    if min_tls_version is not None:
+        instance.properties.min_tls_version = min_tls_version
     # only bother with $default storage endpoint checking if modifying fileupload params
     if any([
             fileupload_storage_connectionstring, fileupload_storage_container_name, fileupload_sas_ttl,
@@ -695,6 +698,16 @@ def update_iot_hub_custom(instance,
             fileupload_storage_identity,
         )
 
+    _update_iot_hub_auth(
+        instance=instance,
+        disable_local_auth=disable_local_auth,
+        disable_device_sas=disable_device_sas,
+        disable_module_sas=disable_module_sas
+    )
+    return instance
+
+
+def _update_iot_hub_auth(instance, disable_local_auth=None, disable_device_sas=None, disable_module_sas=None):
     # sas token authentication switches
     if disable_local_auth is not None:
         instance.properties.disable_local_auth = disable_local_auth
@@ -703,8 +716,6 @@ def update_iot_hub_custom(instance,
     if disable_module_sas is not None:
         instance.properties.disable_module_sas = disable_module_sas
 
-    return instance
-
 
 def iot_hub_update(client, hub_name, parameters, resource_group_name=None):
     resource_group_name = _ensure_hub_resource_group_name(client, resource_group_name, hub_name)

diff --git a/src/azure-cli/azure/cli/command_modules/iot/tests/latest/recordings/test_iot_hub.yaml b/src/azure-cli/azure/cli/command_modules/iot/tests/latest/recordings/test_iot_hub.yaml
diff --git a/src/azure-cli/azure/cli/command_modules/iot/tests/latest/test_iot_commands.py b/src/azure-cli/azure/cli/command_modules/iot/tests/latest/test_iot_commands.py
@@ -110,10 +110,12 @@ def test_iot_hub(self, resource_group, resource_group_location, storage_account)
         self.cmd('iot hub update -n {0} -g {1} --fsi test/user/'.format(hub, rg), expect_failure=True)
 
         # Test auth config settings
-        updated_hub = self.cmd('iot hub update -n {0} -g {1} --disable-local-auth --disable-module-sas'.format(hub, rg)).get_output_in_json()
+        updated_hub = self.cmd('iot hub update -n {0} -g {1} --disable-local-auth --disable-module-sas '
+                               '--min-tls-version 1.0'.format(hub, rg)).get_output_in_json()
         assert updated_hub['properties']['disableLocalAuth']
         assert not updated_hub['properties']['disableDeviceSas']
         assert updated_hub['properties']['disableModuleSas']
+        assert updated_hub['properties']['minTlsVersion'] == '1.0'
 
         updated_hub = self.cmd('iot hub update -n {0} -g {1} --disable-module-sas false  --disable-device-sas'.format(hub, rg)).get_output_in_json()
         assert updated_hub['properties']['disableLocalAuth']