[Storage] support create Storage account with RequireInfrastructureEncryption (#12096)

* [Storage] Upgrade to SRP SDK 17.0.0

* [Storage] Support double Encryption

Author: blueww

src/ApplicationInsights/ApplicationInsights.Test/ApplicationInsights.Test.csproj

@@ -12,7 +12,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Management.ApplicationInsights" Version="0.3.0-preview" />
-    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
   </ItemGroup>
 
 </Project>

src/EventGrid/EventGrid.Test/EventGrid.Test.csproj

@@ -15,7 +15,7 @@
     <PackageReference Include="Microsoft.Azure.Management.EventHub" Version="2.5.0" />
     <PackageReference Include="Microsoft.Azure.Management.Relay" Version="2.0.2" />
     <PackageReference Include="Microsoft.Azure.Management.ServiceBus" Version="2.1.0" />
-    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
   </ItemGroup>
 
 </Project>

src/OperationalInsights/OperationalInsights.Test/OperationalInsights.Test.csproj

@@ -13,7 +13,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Management.OperationalInsights" Version="0.21.0-preview" />
     <PackageReference Include="Microsoft.Azure.OperationalInsights" Version="0.10.0-preview" />
-    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
   </ItemGroup>
 
 </Project>

src/Storage/Storage.Management.Test/ScenarioTests/StorageAccountTests.ps1

@@ -156,20 +156,21 @@ function Test-GetAzureStorageAccount
         # Test
         $stoname = 'sto' + $rgname;
         $stotype = 'Standard_GRS';
-        $loc = Get-ProviderLocation ResourceManagement;
+        $loc = Get-ProviderLocation_Canary ResourceManagement;
         $kind = 'StorageV2'
 
         New-AzResourceGroup -Name $rgname -Location $loc;
         Write-Output ("Resource Group created")
 
-        New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype ;
+        New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype -RequireInfrastructureEncryption;
 
         Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
         Assert-AreEqual $stoname $sto.StorageAccountName;
         Assert-AreEqual $stotype $sto.Sku.Name;
         Assert-AreEqual $loc.ToLower().Replace(" ", "") $sto.Location;
         Assert-AreEqual $kind $sto.Kind;
         Assert-AreEqual $true $sto.EnableHttpsTrafficOnly;
+		Assert-AreEqual $true $sto.Encryption.RequireInfrastructureEncryption
 
         $stos = Get-AzStorageAccount -ResourceGroupName $rgname;
         Assert-AreEqual $stoname $stos[0].StorageAccountName;

src/Storage/Storage.Management.Test/SessionRecords/Microsoft.Azure.Commands.Management.Storage.Test.ScenarioTests.StorageAccountTests/TestGetAzureStorageAccount.json

@@ -15,7 +15,7 @@
     <PackageReference Include="Azure.Storage.Files.DataLake" Version="12.0.0" />
     <PackageReference Include="Azure.Storage.Files.Shares" Version="12.2.0" />
     <PackageReference Include="Azure.Storage.Queues" Version="12.3.0" />
-    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
   </ItemGroup>
 
 </Project>

src/Storage/Storage.Management.Test/Storage.Management.Test.csproj

@@ -111,8 +111,9 @@ public override void ExecuteCmdlet()
                             this.ResourceGroupName,
                             this.StorageAccountName,
                             this.Name,
-                            (PublicAccess?)this.publicAccess,
-                            MetadataDictionary);
+                            new BlobContainer(
+                                publicAccess: (PublicAccess?)this.publicAccess,
+                                metadata: MetadataDictionary));
 
                 WriteObject(new PSContainer(contaienr));
             }

src/Storage/Storage.Management/Blob/NewAzureStorageContainer.cs

@@ -138,8 +138,9 @@ public override void ExecuteCmdlet()
                                     this.ResourceGroupName,
                                     this.StorageAccountName,
                                     this.Name,
-                                    (PublicAccess?)this.publicAccess,
-                                    MetadataDictionary);
+                                    new BlobContainer(
+                                        publicAccess: (PublicAccess?)this.publicAccess,
+                                        metadata: MetadataDictionary));
 
