taoufik07 / terraform-azurerm-storage-account

Terraform module for Azure Storage

Azure Storage Account

Common Azure terraform module to create a Storage Account and manage related parameters (Threat protection, Network Rules, Blob Containers, File Shares, etc.)

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | AzureRM version |
| --- | --- | --- |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in the documentation.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run-common/azurerm//modules/logs"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name
}

module "storage_account" {
  source  = "claranet/storage-account/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  account_replication_type = "LRS"

  storage_blob_data_protection = {
    change_feed_enabled                       = true
    versioning_enabled                        = true
    delete_retention_policy_in_days           = 42
    container_delete_retention_policy_in_days = 42
    container_point_in_time_restore           = true
  }

  logs_destinations_ids = [
    module.logs.logs_storage_account_id,
    module.logs.log_analytics_workspace_id
  ]

  containers = [
    {
      name = "bloc1"
    },
    {
      name                  = "bloc2"
      container_access_type = "blob"
    }
  ]

  file_shares = [
    {
      name        = "share1smb"
      quota_in_gb = 50
    }
  ]

  tables = [
    {
      name = "table1"
    }
  ]

  queues = [
    {
      name = "mystoragequeue"
    }
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

| Name | Version |
| --- | --- |
| azapi | ~> 0.1 |
| azurecaf | ~> 1.1 |
| azurerm | ~> 3.0 |

Modules

| Name | Source | Version |
| --- | --- | --- |
| diagnostics | claranet/diagnostic-settings/azurerm | 5.0.0 |
| diagnostics_type | claranet/diagnostic-settings/azurerm | 5.0.0 |

Resources

| Name | Type |
| --- | --- |
| azapi_update_resource.sa_pitr | resource |
| azurecaf_name.sa | resource |
| azurerm_advanced_threat_protection.threat_protection | resource |
| azurerm_storage_account.storage | resource |
| azurerm_storage_account_network_rules.network_rules | resource |
| azurerm_storage_container.container | resource |
| azurerm_storage_queue.queue | resource |
| azurerm_storage_share.share | resource |
| azurerm_storage_table.table | resource |

Inputs

| Name | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| access_tier | Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot. | string | "Hot" | no |
| account_kind | Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Changing this forces a new resource to be created. Defaults to StorageV2. | string | "StorageV2" | no |
| account_replication_type | Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. | string | "ZRS" | no |
| account_tier | Defines the Tier to use for this storage account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created. | string | "Standard" | no |
| advanced_threat_protection_enabled | Boolean flag which controls if advanced threat protection is enabled, see documentation for more information. | bool | false | no |
| allowed_cidrs | List of CIDR to allow access to that storage account. | list(string) | [] | no |
| client_name | Client name/account used in naming | string | n/a | yes |
| containers | List of objects to create some Blob containers in this Storage Account. | list(object({ name = string, container_access_type = optional(string), metadata = optional(map(string)) })) | [] | no |
| custom_diagnostic_settings_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string | "default" | no |
| custom_domain_name | The Custom Domain Name to use for the Storage Account, which will be validated by Azure. | string | null | no |
| default_firewall_action | Which default firewalling policy to apply. Valid values are Allow or Deny. | string | "Deny" | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| environment | Project environment | string | n/a | yes |
| extra_tags | Additional tags to associate with your Azure Container Registry. | map(string) | {} | no |
| file_shares | List of objects to create some File Shares in this Storage Account. | list(object({ name = string, quota_in_gb = number, enabled_protocol = optional(string), metadata = optional(map(string)), acl = optional(list(object({ id = string, permissions = string, start = optional(string), expiry = optional(string) }))) })) | [] | no |
| hns_enabled | Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 and must be true if nfsv3_enabled is set to true. Changing this forces a new resource to be created. | bool | false | no |
| https_traffic_only_enabled | Boolean flag which forces HTTPS if enabled. | bool | true | no |
| identity_ids | Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. | list(string) | null | no |
| identity_type | Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are "SystemAssigned", "UserAssigned" and "SystemAssigned, UserAssigned" (to enable both). | string | "SystemAssigned" | no |
| location | Azure location | string | n/a | yes |
| location_short | Short string for Azure location | string | n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) | null | no |
| logs_destinations_ids | List of destination resource IDs for logs diagnostics destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. Empty list to disable logging. | list(string) | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
| logs_retention_days | Number of days to keep logs on storage account | number | 30 | no |
| min_tls_version | The minimum supported TLS version for the storage account. Possible values are TLS1_0, TLS1_1, and TLS1_2. | string | "TLS1_2" | no |
| name_prefix | Optional prefix for the generated name | string | "" | no |
| name_suffix | Optional suffix for the generated name | string | "" | no |
| network_bypass | Specifies whether traffic is bypassed for 'Logging', 'Metrics', 'AzureServices' or 'None'. | list(string) | ["None"] | no |
| network_rules_enabled | Boolean to enable Network Rules on the Storage Account, requires network_bypass, ip_rules, subnet_ids or default_firewall_action correctly set if enabled. | bool | true | no |
| nfsv3_enabled | Is NFSv3 protocol enabled? Changing this forces a new resource to be created. | bool | false | no |
| public_nested_items_allowed | Allow or disallow nested items within this Account to opt into being public. | bool | false | no |
| queues | List of objects to create some Queues in this Storage Account. | list(object({ name = string, metadata = optional(map(string)) })) | [] | no |
| resource_group_name | Resource group name | string | n/a | yes |
| shared_access_key_enabled | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). | bool | true | no |
| stack | Project stack name | string | n/a | yes |
| static_website_config | Static website configuration. Can only be set when the account_kind is set to StorageV2 or BlockBlobStorage. | object({ index_document = optional(string), error_404_document = optional(string) }) | null | no |
| storage_account_custom_name | Custom Azure Storage Account name, generated if not set | string | "" | no |
| storage_blob_data_protection | Storage account blob Data protection parameters. | object({ change_feed_enabled = bool, versioning_enabled = bool, delete_retention_policy_in_days = number, container_delete_retention_policy_in_days = number, container_point_in_time_restore = bool }) | { "change_feed_enabled": true, "container_delete_retention_policy_in_days": 30, "container_point_in_time_restore": true, "delete_retention_policy_in_days": 30, "versioning_enabled": true } | no |
| subnet_ids | Subnets to allow access to that storage account. | list(string) | [] | no |
| tables | List of objects to create some Tables in this Storage Account. | list(object({ name = string, acl = optional(list(object({ id = string, permissions = string, start = optional(string), expiry = optional(string) }))) })) | [] | no |
| use_caf_naming | Use the Azure CAF naming provider to generate default resource name. storage_account_custom_name overrides this if set. Legacy default name is used if this is set to false. | bool | true | no |
| use_subdomain | Should the Custom Domain Name be validated by using indirect CNAME validation? | bool | false | no |
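
A restricted variant of the storage_account call from the Usage section, added here as an example and not taken from the module's README. It uses only inputs listed in the table above and reuses module.azure_region, module.rg and module.logs; the CIDR and var.app_subnet_id are placeholders.

```hcl
# Added example, not from the module's README. The CIDR is a documentation
# range and var.app_subnet_id is a hypothetical variable; replace both.
module "storage_account_restricted" {
  source  = "claranet/storage-account/azurerm"
  version = "x.x.x"

  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  resource_group_name = module.rg.resource_group_name

  # Transport settings. Both equal the module defaults; pinning them makes
  # a later downgrade visible in review.
  https_traffic_only_enabled = true
  min_tls_version            = "TLS1_2"

  # Network rules: deny by default, then allow named sources only.
  # Assumption: allowed_cidrs includes the address Terraform runs from.
  network_rules_enabled   = true
  default_firewall_action = "Deny"
  allowed_cidrs           = ["203.0.113.0/24"]
  subnet_ids              = [var.app_subnet_id]
  network_bypass          = ["None"]

  # Anonymous access stays off at account level and every container is
  # explicitly private (the Usage example sets "blob" on bloc2).
  public_nested_items_allowed = false
  containers = [
    { name = "bloc1", container_access_type = "private" },
    { name = "bloc2", container_access_type = "private" },
  ]

  # Disabled by default in this module.
  advanced_threat_protection_enabled = true

  # Keep the module's default recovery settings explicit.
  storage_blob_data_protection = {
    change_feed_enabled                       = true
    versioning_enabled                        = true
    delete_retention_policy_in_days           = 30
    container_delete_retention_policy_in_days = 30
    container_point_in_time_restore           = true
  }

  logs_destinations_ids = [module.logs.log_analytics_workspace_id]
}
```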

Outputs

| Name | Description |
| --- | --- |
| storage_account_id | Created storage account ID |
| storage_account_identity | Created Storage Account identity block |
| storage_account_name | Created storage account name |
| storage_account_network_rules | Network rules of the associated Storage Account |
| storage_account_properties | Created Storage Account properties |
| storage_blob_containers | Created blob containers in the Storage Account |
| storage_file_queues | Created queues in the Storage Account |
| storage_file_shares | Created file shares in the Storage Account |
| storage_file_tables | Created tables in the Storage Account |

License:Apache License 2.0

