feat: Add storage accounts with encryption examples

GeekMasher · GeekMasher · commit 5e73204e6c0d · 2025-06-12T12:59:42.000+01:00
diff --git a/ql/test/library-tests/frameworks/storage/Storage.expected b/ql/test/library-tests/frameworks/storage/Storage.expected
@@ -1,7 +1,16 @@
 storage
-| app.bicep:2:1:10:1 | StorageAccount |
-| app.bicep:13:1:34:1 | StorageAccount |
-| app.bicep:37:1:48:1 | StorageAccount |
+| app.bicep:2:1:10:1 | StorageAccount[examplestorage1] |
+| app.bicep:13:1:34:1 | StorageAccount[examplestorage2] |
+| app.bicep:37:1:48:1 | StorageAccount[examplestorage3] |
+| app.bicep:51:1:63:1 | StorageAccount[examplestorage4] |
+| app.bicep:66:1:83:1 | StorageAccount[examplestorage5] |
+| app.bicep:86:1:117:1 | StorageAccount[examplestorage6] |
 poolDisks
-| app.bicep:86:1:104:1 | DiskPools | app.bicep:51:1:64:1 | ResourceDeclaration |
-| app.bicep:86:1:104:1 | DiskPools | app.bicep:67:1:83:1 | ResourceDeclaration |
+| app.bicep:155:1:173:1 | DiskPools | app.bicep:120:1:133:1 | Disks |
+| app.bicep:155:1:173:1 | DiskPools | app.bicep:136:1:152:1 | Disks |
+diskEncryption
+| app.bicep:136:1:152:1 | Disks | app.bicep:148:17:150:5 | EncryptionSettings |
+accountEncryption
+| app.bicep:51:1:63:1 | StorageAccount[examplestorage4] | app.bicep:59:17:61:5 | EncryptionSettings |
+| app.bicep:66:1:83:1 | StorageAccount[examplestorage5] | app.bicep:74:17:81:5 | EncryptionSettings |
+| app.bicep:86:1:117:1 | StorageAccount[examplestorage6] | app.bicep:94:17:115:5 | EncryptionSettings |
diff --git a/ql/test/library-tests/frameworks/storage/Storage.ql b/ql/test/library-tests/frameworks/storage/Storage.ql
@@ -1,9 +1,18 @@
 import bicep
 
-query predicate storage(Storage::StorageAccounts storageAccount) {
-  any() 
+query predicate storage(Storage::StorageAccounts storageAccount) { any() }
+
+query predicate poolDisks(Storage::DiskPools pool, Storage::Disks disk) { pool.getDisks() = disk }
+
+query predicate diskEncryption(
+  Storage::Disks disk, Storage::DiskEncryption::EncryptionSettings encryptionSettings
+) {
+  disk.getEncryptionSettings() = encryptionSettings
 }
 
-query predicate poolDisks(Storage::DiskPools pool, Storage::Disks disk) {
-  pool.getDisks() = disk
+query predicate accountEncryption(
+  Storage::StorageAccounts storageAccount,
+  Storage::DiskEncryption::EncryptionSettings encryptionSettings
+) {
+  storageAccount.getEncryptionSettings() = encryptionSettings
 }
diff --git a/ql/test/library-tests/frameworks/storage/app.bicep b/ql/test/library-tests/frameworks/storage/app.bicep
@@ -47,6 +47,75 @@ resource storageAccount3 'Microsoft.Storage/storageAccounts@2022-09-01' = {
   }
 }
 
+// Example 4: Storage account with Microsoft-managed keys (default encryption)
+resource storageAccount4 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: 'examplestorage4'
+  location: 'eastus2'
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    encryption: {
+      keySource: 'Microsoft.Storage'
+    }
+  }
+}
+
+// Example 5: Storage account with customer-managed keys from Key Vault
+resource storageAccount5 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: 'examplestorage5'
+  location: 'uksouth'
+  sku: {
+    name: 'Standard_GRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    encryption: {
+      keySource: 'Microsoft.Keyvault'
+      keyvaultproperties: {
+        keyname: 'my-key'
+        keyvaulturi: 'https://myvault.vault.azure.net/'
+        keyversion: '1234567890abcdef'
+      }
+    }
+  }
+}
+
+// Example 6: Storage account with per-service encryption and infrastructure encryption
+resource storageAccount6 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: 'examplestorage6'
+  location: 'australiaeast'
+  sku: {
+    name: 'Standard_ZRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    encryption: {
+      keySource: 'Microsoft.Storage'
+      requireInfrastructureEncryption: true
+      services: {
+        blob: {
+          enabled: true
+          keyType: 'Account'
+        }
+        file: {
+          enabled: true
+          keyType: 'Service'
+        }
+        queue: {
+          enabled: false
+          keyType: 'Account'
+        }
+        table: {
+          enabled: true
+          keyType: 'Account'
+        }
+      }
+    }
+  }
+}
+
 // Example 1: Managed disk with Standard_LRS
 resource disk1 'Microsoft.Compute/disks@2022-07-02' = {
   name: 'exampledisk1'
