[Storage] Support double encryption for encryption scope

src/azure-cli/azure/cli/command_modules/storage/_params.py

@@ -369,6 +369,10 @@ def load_arguments(self, _):  # pylint: disable=too-many-locals, too-many-statem
                        help='The object identifier for a key vault key object. When applied, the encryption scope will '
                        'use the key referenced by the identifier to enable customer-managed key support on this '
                        'encryption scope.')
+            c.argument('require_infrastructure_encryption', options_list=['--require-infrastructure-encryption', '-i'],
+                   arg_type=get_three_state_flag(), min_api='2021-01-01',
+                   help='A boolean indicating whether or not the service applies a secondary layer of encryption with '
+                   'platform managed keys for data at rest.')
 
     with self.argument_context('storage account encryption-scope update') as c:
         t_state = self.get_models("EncryptionScopeState", resource_type=ResourceType.MGMT_STORAGE)

src/azure-cli/azure/cli/command_modules/storage/operations/account.py

@@ -571,7 +571,7 @@ def update_file_service_properties(cmd, instance, enable_delete_retention=None,
 
 
 def create_encryption_scope(cmd, client, resource_group_name, account_name, encryption_scope_name,
-                            key_source=None, key_uri=None):
+                            key_source=None, key_uri=None, require_infrastructure_encryption=None):
     EncryptionScope = cmd.get_models('EncryptionScope')
 
     if key_source:
@@ -581,6 +581,9 @@ def create_encryption_scope(cmd, client, resource_group_name, account_name, encr
         EncryptionScopeKeyVaultProperties = cmd.get_models('EncryptionScopeKeyVaultProperties')
         encryption_scope.key_vault_properties = EncryptionScopeKeyVaultProperties(key_uri=key_uri)
 
+    if require_infrastructure_encryption is not None:
+        encryption_scope.require_infrastructure_encryption = require_infrastructure_encryption
+
     return client.put(resource_group_name=resource_group_name, account_name=account_name,
                       encryption_scope_name=encryption_scope_name, encryption_scope=encryption_scope)
 

src/azure-cli/azure/cli/command_modules/storage/tests/latest/test_storage_encryption_scope_scenarios.py

@@ -32,11 +32,12 @@ def test_storage_account_encryption_scope(self, resource_group, storage_account)
             self.cmd("storage account encryption-scope update --account-name {sa} -g {rg} -n {encryption} -u keyuri")
 
         # Create with default Microsoft.Storage key source
-        self.cmd("storage account encryption-scope create --account-name {sa} -g {rg} -n {encryption}", checks=[
+        self.cmd("storage account encryption-scope create -i --account-name {sa} -g {rg} -n {encryption}", checks=[
             JMESPathCheck("name", self.kwargs["encryption"]),
             JMESPathCheck("resourceGroup", self.kwargs["rg"]),
             JMESPathCheck("source", "Microsoft.Storage"),
-            JMESPathCheck("state", "Enabled")
+            JMESPathCheck("state", "Enabled"),
+            JMESPathCheck("requireInfrastructureEncryption", True)
         ])
 
         # Show properties of specified encryption scope
@@ -45,7 +46,8 @@ def test_storage_account_encryption_scope(self, resource_group, storage_account)
             JMESPathCheck("resourceGroup", self.kwargs["rg"]),
             JMESPathCheck("source", "Microsoft.Storage"),
             JMESPathCheck("state", "Enabled"),
-            JMESPathCheck("keyVaultProperties.keyUri", None)
+            JMESPathCheck("keyVaultProperties.keyUri", None),
+            JMESPathCheck("requireInfrastructureEncryption", True)
         ])
 
         # List encryption scopes in storage account