Azure · zhoxing-ms · Feb 24, 2025 · Nov 13, 2024 · Jan 23, 2025 · Jan 23, 2025
@@ -235,8 +235,9 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
                         "refer to the system-assigned managed identity or a resource ID to refer to a "
                         "user-assigned managed identity.")
         c.argument('min_tls_version', options_list=['--min-tls-version', '--mintls'],
-                   type=str, help='Specify the minimum TLS version to support for this hub. Can be set to'
-                                  ' "1.2" to have clients that use a TLS version below 1.2 to be rejected.')
+                   type=str, help='Specify the minimum TLS version to support for this hub. Can be set to '
+                                  '"1.0" or "1.2". For example, minimum TLS version set to "1.2" '
+                                  'results in clients that use a TLS version below 1.2 to be rejected.')
         c.argument('tags', tags_type)
         c.argument('system_identity', options_list=['--mi-system-assigned'],
                    arg_type=get_three_state_flag(),

@@ -70,7 +70,7 @@
 from azure.cli.command_modules.iot.shared import EndpointType, EncodingFormat, RenewKeyType, AuthenticationType, IdentityType
 from azure.cli.command_modules.iot._client_factory import resource_service_factory
 from azure.cli.command_modules.iot._client_factory import iot_hub_service_factory
-from azure.cli.command_modules.iot._utils import open_certificate, generate_key
+from azure.cli.command_modules.iot._utils import open_certificate
 
 
 logger = get_logger(__name__)
@@ -636,6 +636,7 @@ def update_iot_hub_custom(instance,
                           fileupload_storage_authentication_type=None,
                           fileupload_storage_container_uri=None,
                           fileupload_storage_identity=None,
+                          min_tls_version=None,
                           tags=None):
     from datetime import timedelta
     if tags is not None:
@@ -668,6 +669,8 @@ def update_iot_hub_custom(instance,
     if fileupload_notification_ttl is not None:
         ttl = timedelta(hours=fileupload_notification_ttl)
         instance.properties.messaging_endpoints['fileNotifications'].ttl_as_iso8601 = ttl
+    if min_tls_version is not None:
+        instance.properties.min_tls_version = min_tls_version
     # only bother with $default storage endpoint checking if modifying fileupload params
     if any([
             fileupload_storage_connectionstring, fileupload_storage_container_name, fileupload_sas_ttl,
@@ -695,6 +698,16 @@ def update_iot_hub_custom(instance,
             fileupload_storage_identity,
         )
 
+    _update_iot_hub_auth(
+        instance=instance,
+        disable_local_auth=disable_local_auth,
+        disable_device_sas=disable_device_sas,
+        disable_module_sas=disable_module_sas
+    )
+    return instance
+
+
+def _update_iot_hub_auth(instance, disable_local_auth=None, disable_device_sas=None, disable_module_sas=None):
     # sas token authentication switches
     if disable_local_auth is not None:
         instance.properties.disable_local_auth = disable_local_auth
@@ -703,8 +716,6 @@ def update_iot_hub_custom(instance,
     if disable_module_sas is not None:
         instance.properties.disable_module_sas = disable_module_sas
 
-    return instance
-
 
 def iot_hub_update(client, hub_name, parameters, resource_group_name=None):
     resource_group_name = _ensure_hub_resource_group_name(client, resource_group_name, hub_name)
@@ -904,9 +915,9 @@ def iot_hub_policy_key_renew(cmd, client, hub_name, policy_name, regenerate_key,
     updated_policies = [p for p in policies if p.key_name.lower() != policy_name.lower()]
     requested_policy = [p for p in policies if p.key_name.lower() == policy_name.lower()]
     if regenerate_key == RenewKeyType.Primary.value:
-        requested_policy[0].primary_key = generate_key()
+        requested_policy[0].primary_key = None
     if regenerate_key == RenewKeyType.Secondary.value:
-        requested_policy[0].secondary_key = generate_key()
+        requested_policy[0].secondary_key = None
     if regenerate_key == RenewKeyType.Swap.value:
         temp = requested_policy[0].primary_key
         requested_policy[0].primary_key = requested_policy[0].secondary_key

@@ -110,10 +110,12 @@ def test_iot_hub(self, resource_group, resource_group_location, storage_account)
         self.cmd('iot hub update -n {0} -g {1} --fsi test/user/'.format(hub, rg), expect_failure=True)
 
         # Test auth config settings
-        updated_hub = self.cmd('iot hub update -n {0} -g {1} --disable-local-auth --disable-module-sas'.format(hub, rg)).get_output_in_json()
+        updated_hub = self.cmd('iot hub update -n {0} -g {1} --disable-local-auth --disable-module-sas '
+                               '--min-tls-version 1.0'.format(hub, rg)).get_output_in_json()
         assert updated_hub['properties']['disableLocalAuth']
         assert not updated_hub['properties']['disableDeviceSas']
         assert updated_hub['properties']['disableModuleSas']
+        assert updated_hub['properties']['minTlsVersion'] == '1.0'
 
         updated_hub = self.cmd('iot hub update -n {0} -g {1} --disable-module-sas false  --disable-device-sas'.format(hub, rg)).get_output_in_json()
         assert updated_hub['properties']['disableLocalAuth']