[Safeguards] Fix verb tense in help text and add pre-existence check

src/aks-preview/HISTORY.rst

@@ -11,10 +11,15 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
-* `az aks bastion`: Correctly configure `$KUBECONFIG` values for tunneling traffic into a private AKS cluster.
+
+19.0.0b17
++++++++
+* `az aks safeguards create`: Add pre-existence check to prevent duplicate resource creation and guide users to use update command instead.
+* `az aks safeguards`: Fix verb tense in help text and examples to use first-person imperative verbs per Azure CLI guidelines.
 
 19.0.0b16
 +++++++
+* `az aks bastion`: Correctly configure `$KUBECONFIG` values for tunneling traffic into a private AKS cluster.
 * Update --enable-container-network-logs DCR to ContainerNetworkLogs instead of RetinaNetworkFlowLogs
 
 19.0.0b15

src/aks-preview/azext_aks_preview/aaz/latest/aks/safeguards/_create.py

@@ -17,16 +17,16 @@
 class Create(AAZCommand):
     """Enable Deployment Safeguards for a Managed Cluster
 
-    :example: Creates a DeploymentSafeguards resource at Warn level with a managed cluster resource id
+    :example: Create a DeploymentSafeguards resource at Warn level with a managed cluster resource id
         az aks safeguards create --resource /subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1 --level Warn
 
-    :example: Creates a DeploymentSafeguards resource at Warn level using subscription, resourcegroup, and name tags
+    :example: Create a DeploymentSafeguards resource at Warn level using subscription, resourcegroup, and name tags
         az aks safeguards create --subscription subid1 -g rg1 -n cluster1 --level Warn
 
     :example: Create a DeploymentSafeguards resource at Warn level with ignored namespaces
         az aks safeguards create -g rg1 -n mc1 --excluded-ns ns1 ns2 --level Warn
 
-    :example: Creates a DeploymentSafeguards resource at Warn level with pod security standards level set to Baseline
+    :example: Create a DeploymentSafeguards resource at Warn level with pod security standards level set to Baseline
         az aks safeguards create --managed-cluster subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1 --level Warn --pss-level Baseline
     """
 
@@ -87,6 +87,49 @@ def _build_arguments_schema(cls, *args, **kwargs):
         return cls._args_schema
 
     def _execute_operations(self):
+        # Check if Deployment Safeguards already exists BEFORE attempting create
+        from azure.cli.core.util import send_raw_request
+        from knack.util import CLIError
+
+        # Get the resource URI - check if managed_cluster is set, otherwise build from -g/-n
+        resource_uri = self.ctx.args.managed_cluster
+
+        # If managed_cluster is "Undefined" or not set, build from resource_group and cluster_name
+        if not resource_uri or str(resource_uri) == "Undefined":
+            # Access raw data which has resource_group and cluster_name from -g/-n
+            data = self.ctx.args._data
+            if 'resource_group' in data and 'cluster_name' in data:
+                subscription = self.ctx.subscription_id
+                resource_uri = f"/subscriptions/{subscription}/resourceGroups/{data['resource_group']}/providers/Microsoft.ContainerService/managedClusters/{data['cluster_name']}"
+
+        if not resource_uri or str(resource_uri) == "Undefined":
+            raise CLIError("Resource URI not found. Please provide either --managed-cluster or both --resource-group and --name.")
+
+        # Construct the GET URL to check if resource already exists
+        safeguards_url = f"https://management.azure.com{resource_uri}/providers/Microsoft.ContainerService/deploymentSafeguards/default?api-version=2025-05-02-preview"
+
+        # Check if resource already exists
+        resource_exists = False
+        try:
+            response = send_raw_request(self.ctx.cli_ctx, "GET", safeguards_url)
+            if response.status_code == 200:
+                resource_exists = True
+        except Exception as ex:
+            # Any exception (404, etc) means resource doesn't exist - that's fine for create
+            error_str = str(ex).lower()
+            if "404" not in error_str and "not found" not in error_str and "resourcenotfound" not in error_str:
+                # If it's not a "not found" error, it might be a real problem - but let the create operation handle it
+                pass
+
+        # If resource exists, block the create
+        if resource_exists:
+            raise CLIError(
+                f"Deployment Safeguards instance already exists for this cluster. "
+                f"Please use 'az aks safeguards update' to modify the configuration, "
+                f"or 'az aks safeguards delete' to remove it before creating a new one."
+            )
+
+        # If we get here, resource doesn't exist - proceed with create
         self.pre_operations()
         yield self.DeploymentSafeguardsCreate(ctx=self.ctx)()
         self.post_operations()

src/aks-preview/azext_aks_preview/aaz/latest/aks/safeguards/_delete.py

@@ -18,10 +18,10 @@
 class Delete(AAZCommand):
     """Disable Deployment Safeguards for a Managed Cluster
 
-    :example: Deletes a DeploymentSafeguard resource by managed cluster id
+    :example: Delete a DeploymentSafeguard resource by managed cluster id
         az aks safeguards delete -c subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1
 
-    :example: Deletes a DeploymentSafeguard resource with resourceGroup and clusterName arguments
+    :example: Delete a DeploymentSafeguard resource with resourceGroup and clusterName arguments
         az aks safeguards delete -g rg1 -n cluster1
     """
 

src/aks-preview/azext_aks_preview/aaz/latest/aks/safeguards/_show.py

@@ -17,10 +17,10 @@
 class Show(AAZCommand):
     """Show Deployment Safeguards Configuration for a Managed Cluster
 
-    :example: Gets a DeploymentSafeguard resource by managed cluster id
+    :example: Get a DeploymentSafeguard resource by managed cluster id
         az aks safeguards show --managed-cluster subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1
 
-    :example: Gets a DeploymentSafeguard resource with resourceGroup and clusterName arguments
+    :example: Get a DeploymentSafeguard resource with resourceGroup and clusterName arguments
         az aks safeguards show -g rg1 -n cluster1
     """
 

src/aks-preview/setup.py

@@ -9,7 +9,7 @@
 
 from setuptools import find_packages, setup
 
-VERSION = "19.0.0b16"
+VERSION = "19.0.0b17"
 
 CLASSIFIERS = [
     "Development Status :: 4 - Beta",