Azure Storage Account

Common Azure terraform module to create a Storage Account and manage related parameters (Threat protection, Network Rules, Blob Containers, File Shares, etc.)

Azure File share authentication

If you need to enable Active Directory or AAD DS authentication for Azure File on this Storage Account, please read the Microsoft documentation and set the required values in the file_share_authentication variable.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	AzureRM version
>= 7.x.x	1.3.x	>= 3.0
>= 6.x.x	1.x	>= 3.0
>= 5.x.x	0.15.x	>= 2.0
>= 4.x.x	0.13.x / 0.14.x	>= 2.0
>= 3.x.x	0.12.x	>= 2.0
>= 2.x.x	0.12.x	< 2.0
< 2.x.x	0.11.x	< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

data "http" "my_ip" {
  url = "http://ip4.clara.net/?raw"
}

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  client_name = var.client_name
  environment = var.environment
  location    = module.azure_region.location
  stack       = var.stack
}

module "run" {
  source  = "claranet/run/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  stack          = var.stack

  monitoring_function_enabled = false

  resource_group_name = module.rg.resource_group_name
}

module "storage_account" {
  source  = "claranet/storage-account/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  allowed_cidrs = [format("%s/32", data.http.my_ip.body)]

  account_replication_type = "LRS"

  storage_blob_data_protection = {
    change_feed_enabled                       = true
    versioning_enabled                        = true
    delete_retention_policy_in_days           = 42
    container_delete_retention_policy_in_days = 42
    container_point_in_time_restore           = true
  }

  # Disabled by default
  storage_blob_cors_rules = [{
    allowed_headers    = ["*"]
    allowed_methods    = ["GET", "HEAD"]
    allowed_origins    = ["https://example.com"]
    exposed_headers    = ["*"]
    max_age_in_seconds = 3600
  }]

  logs_destinations_ids = [
    module.run.logs_storage_account_id,
    module.run.log_analytics_workspace_id,
  ]

  # Set by default
  queue_properties_logging = {
    delete                = true
    read                  = true
    write                 = true
    version               = "1.0"
    retention_policy_days = 10
  }

  containers = [
    {
      name = "container1"
    },
    {
      name = "container2"
      # container_access_type = "blob"
    }
  ]

  file_shares = [
    {
      name        = "share1smb"
      quota_in_gb = 50
    }
  ]

  tables = [
    {
      name = "table1"
    }
  ]

  queues = [
    {
      name = "queue1"
    }
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

Name	Version
azurecaf	~> 1.2, >= 1.2.22
azurerm	~> 3.39

Modules

Name	Source	Version
diagnostics	claranet/diagnostic-settings/azurerm	~> 6.5.0
diagnostics_type	claranet/diagnostic-settings/azurerm	~> 6.5.0

Resources

Name	Type
azurerm_advanced_threat_protection.threat_protection	resource
azurerm_storage_account.storage	resource
azurerm_storage_account_network_rules.network_rules	resource
azurerm_storage_container.container	resource
azurerm_storage_queue.queue	resource
azurerm_storage_share.share	resource
azurerm_storage_table.table	resource
azurecaf_name.sa	data source

