feat(misconf): Update azure storage schema

pkg/iac/adapters/arm/storage/adapt.go

@@ -49,6 +49,36 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 			MinimumTLSVersion: resource.Properties.GetMapValue("minimumTlsVersion").
 				AsStringValue("TLS1_0", resource.Properties.GetMetadata()),
 			Queues: queues,
+			BlobProperties: storage.BlobProperties{
+				Metadata: resource.Properties.GetMetadata(),
+				DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+					Metadata: resource.Properties.GetMetadata(),
+					Days:     resource.Properties.GetMapValue("blobServices").GetMapValue("properties").GetMapValue("deleteRetentionPolicy").GetMapValue("days").AsIntValue(0, resource.Properties.GetMetadata()),
+				},
+			},
+			AccountReplicationType:          resource.Properties.GetMapValue("sku").GetMapValue("name").AsStringValue("", resource.Properties.GetMetadata()),
+			InfrastructureEncryptionEnabled: resource.Properties.GetMapValue("encryption").GetMapValue("requireInfrastructureEncryption").AsBoolValue(false, resource.Properties.GetMetadata()),
+			CustomerManagedKey: storage.CustomerManagedKey{
+				Metadata:               resource.Properties.GetMetadata(),
+				KeyVaultKeyId:          resource.Properties.GetMapValue("encryption").GetMapValue("keyVaultProperties").GetMapValue("keyUri").AsStringValue("", resource.Properties.GetMetadata()),
+				UserAssignedIdentityId: resource.Properties.GetMapValue("encryption").GetMapValue("identity").GetMapValue("userAssignedIdentity").AsStringValue("", resource.Properties.GetMetadata()),
+			},
+		}
+
+		// Adapt queue properties logging
+		queueServiceLogging := resource.Properties.GetMapValue("queueServices").GetMapValue("properties").GetMapValue("logging")
+		if !queueServiceLogging.IsNull() {
+			account.QueueProperties.Logging = storage.QueueLogging{
+				Metadata:            queueServiceLogging.GetMetadata(),
+				Delete:              queueServiceLogging.GetMapValue("delete").AsBoolValue(false, queueServiceLogging.GetMetadata()),
+				Read:                queueServiceLogging.GetMapValue("read").AsBoolValue(false, queueServiceLogging.GetMetadata()),
+				Write:               queueServiceLogging.GetMapValue("write").AsBoolValue(false, queueServiceLogging.GetMetadata()),
+				Version:             queueServiceLogging.GetMapValue("version").AsStringValue("", queueServiceLogging.GetMetadata()),
+				RetentionPolicyDays: queueServiceLogging.GetMapValue("retentionPolicy").GetMapValue("days").AsIntValue(0, queueServiceLogging.GetMetadata()),
+			}
+			if account.QueueProperties.Logging.Delete.IsTrue() || account.QueueProperties.Logging.Read.IsTrue() || account.QueueProperties.Logging.Write.IsTrue() {
+				account.QueueProperties.EnableLogging = types.Bool(true, queueServiceLogging.GetMetadata())
+			}
 		}
 
 		publicNetworkAccess := resource.Properties.GetMapValue("publicNetworkAccess")

pkg/iac/adapters/arm/storage/adapt_test.go

@@ -32,7 +32,18 @@ func TestAdapt(t *testing.T) {
 						Bypass:         []types.StringValue{types.StringTest("AzureServices")},
 						AllowByDefault: types.BoolTest(true),
 					}},
-					PublicNetworkAccess: types.BoolTest(true),
+					PublicNetworkAccess:             types.BoolTest(true),
+					AccountReplicationType:          types.StringTest(""),
+					InfrastructureEncryptionEnabled: types.BoolTest(false),
+					BlobProperties: storage.BlobProperties{
+						DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+							Days: types.IntTest(0),
+						},
+					},
+					CustomerManagedKey: storage.CustomerManagedKey{
+						KeyVaultKeyId:          types.StringTest(""),
+						UserAssignedIdentityId: types.StringTest(""),
+					},
 				}},
 			},
 		},
@@ -57,16 +68,27 @@ func TestAdapt(t *testing.T) {
 }`,
 			expected: storage.Storage{
 				Accounts: []storage.Account{{
-					MinimumTLSVersion:   types.StringTest("TLS1_2"),
-					EnforceHTTPS:        types.BoolTest(true),
-					PublicNetworkAccess: types.BoolTest(false),
+					MinimumTLSVersion:               types.StringTest("TLS1_2"),
+					EnforceHTTPS:                    types.BoolTest(true),
+					PublicNetworkAccess:             types.BoolTest(false),
+					AccountReplicationType:          types.StringTest(""),
+					InfrastructureEncryptionEnabled: types.BoolTest(false),
 					NetworkRules: []storage.NetworkRule{{
 						Bypass: []types.StringValue{
 							types.StringTest("Logging"),
 							types.StringTest("Metrics"),
 						},
 						AllowByDefault: types.BoolTest(true),
 					}},
+					BlobProperties: storage.BlobProperties{
+						DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+							Days: types.IntTest(0),
+						},
+					},
+					CustomerManagedKey: storage.CustomerManagedKey{
+						KeyVaultKeyId:          types.StringTest(""),
+						UserAssignedIdentityId: types.StringTest(""),
+					},
 				}},
 			},
 		},

