Azure Storage Account

Links: Changelog · Notice · Apache V2 License · OpenTofu Registry

Common Azure Terraform module to create a Storage Account and manage its related parameters (threat protection, network rules, blob containers, file shares, etc.).

Azure File share authentication

If you need to enable Active Directory or AAD DS authentication for Azure Files on this Storage Account, please read the Microsoft documentation and set the required values in the `file_share_authentication` variable.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|----------------|-------------------|------------------|-----------------|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | | >= 3.0 |
| >= 6.x.x | 1.x | | >= 3.0 |
| >= 5.x.x | 0.15.x | | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
| >= 3.x.x | 0.12.x | | >= 2.0 |
| >= 2.x.x | 0.12.x | | < 2.0 |
| < 2.x.x | 0.11.x | | < 2.0 |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you and enforces our Terraform code module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables needed by this module. More details about the variables set by the terraform-wrapper are available in its documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. We recommend using OpenTofu instead.

```hcl
module "storage_account" {
  source  = "claranet/storage-account/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  allowed_cidrs = [format("%s/32", data.http.my_ip.body)]

  account_replication_type = "ZRS"

  blob_data_protection = {
    change_feed_enabled                       = true
    versioning_enabled                        = true
    delete_retention_policy_in_days           = 42
    container_delete_retention_policy_in_days = 42
    container_point_in_time_restore           = true
  }

  # Disabled by default
  blob_cors_rules = [{
    allowed_headers    = ["*"]
    allowed_methods    = ["GET", "HEAD"]
    allowed_origins    = ["https://example.com"]
    exposed_headers    = ["*"]
    max_age_in_seconds = 3600
  }]

  logs_destinations_ids = [
    # module.run.logs_storage_account_id,
    # module.run.log_analytics_workspace_id,
  ]

  # Set by default
  queue_properties_logging = {
    delete                = true
    read                  = true
    write                 = true
    version               = "1.0"
    retention_policy_days = 10
  }

  containers = [
    {
      name = "container1"
    },
    {
      name = "container2"
      # container_access_type = "blob"
    }
  ]

  file_shares = [
    {
      name        = "share1smb"
      quota_in_gb = 50
    }
  ]

  tables = [
    {
      name = "table1"
    }
  ]

  queues = [
    {
      name = "queue1"
    }
  ]

  extra_tags = {
    foo = "bar"
  }
}
```
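The following root-module configuration is an added example, not code from this module's README or from Claranet. It combines the hardening-related inputs from the Inputs table below (deny-by-default network rules restricted to a subnet, TLS 1.2 and HTTPS only, account keys disabled with data-plane access granted through the `rbac_*` inputs, a customer-managed key, threat protection and blob recovery settings) and also shows the `file_share_authentication` object described in the "Azure File share authentication" section above. The names `module.vnet.app_subnet_id`, `module.run.log_analytics_workspace_id`, `azurerm_user_assigned_identity.sta`, `azurerm_key_vault_key.sta` and the `var.*_object_id` variables are assumed to exist in your root module, and the SMB property values and the `directory_type` value `"AD"` are taken from the azurerm provider documentation rather than from this page.

```hcl
# Added example (not the module's README code). Every module input used here is
# listed in the Inputs table; the referenced modules, resources and variables are
# assumptions about the surrounding root module.
module "storage_account" {
  source  = "claranet/storage-account/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  # Required input: send diagnostics to a Log Analytics workspace (assumed output
  # of a hypothetical "run" module, as in the Usage example).
  logs_destinations_ids = [module.run.log_analytics_workspace_id]

  # --- Network exposure: deny by default, allow only the application subnet ---
  network_rules_enabled   = true
  default_firewall_action = "Deny"
  subnet_ids              = [module.vnet.app_subnet_id] # assumed network module output
  allowed_cidrs           = []                          # no public IP ranges
  # Trusted Azure services keep reaching the account for logging and metrics;
  # remove "AzureServices" if no Azure service needs that exception.
  network_bypass = ["Logging", "Metrics", "AzureServices"]

  # --- Transport and authorization ---
  https_traffic_only_enabled       = true
  min_tls_version                  = "TLS1_2"
  shared_access_key_enabled        = false # Entra ID only; SAS tokens are refused
  public_nested_items_allowed      = false # containers cannot opt into anonymous access
  cross_tenant_replication_enabled = false

  # Data-plane access through RBAC roles instead of account keys. The object IDs
  # are assumed variables of the root module.
  rbac_storage_blob_role_principal_ids = {
    contributors = [var.app_identity_object_id]
    readers      = [var.analyst_group_object_id]
  }
  rbac_storage_file_role_principal_ids = {
    smb_contributors = [var.file_share_users_group_object_id]
  }

  # --- Encryption at rest with a customer-managed key ---
  identity_type = "SystemAssigned, UserAssigned"
  identity_ids  = [azurerm_user_assigned_identity.sta.id] # assumed identity resource
  customer_managed_key = {
    key_vault_key_id          = azurerm_key_vault_key.sta.id # assumed Key Vault key
    user_assigned_identity_id = azurerm_user_assigned_identity.sta.id
  }
  infrastructure_encryption_enabled = true

  # --- Detection and recovery ---
  advanced_threat_protection_enabled = true
  blob_data_protection = {
    change_feed_enabled                       = true
    versioning_enabled                        = true
    delete_retention_policy_in_days           = 30
    container_delete_retention_policy_in_days = 30
    container_point_in_time_restore           = true
  }

  # --- SMB shares joined to an on-premises Active Directory domain ---
  # The SIDs, GUID and names are constructed placeholders; read the real values
  # from your domain as the Microsoft documentation describes.
  file_share_authentication = {
    directory_type = "AD" # provider value for on-premises AD DS (assumed from azurerm docs)
    active_directory = {
      storage_sid         = "S-1-5-21-1111111111-2222222222-3333333333-1234"
      domain_name         = "corp.example.com"
      domain_sid          = "S-1-5-21-1111111111-2222222222-3333333333"
      domain_guid         = "12345678-1234-1234-1234-123456789abc"
      forest_name         = "corp.example.com"
      netbios_domain_name = "CORP"
    }
  }
  # Restrict SMB to Kerberos over SMB 3.1.1 with AES-256-GCM channel encryption
  # (values assumed from the azurerm provider documentation).
  file_share_properties_smb = {
    versions                = ["SMB3.1.1"]
    authentication_types    = ["Kerberos"]
    channel_encryption_type = ["AES-256-GCM"]
  }

  containers  = [{ name = "app-data" }]
  file_shares = [{ name = "share1smb", quota_in_gb = 50 }]
}
```

With `shared_access_key_enabled = false` the principals listed in the `rbac_*` inputs are the only way to reach the data plane, so make sure the identity that runs your pipelines is among them before applying, and keep `subnet_ids` aligned with the subnets that actually host those workloads, otherwise the deny-by-default rule locks them out as well.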

Providers

| Name | Version |
|------|---------|
| azurecaf | ~> 1.2.28 |
| azurerm | ~> 4.9 |

Modules

| Name | Source | Version |
|------|--------|---------|
| diagnostics | claranet/diagnostic-settings/azurerm | ~> 8.0.0 |
| diagnostics_type | claranet/diagnostic-settings/azurerm | ~> 8.0.0 |

Resources

| Name | Type |
|------|------|
| azurerm_advanced_threat_protection.main | resource |
| azurerm_role_assignment.sta_blob_contributor | resource |
| azurerm_role_assignment.sta_blob_owner | resource |
| azurerm_role_assignment.sta_blob_reader | resource |
| azurerm_role_assignment.sta_contributor | resource |
| azurerm_role_assignment.sta_file_priv_contributor | resource |
| azurerm_role_assignment.sta_file_priv_reader | resource |
| azurerm_role_assignment.sta_file_smb_contributor | resource |
| azurerm_role_assignment.sta_file_smb_owner | resource |
| azurerm_role_assignment.sta_file_smb_reader | resource |
| azurerm_role_assignment.sta_queue_contributor | resource |
| azurerm_role_assignment.sta_queue_reader | resource |
| azurerm_role_assignment.sta_table_contributor | resource |
| azurerm_role_assignment.sta_table_reader | resource |
| azurerm_storage_account.main | resource |
| azurerm_storage_account_network_rules.main | resource |
| azurerm_storage_container.main | resource |
| azurerm_storage_queue.main | resource |
| azurerm_storage_share.main | resource |
| azurerm_storage_table.main | resource |
| azurecaf_name.sa | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_tier | Defines the access tier for `BlobStorage`, `FileStorage` and `StorageV2` accounts. Valid options are `Hot` and `Cool`, defaults to `Hot`. | `string` | `"Hot"` | no |
| account_kind | Defines the Kind of account. Valid options are `BlobStorage`, `BlockBlobStorage`, `FileStorage`, `Storage` and `StorageV2`. Changing this forces a new resource to be created. Defaults to `StorageV2`. | `string` | `"StorageV2"` | no |
| account_replication_type | Defines the type of replication to use for this Storage Account. Valid options are `LRS`, `GRS`, `RAGRS`, `ZRS`, `GZRS` and `RAGZRS`. | `string` | `"ZRS"` | no |
| account_tier | Defines the Tier to use for this Storage Account. Valid options are `Standard` and `Premium`. For `BlockBlobStorage` and `FileStorage` accounts only `Premium` is valid. Changing this forces a new resource to be created. | `string` | `"Standard"` | no |
| advanced_threat_protection_enabled | Boolean flag which controls if advanced threat protection is enabled, see documentation for more information. | `bool` | `false` | no |
| allowed_cidrs | List of CIDRs to allow access to that Storage Account. | `list(string)` | `[]` | no |
| blob_cors_rules | Storage Account blob CORS rules. Please refer to the documentation for more information. | <pre>list(object({<br>  allowed_headers    = list(string)<br>  allowed_methods    = list(string)<br>  allowed_origins    = list(string)<br>  exposed_headers    = list(string)<br>  max_age_in_seconds = number<br>}))</pre> | `[]` | no |
| blob_data_protection | Storage Account blob data protection parameters. | <pre>object({<br>  change_feed_enabled                       = optional(bool, false)<br>  versioning_enabled                        = optional(bool, false)<br>  last_access_time_enabled                  = optional(bool, false)<br>  delete_retention_policy_in_days           = optional(number, 0)<br>  container_delete_retention_policy_in_days = optional(number, 0)<br>  container_point_in_time_restore           = optional(bool, false)<br>})</pre> | <pre>{<br>  "change_feed_enabled": true,<br>  "container_delete_retention_policy_in_days": 30,<br>  "container_point_in_time_restore": true,<br>  "delete_retention_policy_in_days": 30,<br>  "last_access_time_enabled": true,<br>  "versioning_enabled": true<br>}</pre> | no |
| client_name | Client name/account used in naming. | `string` | n/a | yes |
| containers | List of objects to create some Blob containers in this Storage Account. | <pre>list(object({<br>  name                  = string<br>  container_access_type = optional(string, "private")<br>  metadata              = optional(map(string))<br>}))</pre> | `[]` | no |
| cross_tenant_replication_enabled | Enable cross tenant replication. | `bool` | `false` | no |
| custom_domain_name | The custom domain name to use for the Storage Account, which will be validated by Azure. | `string` | `null` | no |
| custom_name | Custom Azure Storage Account name, generated if not set. | `string` | `""` | no |
| customer_managed_key | Customer Managed Key. Please refer to the documentation for more information. | <pre>object({<br>  key_vault_key_id          = optional(string, null)<br>  managed_hsm_key_id        = optional(string, null)<br>  user_assigned_identity_id = string<br>})</pre> | `null` | no |
| default_firewall_action | Which default firewalling policy to apply. Valid values are `Allow` or `Deny`. | `string` | `"Deny"` | no |
| default_tags_enabled | Option to enable or disable default tags. | `bool` | `true` | no |
| diagnostic_settings_custom_name | Custom name of the diagnostics settings, name will be `default` if not set. | `string` | `"default"` | no |
| environment | Project environment. | `string` | n/a | yes |
| extra_tags | Additional tags to associate with your Azure Storage Account. | `map(string)` | `{}` | no |
| file_share_authentication | Storage Account file shares authentication configuration. | <pre>object({<br>  directory_type = string<br>  active_directory = optional(object({<br>    storage_sid         = string<br>    domain_name         = string<br>    domain_sid          = string<br>    domain_guid         = string<br>    forest_name         = string<br>    netbios_domain_name = string<br>  }))<br>})</pre> | `null` | no |
| file_share_cors_rules | Storage Account file shares CORS rule. Please refer to the documentation for more information. | <pre>object({<br>  allowed_headers    = list(string)<br>  allowed_methods    = list(string)<br>  allowed_origins    = list(string)<br>  exposed_headers    = list(string)<br>  max_age_in_seconds = number<br>})</pre> | `null` | no |
| file_share_properties_smb | Storage Account file shares SMB properties. | <pre>object({<br>  versions                        = optional(list(string), null)<br>  authentication_types            = optional(list(string), null)<br>  kerberos_ticket_encryption_type = optional(list(string), null)<br>  channel_encryption_type         = optional(list(string), null)<br>  multichannel_enabled            = optional(bool, null)<br>})</pre> | `null` | no |
| file_share_retention_policy_in_days | Storage Account file shares retention policy in days. Enabling this may require additional directory permissions. | `number` | `null` | no |
| file_shares | List of objects to create some File Shares in this Storage Account. | <pre>list(object({<br>  name             = string<br>  quota_in_gb      = number<br>  enabled_protocol = optional(string)<br>  metadata         = optional(map(string))<br>  acl = optional(list(object({<br>    id          = string<br>    permissions = string<br>    start       = optional(string)<br>    expiry      = optional(string)<br>  })))<br>}))</pre> | `[]` | no |
| hns_enabled | Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 and must be `true` if `nfsv3_enabled` or `sftp_enabled` is set to `true`. Changing this forces a new resource to be created. | `bool` | `false` | no |
| https_traffic_only_enabled | Boolean flag which forces HTTPS if enabled. | `bool` | `true` | no |
| identity_ids | Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. | `list(string)` | `null` | no |
| identity_type | Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are `SystemAssigned`, `UserAssigned` and `SystemAssigned, UserAssigned` (to enable both). | `string` | `"SystemAssigned"` | no |
| infrastructure_encryption_enabled | Boolean flag which enables infrastructure encryption. Please refer to the documentation for more information. | `bool` | `false` | no |
| location | Azure location. | `string` | n/a | yes |
| location_short | Short string for Azure location. | `string` | n/a | yes |
| logs_categories | Log categories to send to destinations. | `list(string)` | `null` | no |
| logs_destinations_ids | List of destination resources IDs for logs diagnostic destination.<br>Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.<br>If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `\|` character. | `list(string)` | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | `list(string)` | `null` | no |
| min_tls_version | The minimum supported TLS version for the Storage Account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`. | `string` | `"TLS1_2"` | no |
| name_prefix | Optional prefix for the generated name. | `string` | `""` | no |
| name_suffix | Optional suffix for the generated name. | `string` | `""` | no |
| network_bypass | Specifies whether traffic is bypassed for `Logging`, `Metrics`, `AzureServices` or `None`. | `list(string)` | <pre>[<br>  "Logging",<br>  "Metrics",<br>  "AzureServices"<br>]</pre> | no |
| network_rules_enabled | Boolean to enable Network Rules on the Storage Account, requires `network_bypass`, `allowed_cidrs`, `subnet_ids` or `default_firewall_action` correctly set if enabled. | `bool` | `true` | no |
| nfsv3_enabled | Is NFSv3 protocol enabled? Changing this forces a new resource to be created. | `bool` | `false` | no |
| private_link_access | List of Privatelink objects to allow access from. | <pre>list(object({<br>  endpoint_resource_id = string<br>  endpoint_tenant_id   = optional(string, null)<br>}))</pre> | `[]` | no |
| public_nested_items_allowed | Allow or disallow nested items within this Account to opt into being public. | `bool` | `false` | no |
| public_network_access_enabled | Whether the public network access is enabled. | `bool` | `true` | no |
| queue_properties_logging | Logging queue properties. | <pre>object({<br>  delete                = optional(bool, true)<br>  read                  = optional(bool, true)<br>  write                 = optional(bool, true)<br>  version               = optional(string, "1.0")<br>  retention_policy_days = optional(number, 10)<br>})</pre> | `{}` | no |
| queues | List of objects to create some Queues in this Storage Account. | <pre>list(object({<br>  name     = string<br>  metadata = optional(map(string))<br>}))</pre> | `[]` | no |
| rbac_storage_blob_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the different `Storage Blob Data *` roles to if Blob containers are created. | <pre>object({<br>  owners       = optional(list(string), [])<br>  contributors = optional(list(string), [])<br>  readers      = optional(list(string), [])<br>})</pre> | `{}` | no |
| rbac_storage_contributor_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the `Storage Account Contributor` role to. | `list(string)` | `[]` | no |
| rbac_storage_file_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the different `Storage File Data *` roles to if File Shares are created. | <pre>object({<br>  privileged_contributors = optional(list(string), [])<br>  privileged_readers      = optional(list(string), [])<br>  smb_owners              = optional(list(string), [])<br>  smb_contributors        = optional(list(string), [])<br>  smb_readers             = optional(list(string), [])<br>})</pre> | `{}` | no |
| rbac_storage_queue_contributor_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the `Storage Queue Data *` roles to. | <pre>object({<br>  contributors = optional(list(string), [])<br>  readers      = optional(list(string), [])<br>})</pre> | `{}` | no |
| rbac_storage_table_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the `Storage Table Data *` roles to. | <pre>object({<br>  contributors = optional(list(string), [])<br>  readers      = optional(list(string), [])<br>})</pre> | `{}` | no |
| resource_group_name | Resource group name. | `string` | n/a | yes |
| sftp_enabled | Is SFTP enabled? | `bool` | `false` | no |
| shared_access_key_enabled | Indicates whether the Storage Account permits requests to be authorized with the account access key via Shared Key. If `false`, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Entra ID). | `bool` | `false` | no |
| stack | Project stack name. | `string` | n/a | yes |
| static_website_config | Static website configuration. Can only be set when the `account_kind` is set to `StorageV2` or `BlockBlobStorage`. | <pre>object({<br>  index_document     = optional(string)<br>  error_404_document = optional(string)<br>})</pre> | `null` | no |
| subnet_ids | Subnets to allow access to that Storage Account. | `list(string)` | `[]` | no |
| tables | List of objects to create some Tables in this Storage Account. | <pre>list(object({<br>  name = string<br>  acl = optional(list(object({<br>    id          = string<br>    permissions = string<br>    start       = optional(string)<br>    expiry      = optional(string)<br>  })))<br>}))</pre> | `[]` | no |
| use_subdomain | Whether the custom domain name should be validated by using indirect CNAME validation. | `bool` | `false` | no |

Outputs

| Name | Description |
|------|-------------|
| id | Storage Account ID. |
| identity_principal_id | Storage Account system identity principal ID. |
| module_diagnostics | Diagnostics settings module outputs. |
| name | Storage Account name. |
| resource | Storage Account resource object. |
| resource_blob_containers | Created blob containers in the Storage Account. |
| resource_file_shares | Created file shares in the Storage Account. |
| resource_queues | Created queues in the Storage Account. |
| resource_tables | Created tables in the Storage Account. |