From ffbfd53af6b56062dc9e8b7f06d9b2cd56a4f87a Mon Sep 17 00:00:00 2001
From: Hauke Brandt
Date: Fri, 19 Jul 2024 09:01:04 +0200
Subject: [PATCH] feat: Storage account resource now includes all attributes from newest azurerm provider version

feat: Module now inclues a resource for storage management policy

---
 main.tf      |  95 ++++++++++++++++++++++++++++++++++++++++++---
 outputs.tf   |  45 ++++++++++++++++++++++
 variables.tf | 106 ++++++++++++++++++++++++++++++++++++++++++++++++---
 versions.tf  |   4 +-
 4 files changed, 237 insertions(+), 13 deletions(-)

diff --git a/main.tf b/main.tf
index c41d406..1dbf00f 100644
--- a/main.tf
+++ b/main.tf
@@ -27,11 +27,13 @@ resource "azurerm_storage_account" "storage_account" {
   is_hns_enabled                    = local.storage_account[each.key].is_hns_enabled
   nfsv3_enabled                     = local.storage_account[each.key].nfsv3_enabled
   large_file_share_enabled          = local.storage_account[each.key].large_file_share_enabled
+  local_user_enabled                = local.storage_account[each.key].local_user_enabled
   queue_encryption_key_type         = local.storage_account[each.key].queue_encryption_key_type
   table_encryption_key_type         = local.storage_account[each.key].table_encryption_key_type
   infrastructure_encryption_enabled = local.storage_account[each.key].infrastructure_encryption_enabled
   allowed_copy_scope                = local.storage_account[each.key].allowed_copy_scope
   sftp_enabled                      = local.storage_account[each.key].sftp_enabled
+  dns_endpoint_type                 = local.storage_account[each.key].dns_endpoint_type

   dynamic "custom_domain" {
     for_each = length(compact(values(local.storage_account[each.key].custom_domain))) > 0 ? [0] : []
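Review bot: The new `dns_endpoint_type` line passes the value straight through with no warning that, per the provider documentation, changing it forces replacement of the storage account — a destructive plan for an account that already holds data. Because the module default is `null`, a caller who adds the attribute to an existing account later will get that replacement with nothing in this module flagging it; a comment on the added line, `# dns_endpoint_type forces a new storage account on change — set at creation time only`, and a note in the variable description would make the risk visible before apply. The `local_user_enabled` line has the same pass-through shape and deserves its own note where the default is declared. The resource block continues outside the hunk.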
@@ -43,10 +45,11 @@ resource "azurerm_storage_account" "storage_account" {
   }

   dynamic "customer_managed_key" {
-    for_each = local.storage_account[each.key].customer_managed_key == {} ? [] : [0]
+    for_each = length(compact(values(local.storage_account[each.key].customer_managed_key))) > 0 ? [0] : []

     content {
       key_vault_key_id          = local.storage_account[each.key].customer_managed_key.key_vault_key_id
+      managed_hsm_key_id        = local.storage_account[each.key].customer_managed_key.managed_hsm_key_id
       user_assigned_identity_id = local.storage_account[each.key].customer_managed_key.user_assigned_identity_id
     }
   }
@@ -86,7 +89,8 @@ resource "azurerm_storage_account" "storage_account" {
       for_each = local.storage_account[each.key].blob_properties.delete_retention_policy == {} ? [] : [0]

       content {
-        days = local.storage_account[each.key].blob_properties.delete_retention_policy.days
+        days                     = local.storage_account[each.key].blob_properties.delete_retention_policy.days
+        permanent_delete_enabled = local.storage_account[each.key].blob_properties.delete_retention_policy.permanent_delete_enabled
       }
     }

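Review bot: The `customer_managed_key` block now emits both `key_vault_key_id` and `managed_hsm_key_id`, but the provider accepts only one of the two, so a caller who sets both gets a provider-level error instead of one from this module. A `validation` on `var.storage_account` (or a `precondition` on the resource) rejecting entries where both ids are non-null, plus a comment above the block such as `# exactly one of key_vault_key_id / managed_hsm_key_id may be set; user_assigned_identity_id is always required`, would surface the conflict at the module boundary. Note that the new `for_each` gate opens whenever any value in the map is non-empty, so a `user_assigned_identity_id` supplied on its own now produces the block with both key ids null, which the provider will also reject. The enclosing resource continues outside the hunk.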
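Review bot: `permanent_delete_enabled` is wired through without any note that it lets soft-deleted blobs and versions be purged before the `days` retention elapses, which is precisely the protection `delete_retention_policy` provides against accidental or malicious deletion. The local default is `null`, so existing callers keep the provider default and are unaffected, but the added line deserves a comment — `# permanent_delete_enabled allows soft-deleted data to be purged before 'days' elapses; leave unset unless required` — and the variable description should say the same. The enclosing `dynamic "delete_retention_policy"` block starts outside the hunk.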
@@ -280,13 +284,92 @@ resource "azurerm_storage_account" "storage_account" {
   tags = local.storage_account[each.key].tags
 }

+resource "azurerm_storage_management_policy" "storage_management_policy" {
+  for_each = var.storage_management_policy
+
+  storage_account_id = local.storage_management_policy[each.key].storage_account_id
+
+  dynamic "rule" {
+    for_each = local.storage_management_policy[each.key].rule
+
+    content {
+      name    = local.storage_management_policy[each.key].rule[rule.key].name == "" ? rule.key : local.storage_management_policy[each.key].rule[rule.key].name
+      enabled = local.storage_management_policy[each.key].rule[rule.key].enabled
+
+      filters {
+        blob_types   = local.storage_management_policy[each.key].rule[rule.key].filters.blob_types
+        prefix_match = local.storage_management_policy[each.key].rule[rule.key].filters.prefix_match
+
+        dynamic "match_blob_index_tag" {
+          for_each = length(compact(values(local.storage_management_policy[each.key].rule[rule.key].filters.match_blob_index_tag))) > 0 ? [0] : []
+
+          content {
+            name      = local.storage_management_policy[each.key].rule[rule.key].filters.match_blob_index_tag.name
+            value     = local.storage_management_policy[each.key].rule[rule.key].filters.match_blob_index_tag.value
+            operation = local.storage_management_policy[each.key].rule[rule.key].filters.match_blob_index_tag.operation
+          }
+        }
+      }
+
+      actions {
+        dynamic "base_blob" {
+          for_each = length(compact(values(local.storage_management_policy[each.key].rule[rule.key].actions.base_blob))) > 0 ? [0] : []
+
+          content {
+            tier_to_cool_after_days_since_modification_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_cool_after_days_since_modification_greater_than
+            tier_to_cool_after_days_since_last_access_time_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_cool_after_days_since_last_access_time_greater_than
+            tier_to_cool_after_days_since_creation_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_cool_after_days_since_creation_greater_than
+            auto_tier_to_hot_from_cool_enabled = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.auto_tier_to_hot_from_cool_enabled
+            tier_to_archive_after_days_since_modification_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_archive_after_days_since_modification_greater_than
+            tier_to_archive_after_days_since_last_access_time_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_archive_after_days_since_last_access_time_greater_than
+            tier_to_archive_after_days_since_creation_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_archive_after_days_since_creation_greater_than
+            tier_to_archive_after_days_since_last_tier_change_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_archive_after_days_since_last_tier_change_greater_than
+            tier_to_cold_after_days_since_modification_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_cold_after_days_since_modification_greater_than
+            tier_to_cold_after_days_since_last_access_time_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_cold_after_days_since_last_access_time_greater_than
+            tier_to_cold_after_days_since_creation_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.tier_to_cold_after_days_since_creation_greater_than
+            delete_after_days_since_modification_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.delete_after_days_since_modification_greater_than
+            delete_after_days_since_last_access_time_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.delete_after_days_since_last_access_time_greater_than
+            delete_after_days_since_creation_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.base_blob.delete_after_days_since_creation_greater_than
+          }
+        }
+
+        dynamic "snapshot" {
+          for_each = length(compact(values(local.storage_management_policy[each.key].rule[rule.key].actions.snapshot))) > 0 ? [0] : []
+
+          content {
+            change_tier_to_archive_after_days_since_creation = local.storage_management_policy[each.key].rule[rule.key].actions.snapshot.change_tier_to_archive_after_days_since_creation
+            tier_to_archive_after_days_since_last_tier_change_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.snapshot.tier_to_archive_after_days_since_last_tier_change_greater_than
+            change_tier_to_cool_after_days_since_creation = local.storage_management_policy[each.key].rule[rule.key].actions.snapshot.change_tier_to_cool_after_days_since_creation
+            tier_to_cold_after_days_since_creation_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.snapshot.tier_to_cold_after_days_since_creation_greater_than
+            delete_after_days_since_creation_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.snapshot.delete_after_days_since_creation_greater_than
+          }
+        }
+
+        dynamic "version" {
+          for_each = length(compact(values(local.storage_management_policy[each.key].rule[rule.key].actions.version))) > 0 ? [0] : []
+
+          content {
+            change_tier_to_archive_after_days_since_creation = local.storage_management_policy[each.key].rule[rule.key].actions.version.change_tier_to_archive_after_days_since_creation
+            tier_to_archive_after_days_since_last_tier_change_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.version.tier_to_archive_after_days_since_last_tier_change_greater_than
+            change_tier_to_cool_after_days_since_creation = local.storage_management_policy[each.key].rule[rule.key].actions.version.change_tier_to_cool_after_days_since_creation
+            tier_to_cold_after_days_since_creation_greater_than = local.storage_management_policy[each.key].rule[rule.key].actions.version.tier_to_cold_after_days_since_creation_greater_than
+            delete_after_days_since_creation = local.storage_management_policy[each.key].rule[rule.key].actions.version.delete_after_days_since_creation
+          }
+        }
+      }
+    }
+  }
+}
+
 resource "azurerm_storage_container" "storage_container" {
   for_each = var.storage_container

-  name                  = local.storage_container[each.key].name == "" ? each.key : local.storage_container[each.key].name
-  storage_account_name  = local.storage_container[each.key].storage_account_name
-  container_access_type = local.storage_container[each.key].container_access_type
-  metadata              = local.storage_container[each.key].metadata
+  name                              = local.storage_container[each.key].name == "" ? each.key : local.storage_container[each.key].name
+  storage_account_name              = local.storage_container[each.key].storage_account_name
+  container_access_type             = local.storage_container[each.key].container_access_type
+  default_encryption_scope          = local.storage_container[each.key].default_encryption_scope
+  encryption_scope_override_enabled = local.storage_container[each.key].encryption_scope_override_enabled
+  metadata                          = local.storage_container[each.key].metadata
 }

 resource "azurerm_storage_share" "storage_share" {
diff --git a/outputs.tf b/outputs.tf
index 505ede1..bf99df2 100644
--- a/outputs.tf
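Review bot: The new `azurerm_storage_management_policy` resource can delete data through the `delete_after_days_since_*` actions on `base_blob`, `snapshot` and `version`, and the module defaults introduced alongside it give every rule `prefix_match = []` and `enabled = true`, so a rule that omits a prefix is account-wide and live on the first apply. A `lifecycle { precondition { ... } }` on the resource that rejects any rule carrying a delete action while `filters.prefix_match` is empty would stop an accidental account-wide purge; failing that, a comment above `dynamic "rule"` — `# an empty prefix_match applies the rule to every blob of the listed blob_types in the account; delete actions then purge all of them` — belongs here. The `match_blob_index_tag` gate is also opened by `operation` alone, so a caller who sets only `operation` gets a block with null `name`/`value` that the provider will reject; gating on `name` would be more precise. The container resource in the same hunk passes `default_encryption_scope` through unchanged, which is fine.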
+++ b/outputs.tf
@@ -9,6 +9,17 @@ output "storage_account" {
   }
 }

+output "storage_management_policy" {
+  description = "Outputs all attributes of resource_type."
+  value = {
+    for storage_management_policy in keys(azurerm_storage_management_policy.storage_management_policy) :
+    storage_management_policy => {
+      for key, value in azurerm_storage_management_policy.storage_management_policy[storage_management_policy] :
+      key => value
+    }
+  }
+}
+
 output "storage_container" {
   description = "Outputs all attributes of resource_type."
   value = {
@@ -54,6 +65,10 @@ output "variables" {
       for key in keys(var.storage_account) :
       key => local.storage_account[key]
     }
+    storage_management_policy = {
+      for key in keys(var.storage_management_policy) :
+      key => local.storage_management_policy[key]
+    }
     storage_container = {
       for key in keys(var.storage_container) :
       key => local.storage_container[key]
@@ -67,11 +82,41 @@ output "variables" {
       key => local.storage_share_directory[key]
     }
   }
+  values = {
+    storage_account = {
+      for key in keys(var.storage_account) :
+      key => local.storage_account_values[key]
+    }
+    storage_management_policy = {
+      for key in keys(var.storage_management_policy) :
+      key => local.storage_management_policy_values[key]
+    }
+    storage_share = {
+      for key in keys(var.storage_share) :
+      key => local.storage_share_values[key]
+    }
+  }
   variable = {
     storage_account = {
       for key in keys(var.storage_account) :
       key => var.storage_account[key]
     }
+    storage_management_policy = {
+      for key in keys(var.storage_management_policy) :
+      key => var.storage_management_policy[key]
+    }
+    storage_container = {
+      for key in keys(var.storage_container) :
+      key => var.storage_container[key]
+    }
+    storage_share = {
+      for key in keys(var.storage_share) :
+      key => var.storage_share[key]
+    }
+    storage_share_directory = {
+      for key in keys(var.storage_share_directory) :
+      key => var.storage_share_directory[key]
+    }
   }
 }
 }
diff --git a/variables.tf b/variables.tf
index e155d39..455886c 100644
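Review bot: The new `storage_management_policy` output carries the copy-pasted placeholder `description = "Outputs all attributes of resource_type."`, which tells a consumer nothing about what they get; it should read `description = "All attributes of each azurerm_storage_management_policy created by this module, keyed by the var.storage_management_policy key."`. The extension of `output "variables"` now echoes every raw input map verbatim under `variable` and the merged defaults under `values`, so whatever a caller puts into those maps lands in the module's state and plan output — none of the fields added in this change are secrets, but the output's description should state that it mirrors inputs so callers know not to route sensitive values through them. The `output "variables"` block starts outside the hunk.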
--- a/variables.tf
+++ b/variables.tf
@@ -3,6 +3,11 @@ variable "storage_account" {
   default     = {}
   description = "Resource definition, default settings are defined within locals and merged with var settings. For more information look at [Outputs](#Outputs)."
 }
+variable "storage_management_policy" {
+  type        = any
+  default     = {}
+  description = "Resource definition, default settings are defined within locals and merged with var settings. For more information look at [Outputs](#Outputs)."
+}
 variable "storage_container" {
   type        = any
   default     = {}
@@ -39,16 +44,21 @@ locals {
       is_hns_enabled                    = null
       nfsv3_enabled                     = null
       large_file_share_enabled          = null
+      local_user_enabled                = null
       queue_encryption_key_type         = null
       table_encryption_key_type         = null
       infrastructure_encryption_enabled = null
       allowed_copy_scope                = null
       sftp_enabled                      = null
+      dns_endpoint_type                 = null
       custom_domain = {
         name          = ""
         use_subdomain = null
       }
-      customer_managed_key = {}
+      customer_managed_key = {
+        key_vault_key_id   = null
+        managed_hsm_key_id = null
+      }
       identity = {
         identity_ids = null
       }
@@ -60,7 +70,8 @@ locals {
         last_access_time_enabled = null
         cors_rule                = {}
         delete_retention_policy = {
-          days = null
+          days                     = null
+          permanent_delete_enabled = null
         }
         restore_policy = {}
         container_delete_retention_policy = {
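Review bot: `local_user_enabled = null` leaves the provider default in force, which per the provider documentation is `true`, so every account this module creates has local-user (password / SSH-key) authentication enabled whether or not `sftp_enabled` is set. A deny-by-default module would declare `local_user_enabled = false // defined default` here, using the same `// defined default` marker this change introduces for the policy rule, and let callers opt in together with `sftp_enabled`; if the resulting plan churn on existing accounts is unwanted, the inherited default should at least be stated in the variable description. The new `customer_managed_key` default also lists `key_vault_key_id` and `managed_hsm_key_id` but not `user_assigned_identity_id`, which `main.tf` reads from the same object, so a caller who omits the identity presumably gets an unsupported-attribute error from the merge rather than the provider's required-argument message; adding `user_assigned_identity_id = null` keeps the object shape complete. The `locals` block continues outside the hunk.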
@@ -122,10 +133,56 @@ locals {
       }
       tags = {}
     }
+    storage_management_policy = {
+      rule = {
+        name    = ""
+        enabled = true // defined default
+        filters = {
+          prefix_match = []
+          match_blob_index_tag = {
+            operation = null
+          }
+        }
+        actions = {
+          base_blob = {
+            tier_to_cool_after_days_since_modification_greater_than        = null
+            tier_to_cool_after_days_since_last_access_time_greater_than    = null
+            tier_to_cool_after_days_since_creation_greater_than            = null
+            auto_tier_to_hot_from_cool_enabled                             = null
+            tier_to_archive_after_days_since_modification_greater_than     = null
+            tier_to_archive_after_days_since_last_access_time_greater_than = null
+            tier_to_archive_after_days_since_creation_greater_than         = null
+            tier_to_archive_after_days_since_last_tier_change_greater_than = null
+            tier_to_cold_after_days_since_modification_greater_than        = null
+            tier_to_cold_after_days_since_last_access_time_greater_than    = null
+            tier_to_cold_after_days_since_creation_greater_than            = null
+            delete_after_days_since_modification_greater_than              = null
+            delete_after_days_since_last_access_time_greater_than          = null
+            delete_after_days_since_creation_greater_than                  = null
+          }
+          snapshot = {
+            change_tier_to_archive_after_days_since_creation               = null
+            tier_to_archive_after_days_since_last_tier_change_greater_than = null
+            change_tier_to_cool_after_days_since_creation                  = null
+            tier_to_cold_after_days_since_creation_greater_than            = null
+            delete_after_days_since_creation_greater_than                  = null
+          }
+          version = {
+            change_tier_to_archive_after_days_since_creation               = null
+            tier_to_archive_after_days_since_last_tier_change_greater_than = null
+            change_tier_to_cool_after_days_since_creation                  = null
+            tier_to_cold_after_days_since_creation_greater_than            = null
+            delete_after_days_since_creation                               = null
+          }
+        }
+      }
+    }
     storage_container = {
-      name                  = ""
-      container_access_type = null
-      metadata              = null
+      name                              = ""
+      container_access_type             = null
+      default_encryption_scope          = null
+      encryption_scope_override_enabled = null
+      metadata                          = null
     }
     storage_share = {
       name = ""
@@ -150,6 +207,10 @@ locals {
     for storage_account in keys(var.storage_account) :
     storage_account => merge(local.default.storage_account, var.storage_account[storage_account])
   }
+  storage_management_policy_values = {
+    for storage_management_policy in keys(var.storage_management_policy) :
+    storage_management_policy => merge(local.default.storage_management_policy, var.storage_management_policy[storage_management_policy])
+  }
   storage_share_values = {
     for storage_share in keys(var.storage_share) :
     storage_share => merge(local.default.storage_share, var.storage_share[storage_share])
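Review bot: The `filters` default declares `prefix_match` and `match_blob_index_tag` but not `blob_types`, while `main.tf` reads `filters.blob_types` for every rule, so a caller who omits it fails with an unsupported-attribute error from the merge instead of the provider's required-argument message naming the field. Add `blob_types = null` next to `prefix_match = []` so the merged rule always has the shape the resource expects. `prefix_match = []` also deserves a comment — `# empty list = the rule applies to every blob in the account` — because together with `enabled = true // defined default` a delete rule left at these defaults is account-wide from the first apply. The `default` local starts outside the hunk.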
@@ -215,6 +276,41 @@ locals {
       }
     )
   }
+  storage_management_policy = {
+    for storage_management_policy in keys(var.storage_management_policy) :
+    storage_management_policy => merge(
+      local.storage_management_policy_values[storage_management_policy],
+      {
+        for config in ["rule"] :
+        config => lookup(var.storage_management_policy[storage_management_policy], config, {}) == {} ? {} : {
+          for key in keys(local.storage_management_policy_values[storage_management_policy][config]) :
+          key => merge(
+            merge(local.default.storage_management_policy[config], local.storage_management_policy_values[storage_management_policy][config][key]),
+            {
+              for subconfig in ["filters"] :
+              subconfig => merge(
+                merge(local.default.storage_management_policy[config][subconfig], local.storage_management_policy_values[storage_management_policy][config][key][subconfig]),
+                {
+                  for subsubconfig in ["match_blob_index_tag"] :
+                  subsubconfig => merge(local.default.storage_management_policy[config][subconfig][subsubconfig], lookup(local.storage_management_policy_values[storage_management_policy][config][key][subconfig], subsubconfig, {}))
+                }
+              )
+            },
+            {
+              for subconfig in ["actions"] :
+              subconfig => merge(
+                merge(local.default.storage_management_policy[config][subconfig], local.storage_management_policy_values[storage_management_policy][config][key][subconfig]),
+                {
+                  for subsubconfig in ["base_blob", "snapshot", "version"] :
+                  subsubconfig => merge(local.default.storage_management_policy[config][subconfig][subsubconfig], lookup(local.storage_management_policy_values[storage_management_policy][config][key][subconfig], subsubconfig, {}))
+                }
+              )
+            }
+          )
+        }
+      }
+    )
+  }
   storage_container = {
     for storage_container in keys(var.storage_container) :
     storage_container => merge(local.default.storage_container, var.storage_container[storage_container])
diff --git a/versions.tf b/versions.tf
index 4c7e2d2..6ed8269 100644
--- a/versions.tf
+++ b/versions.tf
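Review bot: When a `storage_management_policy` entry has no `rule` key, the `lookup(..., config, {}) == {} ? {} : ...` branch produces an empty rule map and the resource in `main.tf` is created with zero `rule` blocks; I believe the Azure API rejects a management policy without rules, and in any case an empty policy is almost certainly a caller mistake that should fail at plan time with a clear message. A `validation` on `var.storage_management_policy` such as `condition = alltrue([for p in var.storage_management_policy : length(lookup(p, "rule", {})) > 0])` with an error message saying each policy needs at least one rule would catch it. The nested merge also indexes `[config][key][subconfig]` directly for `filters` and `actions` but uses `lookup` for the level below, so a rule missing either block fails with an unsupported-attribute error; using `lookup(..., subconfig, {})` at that level too would turn the failure into the provider's required-argument message. The `locals` block continues outside the hunk.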
@@ -2,8 +2,8 @@ terraform {
   required_providers {
     azurerm = {
       source  = "registry.terraform.io/hashicorp/azurerm"
-      version = ">=3.46.0"
+      version = ">=3.103.0"
     }
   }
-  required_version = ">=1.3"
+  required_version = ">=1.5"
 }