[Storage] Support Encryption Scope and key rotation

src/EventGrid/EventGrid.Test/EventGrid.Test.csproj

@@ -15,7 +15,7 @@
     <PackageReference Include="Microsoft.Azure.Management.EventHub" Version="2.5.0" />
     <PackageReference Include="Microsoft.Azure.Management.Relay" Version="2.0.2" />
     <PackageReference Include="Microsoft.Azure.Management.ServiceBus" Version="2.1.0" />
-    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="15.0.0" />
   </ItemGroup>
 
 </Project>

src/Storage/Storage.Management.Test/ScenarioTests/StorageBlobTests.cs

@@ -38,6 +38,13 @@ public void TestStorageBlobContainer()
             TestController.NewInstance.RunPsTest(_logger, "Test-StorageBlobContainer");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestStorageBlobContainerEncryptionScope()
+        {
+            TestController.NewInstance.RunPsTest(_logger, "Test-StorageBlobContainerEncryptionScope");
+        }        
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestStorageBlobContainerLegalHold()

src/Storage/Storage.Management.Test/ScenarioTests/StorageBlobTests.ps1

@@ -98,6 +98,78 @@ function Test-StorageBlobContainer
     }
 }
 
+<#
+.SYNOPSIS
+Test StorageAccount container with Encryption Scope
+.DESCRIPTION
+SmokeTest
+#>
+function Test-StorageBlobContainerEncryptionScope
+{
+    # Setup
+    $rgname = Get-StorageManagementTestResourceName;
+
+    try
+    {
+        # Test
+        $stoname = 'sto' + $rgname;
+        $stotype = 'Standard_LRS';
+        $loc = Get-ProviderLocation ResourceManagement;
+        $kind = 'StorageV2'
+		$containerName = "container"+ $rgname
+		$containerName2 = "container2"+ $rgname
+		$scopeName = "testscope"
+		$scopeName2 = "testscope2"
+
+        Write-Verbose "RGName: $rgname | Loc: $loc"
+        New-AzResourceGroup -Name $rgname -Location $loc;
+
+        New-AzStorageAccount -ResourceGroupName $rgname -Name $stoname -Location $loc -Type $stotype -Kind $kind 
+        $stos = Get-AzStorageAccount -ResourceGroupName $rgname;
+
+		# create Scope
+		New-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName -StorageEncryption
+		$scope = Get-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName
+		Assert-AreEqual $rgname $scope.ResourceGroupName
+		Assert-AreEqual $stoname $scope.StorageAccountName
+		Assert-AreEqual $scopeName $scope.Name
+		Assert-AreEqual "Microsoft.Storage" $scope.Source
+		Assert-AreEqual "Enabled" $scope.State
+
+		# update Scope
+		$scope = Update-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName -State Disabled 
+		Assert-AreEqual "Disabled" $scope.State
+		$scope = Update-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName -State Enabled
+		Assert-AreEqual "Enabled" $scope.State
+
+		#List Scope
+		New-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname -EncryptionScopeName $scopeName2 -StorageEncryption
+		$scopes = Get-AzStorageEncryptionScope -ResourceGroupName $rgname -StorageAccountName $stoname 
+		Assert-AreEqual 2 $scopes.Count
+
+		#create container
+		New-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $stoname -Name $containerName -DefaultEncryptionScope $scopename -PreventEncryptionScopeOverride $true 
+		$container = Get-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $stoname -Name $containerName
+		Assert-AreEqual $rgname $container.ResourceGroupName
+		Assert-AreEqual $stoname $container.StorageAccountName
+		Assert-AreEqual $containerName $container.Name
+		Assert-AreEqual $scopename $container.DefaultEncryptionScope
+		Assert-AreEqual $true $container.DenyEncryptionScopeOverride
+		New-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $stoname -Name $containerName2 -DefaultEncryptionScope $scopename2 -PreventEncryptionScopeOverride $false 
+		$container2 = Get-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $stoname -Name $containerName2
+		Assert-AreEqual $rgname $container2.ResourceGroupName
+		Assert-AreEqual $stoname $container2.StorageAccountName
+		Assert-AreEqual $containerName2 $container2.Name
+		Assert-AreEqual $scopename2 $container2.DefaultEncryptionScope
+		Assert-AreEqual false $container2.DenyEncryptionScopeOverride
+
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}
 
 function Test-StorageBlobContainerLegalHold
 {

src/Storage/Storage.Management.Test/Storage.Management.Test.csproj

@@ -12,7 +12,8 @@
 
   <ItemGroup>
     <PackageReference Include="Azure.Storage.Blobs" Version="12.4.0" />
-    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="14.5.0" />
+    <PackageReference Include="Azure.Storage.Files.DataLake" Version="12.0.0" />
+    <PackageReference Include="Microsoft.Azure.Management.Storage" Version="15.0.0" />
   </ItemGroup>
 