                 WriteObject(new PSContainer(container));
             }

src/Storage/Storage.Management/Blob/UpdateAzureStorageContainer.cs

@@ -18,6 +18,8 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported create Storage account with RequireInfrastructureEncryption
+    -  `New-AzStorageAccount`
 * Moved the logic of loading Azure.Core to Az.Accounts
 
 ## Version 2.1.0

src/Storage/Storage.Management/ChangeLog.md

@@ -111,8 +111,9 @@ public override void ExecuteCmdlet()
                             this.ResourceGroupName,
                             this.StorageAccountName,
                             this.Name,
-                            MetadataDictionary,
-                            shareQuota);
+                            new FileShare(
+                                metadata: MetadataDictionary,
+                                shareQuota: shareQuota));
 
                 WriteObject(new PSShare(share));
             }

src/Storage/Storage.Management/File/NewAzureStorageShare.cs

@@ -151,8 +151,9 @@ public override void ExecuteCmdlet()
                                     this.ResourceGroupName,
                                     this.StorageAccountName,
                                     this.Name,
-                                    MetadataDictionary,
-                                    shareQuota);
+                                    new FileShare(
+                                        metadata: MetadataDictionary,
+                                        shareQuota: shareQuota));
 
                 WriteObject(new PSShare(Share));
             }

src/Storage/Storage.Management/File/UpdateAzureStorageShare.cs

@@ -14,7 +14,7 @@
     <RootNamespace>$(LegacyAssemblyPrefix)$(PsModuleName)</RootNamespace>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
     <PackageReference Include="Microsoft.Azure.Storage.Blob" Version="11.1.1" />
     <PackageReference Include="Microsoft.Azure.Storage.File" Version="11.1.1" />
     <PackageReference Include="Microsoft.Azure.Storage.Queue" Version="11.1.1" />

src/Storage/Storage.Management/Storage.Management.csproj

@@ -272,6 +272,9 @@ public bool EnableActiveDirectoryDomainServicesForFile
             IgnoreCase = true)]
         public string EncryptionKeyTypeForQueue { get; set; }
 
+        [Parameter(Mandatory = false, HelpMessage = "The service will apply a secondary layer of encryption with platform managed keys for data at rest.")]
+        public SwitchParameter  RequireInfrastructureEncryption { get; set; }
+
         public override void ExecuteCmdlet()
         {
             base.ExecuteCmdlet();
@@ -368,18 +371,30 @@ public override void ExecuteCmdlet()
             {
                 createParameters.LargeFileSharesState = LargeFileSharesState.Enabled;
             }
-            if(this.EncryptionKeyTypeForQueue != null || this.EncryptionKeyTypeForTable != null)
+            if(this.EncryptionKeyTypeForQueue != null || this.EncryptionKeyTypeForTable != null || this.RequireInfrastructureEncryption.IsPresent)
             {
                 createParameters.Encryption = new Encryption();
                 createParameters.Encryption.KeySource = KeySource.MicrosoftStorage;
-                createParameters.Encryption.Services = new EncryptionServices();
-                if (this.EncryptionKeyTypeForQueue != null)
+                if (this.EncryptionKeyTypeForQueue != null || this.EncryptionKeyTypeForTable != null)
                 {
-                    createParameters.Encryption.Services.Queue = new EncryptionService(keyType: this.EncryptionKeyTypeForQueue);
+                    createParameters.Encryption.Services = new EncryptionServices();
+                    if (this.EncryptionKeyTypeForQueue != null)
+                    {
+                        createParameters.Encryption.Services.Queue = new EncryptionService(keyType: this.EncryptionKeyTypeForQueue);
+                    }
+                    if (this.EncryptionKeyTypeForTable != null)
+                    {
+                        createParameters.Encryption.Services.Table = new EncryptionService(keyType: this.EncryptionKeyTypeForTable);
+                    }
                 }
-                if (this.EncryptionKeyTypeForTable != null)
+                if (this.RequireInfrastructureEncryption.IsPresent)
                 {
-                    createParameters.Encryption.Services.Table = new EncryptionService(keyType: this.EncryptionKeyTypeForTable);
+                    createParameters.Encryption.RequireInfrastructureEncryption = true;
+                    if (createParameters.Encryption.Services is null)
+                    {
+                        createParameters.Encryption.Services = new EncryptionServices();
+                        createParameters.Encryption.Services.Blob = new EncryptionService();
+                    }
                 }
             }
 

