

[Storage] support create Storage account with RequireInfrastructureEncryption (#12096)

* [Storage] Upgrade to SRP SDK 17.0.0

* [Storage] Support double Encryption
blueww authored Jun 10, 2020
1 parent 0a15e8a commit 54327cc
Showing 15 changed files with 199 additions and 337 deletions.
Expand Up @@ -12,7 +12,7 @@

<ItemGroup>
<PackageReference Include="Microsoft.Azure.Management.ApplicationInsights" Version="0.3.0-preview" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
</ItemGroup>

</Project>
2 changes: 1 addition & 1 deletion src/EventGrid/EventGrid.Test/EventGrid.Test.csproj
Expand Up @@ -15,7 +15,7 @@
<PackageReference Include="Microsoft.Azure.Management.EventHub" Version="2.5.0" />
<PackageReference Include="Microsoft.Azure.Management.Relay" Version="2.0.2" />
<PackageReference Include="Microsoft.Azure.Management.ServiceBus" Version="2.1.0" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
</ItemGroup>

</Project>
Expand Up @@ -13,7 +13,7 @@
<ItemGroup>
<PackageReference Include="Microsoft.Azure.Management.OperationalInsights" Version="0.21.0-preview" />
<PackageReference Include="Microsoft.Azure.OperationalInsights" Version="0.10.0-preview" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
</ItemGroup>

</Project>
Expand Up @@ -156,20 +156,21 @@ function Test-GetAzureStorageAccount
# Test
$stoname = 'sto' + $rgname;
$stotype = 'Standard_GRS';
$loc = Get-ProviderLocation ResourceManagement;
$loc = Get-ProviderLocation_Canary ResourceManagement;
$kind = 'StorageV2'

New-AzResourceGroup -Name $rgname -Location $loc;
Write-Output ("Resource Group created")

New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype ;
New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype -RequireInfrastructureEncryption;

Retry-IfException { $global:sto = Get-AzStorageAccount -ResourceGroupName $rgname -Name $stoname; }
Assert-AreEqual $stoname $sto.StorageAccountName;
Assert-AreEqual $stotype $sto.Sku.Name;
Assert-AreEqual $loc.ToLower().Replace(" ", "") $sto.Location;
Assert-AreEqual $kind $sto.Kind;
Assert-AreEqual $true $sto.EnableHttpsTrafficOnly;
Assert-AreEqual $true $sto.Encryption.RequireInfrastructureEncryption

$stos = Get-AzStorageAccount -ResourceGroupName $rgname;
Assert-AreEqual $stoname $stos[0].StorageAccountName;
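Review bot: Test-GetAzureStorageAccount now creates its only account with `-RequireInfrastructureEncryption` (the changed New-AzStorageAccount line in this hunk), so the pre-existing path — creating an account without the switch and reading it back — is no longer exercised by this test; keep that baseline as its own test or a second account rather than repurposing this one, and assert the flag's value there too so a silent default change is caught. The move to `Get-ProviderLocation_Canary` suggests the feature is only accepted in canary regions, which should be stated next to that line, e.g. `# RequireInfrastructureEncryption is currently only accepted in canary regions`, if that is the reason. The new `Assert-AreEqual $true $sto.Encryption.RequireInfrastructureEncryption` is the only assertion in the block without a trailing semicolon. The function body continues beyond this hunk.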


Expand Up @@ -15,7 +15,7 @@
<PackageReference Include="Azure.Storage.Files.DataLake" Version="12.0.0" />
<PackageReference Include="Azure.Storage.Files.Shares" Version="12.2.0" />
<PackageReference Include="Azure.Storage.Queues" Version="12.3.0" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
</ItemGroup>

</Project>
Expand Up @@ -111,8 +111,9 @@ public override void ExecuteCmdlet()
this.ResourceGroupName,
this.StorageAccountName,
this.Name,
(PublicAccess?)this.publicAccess,
MetadataDictionary);
new BlobContainer(
publicAccess: (PublicAccess?)this.publicAccess,
metadata: MetadataDictionary));

WriteObject(new PSContainer(contaienr));
}
Expand Up @@ -138,8 +138,9 @@ public override void ExecuteCmdlet()
this.ResourceGroupName,
this.StorageAccountName,
this.Name,
(PublicAccess?)this.publicAccess,
MetadataDictionary);
new BlobContainer(
publicAccess: (PublicAccess?)this.publicAccess,
metadata: MetadataDictionary));

WriteObject(new PSContainer(container));
}
2 changes: 2 additions & 0 deletions src/Storage/Storage.Management/ChangeLog.md
Expand Up @@ -18,6 +18,8 @@
- Additional information about change #1
-->
## Upcoming Release
* Supported create Storage account with RequireInfrastructureEncryption
- `New-AzStorageAccount`
* Moved the logic of loading Azure.Core to Az.Accounts

## Version 2.1.0
5 changes: 3 additions & 2 deletions src/Storage/Storage.Management/File/NewAzureStorageShare.cs
Expand Up @@ -111,8 +111,9 @@ public override void ExecuteCmdlet()
this.ResourceGroupName,
this.StorageAccountName,
this.Name,
MetadataDictionary,
shareQuota);
new FileShare(
metadata: MetadataDictionary,
shareQuota: shareQuota));

WriteObject(new PSShare(share));
}
Expand Up @@ -151,8 +151,9 @@ public override void ExecuteCmdlet()
this.ResourceGroupName,
this.StorageAccountName,
this.Name,
MetadataDictionary,
shareQuota);
new FileShare(
metadata: MetadataDictionary,
shareQuota: shareQuota));

WriteObject(new PSShare(Share));
}
2 changes: 1 addition & 1 deletion src/Storage/Storage.Management/Storage.Management.csproj
Expand Up @@ -14,7 +14,7 @@
<RootNamespace>$(LegacyAssemblyPrefix)$(PsModuleName)</RootNamespace>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
<PackageReference Include="Microsoft.Azure.Storage.Blob" Version="11.1.1" />
<PackageReference Include="Microsoft.Azure.Storage.File" Version="11.1.1" />
<PackageReference Include="Microsoft.Azure.Storage.Queue" Version="11.1.1" />
Expand Up @@ -272,6 +272,9 @@ public bool EnableActiveDirectoryDomainServicesForFile
IgnoreCase = true)]
public string EncryptionKeyTypeForQueue { get; set; }

[Parameter(Mandatory = false, HelpMessage = "The service will apply a secondary layer of encryption with platform managed keys for data at rest.")]
public SwitchParameter RequireInfrastructureEncryption { get; set; }

public override void ExecuteCmdlet()
{
base.ExecuteCmdlet();
Expand Down Expand Up @@ -368,18 +371,30 @@ public override void ExecuteCmdlet()
{
createParameters.LargeFileSharesState = LargeFileSharesState.Enabled;
}
if(this.EncryptionKeyTypeForQueue != null || this.EncryptionKeyTypeForTable != null)
if(this.EncryptionKeyTypeForQueue != null || this.EncryptionKeyTypeForTable != null || this.RequireInfrastructureEncryption.IsPresent)
{
createParameters.Encryption = new Encryption();
createParameters.Encryption.KeySource = KeySource.MicrosoftStorage;
createParameters.Encryption.Services = new EncryptionServices();
if (this.EncryptionKeyTypeForQueue != null)
if (this.EncryptionKeyTypeForQueue != null || this.EncryptionKeyTypeForTable != null)
{
createParameters.Encryption.Services.Queue = new EncryptionService(keyType: this.EncryptionKeyTypeForQueue);
createParameters.Encryption.Services = new EncryptionServices();
if (this.EncryptionKeyTypeForQueue != null)
{
createParameters.Encryption.Services.Queue = new EncryptionService(keyType: this.EncryptionKeyTypeForQueue);
}
if (this.EncryptionKeyTypeForTable != null)
{
createParameters.Encryption.Services.Table = new EncryptionService(keyType: this.EncryptionKeyTypeForTable);
}
}
if (this.EncryptionKeyTypeForTable != null)
if (this.RequireInfrastructureEncryption.IsPresent)
{
createParameters.Encryption.Services.Table = new EncryptionService(keyType: this.EncryptionKeyTypeForTable);
createParameters.Encryption.RequireInfrastructureEncryption = true;
if (createParameters.Encryption.Services is null)
{
createParameters.Encryption.Services = new EncryptionServices();
createParameters.Encryption.Services.Blob = new EncryptionService();
}
}
}

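Review bot: The branch inside the `RequireInfrastructureEncryption.IsPresent` block that seeds `createParameters.Encryption.Services` with a bare `Blob = new EncryptionService()` when no key type was given carries no comment saying why a Services entry is needed at all, and an `EncryptionService` constructed without an `enabled` value is easy to misread as switching blob encryption off; add a comment such as `// The resource provider rejects an Encryption payload with no Services entry; Blob with default settings leaves the account's encryption behaviour unchanged.`, if that is the reason, and confirm it against the SDK 17.0.0 model. The HelpMessage on the new parameter explains what infrastructure encryption does but not that it is only offered here on account creation; if, as exposing it solely on New-AzStorageAccount suggests, the setting cannot be changed on an existing account, say so in the HelpMessage and in the help markdown so users do not expect Set-AzStorageAccount to toggle it. Minor point of style: a SwitchParameter converts to bool implicitly, so `this.RequireInfrastructureEncryption` reads the same as `this.RequireInfrastructureEncryption.IsPresent` in both new conditions, though either form is acceptable. ExecuteCmdlet starts in the first hunk and continues beyond the second.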
34 changes: 27 additions & 7 deletions src/Storage/Storage.Management/help/New-AzStorageAccount.md
Expand Up @@ -20,7 +20,7 @@ New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <
[-Tag <Hashtable>] [-EnableHttpsTrafficOnly <Boolean>] [-AssignIdentity] [-NetworkRuleSet <PSNetworkRuleSet>]
[-EnableHierarchicalNamespace <Boolean>] [-EnableAzureActiveDirectoryDomainServicesForFile <Boolean>]
[-EnableLargeFileShare] [-AsJob] [-EncryptionKeyTypeForTable <String>] [-EncryptionKeyTypeForQueue <String>]
[-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
[-RequireInfrastructureEncryption] [-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
```

### ActiveDirectoryDomainServicesForFile
Expand All @@ -32,8 +32,9 @@ New-AzStorageAccount [-ResourceGroupName] <String> [-Name] <String> [-SkuName] <
[-EnableActiveDirectoryDomainServicesForFile <Boolean>] [-ActiveDirectoryDomainName <String>]
[-ActiveDirectoryNetBiosDomainName <String>] [-ActiveDirectoryForestName <String>]
[-ActiveDirectoryDomainGuid <String>] [-ActiveDirectoryDomainSid <String>]
[-ActiveDirectoryAzureStorageSid <String>] [-AsJob] [-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
[-ActiveDirectoryAzureStorageSid <String>] [-AsJob] [-EncryptionKeyTypeForTable <String>]
[-EncryptionKeyTypeForQueue <String>] [-RequireInfrastructureEncryption]
[-DefaultProfile <IAzureContextContainer>] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -101,9 +102,9 @@ PS C:\>New-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "m

This command creates a Storage account withenable Files Active Directory Domain Service Authentication.

### Example 7: Create a Storage account with Queue and Table Service use account-scoped encryption key.
### Example 7: Create a Storage account with Queue and Table Service use account-scoped encryption key, and Require Infrastructure Encryption.
```powershell
PS C:\>New-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -Location "eastus2euap" -SkuName "Standard_LRS" -Kind StorageV2 -EncryptionKeyTypeForTable Account -EncryptionKeyTypeForQueue Account
PS C:\>New-AzStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -Location "eastus2euap" -SkuName "Standard_LRS" -Kind StorageV2 -EncryptionKeyTypeForTable Account -EncryptionKeyTypeForQueue Account -RequireInfrastructureEncryption
PS C:\>$account = get-AzStorageAccount -ResourceGroupName $rgname -StorageAccountName $accountName
Expand All @@ -118,9 +119,13 @@ PS C:\>$account.Encryption.Services.Table
Enabled LastEnabledTime KeyType
------- --------------- -------
True 1/9/2020 6:09:11 AM Account
PS C:\> $account.Encryption.RequireInfrastructureEncryption
True
```

This command creates a Storage account with Queue and Table Service use account-scoped encryption key, so Queue and Table will use same encryption key with Blob and File service. Then get the Storage account properties, and view the encryption keytype of Queue and Table Service.
This command creates a Storage account with Queue and Table Service use account-scoped encryption key and Require Infrastructure Encryption, so Queue and Table will use same encryption key with Blob and File service, and the service will apply a secondary layer of encryption with platform managed keys for data at rest.
Then get the Storage account properties, and view the encryption keytype of Queue and Table Service, and RequireInfrastructureEncryption value.

## PARAMETERS

Expand Down Expand Up @@ -477,6 +482,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -RequireInfrastructureEncryption
The service will apply a secondary layer of encryption with platform managed keys for data at rest.
```yaml
Type: System.Management.Automation.SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ResourceGroupName
Specifies the name of the resource group in which to add the Storage account.
Expand Down Expand Up @@ -549,7 +569,7 @@ Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS
2 changes: 1 addition & 1 deletion src/Synapse/Synapse.Test/Synapse.Test.csproj
Expand Up @@ -13,7 +13,7 @@
<ItemGroup>
<PackageReference Include="Microsoft.Azure.Management.Synapse" Version="0.1.0-preview.2" />
<PackageReference Include="Microsoft.Azure.Synapse" Version="0.1.0-preview" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
<PackageReference Include="Microsoft.Azure.Management.Storage" Version="17.0.0" />
</ItemGroup>

</Project>