 </Project>

src/Storage/Storage.Management/Az.Storage.psd1

@@ -69,7 +69,7 @@ RequiredAssemblies = 'Microsoft.Azure.Management.Storage.dll',
                'Microsoft.Azure.KeyVault.Core.dll','Azure.Storage.Blobs.dll',
                'Azure.Storage.Common.dll', 'Azure.Storage.Files.DataLake.dll',
                'Azure.Core.dll', 'Microsoft.Bcl.AsyncInterfaces.dll',
-               'System.Text.Json.dll',"System.Threading.Tasks.Extensions.dll"
+               'System.Text.Json.dll', 'System.Threading.Tasks.Extensions.dll'
 
 # Script files (.ps1) that are run in the caller's environment prior to importing this module.
 # ScriptsToProcess = @()
@@ -169,7 +169,9 @@ CmdletsToExport = 'Get-AzStorageAccount', 'Get-AzStorageAccountKey',
                'Set-AzDataLakeGen2ItemAclObject', 'Get-AzDataLakeGen2ItemContent', 
                'Enable-AzStorageBlobRestorePolicy', 
                'Disable-AzStorageBlobRestorePolicy', 
-               'New-AzStorageBlobRangeToRestore', 'Restore-AzStorageBlobRange'
+               'New-AzStorageBlobRangeToRestore', 'Restore-AzStorageBlobRange',
+               'New-AzStorageEncryptionScope','Update-AzStorageEncryptionScope',
+               'Get-AzStorageEncryptionScope'
 
 # Variables to export from this module
 # VariablesToExport = @()

src/Storage/Storage.Management/Blob/NewAzureStorageContainer.cs

@@ -31,16 +31,31 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
         private const string AccountNameParameterSet = "AccountName";
 
         /// <summary>
-        /// Account object parameter set 
+        /// Account object EncryptionScope parameter set 
         /// </summary>
         private const string AccountObjectParameterSet = "AccountObject";
+        /// <summary>
+        /// AccountName EncryptionScope Parameter Set
+        /// </summary>
+        private const string AccountNameEncryptionScopeParameterSet = "AccountNameEncryptionScope";
+
+        /// <summary>
+        /// Account object parameter set 
+        /// </summary>
+        private const string AccountObjectEncryptionScopeParameterSet = "AccountObjectEncryptionScope";
 
         [Parameter(
             Position = 0,
             Mandatory = true,
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Resource Group Name.",
             ParameterSetName = AccountNameParameterSet)]
+        [Parameter(
+            Position = 0,
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Resource Group Name.",
+            ParameterSetName = AccountNameEncryptionScopeParameterSet)]
         [ValidateNotNullOrEmpty]
         public string ResourceGroupName { get; set; }
 
@@ -50,6 +65,12 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Storage Account Name.",
             ParameterSetName = AccountNameParameterSet)]
+        [Parameter(
+            Position = 1,
+            Mandatory = true,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Storage Account Name.",
+            ParameterSetName = AccountNameEncryptionScopeParameterSet)]
         [Alias(AccountNameAlias)]
         [ValidateNotNullOrEmpty]
         public string StorageAccountName { get; set; }
@@ -59,6 +80,11 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
             ValueFromPipeline = true,
             ValueFromPipelineByPropertyName = true,
             ParameterSetName = AccountObjectParameterSet)]
+        [Parameter(Mandatory = true,
+            HelpMessage = "Storage account object",
+            ValueFromPipeline = true,
+            ValueFromPipelineByPropertyName = true,
+            ParameterSetName = AccountObjectEncryptionScopeParameterSet)]
         [ValidateNotNullOrEmpty]
         public PSStorageAccount StorageAccount { get; set; }
 
@@ -70,6 +96,34 @@ public class NewAzureStorageContainerCommand : StorageBlobBaseCmdlet
         [ValidateNotNullOrEmpty]
         public string Name { get; set; }
 