src/Storage/Storage.Management/StorageAccount/NewAzureStorageAccount.cs

@@ -20,7 +20,7 @@ New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <
  [-Tag <Hashtable>] [-EnableHttpsTrafficOnly <Boolean>] [-AssignIdentity] [-NetworkRuleSet <PSNetworkRuleSet>]
  [-EnableHierarchicalNamespace <Boolean>] [-EnableAzureActiveDirectoryDomainServicesForFile <Boolean>]
  [-EnableLargeFileShare] [-AsJob] [-EncryptionKeyTypeForTable <String>] [-EncryptionKeyTypeForQueue <String>]
- [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
+ [-RequireInfrastructureEncryption] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ### ActiveDirectoryDomainServicesForFile
@@ -32,8 +32,9 @@ New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <
  [-EnableActiveDirectoryDomainServicesForFile <Boolean>] [-ActiveDirectoryDomainName <String>]
  [-ActiveDirectoryNetBiosDomainName <String>] [-ActiveDirectoryForestName <String>]
  [-ActiveDirectoryDomainGuid <String>] [-ActiveDirectoryDomainSid <String>]
- [-ActiveDirectoryAzureStorageSid <String>] [-AsJob] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ActiveDirectoryAzureStorageSid <String>] [-AsJob] [-EncryptionKeyTypeForTable <String>]
+ [-EncryptionKeyTypeForQueue <String>] [-RequireInfrastructureEncryption]
+ [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -101,9 +102,9 @@ PS C:\>New-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "m
 
 This command creates a Storage account withenable Files Active Directory Domain Service Authentication.
 
-### Example 7: Create a Storage account with Queue and Table Service use account-scoped encryption key.
+### Example 7: Create a Storage account with Queue and Table Service use account-scoped encryption key, and Require Infrastructure Encryption.
 ```powershell
-PS C:\>New-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -Location "eastus2euap" -SkuName "Standard_LRS" -Kind StorageV2  -EncryptionKeyTypeForTable Account -EncryptionKeyTypeForQueue Account
+PS C:\>New-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -Location "eastus2euap" -SkuName "Standard_LRS" -Kind StorageV2  -EncryptionKeyTypeForTable Account -EncryptionKeyTypeForQueue Account -RequireInfrastructureEncryption
 
 PS C:\>$account = get-AzStorageAccount -ResourceGroupName $rgname -StorageAccountName $accountName
 
@@ -118,9 +119,13 @@ PS C:\>$account.Encryption.Services.Table
 Enabled LastEnabledTime     KeyType
 ------- ---------------     -------
    True 1/9/2020 6:09:11 AM Account
+
+PS C:\> $account.Encryption.RequireInfrastructureEncryption
+True
 ```
 
-This command creates a Storage account with Queue and Table Service use account-scoped encryption key, so Queue and Table will use same encryption key with Blob and File service. Then get the Storage account properties, and view the encryption keytype of Queue and Table Service.
+This command creates a Storage account with Queue and Table Service use account-scoped encryption key and Require Infrastructure Encryption, so Queue and Table will use same encryption key with Blob and File service, and the service will apply a secondary layer of encryption with platform managed keys for data at rest.
+Then get the Storage account properties, and view the encryption keytype of Queue and Table Service, and RequireInfrastructureEncryption value.
 
 ## PARAMETERS
 
@@ -477,6 +482,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -RequireInfrastructureEncryption
+The service will apply a secondary layer of encryption with platform managed keys for data at rest.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 Specifies the name of the resource group in which to add the Storage account.
 
@@ -549,7 +569,7 @@ Accept wildcard characters: False
 ```
 
 ### CommonParameters
-This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS
 

src/Storage/Storage.Management/help/New-AzStorageAccount.md

@@ -13,7 +13,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Management.Synapse" Version="0.1.0-preview.2" />
     <PackageReference Include="Microsoft.Azure.Synapse" Version="0.1.0-preview" />
-    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
   </ItemGroup>
 
 </Project>