pkg/iac/adapters/terraform/azure/storage/adapt.go

@@ -21,6 +21,20 @@ func Adapt(modules terraform.Modules) storage.Storage {
 			EnableLogging: iacTypes.BoolDefault(false, iacTypes.NewUnmanagedMetadata()),
 		},
 		MinimumTLSVersion: iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+		BlobProperties: storage.BlobProperties{
+			Metadata: iacTypes.NewUnmanagedMetadata(),
+			DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+				Metadata: iacTypes.NewUnmanagedMetadata(),
+				Days:     iacTypes.IntDefault(0, iacTypes.NewUnmanagedMetadata()),
+			},
+		},
+		AccountReplicationType:          iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+		InfrastructureEncryptionEnabled: iacTypes.BoolDefault(false, iacTypes.NewUnmanagedMetadata()),
+		CustomerManagedKey: storage.CustomerManagedKey{
+			Metadata:               iacTypes.NewUnmanagedMetadata(),
+			KeyVaultKeyId:          iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+			UserAssignedIdentityId: iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+		},
 	}
 
 	accounts = append(accounts, orphanAccount)
@@ -110,6 +124,20 @@ func adaptAccount(resource *terraform.Block) storage.Account {
 		},
 		MinimumTLSVersion:   iacTypes.StringDefault(minimumTlsVersionOneTwo, resource.GetMetadata()),
 		PublicNetworkAccess: resource.GetAttribute("public_network_access_enabled").AsBoolValueOrDefault(true, resource),
+		BlobProperties: storage.BlobProperties{
+			Metadata: resource.GetMetadata(),
+			DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+				Metadata: resource.GetMetadata(),
+				Days:     iacTypes.IntDefault(0, resource.GetMetadata()),
+			},
+		},
+		AccountReplicationType:          resource.GetAttribute("account_replication_type").AsStringValueOrDefault("", resource),
+		InfrastructureEncryptionEnabled: resource.GetAttribute("infrastructure_encryption_enabled").AsBoolValueOrDefault(false, resource),
+		CustomerManagedKey: storage.CustomerManagedKey{
+			Metadata:               resource.GetMetadata(),
+			KeyVaultKeyId:          iacTypes.StringDefault("", resource.GetMetadata()),
+			UserAssignedIdentityId: iacTypes.StringDefault("", resource.GetMetadata()),
+		},
 	}
 
 	networkRulesBlocks := resource.GetBlocks("network_rules")
@@ -120,12 +148,49 @@ func adaptAccount(resource *terraform.Block) storage.Account {
 	httpsOnlyAttr := resource.GetAttribute("enable_https_traffic_only")
 	account.EnforceHTTPS = httpsOnlyAttr.AsBoolValueOrDefault(true, resource)
 