+        [Parameter(HelpMessage = "Default the container to use specified encryption scope for all writes.",
+            Mandatory = true,
+            ParameterSetName = AccountNameEncryptionScopeParameterSet)]
+        [Parameter(HelpMessage = "Default the container to use specified encryption scope for all writes.",
+            Mandatory = true,
+            ParameterSetName = AccountObjectEncryptionScopeParameterSet)]
+        public string DefaultEncryptionScope { get; set; }
+
+        [Parameter(HelpMessage = "Block override of encryption scope from the container default.",
+            Mandatory = true,
+            ParameterSetName = AccountNameEncryptionScopeParameterSet)]
+        [Parameter(HelpMessage = "Block override of encryption scope from the container default.",
+            Mandatory = true,
+            ParameterSetName = AccountObjectEncryptionScopeParameterSet)]
+        [ValidateNotNullOrEmpty]
+        public bool PreventEncryptionScopeOverride
+        {
+            get
+            {
+                return preventEncryptionScopeOverride is null ? false : preventEncryptionScopeOverride.Value;
+            }
+            set
+            {
+                preventEncryptionScopeOverride = value;
+            }
+        }
+        private bool? preventEncryptionScopeOverride;
+
         [Parameter(HelpMessage = "Container PublicAccess", Mandatory = false)]
         [ValidateNotNullOrEmpty]
         public PSPublicAccess PublicAccess
@@ -111,8 +165,11 @@ public override void ExecuteCmdlet()
                             this.ResourceGroupName,
                             this.StorageAccountName,
                             this.Name,
-                            (PublicAccess?)this.publicAccess,
-                            MetadataDictionary);
+                            new BlobContainer(
+                                defaultEncryptionScope: this.DefaultEncryptionScope,
+                                denyEncryptionScopeOverride: this.preventEncryptionScopeOverride,
+                                publicAccess: (PublicAccess?)this.publicAccess,
+                                metadata: MetadataDictionary));
 
                 WriteObject(new PSContainer(contaienr));
             }

src/Storage/Storage.Management/Blob/UpdateAzureStorageContainer.cs

@@ -138,8 +138,9 @@ public override void ExecuteCmdlet()
                                     this.ResourceGroupName,
                                     this.StorageAccountName,
                                     this.Name,
-                                    (PublicAccess?)this.publicAccess,
-                                    MetadataDictionary);
+                                    new BlobContainer(
+                                        publicAccess: (PublicAccess?)this.publicAccess,
+                                        metadata: MetadataDictionary));
 
                 WriteObject(new PSContainer(container));
             }

src/Storage/Storage.Management/ChangeLog.md

@@ -18,6 +18,14 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Support create/update/get/list EncryptionScope of a Storage account
+    -  New-AzStorageEncryptionScope
+    -  Update-AzStorageEncryptionScope
+    -  Get-AzStorageEncryptionScope
+* Support create Storage Container with EncryptionScope settings
+    -  New-AzRmStorageContainer
+* Support update Storage account with encryted by Keyvault without Keyversion
+    -  Set-AzStorageAccount
 
 ## Version 1.13.3
 * Upgrade DataLake Gen2 cmdlets to use new SDK "Azure.Storage.Files.DataLake", and remove 2 parameter -ServerTimeoutPerRequest, -ClientTimeoutPerRequest

src/Storage/Storage.Management/Models/PSContainer.cs

@@ -45,6 +45,8 @@ public PSContainer(StorageModels.ListContainerItem container)
             this.LeaseDuration = container.LeaseDuration;
             this.HasLegalHold = container.HasLegalHold;
             this.HasImmutabilityPolicy = container.HasImmutabilityPolicy;
+            this.DefaultEncryptionScope = container.DefaultEncryptionScope;
+            this.DenyEncryptionScopeOverride = container.DenyEncryptionScopeOverride;
         }
 
         public PSContainer(BlobContainer container)
@@ -65,6 +67,8 @@ public PSContainer(BlobContainer container)
             this.LeaseDuration = container.LeaseDuration;
             this.HasLegalHold = container.HasLegalHold;
             this.HasImmutabilityPolicy = container.HasImmutabilityPolicy;
+            this.DefaultEncryptionScope = container.DefaultEncryptionScope;
+            this.DenyEncryptionScopeOverride = container.DenyEncryptionScopeOverride;
         }
 
         [Ps1Xml(Label = "ResourceGroupName", Target = ViewControl.List, Position = 0)]
@@ -106,6 +110,10 @@ public PSContainer(BlobContainer container)
         [Ps1Xml(Label = "HasImmutabilityPolicy", Target = ViewControl.List, Position = 6)]
         public bool? HasImmutabilityPolicy { get; set; }
 
+        public string DefaultEncryptionScope { get; set; }
+
+        public bool? DenyEncryptionScopeOverride { get; set; }
+
 
         public static string ParseResourceGroupFromId(string idFromServer)
         {