
{Security} az security va sql: Migrate to aaz with API 2026-04-01-preview #33482

Open: GalGoldi72 wants to merge 8 commits into Azure:dev from GalGoldi72:feature-security-aaz

@GalGoldi72

Summary

[BREAKING CHANGE] Migrates az security va sql from hand-authored SDK-based commands to atomic aaz-generated commands targeting Microsoft.Security 2026-04-01-preview.

Companion PRs


Breaking changes

Before | After
--vm-resource-id + --workspace-id + --server-name + --database-name + --vm-name + --agent-id + --vm-uuid (mash-up of 7 args) | Single --resource-id (plus optional --database-name for server-level scopes)
az security va sql baseline set | az security va sql baseline add

The 7-arg approach hard-coded resource-id assembly for two scopes (Azure VM and OMS-monitored on-prem). The new API natively supports 7+ scopes via a generic --resource-id.

New commands

Group | Commands
security va sql | create, delete, show, update (manage settings)
security va sql baseline | add, create, delete, list, show, update
security va sql results | list, show
security va sql scans | initiate-scan, list, show
security va sql scans scan-operation-result | show

Scopes supported

  • Azure SQL Server / SQL Managed Instance
  • Synapse Workspace
  • Azure VM (SQL on VM)
  • Arc-enabled SQL Server
  • Server-level variants of each (with --database-name)

Stage

All new commands are Preview (matching API version 2026-04-01-preview). The parent security va group is also Preview since SQL VA is its only content.

Diff summary

  • +28 generated aaz files under security/aaz/latest/security/va/
  • −799 lines of hand-authored code across commands.py, custom.py, _help.py, _params.py, actions.py, _client_factory.py
  • −1 test file + recording (test_va_sql_scenario.py + YAML)

Validation

  • azdev style security: 9.88/10 (only pre-existing line-too-long in unrelated custom.py automation code; score improved from baseline)
  • azdev linter security: PASSED
  • azdev test security: 30 passed, 1 skipped, 0 failed — zero regressions in other security commands

TODO (this PR, before merge)

  • Add a new scenario test for security va sql commands (placeholder — see PR comments for design)
  • Test recording with LiveScenarioTest against a real Azure SQL DB or recorded ScenarioTest with playback
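
Automation that still calls the old command surface can be found mechanically from the breaking changes listed above. The following is an added example, not code from this PR or from azure-cli: a Python scanner that flags `az security va sql` invocations using the removed arguments or `baseline set`. The `Finding` type, the function names and the sample script are constructed for illustration.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Arguments the PR removes from the `az security va sql` commands.
# --database-name is kept (optional, for server-level scopes).
REMOVED_FLAGS = frozenset({
    "--vm-resource-id", "--workspace-id", "--server-name",
    "--vm-name", "--agent-id", "--vm-uuid",
})
# Subcommand replaced according to the Before / After table.
RENAMED = {"baseline set": "baseline add"}
PREFIX = ["az", "security", "va", "sql"]
SEPARATORS = {"|", "||", "&&", ";"}


@dataclass
class Finding:
    line: int                  # first line of the (possibly continued) command
    subcommand: str            # e.g. "scans list"
    removed_flags: List[str]   # legacy flags present, in order of appearance
    rename_to: Optional[str]   # replacement subcommand, if one is listed


def _logical_lines(text):
    """Yield (first_line_number, text), folding backslash continuations."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)


def scan(text: str) -> List[Finding]:
    """Return one Finding per legacy `az security va sql` invocation."""
    findings = []
    for lineno, line in _logical_lines(text):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote: fall back to a naive split
            tokens = line.split()
        for i in range(len(tokens) - 3):
            if tokens[i:i + 4] != PREFIX:
                continue
            # Subcommand words run until the first option or shell separator.
            j = i + 4
            sub = []
            while (j < len(tokens) and not tokens[j].startswith("-")
                   and tokens[j] not in SEPARATORS):
                sub.append(tokens[j])
                j += 1
            subcommand = " ".join(sub)
            removed = []
            for tok in tokens[j:]:
                if tok in SEPARATORS:
                    break
                name = tok.split("=", 1)[0]  # accept --flag=value as well
                if name in REMOVED_FLAGS and name not in removed:
                    removed.append(name)
            rename_to = RENAMED.get(subcommand)
            if removed or rename_to:
                findings.append(Finding(lineno, subcommand, removed, rename_to))
    return findings


# Constructed sample script; the variable names and values are made up.
SAMPLE = r"""#!/bin/sh
# nightly VA export (constructed sample)
az security va sql scans list \
    --vm-resource-id "$VM_ID" --workspace-id "$WS" \
    --server-name sql01 --database-name master \
    --vm-name vm01 --agent-id "$AGENT" --vm-uuid "$UUID"
az security va sql baseline set --resource-id "$RID" --database-name master
az security va sql results list --resource-id "$RID" --database-name master
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        hint = f" -> use '{f.rename_to}'" if f.rename_to else ""
        flags = ", ".join(f.removed_flags) or "none"
        print(f"line {f.line}: '{f.subcommand}' removed flags: {flags}{hint}")
```
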

…view

[BREAKING CHANGE] Replace hand-authored SQL Vulnerability Assessment commands with atomic aaz-generated commands.

- Single --resource-id replaces 7-arg combo (--vm-resource-id, --workspace-id, --server-name, --database-name, --vm-name, --agent-id, --vm-uuid).
- New 'security va sql {create, delete, show, update}' settings commands.
- New 'security va sql baseline {add, create, update}' (replaces 'set').
- New 'security va sql scans initiate-scan' + 'scan-operation-result show'.
- All commands tagged Preview.

Supported scopes: Azure SQL Server, Azure SQL MI, Synapse, Azure VM (SQL on VM), Arc-enabled SQL Server.

Companion aaz PR: Azure/aaz#1021

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 2, 2026 14:08
@azure-client-tools-bot-prd

azure-client-tools-bot-prd Bot commented Jun 2, 2026

✔️ AzureCLI-FullTest
✔️ acr: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ acs: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ advisor: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ ams: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ apim: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ appconfig: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ appservice: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ aro: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ backup: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ batch: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ batchai: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ billing: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ botservice: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ cloud: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ cognitiveservices: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ compute_recommender: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ computefleet: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ config: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ configure: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ consumption: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ container: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ containerapp: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ core: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ cosmosdb: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ databoxedge: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ dls: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ dms: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ eventgrid: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ eventhubs: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ feedback: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ find: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ hdinsight: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ identity: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ iot: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ keyvault: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ lab: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ managedservices: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ maps: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ marketplaceordering: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ monitor: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ mysql: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ netappfiles: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ network: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ policyinsights: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ postgresql: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ privatedns: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ profile: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ rdbms: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ redis: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ relay: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ resource: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ role: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ search: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ security: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ servicebus: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ serviceconnector: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ servicefabric: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ signalr: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ sql: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ sqlvm: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ storage: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ synapse: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ telemetry: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ util: ✔️ latest (✔️ 3.12, ✔️ 3.14)
✔️ vm: ✔️ latest (✔️ 3.12, ✔️ 3.14)

@azure-client-tools-bot-prd

azure-client-tools-bot-prd Bot commented Jun 2, 2026

❌AzureCLI-BreakingChangeTest
❌security
rule cmd_name rule_message suggest_message
1006 - ParaAdd security va sql baseline delete cmd security va sql baseline delete added parameter resource_id please remove parameter resource_id for cmd security va sql baseline delete
1007 - ParaRemove security va sql baseline delete cmd security va sql baseline delete removed parameter agent_id please add back parameter agent_id for cmd security va sql baseline delete
1007 - ParaRemove security va sql baseline delete cmd security va sql baseline delete removed parameter server_name please add back parameter server_name for cmd security va sql baseline delete
1007 - ParaRemove security va sql baseline delete cmd security va sql baseline delete removed parameter vm_name please add back parameter vm_name for cmd security va sql baseline delete
1007 - ParaRemove security va sql baseline delete cmd security va sql baseline delete removed parameter vm_resource_id please add back parameter vm_resource_id for cmd security va sql baseline delete
1007 - ParaRemove security va sql baseline delete cmd security va sql baseline delete removed parameter vm_uuid please add back parameter vm_uuid for cmd security va sql baseline delete
1007 - ParaRemove security va sql baseline delete cmd security va sql baseline delete removed parameter workspace_id please add back parameter workspace_id for cmd security va sql baseline delete
1006 - ParaAdd security va sql baseline list cmd security va sql baseline list added parameter resource_id please remove parameter resource_id for cmd security va sql baseline list
1007 - ParaRemove security va sql baseline list cmd security va sql baseline list removed parameter agent_id please add back parameter agent_id for cmd security va sql baseline list
1007 - ParaRemove security va sql baseline list cmd security va sql baseline list removed parameter server_name please add back parameter server_name for cmd security va sql baseline list
1007 - ParaRemove security va sql baseline list cmd security va sql baseline list removed parameter vm_name please add back parameter vm_name for cmd security va sql baseline list
1007 - ParaRemove security va sql baseline list cmd security va sql baseline list removed parameter vm_resource_id please add back parameter vm_resource_id for cmd security va sql baseline list
1007 - ParaRemove security va sql baseline list cmd security va sql baseline list removed parameter vm_uuid please add back parameter vm_uuid for cmd security va sql baseline list
1007 - ParaRemove security va sql baseline list cmd security va sql baseline list removed parameter workspace_id please add back parameter workspace_id for cmd security va sql baseline list
1006 - ParaAdd security va sql baseline set cmd security va sql baseline set added parameter resource_id please remove parameter resource_id for cmd security va sql baseline set
1007 - ParaRemove security va sql baseline set cmd security va sql baseline set removed parameter agent_id please add back parameter agent_id for cmd security va sql baseline set
1007 - ParaRemove security va sql baseline set cmd security va sql baseline set removed parameter baseline_latest please add back parameter baseline_latest for cmd security va sql baseline set
1007 - ParaRemove security va sql baseline set cmd security va sql baseline set removed parameter baseline please add back parameter baseline for cmd security va sql baseline set
1007 - ParaRemove security va sql baseline set cmd security va sql baseline set removed parameter server_name please add back parameter server_name for cmd security va sql baseline set
1007 - ParaRemove security va sql baseline set cmd security va sql baseline set removed parameter vm_name please add back parameter vm_name for cmd security va sql baseline set
1007 - ParaRemove security va sql baseline set cmd security va sql baseline set removed parameter vm_resource_id please add back parameter vm_resource_id for cmd security va sql baseline set
1007 - ParaRemove security va sql baseline set cmd security va sql baseline set removed parameter vm_uuid please add back parameter vm_uuid for cmd security va sql baseline set
1007 - ParaRemove security va sql baseline set cmd security va sql baseline set removed parameter workspace_id please add back parameter workspace_id for cmd security va sql baseline set
1006 - ParaAdd security va sql baseline show cmd security va sql baseline show added parameter resource_id please remove parameter resource_id for cmd security va sql baseline show
1007 - ParaRemove security va sql baseline show cmd security va sql baseline show removed parameter agent_id please add back parameter agent_id for cmd security va sql baseline show
1007 - ParaRemove security va sql baseline show cmd security va sql baseline show removed parameter server_name please add back parameter server_name for cmd security va sql baseline show
1007 - ParaRemove security va sql baseline show cmd security va sql baseline show removed parameter vm_name please add back parameter vm_name for cmd security va sql baseline show
1007 - ParaRemove security va sql baseline show cmd security va sql baseline show removed parameter vm_resource_id please add back parameter vm_resource_id for cmd security va sql baseline show
1007 - ParaRemove security va sql baseline show cmd security va sql baseline show removed parameter vm_uuid please add back parameter vm_uuid for cmd security va sql baseline show
1007 - ParaRemove security va sql baseline show cmd security va sql baseline show removed parameter workspace_id please add back parameter workspace_id for cmd security va sql baseline show
1002 - CmdRemove security va sql baseline update cmd security va sql baseline update removed please confirm cmd security va sql baseline update removed
1006 - ParaAdd security va sql results list cmd security va sql results list added parameter resource_id please remove parameter resource_id for cmd security va sql results list
1007 - ParaRemove security va sql results list cmd security va sql results list removed parameter agent_id please add back parameter agent_id for cmd security va sql results list
1007 - ParaRemove security va sql results list cmd security va sql results list removed parameter server_name please add back parameter server_name for cmd security va sql results list
1007 - ParaRemove security va sql results list cmd security va sql results list removed parameter vm_name please add back parameter vm_name for cmd security va sql results list
1007 - ParaRemove security va sql results list cmd security va sql results list removed parameter vm_resource_id please add back parameter vm_resource_id for cmd security va sql results list
1007 - ParaRemove security va sql results list cmd security va sql results list removed parameter vm_uuid please add back parameter vm_uuid for cmd security va sql results list
1007 - ParaRemove security va sql results list cmd security va sql results list removed parameter workspace_id please add back parameter workspace_id for cmd security va sql results list
1006 - ParaAdd security va sql results show cmd security va sql results show added parameter resource_id please remove parameter resource_id for cmd security va sql results show
1007 - ParaRemove security va sql results show cmd security va sql results show removed parameter agent_id please add back parameter agent_id for cmd security va sql results show
1007 - ParaRemove security va sql results show cmd security va sql results show removed parameter server_name please add back parameter server_name for cmd security va sql results show
1007 - ParaRemove security va sql results show cmd security va sql results show removed parameter vm_name please add back parameter vm_name for cmd security va sql results show
1007 - ParaRemove security va sql results show cmd security va sql results show removed parameter vm_resource_id please add back parameter vm_resource_id for cmd security va sql results show
1007 - ParaRemove security va sql results show cmd security va sql results show removed parameter vm_uuid please add back parameter vm_uuid for cmd security va sql results show
1007 - ParaRemove security va sql results show cmd security va sql results show removed parameter workspace_id please add back parameter workspace_id for cmd security va sql results show
1006 - ParaAdd security va sql scans list cmd security va sql scans list added parameter resource_id please remove parameter resource_id for cmd security va sql scans list
1007 - ParaRemove security va sql scans list cmd security va sql scans list removed parameter agent_id please add back parameter agent_id for cmd security va sql scans list
1007 - ParaRemove security va sql scans list cmd security va sql scans list removed parameter server_name please add back parameter server_name for cmd security va sql scans list
1007 - ParaRemove security va sql scans list cmd security va sql scans list removed parameter vm_name please add back parameter vm_name for cmd security va sql scans list
1007 - ParaRemove security va sql scans list cmd security va sql scans list removed parameter vm_resource_id please add back parameter vm_resource_id for cmd security va sql scans list
1007 - ParaRemove security va sql scans list cmd security va sql scans list removed parameter vm_uuid please add back parameter vm_uuid for cmd security va sql scans list
1007 - ParaRemove security va sql scans list cmd security va sql scans list removed parameter workspace_id please add back parameter workspace_id for cmd security va sql scans list
1006 - ParaAdd security va sql scans show cmd security va sql scans show added parameter resource_id please remove parameter resource_id for cmd security va sql scans show
1007 - ParaRemove security va sql scans show cmd security va sql scans show removed parameter agent_id please add back parameter agent_id for cmd security va sql scans show
1007 - ParaRemove security va sql scans show cmd security va sql scans show removed parameter server_name please add back parameter server_name for cmd security va sql scans show
1007 - ParaRemove security va sql scans show cmd security va sql scans show removed parameter vm_name please add back parameter vm_name for cmd security va sql scans show
1007 - ParaRemove security va sql scans show cmd security va sql scans show removed parameter vm_resource_id please add back parameter vm_resource_id for cmd security va sql scans show
1007 - ParaRemove security va sql scans show cmd security va sql scans show removed parameter vm_uuid please add back parameter vm_uuid for cmd security va sql scans show
1007 - ParaRemove security va sql scans show cmd security va sql scans show removed parameter workspace_id please add back parameter workspace_id for cmd security va sql scans show
⚠️ 1015 - SubgroupPropUpdate security va sql sub group security va sql updated property commands from {} to {'security va sql create': {'name': 'security va sql create', 'is_aaz': True, 'parameters': [{'name': '_change_reference', 'options': ['--change-reference']}, {'name': '_acquire_policy_token', 'options': ['--acquire-policy-token']}, {'name': 'resource_id', 'options': ['--resource-id'], 'required': True, 'aaz_type': 'string', 'type': 'string'}, {'name': 'state', 'options': ['--state'], 'choices': ['Disabled', 'Enabled'], 'aaz_type': 'string', 'type': 'string'}]}, 'security va sql delete': {'name': 'security va sql delete', 'is_aaz': True, 'parameters': [{'name': '_change_reference', 'options': ['--change-reference']}, {'name': '_acquire_policy_token', 'options': ['--acquire-policy-token']}, {'name': 'resource_id', 'options': ['--resource-id'], 'required': True, 'aaz_type': 'string', 'type': 'string'}, {'name': 'yes', 'options': ['--yes', '-y']}]}, 'security va sql show': {'name': 'security va sql show', 'is_aaz': True, 'parameters': [{'name': 'resource_id', 'options': ['--resource-id'], 'required': True, 'aaz_type': 'string', 'type': 'string'}]}, 'security va sql update': {'name': 'security va sql update', 'is_aaz': True, 'parameters': [{'name': '_change_reference', 'options': ['--change-reference']}, {'name': '_acquire_policy_token', 'options': ['--acquire-policy-token']}, {'name': 'generic_update_add', 'options': ['--add'], 'nargs': '+', 'aaz_type': 'AAZGenericUpdateAddArg'}, {'name': 'generic_update_set', 'options': ['--set'], 'nargs': '+', 'aaz_type': 'AAZGenericUpdateSetArg'}, {'name': 'generic_update_remove', 'options': ['--remove'], 'nargs': '+', 'aaz_type': 'AAZGenericUpdateRemoveArg'}, {'name': 'generic_update_force_string', 'options': ['--force-string'], 'choices': ['0', '1', 'f', 'false', 'n', 'no', 't', 'true', 'y', 'yes'], 'nargs': '?', 'aaz_type': 'bool', 'type': 'bool'}, {'name': 'resource_id', 'options': ['--resource-id'], 'required': True, 
'aaz_type': 'string', 'type': 'string'}, {'name': 'state', 'options': ['--state'], 'choices': ['Disabled', 'Enabled'], 'aaz_type': 'string', 'type': 'string'}]}}
⚠️ 1001 - CmdAdd security va sql baseline add cmd security va sql baseline add added
⚠️ 1001 - CmdAdd security va sql baseline create cmd security va sql baseline create added
⚠️ 1006 - ParaAdd security va sql baseline delete cmd security va sql baseline delete added parameter yes
⚠️ 1008 - ParaPropAdd security va sql baseline delete cmd security va sql baseline delete update parameter database_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql baseline delete cmd security va sql baseline delete update parameter database_name: added property type=string
⚠️ 1009 - ParaPropRemove security va sql baseline delete cmd security va sql baseline delete update parameter database_name: removed property required=True
⚠️ 1008 - ParaPropAdd security va sql baseline delete cmd security va sql baseline delete update parameter rule_id: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql baseline delete cmd security va sql baseline delete update parameter rule_id: added property type=string
⚠️ 1006 - ParaAdd security va sql baseline list cmd security va sql baseline list added parameter pagination_limit
⚠️ 1006 - ParaAdd security va sql baseline list cmd security va sql baseline list added parameter pagination_token
⚠️ 1008 - ParaPropAdd security va sql baseline list cmd security va sql baseline list update parameter database_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql baseline list cmd security va sql baseline list update parameter database_name: added property type=string
⚠️ 1009 - ParaPropRemove security va sql baseline list cmd security va sql baseline list update parameter database_name: removed property required=True
⚠️ 1006 - ParaAdd security va sql baseline set cmd security va sql baseline set added parameter latest_scan
⚠️ 1006 - ParaAdd security va sql baseline set cmd security va sql baseline set added parameter results
⚠️ 1003 - CmdPropAdd security va sql baseline set cmd security va sql baseline set added property deprecate_info_redirect
⚠️ 1003 - CmdPropAdd security va sql baseline set cmd security va sql baseline set added property deprecate_info_target
⚠️ 1008 - ParaPropAdd security va sql baseline set cmd security va sql baseline set update parameter database_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql baseline set cmd security va sql baseline set update parameter database_name: added property type=string
⚠️ 1009 - ParaPropRemove security va sql baseline set cmd security va sql baseline set update parameter database_name: removed property required=True
⚠️ 1008 - ParaPropAdd security va sql baseline show cmd security va sql baseline show update parameter database_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql baseline show cmd security va sql baseline show update parameter database_name: added property type=string
⚠️ 1009 - ParaPropRemove security va sql baseline show cmd security va sql baseline show update parameter database_name: removed property required=True
⚠️ 1008 - ParaPropAdd security va sql baseline show cmd security va sql baseline show update parameter rule_id: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql baseline show cmd security va sql baseline show update parameter rule_id: added property type=string
⚠️ 1006 - ParaAdd security va sql results list cmd security va sql results list added parameter pagination_limit
⚠️ 1006 - ParaAdd security va sql results list cmd security va sql results list added parameter pagination_token
⚠️ 1008 - ParaPropAdd security va sql results list cmd security va sql results list update parameter database_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql results list cmd security va sql results list update parameter database_name: added property type=string
⚠️ 1009 - ParaPropRemove security va sql results list cmd security va sql results list update parameter database_name: removed property required=True
⚠️ 1008 - ParaPropAdd security va sql results list cmd security va sql results list update parameter scan_id: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql results list cmd security va sql results list update parameter scan_id: added property type=string
⚠️ 1008 - ParaPropAdd security va sql results show cmd security va sql results show update parameter database_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql results show cmd security va sql results show update parameter database_name: added property type=string
⚠️ 1009 - ParaPropRemove security va sql results show cmd security va sql results show update parameter database_name: removed property required=True
⚠️ 1008 - ParaPropAdd security va sql results show cmd security va sql results show update parameter rule_id: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql results show cmd security va sql results show update parameter rule_id: added property type=string
⚠️ 1010 - ParaPropUpdate security va sql results show cmd security va sql results show update parameter rule_id: updated property name from rule_id to scan_result_id
⚠️ 1010 - ParaPropUpdate security va sql results show cmd security va sql results show update parameter rule_id: updated property options from ['--rule-id'] to ['--rule-id', '--scan-result-id']
⚠️ 1008 - ParaPropAdd security va sql results show cmd security va sql results show update parameter scan_id: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql results show cmd security va sql results show update parameter scan_id: added property type=string
⚠️ 1001 - CmdAdd security va sql scans initiate-scan cmd security va sql scans initiate-scan added
⚠️ 1006 - ParaAdd security va sql scans list cmd security va sql scans list added parameter pagination_limit
⚠️ 1006 - ParaAdd security va sql scans list cmd security va sql scans list added parameter pagination_token
⚠️ 1008 - ParaPropAdd security va sql scans list cmd security va sql scans list update parameter database_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql scans list cmd security va sql scans list update parameter database_name: added property type=string
⚠️ 1009 - ParaPropRemove security va sql scans list cmd security va sql scans list update parameter database_name: removed property required=True
⚠️ 1011 - SubgroupAdd security va sql scans scan-operation-result sub group security va sql scans scan-operation-result added
⚠️ 1008 - ParaPropAdd security va sql scans show cmd security va sql scans show update parameter database_name: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql scans show cmd security va sql scans show update parameter database_name: added property type=string
⚠️ 1009 - ParaPropRemove security va sql scans show cmd security va sql scans show update parameter database_name: removed property required=True
⚠️ 1008 - ParaPropAdd security va sql scans show cmd security va sql scans show update parameter scan_id: added property aaz_type=string
⚠️ 1008 - ParaPropAdd security va sql scans show cmd security va sql scans show update parameter scan_id: added property type=string
❌vm
rule cmd_name rule_message suggest_message
1010 - ParaPropUpdate restore-point wait cmd restore-point wait update parameter restore_point_collection_name: updated property options from ['--collection-name', '--restore-point-collection-name'] to ['--collection-name'] please change property options from ['--collection-name'] to ['--collection-name', '--restore-point-collection-name'] for parameter restore_point_collection_name of cmd restore-point wait
1007 - ParaRemove vmss update cmd vmss update removed parameter exclude_zones please add back parameter exclude_zones for cmd vmss update
1007 - ParaRemove vmss update cmd vmss update removed parameter include_zones please add back parameter include_zones for cmd vmss update
1007 - ParaRemove vmss update cmd vmss update removed parameter zone_placement_policy please add back parameter zone_placement_policy for cmd vmss update
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter expand: removed property aaz_type=string
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter expand: removed property choices=['instanceView']
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter expand: removed property type=string
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter resource_group: removed property aaz_type=string
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter resource_group: removed property type=string
⚠️ 1010 - ParaPropUpdate restore-point wait cmd restore-point wait update parameter resource_group: updated property name from resource_group to resource_group_name
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter restore_point_collection_name: removed property aaz_type=string
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter restore_point_collection_name: removed property id_part=name
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter restore_point_collection_name: removed property type=string
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter restore_point_name: removed property aaz_type=string
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter restore_point_name: removed property id_part=child_name_1
⚠️ 1009 - ParaPropRemove restore-point wait cmd restore-point wait update parameter restore_point_name: removed property type=string

Please submit your Breaking Change Pre-announcement ASAP if you haven't already. Please note:

  • Breaking changes can only be merged during the designated breaking change window
  • A pre-announcement must be released at least one month in advance

For more details on how to introduce breaking changes, refer to the documentation: azure-cli/doc/how_to_introduce_breaking_changes.md

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR migrates az security va sql (SQL Vulnerability Assessment) from hand-authored command implementations to AAZ-generated atomic commands targeting 2026-04-01-preview, removing the legacy SDK wiring, custom argument actions, help entries, and live scenario tests.

Changes:

  • Replace legacy security va sql commands (custom.py/commands.py/_params.py/_help.py/_client_factory.py) with AAZ-generated command implementations under aaz/latest/security/va/sql/....
  • Introduce new command surface (va sql create/show/update/delete, scans initiate-scan, scans scan-operation-result show, and baseline add/create/update).
  • Remove the legacy live scenario test and its recording for test_va_sql_scenario.

Reviewed changes

Copilot reviewed 37 out of 37 changed files in this pull request and generated 6 comments.

Show a summary per file
| File | Description |
| --- | --- |
| `src/azure-cli/azure/cli/command_modules/security/tests/latest/test_va_sql_scenario.py` | Removes legacy live scenario coverage for VA SQL commands. |
| `src/azure-cli/azure/cli/command_modules/security/tests/latest/recordings/test_va_sql_scenario.yaml` | Removes recorded HTTP interactions for the deleted scenario. |
| `src/azure-cli/azure/cli/command_modules/security/custom.py` | Deletes hand-authored VA SQL command implementations and related imports. |
| `src/azure-cli/azure/cli/command_modules/security/commands.py` | Removes legacy VA SQL command groups and SDK command types wiring. |
| `src/azure-cli/azure/cli/command_modules/security/actions.py` | Removes baseline argparse actions used by legacy VA SQL baseline commands. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/scan_operation_result/_show.py` | Adds AAZ command to show scan operation result by operation id. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/scan_operation_result/__init__.py` | Exposes the scan-operation-result command group commands. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/scan_operation_result/__cmd_group.py` | Registers the scan-operation-result command group. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/_show.py` | Adds AAZ command to show a single scan record. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/_list.py` | Adds AAZ command to list scan records with pagination support. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/_initiate_scan.py` | Adds AAZ command to initiate a scan (LRO/no-wait). |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/__init__.py` | Exposes the scans command group commands. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/scans/__cmd_group.py` | Registers the scans command group. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/results/_show.py` | Adds AAZ command to show a single scan result. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/results/_list.py` | Adds AAZ command to list scan results with pagination support. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/results/__init__.py` | Exposes the results command group commands. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/results/__cmd_group.py` | Registers the results command group. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_update.py` | Adds AAZ command to update a baseline rule (generic update flow). |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_show.py` | Adds AAZ command to show a baseline rule. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_list.py` | Adds AAZ command to list baseline rules with pagination support. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_delete.py` | Adds AAZ command to delete a baseline rule with confirmation prompt. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_create.py` | Adds AAZ command to create/replace a baseline rule. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/_add.py` | Adds AAZ command to set/replace baseline rules collection (POST). |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/__init__.py` | Exposes the baseline command group commands. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/baseline/__cmd_group.py` | Registers the baseline command group. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/_update.py` | Adds AAZ command to update VA SQL settings (generic update flow). |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/_show.py` | Adds AAZ command to show VA SQL settings. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/_delete.py` | Adds AAZ command to delete VA SQL settings with confirmation prompt. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/_create.py` | Adds AAZ command to create VA SQL settings. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/__init__.py` | Exposes security va sql commands. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/sql/__cmd_group.py` | Registers the security va sql command group. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/__init__.py` | Exposes the security va command group. |
| `src/azure-cli/azure/cli/command_modules/security/aaz/latest/security/va/__cmd_group.py` | Registers the security va command group. |
| `src/azure-cli/azure/cli/command_modules/security/_params.py` | Removes legacy VA SQL parameters/actions; relies on AAZ args schemas. |
| `src/azure-cli/azure/cli/command_modules/security/_help.py` | Removes legacy hand-authored help for VA SQL commands. |
| `src/azure-cli/azure/cli/command_modules/security/_client_factory.py` | Removes legacy VA SQL client factories. |
| `src/azure-cli/HISTORY.rst` | Documents the breaking changes and new AAZ-based command surface. |


Comment thread src/azure-cli/HISTORY.rst Outdated
GalGoldi72 added a commit to GalGoldi72/aaz that referenced this pull request Jun 2, 2026
Adds `rule-id` as a primary option for the scanResultId argument on
`az security va sql results show`, with `scan-result-id` kept as a
secondary alias. This aligns with the `baseline` commands which use
`--rule-id` for the same logical concept and matches Copilot review
feedback on Azure/azure-cli#33482.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
GalGoldi72 and others added 2 commits June 2, 2026 21:41
Addresses Copilot review comments on Azure#33482:

- `security va sql results show`: Accept both `--rule-id`
  (preferred, consistent with `baseline` commands) and
  `--scan-result-id` (alias). Examples updated to use `--rule-id`.
- `security va sql baseline add/create/update`: Reject mutually
  exclusive `--latest-scan` and `--results` arguments with a
  clear error message, matching the legacy behavior.
- `security va sql baseline set`: Re-added as a deprecated alias of
  `baseline add` for backwards compatibility with the legacy CLI.
- `security va sql baseline update`: Behaves as a true upsert -- if
  no baseline exists yet for the specified rule, an empty instance is
  initialized so the subsequent PUT creates one (instead of 404).
- `security va sql baseline add`: Fixed example to use valid JSON
  for the `--results` argument.
- HISTORY.rst updated to document the rule-id alias, deprecated `set`
  alias, and upsert behavior of `baseline update`.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The AAZ-generated `update` command uses the standard GET -> patch instance ->
PUT flow. The Microsoft.Security
`sqlVulnerabilityAssessments/default/baselineRules` service has an asymmetric
request/response shape: PUT accepts only a flat `{ latestScan, results }` body,
but GET returns the ARM-canonical `{ properties: { latestScan, results }, ... }`
shape. The generic-update flow therefore PUTs a mixed payload that the service
rejects with `400 UnsupportedProperties: 'properties'`.

Verified directly against the live API:
  PUT { latestScan: true }                  -> 200 OK
  PUT { properties: { latestScan: true } }  -> 400 UnsupportedProperties

Because `baseline create` is the same PUT endpoint and is a full upsert,
removing `update` does not reduce functionality.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
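
The request/response asymmetry described in the commit message above, as an added example that is not part of the PR or the azure-cli code base. `FakeBaselineRules` is a constructed in-memory stand-in that models only the two shapes the message reports (flat PUT body, `properties` envelope on GET); `generic_update`, `to_put_body` and `flat_update` are hypothetical helper names, and the 404 body is a placeholder.

```python
import copy

ALLOWED_PUT_KEYS = {"latestScan", "results"}  # flat body the commit message says PUT accepts


class FakeBaselineRules:
    """Constructed stand-in for the baselineRules endpoint; not the real service."""

    def __init__(self):
        self._store = {}

    def get(self, rule_id):
        if rule_id not in self._store:
            return 404, {}  # placeholder body; the page does not show the real one
        # GET answers in the ARM envelope: fields nested under "properties".
        return 200, {"properties": copy.deepcopy(self._store[rule_id])}

    def put(self, rule_id, body):
        extra = sorted(set(body) - ALLOWED_PUT_KEYS)
        if extra:  # anything outside the flat shape is rejected
            return 400, {"error": {"code": "UnsupportedProperties", "message": ", ".join(extra)}}
        self._store[rule_id] = copy.deepcopy(body)
        return 200, {"properties": copy.deepcopy(body)}


def generic_update(svc, rule_id, **changes):
    """GET -> patch instance -> PUT, sending the patched GET document straight back."""
    status, instance = svc.get(rule_id)
    if status != 200:
        return status, instance
    instance.update(changes)  # flat arguments land beside the nested envelope
    return svc.put(rule_id, instance)


def to_put_body(instance, **changes):
    """Lift the envelope's fields into the flat PUT shape, then apply the changes."""
    if "latestScan" in changes and "results" in changes:
        raise ValueError("latestScan and results are mutually exclusive")
    body = {k: v for k, v in instance.get("properties", {}).items() if k in ALLOWED_PUT_KEYS}
    if "results" in changes:  # the PR treats the two fields as alternatives,
        body.pop("latestScan", None)
    if "latestScan" in changes:  # so setting one drops the other
        body.pop("results", None)
    body.update(changes)
    return body


def flat_update(svc, rule_id, **changes):
    """Upsert: a missing rule starts from an empty instance instead of failing on 404."""
    status, instance = svc.get(rule_id)
    return svc.put(rule_id, to_put_body(instance if status == 200 else {}, **changes))
```
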
@yonzhan yonzhan assigned calvinhzy and unassigned evelyn-ys Jun 2, 2026
@yonzhan

yonzhan commented Jun 2, 2026

Collaborator

sql

GalGoldi72 and others added 4 commits June 3, 2026 12:15
…iew migration

Adds three scenario tests covering the new aaz-generated 'security va sql' commands:

* test_security_va_sql_paas_lifecycle: full 17-step PaaS happy path (Azure SQL Server + DB), exercising the --resource-id=<db-id> URL form. Covers settings (create/show/update/delete), scans (initiate/show/list), baseline (add/create/show/list/delete), and results (list/show via both --rule-id and legacy --scan-result-id aliases).

* test_security_va_sql_paas_dbname_form: focused coverage of the --database-name query-string form (--resource-id=<server> --database-name=<db>) for all db-scoped commands (scans, baseline, results). This is the only URL shape that can target system DBs like master.

* test_security_va_sql_negative: validator coverage that doesn't need cloud resources (mutual exclusivity of --latest-scan/--results; presence of the deprecated 'baseline set' alias).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adds test_security_va_sql_arc_lifecycle, which exercises the new aaz 'security va sql' commands against an Arc-enabled SQL Server hosted on a Microsoft.HybridCompute/machines resource.

Coverage differs from PaaS because the RP returns 404 ResourceTypeNotSupported on Arc for: settings (create/show/update/delete), scans initiate-scan, and scan-operation-result show (scans are auto-scheduled by the agent, not API-triggerable). The Arc test therefore covers scans (show via --scan-id latest + list), results (list + show via both --rule-id and --scan-result-id), and a non-destructive baseline create/show/delete round-trip on a single rule that is not already baselined.

The test targets a pre-existing real resource (rg=ggoldshtein, arc=galLaptop, srv=SQLEXPRESS, db=master) instead of using ResourceGroupPreparer because Arc infra cannot be provisioned in a test setup hook. Subscription id is constructed via self.get_subscription_id() so the cassette is portable; the recording sub id has been anonymized to 00000000-...-0.

Service quirks discovered while authoring this test (noted as inline comments):

* baseline list returns 404 NoBaseline (not an empty list) when zero baselines exist on the DB -- test wraps the call to treat it as empty set

* baseline create --latest-scan true fails with 400 EmptyBaseline on rules with status != 'Finding' -- test filters rule selection to status='Finding' only

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Twelve long lines in adaptive application controls and automation handlers (lines 597, 861, 866, 870, 875, 886, 906, 919, 934, 941, 943, 977) pre-date this PR and are unrelated to the VA SQL migration. They were not flagged before because the prior pylint disables lived inside the now-removed VA SQL helpers. Add a file-scope disable to unblock azdev-style without touching unrelated functions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace bare identifiers in the --results example with proper JSON (quoted strings) so users can copy/paste the example and have it parse as AAZDictArg / AAZListArg input.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@GalGoldi72

Author

Friendly bump 🙂 — this PR has been open for ~1 week with all CI checks green and Copilot review comments resolved.

@yonzhan @evelyn-ys — could either of you take a look (or help route to the right reviewer)? The migration is gated by upstream AAZ PR Azure/aaz#1021, which is also waiting on a reviewer.

Happy to walk through the changes, hop on a call, or address feedback quickly. Thanks!

@GalGoldi72

Author

Friendly bump 🙂 this PR has been open for ~2 weeks with all CI checks green and Copilot review comments resolved.

@jsntcy could you take a look? The migration is gated by upstream AAZ PR Azure/aaz#1021, which is also waiting on a reviewer.

Happy to walk through the changes, hop on a call, or address feedback quickly. Thanks!

@necusjz

necusjz commented Jun 24, 2026

Member

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

Comment thread src/azure-cli/HISTORY.rst Outdated
@necusjz necusjz changed the title [Security] az security va sql: Migrate to aaz with API 2026-04-01-preview {Security} az security va sql: Migrate to aaz with API 2026-04-01-preview Jun 24, 2026
…lease)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

7 participants