From 182e7246858eca993e30ed2b94eef4d755dafefb Mon Sep 17 00:00:00 2001
From: Tanmay Satam
Date: Tue, 17 Oct 2023 13:26:50 -0400
Subject: [PATCH] Enable Double (infrastructure) Encryption on ARO-provisioned storage accounts (#3216)
* Upgrade Microsoft.Storage API Version to 2019-06-01
* Explicitly set encryption Enabled=True on all storage account services This is not strictly necessary, as the Storage API will default these to True. This change is just to reconcile expected with actual.
* Update generated deployment assets
---
 pkg/cluster/deploybaseresources_additional.go | 4 ++++
 pkg/deploy/assets/gateway-production.json | 2 +-
 pkg/deploy/assets/rp-production-global.json | 6 +++---
 pkg/deploy/assets/rp-production.json | 2 +-
 pkg/util/azureclient/apiversions.go | 2 +-
 5 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/pkg/cluster/deploybaseresources_additional.go b/pkg/cluster/deploybaseresources_additional.go
index 5073787d849..e947f33d907 100644
--- a/pkg/cluster/deploybaseresources_additional.go
+++ b/pkg/cluster/deploybaseresources_additional.go
@@ -153,15 +153,19 @@ func (m *manager) storageAccount(name, region string, ocpSubnets []string, encry
 Services: &mgmtstorage.EncryptionServices{
 Blob: &mgmtstorage.EncryptionService{
 KeyType: mgmtstorage.KeyTypeAccount,
+ Enabled: to.BoolPtr(true),
 },
 File: &mgmtstorage.EncryptionService{
 KeyType: mgmtstorage.KeyTypeAccount,
+ Enabled: to.BoolPtr(true),
 },
 Table: &mgmtstorage.EncryptionService{
 KeyType: mgmtstorage.KeyTypeAccount,
+ Enabled: to.BoolPtr(true),
 },
 Queue: &mgmtstorage.EncryptionService{
 KeyType: mgmtstorage.KeyTypeAccount,
+ Enabled: to.BoolPtr(true),
 },
 },
 KeySource: mgmtstorage.KeySourceMicrosoftStorage,
diff --git a/pkg/deploy/assets/gateway-production.json b/pkg/deploy/assets/gateway-production.json
index b413dd2d974..2712fa68ac1 100644
--- a/pkg/deploy/assets/gateway-production.json
+++ b/pkg/deploy/assets/gateway-production.json
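Review bot: Nothing in the `storageAccount` hunk sets the infrastructure-encryption property that the subject line refers to; the four added `Enabled: to.BoolPtr(true)` lines only make the per-service default explicit, as the description itself says. The `Encryption` literal opens above the hunk and the function continues below it, so `RequireInfrastructureEncryption` may already be set outside the visible lines, but that is worth confirming together with a unit test that asserts it on the generated resource. Azure accepts that property only when the account is created, so accounts provisioned before this change presumably stay single-encrypted and may need separate handling. A short comment above `Services:` would also keep the explicit flags from being removed later, e.g. `// Enabled defaults to true server-side; set explicitly so the template matches the deployed resource`.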
@@ -113,7 +113,7 @@
 "location": "[resourceGroup().location]",
 "name": "[substring(parameters('gatewayStorageAccountDomain'), 0, indexOf(parameters('gatewayStorageAccountDomain'), '.'))]",
 "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-04-01"
+ "apiVersion": "2019-06-01"
 },
 {
 "sku": {
diff --git a/pkg/deploy/assets/rp-production-global.json b/pkg/deploy/assets/rp-production-global.json
index e208fcfd301..4e9df2d25d9 100644
--- a/pkg/deploy/assets/rp-production-global.json
+++ b/pkg/deploy/assets/rp-production-global.json
@@ -107,7 +107,7 @@
 "location": "[resourceGroup().location]",
 "name": "[parameters('rpVersionStorageAccountName')]",
 "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-04-01"
+ "apiVersion": "2019-06-01"
 },
 {
 "properties": {
@@ -116,7 +116,7 @@
 },
 "name": "[concat(parameters('rpVersionStorageAccountName'), '/default/rpversion')]",
 "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
- "apiVersion": "2019-04-01",
+ "apiVersion": "2019-06-01",
 "dependsOn": [
 "[resourceId('Microsoft.Storage/storageAccounts', parameters('rpVersionStorageAccountName'))]"
 ]
@@ -128,7 +128,7 @@
 },
 "name": "[concat(parameters('rpVersionStorageAccountName'), '/default/ocpversions')]",
 "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
- "apiVersion": "2019-04-01",
+ "apiVersion": "2019-06-01",
 "dependsOn": [
 "[resourceId('Microsoft.Storage/storageAccounts', parameters('rpVersionStorageAccountName'))]"
 ]
diff --git a/pkg/deploy/assets/rp-production.json b/pkg/deploy/assets/rp-production.json
index 2e6712b1a02..91032884c50 100644
--- a/pkg/deploy/assets/rp-production.json
+++ b/pkg/deploy/assets/rp-production.json
@@ -552,7 +552,7 @@
 "location": "[resourceGroup().location]",
 "name": "[substring(parameters('storageAccountDomain'), 0, indexOf(parameters('storageAccountDomain'), '.'))]",
 "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-04-01"
+ "apiVersion": "2019-06-01"
 },
 {
 "properties": {
diff --git a/pkg/util/azureclient/apiversions.go b/pkg/util/azureclient/apiversions.go
index f524c58cc30..b80bb5afc48 100644
--- a/pkg/util/azureclient/apiversions.go
+++ b/pkg/util/azureclient/apiversions.go
@@ -27,7 +27,7 @@ var apiVersions = map[string]string{
 "microsoft.network": "2020-08-01",
 "microsoft.network/dnszones": "2018-05-01",
 "microsoft.network/privatednszones": "2018-09-01",
- "microsoft.storage": "2019-04-01",
+ "microsoft.storage": "2019-06-01",
 }
 
 // APIVersion gets the APIVersion from a full resource type