+	// Adapt blob properties
+	blobPropertiesBlock := resource.GetBlock("blob_properties")
+	if blobPropertiesBlock.IsNotNil() {
+		account.BlobProperties.Metadata = blobPropertiesBlock.GetMetadata()
+		deleteRetentionPolicyBlock := blobPropertiesBlock.GetBlock("delete_retention_policy")
+		if deleteRetentionPolicyBlock.IsNotNil() {
+			account.BlobProperties.DeleteRetentionPolicy.Metadata = deleteRetentionPolicyBlock.GetMetadata()
+			daysAttr := deleteRetentionPolicyBlock.GetAttribute("days")
+			if daysAttr.IsNotNil() {
+				account.BlobProperties.DeleteRetentionPolicy.Days = daysAttr.AsIntValueOrDefault(0, deleteRetentionPolicyBlock)
+			}
+		}
+	}
+
+	// Adapt customer managed key
+	customerManagedKeyBlock := resource.GetBlock("customer_managed_key")
+	if customerManagedKeyBlock.IsNotNil() {
+		account.CustomerManagedKey.Metadata = customerManagedKeyBlock.GetMetadata()
+		keyVaultKeyIdAttr := customerManagedKeyBlock.GetAttribute("key_vault_key_id")
+		if keyVaultKeyIdAttr.IsNotNil() {
+			account.CustomerManagedKey.KeyVaultKeyId = keyVaultKeyIdAttr.AsStringValueOrDefault("", customerManagedKeyBlock)
+		}
+		userAssignedIdentityIdAttr := customerManagedKeyBlock.GetAttribute("user_assigned_identity_id")
+		if userAssignedIdentityIdAttr.IsNotNil() {
+			account.CustomerManagedKey.UserAssignedIdentityId = userAssignedIdentityIdAttr.AsStringValueOrDefault("", customerManagedKeyBlock)
+		}
+	}
+
+	// Adapt queue properties
 	queuePropertiesBlock := resource.GetBlock("queue_properties")
 	if queuePropertiesBlock.IsNotNil() {
 		account.QueueProperties.Metadata = queuePropertiesBlock.GetMetadata()
 		loggingBlock := queuePropertiesBlock.GetBlock("logging")
 		if loggingBlock.IsNotNil() {
 			account.QueueProperties.EnableLogging = iacTypes.Bool(true, loggingBlock.GetMetadata())
+			account.QueueProperties.Logging = storage.QueueLogging{
+				Metadata:            loggingBlock.GetMetadata(),
+				Delete:              loggingBlock.GetAttribute("delete").AsBoolValueOrDefault(false, loggingBlock),
+				Read:                loggingBlock.GetAttribute("read").AsBoolValueOrDefault(false, loggingBlock),
+				Write:               loggingBlock.GetAttribute("write").AsBoolValueOrDefault(false, loggingBlock),
+				Version:             loggingBlock.GetAttribute("version").AsStringValueOrDefault("", loggingBlock),
+				RetentionPolicyDays: loggingBlock.GetAttribute("retention_policy_days").AsIntValueOrDefault(0, loggingBlock),
+			}
 		}
 	}
 

pkg/iac/adapters/terraform/azure/storage/adapt_test.go

@@ -24,9 +24,20 @@ func Test_Adapt(t *testing.T) {
 			expected: storage.Storage{
 				Accounts: []storage.Account{
 					{
-						PublicNetworkAccess: iacTypes.BoolTest(true),
-						MinimumTLSVersion:   iacTypes.StringTest(minimumTlsVersionOneTwo),
-						EnforceHTTPS:        iacTypes.BoolTest(true),
+						PublicNetworkAccess:             iacTypes.BoolTest(true),
+						MinimumTLSVersion:               iacTypes.StringTest(minimumTlsVersionOneTwo),
+						EnforceHTTPS:                    iacTypes.BoolTest(true),
+						AccountReplicationType:          iacTypes.StringTest(""),
+						InfrastructureEncryptionEnabled: iacTypes.BoolTest(false),
+						BlobProperties: storage.BlobProperties{
+							DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+								Days: iacTypes.IntTest(0),
+							},
+						},
+						CustomerManagedKey: storage.CustomerManagedKey{
+							KeyVaultKeyId:          iacTypes.StringTest(""),
+							UserAssignedIdentityId: iacTypes.StringTest(""),
+						},
 					},
 					{},
 				},
@@ -104,6 +115,24 @@ func Test_Adapt(t *testing.T) {
 						QueueProperties: storage.QueueProperties{
 							Metadata:      iacTypes.NewTestMetadata(),
 							EnableLogging: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+							Logging: storage.QueueLogging{
+								Delete:              iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+								Read:                iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+								Write:               iacTypes.Bool(true, iacTypes.NewTestMetadata()),
+								Version:             iacTypes.String("1.0", iacTypes.NewTestMetadata()),
+								RetentionPolicyDays: iacTypes.Int(10, iacTypes.NewTestMetadata()),
+							},
+						},
+						AccountReplicationType:          iacTypes.StringTest(""),
+						InfrastructureEncryptionEnabled: iacTypes.BoolTest(false),
+						BlobProperties: storage.BlobProperties{
+							DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+								Days: iacTypes.IntTest(0),
+							},
+						},
+						CustomerManagedKey: storage.CustomerManagedKey{
+							KeyVaultKeyId:          iacTypes.StringTest(""),
+							UserAssignedIdentityId: iacTypes.StringTest(""),
 						},
 						Containers: []storage.Container{
 							{
@@ -119,7 +148,18 @@ func Test_Adapt(t *testing.T) {
 							Metadata:      iacTypes.NewUnmanagedMetadata(),
 							EnableLogging: iacTypes.BoolDefault(false, iacTypes.NewUnmanagedMetadata()),
 						},
-						MinimumTLSVersion: iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+						MinimumTLSVersion:               iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+						AccountReplicationType:          iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+						InfrastructureEncryptionEnabled: iacTypes.BoolDefault(false, iacTypes.NewUnmanagedMetadata()),
+						BlobProperties: storage.BlobProperties{
+							DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+								Days: iacTypes.IntDefault(0, iacTypes.NewUnmanagedMetadata()),
+							},
+						},
+						CustomerManagedKey: storage.CustomerManagedKey{
+							KeyVaultKeyId:          iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+							UserAssignedIdentityId: iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+						},
 					},
 				},
 			},
@@ -154,7 +194,18 @@ func Test_Adapt(t *testing.T) {
 							Metadata:      iacTypes.NewUnmanagedMetadata(),
 							EnableLogging: iacTypes.BoolDefault(false, iacTypes.NewUnmanagedMetadata()),
 						},
-						MinimumTLSVersion: iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+						MinimumTLSVersion:               iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+						AccountReplicationType:          iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+						InfrastructureEncryptionEnabled: iacTypes.BoolDefault(false, iacTypes.NewUnmanagedMetadata()),
+						BlobProperties: storage.BlobProperties{
+							DeleteRetentionPolicy: storage.DeleteRetentionPolicy{
+								Days: iacTypes.IntDefault(0, iacTypes.NewUnmanagedMetadata()),
+							},
+						},
+						CustomerManagedKey: storage.CustomerManagedKey{
+							KeyVaultKeyId:          iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+							UserAssignedIdentityId: iacTypes.StringDefault("", iacTypes.NewUnmanagedMetadata()),
+						},
 						Containers: []storage.Container{
 							{
 								Metadata:     iacTypes.NewTestMetadata(),

