Hub CA Certificate Migration

[vilit1]

Migrate the Certificate CA for IoT Hub from Baltimore to DigiCert.

Commands introduced:

• az iot hub certificate root-authority show
• az iot hub certificate root-authority set

Show has a default, since the service will return {} or None for that property. Set checks if the version chosen is already set before migration.

Note that this is a temporary command, will be removed after every hub has been migrated.

Note that this command will work only for some subscriptions and resource managers in the current state. Will update the pr as the feature becomes more avaliable.

---

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Thank you for contributing to the IoT extension!

This checklist is used to make sure that common guidelines for a pull request are followed.

General Guidelines

Intent for Production

• [ ] It is expected that pull requests made to default or core branches such as dev or main are of production grade. Corollary to this, any merged contributions to these branches may be deployed in a public release at any given time. By checking this box, you agree and commit to the expected production quality of code.

Basic expectations

• [ ] If introducing new functionality or modified behavior, are they backed by unit and/or integration tests?
• [ ] In the same context as above are command names and their parameter definitions accurate? Do help docs have sufficient content?
• [ ] Have all the relevant unit and integration tests pass? i.e. pytest <project root> -vv. Please provide evidence in the form of a screenshot showing a succesful run of tests locally OR a link to a test pipeline that has been run against the change-set.
• [ ] Have linter checks passed using the .pylintrc and .flake8 rules? Look at the CI scripts for example usage.
• [ ] Have extraneous print or debug statements, commented out code-blocks or code-statements (if any) been removed from the surface area of changes?
• [ ] Have you made an entry in HISTORY.rst which concisely explains your user-facing feature or change?

Azure IoT CLI maintainers reserve the right to enforce any of the outlined expectations.

A PR is considered ready for review when all basic expectations have been met (or do not apply).

[avagraw]

Please post the pipeline run showing the testing evidence.

@digimaun Since, this is a temporary change, should we update history?

[digimaun]

Please add an entry to HISTORY.rst under 0.17.1 and we can increment the version of the extension in this PR to 0.17.1

https://github.com/Azure/azure-iot-cli-extension/blob/dev/azext_iot/constants.py#L10

[vilit1]

Durations with a pre-created IoT Hub with the correct feature enabled:

[digimaun]

Please post the pipeline run showing the testing evidence.

@digimaun Since, this is a temporary change, should we update history?

I would still because its user facing, even if temporary, in fact our release notes can use some kind of "limited period availability" nomenclature.

[vilit1]

Added a fix for the initial root authority change

tests passing (local run, on a different sub, still in canary env):

Note that for these tests, I modified the tests so that:

1. the rbac "IoT Hub Data Contributor" role is not assigned (I do not have permissions in the test sub, and is not needed for this test)
2. the dataplane actions (check for and delete any devices, configurations) during teardown are skipped. I will add back the dataplane actions once there is a fix on the service side.

[vilit1]

[digimaun]

LGTM pending bash feedback, and successful IT run. +We discussed RBAC simplification strategies for tests offline.

[vilit1]

https://dev.azure.com/azureiotdevxp/aziotcli/_build/results?buildId=6956&view=results

[vilit1]

https://dev.azure.com/azureiotdevxp/aziotcli/_build/results?buildId=7077&view=results