/terraform-azurerm-storage-account

Terraform module for Azure Storage

Primary LanguageHCLApache License 2.0Apache-2.0

Azure Storage Account

Changelog Notice Apache V2 License TF Registry

Common Azure terraform module to create a Storage Account and manage related parameters (Threat protection, Network Rules, Blob Containers, File Shares, etc.)

Azure File share authentication

If you need to enable Active Directory or AAD DS authentication for Azure File on this Storage Account, please read the Microsoft documentation and set the required values in the file_share_authentication variable.

Global versioning rule for Claranet Azure modules

Module version Terraform version AzureRM version
>= 7.x.x 1.3.x >= 3.0
>= 6.x.x 1.x >= 3.0
>= 5.x.x 0.15.x >= 2.0
>= 4.x.x 0.13.x / 0.14.x >= 2.0
>= 3.x.x 0.12.x >= 2.0
>= 2.x.x 0.12.x < 2.0
< 2.x.x 0.11.x < 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

data "http" "my_ip" {
  url = "http://ip4.clara.net/?raw"
}

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  client_name = var.client_name
  environment = var.environment
  location    = module.azure_region.location
  stack       = var.stack
}

module "run" {
  source  = "claranet/run/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  stack          = var.stack

  monitoring_function_enabled = false

  resource_group_name = module.rg.resource_group_name
}

module "storage_account" {
  source  = "claranet/storage-account/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  allowed_cidrs = [format("%s/32", data.http.my_ip.body)]

  account_replication_type = "LRS"

  storage_blob_data_protection = {
    change_feed_enabled                       = true
    versioning_enabled                        = true
    delete_retention_policy_in_days           = 42
    container_delete_retention_policy_in_days = 42
    container_point_in_time_restore           = true
  }

  # Disabled by default
  storage_blob_cors_rule = {
    allowed_headers    = ["*"]
    allowed_methods    = ["GET", "HEAD"]
    allowed_origins    = ["https://example.com"]
    exposed_headers    = ["*"]
    max_age_in_seconds = 3600
  }

  logs_destinations_ids = [
    module.run.logs_storage_account_id,
    module.run.log_analytics_workspace_id,
  ]

  # Set by default
  queue_properties_logging = {
    delete                = true
    read                  = true
    write                 = true
    version               = "1.0"
    retention_policy_days = 10
  }

  containers = [
    {
      name = "container1"
    },
    {
      name = "container2"
      # container_access_type = "blob"
    }
  ]

  file_shares = [
    {
      name        = "share1smb"
      quota_in_gb = 50
    }
  ]

  tables = [
    {
      name = "table1"
    }
  ]

  queues = [
    {
      name = "queue1"
    }
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

Name Version
azurecaf ~> 1.2, >= 1.2.22
azurerm ~> 3.39

Modules

Name Source Version
diagnostics claranet/diagnostic-settings/azurerm ~> 6.4.1
diagnostics_type claranet/diagnostic-settings/azurerm ~> 6.4.1

Resources

Name Type
azurerm_advanced_threat_protection.threat_protection resource
azurerm_storage_account.storage resource
azurerm_storage_account_network_rules.network_rules resource
azurerm_storage_container.container resource
azurerm_storage_queue.queue resource
azurerm_storage_share.share resource
azurerm_storage_table.table resource
azurecaf_name.sa data source

