Creates a new Storage Account with the option to create containers and a Blob Private Endpoint.
This module does not currently support implementation of Access Policies for tables, containers, queues etc. Please use RBAC instead.
Changes in this version:
- Breaking changes from v2.x
- Removed Private Endpoint resources. Use the separate private_endpoint module if you need a PE.
Future changes to include:
- Update the Azurerm provider to 3.29.x, which makes additional attributes available.
- Add options for choosing different file authentication methods (AD)
- Options to change tier and protocol for shares.
- Identity-based authentication (Active Directory) for Azure file shares
- Add dynamic block for Table Access Policy
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "= 3.20.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg_testpe" {
  name     = "rg-test-sa"
  location = "uksouth"
}

# Creates Storage Account in default location (WestEurope).
module "storage_account" {
  source  = "andrewCluey/storage-account/azurerm"
  version = "2.0.0"

  storage_account_name   = "sasimple83e32q"
  sa_resource_group_name = azurerm_resource_group.rg_testpe.name
}
```
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "= 3.20.0"
    }
    http = {
      source  = "hashicorp/http"
      version = "3.2.0"
    }
  }
}

provider "http" {}

provider "azurerm" {
  features {}
}

# ---------------------------------------------------------------
# Get TF client Public IP for subsequent access to locked down SA
# ---------------------------------------------------------------
data "http" "ip" {
  url = "https://ifconfig.me/ip"
}

# --------------------------------------------------------------
# Storage Account Module needs a Resource Group
# --------------------------------------------------------------
resource "azurerm_resource_group" "rg" {
  name     = "rg-exfull-sa"
  location = "uksouth"
}

# --------------------------------------------------------------
# Deploy the module being tested (Storage Account)
# --------------------------------------------------------------
module "storage_account" {
  # source is set to use local path for testing the latest version.
  source = "../../"
  #source  = "andrewCluey/storage-account/azurerm"
  #version = "3.0.0"

  storage_account_name   = "samodexdev87t7t"
  location               = azurerm_resource_group.rg.location
  sa_resource_group_name = azurerm_resource_group.rg.name
  blob_containers        = ["z-blob", "default", "autotest", "x-blob"]
  storage_queues         = ["dev-queue", "app-queue"]
  storage_tables         = ["appTable", "devTable"]
  storage_shares         = ["share-f", "s-drive"]
  default_action         = "Deny"
  bypass_services        = []
  # If default_action is set to `Deny`, ensure the public IP where Terraform runs from still has access.
  allowed_public_ip = [data.http.ip.response_body]
}

# --------------------------------------------------------------
# Example Outputs
# --------------------------------------------------------------
output "queues_created" {
  description = "A list of all the Storage Queues created."
  value       = module.storage_account.queues
}

output "primary_blob_endpoint" {
  description = "The URL of the Primary Storage Account Blob Endpoint."
  value       = module.storage_account.primary_blob_endpoint
}

output "my_ip" {
  value = data.http.ip.response_body
}
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_tier | The Storage Tier for the new Account. Options are 'Standard' or 'Premium' | string | "Standard" | no |
allowed_public_ip | A list of public IPs or IP ranges in CIDR format. Private IP addresses are not permitted. | list(string) | [] | no |
allowed_subnet_ids | A list of virtual network subnet IDs to secure the storage account. | list(string) | [] | no |
blob_containers | List all the blob containers to create. | list(any) | [] | no |
bypass_services | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices. Empty list to remove it. | list(string) | [] | no |
datalake_v2 | Enables hierarchical namespace for Data Lake Storage Gen 2 | bool | false | no |
default_action | Specifies the default action of allow or deny when no other rules match. Valid options are Deny or Allow. | string | "Allow" | no |
location | The Azure Region where the Storage Account & Private Endpoint are to be created. | string | "uksouth" | no |
repl_type | The replication type required for the new Storage Account. Options are LRS; GRS; RAGRS; ZRS | string | "GRS" | no |
sa_resource_group_name | The name of a Resource Group to deploy the new Storage Account into. | string | n/a | yes |
storage_account_name | The name to assign to the new Storage Account. | string | n/a | yes |
storage_queues | A list of Storage Queues to be created. | list(string) | [] | no |
storage_shares | A list of Shares to create within the new Storage Account. | list(string) | [] | no |
storage_tables | A list of Storage Tables to be created. | list(string) | [] | no |
tags | Tags to apply to the new resources | map(string) | null | no |
tls_ver | Minimum version of TLS that must be used to connect to the storage account | string | "TLS1_2" | no |
Name | Description |
---|---|
containers | A list of all the blob containers that have been created (if specified). |
id | The ID of the newly created Storage Account. |
primary_blob_endpoint | The endpoint URL for blob storage in the primary location. |
queues | A list of all the storage queues that have been created (if specified). |
shares | A list of all the File Shares that have been created (if specified). |
storage_account_name | The name of the new Storage Account. |
storage_name | The primary blob endpoint. |
tables | A list of all the storage tables that have been created (if specified). |