pkg/iac/providers/azure/storage/storage.go

@@ -9,14 +9,18 @@ type Storage struct {
 }
 
 type Account struct {
-	Metadata            iacTypes.Metadata
-	NetworkRules        []NetworkRule
-	EnforceHTTPS        iacTypes.BoolValue
-	Containers          []Container
-	QueueProperties     QueueProperties
-	MinimumTLSVersion   iacTypes.StringValue
-	Queues              []Queue
-	PublicNetworkAccess iacTypes.BoolValue
+	Metadata                        iacTypes.Metadata
+	NetworkRules                    []NetworkRule
+	EnforceHTTPS                    iacTypes.BoolValue
+	Containers                      []Container
+	QueueProperties                 QueueProperties
+	MinimumTLSVersion               iacTypes.StringValue
+	Queues                          []Queue
+	PublicNetworkAccess             iacTypes.BoolValue
+	BlobProperties                  BlobProperties
+	AccountReplicationType          iacTypes.StringValue
+	InfrastructureEncryptionEnabled iacTypes.BoolValue
+	CustomerManagedKey              CustomerManagedKey
 }
 
 type Queue struct {
@@ -27,6 +31,16 @@ type Queue struct {
 type QueueProperties struct {
 	Metadata      iacTypes.Metadata
 	EnableLogging iacTypes.BoolValue
+	Logging       QueueLogging
+}
+
+type QueueLogging struct {
+	Metadata            iacTypes.Metadata
+	Delete              iacTypes.BoolValue
+	Read                iacTypes.BoolValue
+	Write               iacTypes.BoolValue
+	Version             iacTypes.StringValue
+	RetentionPolicyDays iacTypes.IntValue
 }
 
 type NetworkRule struct {
@@ -45,3 +59,19 @@ type Container struct {
 	Metadata     iacTypes.Metadata
 	PublicAccess iacTypes.StringValue
 }
+
+type BlobProperties struct {
+	Metadata              iacTypes.Metadata
+	DeleteRetentionPolicy DeleteRetentionPolicy
+}
+
+type DeleteRetentionPolicy struct {
+	Metadata iacTypes.Metadata
+	Days     iacTypes.IntValue
+}
+
+type CustomerManagedKey struct {
+	Metadata               iacTypes.Metadata
+	KeyVaultKeyId          iacTypes.StringValue
+	UserAssignedIdentityId iacTypes.StringValue
+}