Inputs

Name Description Type Default Required
access_tier Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot. string "Hot" no
account_kind Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Changing this forces a new resource to be created. Defaults to StorageV2. string "StorageV2" no
account_replication_type Defines the type of replication to use for this Storage Account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. string "ZRS" no
account_tier Defines the Tier to use for this Storage Account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created. string "Standard" no
advanced_threat_protection_enabled Boolean flag which controls if advanced threat protection is enabled, see documentation for more information. bool false no
allowed_cidrs List of CIDR to allow access to that Storage Account. list(string) [] no
client_name Client name/account used in naming string n/a yes
containers List of objects to create some Blob containers in this Storage Account. 
list(object({
    name                  = string
    container_access_type = optional(string, "private")
    metadata              = optional(map(string))
  }))
 [] no
custom_diagnostic_settings_name Custom name of the diagnostics settings, name will be 'default' if not set. string "default" no
custom_domain_name The Custom Domain Name to use for the Storage Account, which will be validated by Azure. string null no
default_firewall_action Which default firewalling policy to apply. Valid values are Allow or Deny. string "Deny" no
default_tags_enabled Option to enable or disable default tags. bool true no
environment Project environment string n/a yes
extra_tags Additional tags to associate with your Azure Storage Account. map(string) {} no
file_share_authentication Storage Account file shares authentication configuration. 
object({
    directory_type = string
    active_directory = optional(object({
      storage_sid         = string
      domain_name         = string
      domain_sid          = string
      domain_guid         = string
      forest_name         = string
      netbios_domain_name = string
    }))
  })
 null no
file_share_cors_rules Storage Account file shares CORS rule. Please refer to the documentation for more information. 
object({
    allowed_headers    = list(string)
    allowed_methods    = list(string)
    allowed_origins    = list(string)
    exposed_headers    = list(string)
    max_age_in_seconds = number
  })
 null no
file_share_properties_smb Storage Account file shares smb properties. 
object({
    versions                        = optional(list(string), null)
    authentication_types            = optional(list(string), null)
    kerberos_ticket_encryption_type = optional(list(string), null)
    channel_encryption_type         = optional(list(string), null)
    multichannel_enabled            = optional(bool, null)
  })
 null no
file_share_retention_policy_in_days Storage Account file shares retention policy in days. Enabling this may require additional directory permissions. number null no
file_shares List of objects to create some File Shares in this Storage Account. 
list(object({
    name             = string
    quota_in_gb      = number
    enabled_protocol = optional(string)
    metadata         = optional(map(string))
    acl = optional(list(object({
      id          = string
      permissions = string
      start       = optional(string)
      expiry      = optional(string)
    })))
  }))
 [] no
hns_enabled Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 and must be true if nfsv3_enabled or sftp_enabled is set to true. Changing this forces a new resource to be created. bool false no
https_traffic_only_enabled Boolean flag which forces HTTPS if enabled. bool true no
identity_ids Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. list(string) null no
identity_type Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both). string "SystemAssigned" no
location Azure location string n/a yes
location_short Short string for Azure location string n/a yes
logs_categories Log categories to send to destinations. list(string) null no
logs_destinations_ids List of destination resources IDs for logs diagnostic destination.
Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.
If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `		 ` character. list(string) n/a
logs_metrics_categories Metrics categories to send to destinations. list(string) null no
logs_retention_days Number of days to keep logs on storage account. number 30 no
min_tls_version The minimum supported TLS version for the Storage Account. Possible values are TLS1_0, TLS1_1, and TLS1_2. string "TLS1_2" no
name_prefix Optional prefix for the generated name string "" no
name_suffix Optional suffix for the generated name string "" no
network_bypass Specifies whether traffic is bypassed for 'Logging', 'Metrics', 'AzureServices' or 'None'. list(string) 
[
  "Logging",
  "Metrics",
  "AzureServices"
]
 no
network_rules_enabled Boolean to enable Network Rules on the Storage Account, requires network_bypass, allowed_cidrs, subnet_ids or default_firewall_action correctly set if enabled. bool true no
nfsv3_enabled Is NFSv3 protocol enabled? Changing this forces a new resource to be created. bool false no
private_link_access List of Privatelink objects to allow access from. 
list(object({
    endpoint_resource_id = string
    endpoint_tenant_id   = optional(string, null)
  }))
 [] no
public_nested_items_allowed Allow or disallow nested items within this Account to opt into being public. bool false no
queue_properties_logging Logging queue properties 
object({
    delete                = optional(bool, true)
    read                  = optional(bool, true)
    write                 = optional(bool, true)
    version               = optional(string, "1.0")
    retention_policy_days = optional(number, 10)
  })
 {} no
queues List of objects to create some Queues in this Storage Account. 
list(object({
    name     = string
    metadata = optional(map(string))
  }))
 [] no
resource_group_name Resource group name string n/a yes
sftp_enabled Is SFTP enabled? bool false no
shared_access_key_enabled Indicates whether the Storage Account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). bool true no
stack Project stack name string n/a yes
static_website_config Static website configuration. Can only be set when the account_kind is set to StorageV2 or BlockBlobStorage. 
object({
    index_document     = optional(string)
    error_404_document = optional(string)
  })
 null no
storage_account_custom_name Custom Azure Storage Account name, generated if not set string "" no
storage_blob_cors_rule Storage Account blob CORS rule. Please refer to the documentation for more information. 
object({
    allowed_headers    = list(string)
    allowed_methods    = list(string)
    allowed_origins    = list(string)
    exposed_headers    = list(string)
    max_age_in_seconds = number
  })
 null no
storage_blob_data_protection Storage account blob Data protection parameters. 
object({
    change_feed_enabled                       = optional(bool, false)
    versioning_enabled                        = optional(bool, false)
    last_access_time_enabled                  = optional(bool, false)
    delete_retention_policy_in_days           = optional(number, 0)
    container_delete_retention_policy_in_days = optional(number, 0)
    container_point_in_time_restore           = optional(bool, false)
  })
 
{
  "change_feed_enabled": true,
  "container_delete_retention_policy_in_days": 30,
  "container_point_in_time_restore": true,
  "delete_retention_policy_in_days": 30,
  "last_access_time_enabled": true,
  "versioning_enabled": true
}
 no
subnet_ids Subnets to allow access to that Storage Account. list(string) [] no
tables List of objects to create some Tables in this Storage Account. 
list(object({
    name = string
    acl = optional(list(object({
      id          = string
      permissions = string
      start       = optional(string)
      expiry      = optional(string)
    })))
  }))
 [] no
use_caf_naming Use the Azure CAF naming provider to generate default resource name. storage_account_custom_name override this if set. Legacy default name is used if this is set to false. bool true no
use_subdomain Should the Custom Domain Name be validated by using indirect CNAME validation? bool false no

Outputs

Name Description
storage_account_id Created Storage Account ID.
storage_account_identity Created Storage Account identity block.
storage_account_name Created Storage Account name.
storage_account_network_rules Network rules of the associated Storage Account.
storage_account_properties Created Storage Account properties.
storage_blob_containers Created blob containers in the Storage Account.
storage_file_queues Created queues in the Storage Account.
storage_file_shares Created file shares in the Storage Account.
storage_file_tables Created tables in the Storage Account.