Inputs

Name	Description	Type	Default	Required
access_tier	Defines the access tier for `BlobStorage`, `FileStorage` and `StorageV2` accounts. Valid options are `Hot` and `Cool`, defaults to `Hot`.	`string`	`"Hot"`	no
account_kind	Defines the Kind of account. Valid options are `BlobStorage`, `BlockBlobStorage`, `FileStorage`, `Storage` and `StorageV2`. Changing this forces a new resource to be created. Defaults to StorageV2.	`string`	`"StorageV2"`	no
account_replication_type	Defines the type of replication to use for this Storage Account. Valid options are `LRS`, `GRS`, `RAGRS`, `ZRS`, `GZRS` and `RAGZRS`.	`string`	`"ZRS"`	no
account_tier	Defines the Tier to use for this Storage Account. Valid options are `Standard` and `Premium`. For `BlockBlobStorage` and `FileStorage` accounts only `Premium` is valid. Changing this forces a new resource to be created.	`string`	`"Standard"`	no
advanced_threat_protection_enabled	Boolean flag which controls if advanced threat protection is enabled, see documentation for more information.	`bool`	`false`	no
allowed_cidrs	List of CIDR to allow access to that Storage Account.	`list(string)`	`[]`	no
client_name	Client name/account used in naming	`string`	n/a	yes
containers	List of objects to create some Blob containers in this Storage Account.	list(object({ name = string container_access_type = optional(string, "private") metadata = optional(map(string)) }))	`[]`	no
cross_tenant_replication_enabled	Enable cross tenant replication.	`bool`	`false`	no
custom_diagnostic_settings_name	Custom name of the diagnostics settings, name will be 'default' if not set.	`string`	`"default"`	no
custom_domain_name	The Custom Domain Name to use for the Storage Account, which will be validated by Azure.	`string`	`null`	no
default_firewall_action	Which default firewalling policy to apply. Valid values are `Allow` or `Deny`.	`string`	`"Deny"`	no
default_tags_enabled	Option to enable or disable default tags.	`bool`	`true`	no
environment	Project environment	`string`	n/a	yes
extra_tags	Additional tags to associate with your Azure Storage Account.	`map(string)`	`{}`	no
file_share_authentication	Storage Account file shares authentication configuration.	object({ directory_type = string active_directory = optional(object({ storage_sid = string domain_name = string domain_sid = string domain_guid = string forest_name = string netbios_domain_name = string })) })	`null`	no
file_share_cors_rules	Storage Account file shares CORS rule. Please refer to the documentation for more information.	object({ allowed_headers = list(string) allowed_methods = list(string) allowed_origins = list(string) exposed_headers = list(string) max_age_in_seconds = number })	`null`	no
file_share_properties_smb	Storage Account file shares smb properties.	object({ versions = optional(list(string), null) authentication_types = optional(list(string), null) kerberos_ticket_encryption_type = optional(list(string), null) channel_encryption_type = optional(list(string), null) multichannel_enabled = optional(bool, null) })	`null`	no
file_share_retention_policy_in_days	Storage Account file shares retention policy in days. Enabling this may require additional directory permissions.	`number`	`null`	no
file_shares	List of objects to create some File Shares in this Storage Account.	list(object({ name = string quota_in_gb = number enabled_protocol = optional(string) metadata = optional(map(string)) acl = optional(list(object({ id = string permissions = string start = optional(string) expiry = optional(string) }))) }))	`[]`	no
hns_enabled	Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 and must be `true` if `nfsv3_enabled` or `sftp_enabled` is set to `true`. Changing this forces a new resource to be created.	`bool`	`false`	no
https_traffic_only_enabled	Boolean flag which forces HTTPS if enabled.	`bool`	`true`	no
identity_ids	Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account.	`list(string)`	`null`	no
identity_type	Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned` (to enable both).	`string`	`"SystemAssigned"`	no
location	Azure location	`string`	n/a	yes
location_short	Short string for Azure location	`string`	n/a	yes
logs_categories	Log categories to send to destinations.	`list(string)`	`null`	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be `Storage Account`, `Log Analytics Workspace` and `Event Hub`. No more than one of each can be set. If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `	` character.	`list(string)`	n/a
logs_metrics_categories	Metrics categories to send to destinations.	`list(string)`	`null`	no
min_tls_version	The minimum supported TLS version for the Storage Account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`.	`string`	`"TLS1_2"`	no
name_prefix	Optional prefix for the generated name	`string`	`""`	no
name_suffix	Optional suffix for the generated name	`string`	`""`	no
network_bypass	Specifies whether traffic is bypassed for 'Logging', 'Metrics', 'AzureServices' or 'None'.	`list(string)`	[ "Logging", "Metrics", "AzureServices" ]	no
network_rules_enabled	Boolean to enable Network Rules on the Storage Account, requires `network_bypass`, `allowed_cidrs`, `subnet_ids` or `default_firewall_action` correctly set if enabled.	`bool`	`true`	no
nfsv3_enabled	Is NFSv3 protocol enabled? Changing this forces a new resource to be created.	`bool`	`false`	no
private_link_access	List of Privatelink objects to allow access from.	list(object({ endpoint_resource_id = string endpoint_tenant_id = optional(string, null) }))	`[]`	no
public_nested_items_allowed	Allow or disallow nested items within this Account to opt into being public.	`bool`	`false`	no
public_network_access_enabled	Whether the public network access is enabled?	`bool`	`true`	no
queue_properties_logging	Logging queue properties	object({ delete = optional(bool, true) read = optional(bool, true) write = optional(bool, true) version = optional(string, "1.0") retention_policy_days = optional(number, 10) })	`{}`	no
queues	List of objects to create some Queues in this Storage Account.	list(object({ name = string metadata = optional(map(string)) }))	`[]`	no
resource_group_name	Resource group name	`string`	n/a	yes
sftp_enabled	Is SFTP enabled?	`bool`	`false`	no
shared_access_key_enabled	Indicates whether the Storage Account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD).	`bool`	`true`	no
stack	Project stack name	`string`	n/a	yes
static_website_config	Static website configuration. Can only be set when the `account_kind` is set to `StorageV2` or `BlockBlobStorage`.	object({ index_document = optional(string) error_404_document = optional(string) })	`null`	no
storage_account_custom_name	Custom Azure Storage Account name, generated if not set	`string`	`""`	no
storage_blob_cors_rules	Storage Account blob CORS rules. Please refer to the documentation for more information.	list(object({ allowed_headers = list(string) allowed_methods = list(string) allowed_origins = list(string) exposed_headers = list(string) max_age_in_seconds = number }))	`[]`	no
storage_blob_data_protection	Storage account blob Data protection parameters.	object({ change_feed_enabled = optional(bool, false) versioning_enabled = optional(bool, false) last_access_time_enabled = optional(bool, false) delete_retention_policy_in_days = optional(number, 0) container_delete_retention_policy_in_days = optional(number, 0) container_point_in_time_restore = optional(bool, false) })	{ "change_feed_enabled": true, "container_delete_retention_policy_in_days": 30, "container_point_in_time_restore": true, "delete_retention_policy_in_days": 30, "last_access_time_enabled": true, "versioning_enabled": true }	no
subnet_ids	Subnets to allow access to that Storage Account.	`list(string)`	`[]`	no
tables	List of objects to create some Tables in this Storage Account.	list(object({ name = string acl = optional(list(object({ id = string permissions = string start = optional(string) expiry = optional(string) }))) }))	`[]`	no
use_caf_naming	Use the Azure CAF naming provider to generate default resource name. `storage_account_custom_name` override this if set. Legacy default name is used if this is set to `false`.	`bool`	`true`	no
use_subdomain	Should the Custom Domain Name be validated by using indirect CNAME validation?	`bool`	`false`	no

Outputs

Name	Description
storage_account_id	Created Storage Account ID.
storage_account_identity	Created Storage Account identity block.
storage_account_name	Created Storage Account name.
storage_account_network_rules	Network rules of the associated Storage Account.
storage_account_properties	Created Storage Account properties.
storage_blob_containers	Created blob containers in the Storage Account.
storage_file_queues	Created queues in the Storage Account.
storage_file_shares	Created file shares in the Storage Account.
storage_file_tables	Created tables in the Storage Account.

claranet / terraform-azurerm-storage-account