Common Azure terraform module to create a Storage Account and manage related parameters (Threat protection, Network Rules, Blob Containers, File Shares, etc.)
If you need to enable Active Directory or AAD DS authentication for Azure File on this Storage Account, please read the Microsoft documentation and set the required values in the file_share_authentication variable.
| Module version | Terraform version | AzureRM version |
|---|---|---|
| >= 7.x.x | 1.3.x | >= 3.0 |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper available in the documentation.
data "http" "my_ip" {
url = "http://ip4.clara.net/?raw"
}
module "azure_region" {
source = "claranet/regions/azurerm"
version = "x.x.x"
azure_region = var.azure_region
}
module "rg" {
source = "claranet/rg/azurerm"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
location = module.azure_region.location
stack = var.stack
}
module "run" {
source = "claranet/run/azurerm"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
location = module.azure_region.location
location_short = module.azure_region.location_short
stack = var.stack
monitoring_function_enabled = false
resource_group_name = module.rg.resource_group_name
}
module "storage_account" {
source = "claranet/storage-account/azurerm"
version = "x.x.x"
location = module.azure_region.location
location_short = module.azure_region.location_short
client_name = var.client_name
environment = var.environment
stack = var.stack
resource_group_name = module.rg.resource_group_name
allowed_cidrs = [format("%s/32", data.http.my_ip.body)]
account_replication_type = "LRS"
storage_blob_data_protection = {
change_feed_enabled = true
versioning_enabled = true
delete_retention_policy_in_days = 42
container_delete_retention_policy_in_days = 42
container_point_in_time_restore = true
}
# Disabled by default
storage_blob_cors_rules = [{
allowed_headers = ["*"]
allowed_methods = ["GET", "HEAD"]
allowed_origins = ["https://example.com"]
exposed_headers = ["*"]
max_age_in_seconds = 3600
}]
logs_destinations_ids = [
module.run.logs_storage_account_id,
module.run.log_analytics_workspace_id,
]
# Set by default
queue_properties_logging = {
delete = true
read = true
write = true
version = "1.0"
retention_policy_days = 10
}
containers = [
{
name = "container1"
},
{
name = "container2"
# container_access_type = "blob"
}
]
file_shares = [
{
name = "share1smb"
quota_in_gb = 50
}
]
tables = [
{
name = "table1"
}
]
queues = [
{
name = "queue1"
}
]
extra_tags = {
foo = "bar"
}
}| Name | Version |
|---|---|
| azurecaf | ~> 1.2, >= 1.2.22 |
| azurerm | ~> 3.39 |
| Name | Source | Version |
|---|---|---|
| diagnostics | claranet/diagnostic-settings/azurerm | ~> 6.5.0 |
| diagnostics_type | claranet/diagnostic-settings/azurerm | ~> 6.5.0 |
| Name | Type |
|---|---|
| azurerm_advanced_threat_protection.threat_protection | resource |
| azurerm_storage_account.storage | resource |
| azurerm_storage_account_network_rules.network_rules | resource |
| azurerm_storage_container.container | resource |
| azurerm_storage_queue.queue | resource |
| azurerm_storage_share.share | resource |
| azurerm_storage_table.table | resource |
| azurecaf_name.sa | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_tier | Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot. |
string |
"Hot" |
no |
| account_kind | Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Changing this forces a new resource to be created. Defaults to StorageV2. |
string |
"StorageV2" |
no |
| account_replication_type | Defines the type of replication to use for this Storage Account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. |
string |
"ZRS" |
no |
| account_tier | Defines the Tier to use for this Storage Account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created. |
string |
"Standard" |
no |
| advanced_threat_protection_enabled | Boolean flag which controls if advanced threat protection is enabled, see documentation for more information. | bool |
false |
no |
| allowed_cidrs | List of CIDR to allow access to that Storage Account. | list(string) |
[] |
no |
| client_name | Client name/account used in naming | string |
n/a | yes |
| containers | List of objects to create some Blob containers in this Storage Account. | list(object({ |
[] |
no |
| cross_tenant_replication_enabled | Enable cross tenant replication. | bool |
false |
no |
| custom_diagnostic_settings_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string |
"default" |
no |
| custom_domain_name | The Custom Domain Name to use for the Storage Account, which will be validated by Azure. | string |
null |
no |
| default_firewall_action | Which default firewalling policy to apply. Valid values are Allow or Deny. |
string |
"Deny" |
no |
| default_tags_enabled | Option to enable or disable default tags. | bool |
true |
no |
| environment | Project environment | string |
n/a | yes |
| extra_tags | Additional tags to associate with your Azure Storage Account. | map(string) |
{} |
no |
| file_share_authentication | Storage Account file shares authentication configuration. | object({ |
null |
no |
| file_share_cors_rules | Storage Account file shares CORS rule. Please refer to the documentation for more information. | object({ |
null |
no |
| file_share_properties_smb | Storage Account file shares smb properties. | object({ |
null |
no |
| file_share_retention_policy_in_days | Storage Account file shares retention policy in days. Enabling this may require additional directory permissions. | number |
null |
no |
| file_shares | List of objects to create some File Shares in this Storage Account. | list(object({ |
[] |
no |
| hns_enabled | Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 and must be true if nfsv3_enabled or sftp_enabled is set to true. Changing this forces a new resource to be created. |
bool |
false |
no |
| https_traffic_only_enabled | Boolean flag which forces HTTPS if enabled. | bool |
true |
no |
| identity_ids | Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. | list(string) |
null |
no |
| identity_type | Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both). |
string |
"SystemAssigned" |
no |
| location | Azure location | string |
n/a | yes |
| location_short | Short string for Azure location | string |
n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) |
null |
no |
| logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formated string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the ` |
` character. | list(string) |
n/a |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) |
null |
no |
| min_tls_version | The minimum supported TLS version for the Storage Account. Possible values are TLS1_0, TLS1_1, and TLS1_2. |
string |
"TLS1_2" |
no |
| name_prefix | Optional prefix for the generated name | string |
"" |
no |
| name_suffix | Optional suffix for the generated name | string |
"" |
no |
| network_bypass | Specifies whether traffic is bypassed for 'Logging', 'Metrics', 'AzureServices' or 'None'. | list(string) |
[ |
no |
| network_rules_enabled | Boolean to enable Network Rules on the Storage Account, requires network_bypass, allowed_cidrs, subnet_ids or default_firewall_action correctly set if enabled. |
bool |
true |
no |
| nfsv3_enabled | Is NFSv3 protocol enabled? Changing this forces a new resource to be created. | bool |
false |
no |
| private_link_access | List of Privatelink objects to allow access from. | list(object({ |
[] |
no |
| public_nested_items_allowed | Allow or disallow nested items within this Account to opt into being public. | bool |
false |
no |
| public_network_access_enabled | Whether the public network access is enabled? | bool |
true |
no |
| queue_properties_logging | Logging queue properties | object({ |
{} |
no |
| queues | List of objects to create some Queues in this Storage Account. | list(object({ |
[] |
no |
| resource_group_name | Resource group name | string |
n/a | yes |
| sftp_enabled | Is SFTP enabled? | bool |
false |
no |
| shared_access_key_enabled | Indicates whether the Storage Account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). | bool |
true |
no |
| stack | Project stack name | string |
n/a | yes |
| static_website_config | Static website configuration. Can only be set when the account_kind is set to StorageV2 or BlockBlobStorage. |
object({ |
null |
no |
| storage_account_custom_name | Custom Azure Storage Account name, generated if not set | string |
"" |
no |
| storage_blob_cors_rules | Storage Account blob CORS rules. Please refer to the documentation for more information. | list(object({ |
[] |
no |
| storage_blob_data_protection | Storage account blob Data protection parameters. | object({ |
{ |
no |
| subnet_ids | Subnets to allow access to that Storage Account. | list(string) |
[] |
no |
| tables | List of objects to create some Tables in this Storage Account. | list(object({ |
[] |
no |
| use_caf_naming | Use the Azure CAF naming provider to generate default resource name. storage_account_custom_name override this if set. Legacy default name is used if this is set to false. |
bool |
true |
no |
| use_subdomain | Should the Custom Domain Name be validated by using indirect CNAME validation? | bool |
false |
no |
| Name | Description |
|---|---|
| storage_account_id | Created Storage Account ID. |
| storage_account_identity | Created Storage Account identity block. |
| storage_account_name | Created Storage Account name. |
| storage_account_network_rules | Network rules of the associated Storage Account. |
| storage_account_properties | Created Storage Account properties. |
| storage_blob_containers | Created blob containers in the Storage Account. |
| storage_file_queues | Created queues in the Storage Account. |
| storage_file_shares | Created file shares in the Storage Account. |
| storage_file_tables | Created tables in the Storage Account. |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent