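// Inputs for a Terraform remote-state backend hosted on Azure Blob Storage.
// None of these values are secrets: access to the state is governed by the
// Entra ID role assignments created for principalIds, not by account keys.

@description('The name of the Storage account to create.')
// Storage account names are 3-24 characters; validating here fails fast at
// template validation instead of part-way through deployment.
@minLength(3)
@maxLength(24)
param storageAccountName string

@description('The name of the blob container to create.')
// Blob container names are 3-63 characters.
@minLength(3)
@maxLength(63)
param containerName string = 'tfstate'

@description('An array of IP addresses or IP ranges that should be allowed to bypass the firewall of the Terraform backend. If empty, the firewall will be disabled.')
// With an empty list the account's network ACL default action is 'Allow', so
// the blob endpoint is reachable from any network and Entra ID authorization
// (shared-key access is disabled on the account) is the only access control.
param ipRules array = []

@description('An array of object IDs of user, group or service principals that should have access to the Terraform backend.')
// Every ID listed is granted Storage Blob Data Owner on the whole account.
param principalIds array = []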
// Storage account holding Terraform state. Hardened defaults: HTTPS/TLS 1.2
// only, no anonymous blob access, no shared-key (account key / SAS) access,
// and an optional IP allow-list. Because shared-key access is disabled, all
// data-plane access is via Entra ID RBAC; Terraform must be configured with
// `use_azuread_auth = true` in its azurerm backend block.
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: resourceGroup().location
  sku: {
    // Geo-redundant: state survives a regional outage of the primary.
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    accessTier: 'Hot'
    // Transport hardening: reject plain HTTP and TLS < 1.2.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    // No anonymous/public read of containers or blobs.
    allowBlobPublicAccess: false
    // Disables account-key and SAS authentication; only Entra ID identities
    // with a data-plane role (see roleAssignment) can read or write state.
    allowSharedKeyAccess: false
    // Object replication to an account in another tenant is not permitted.
    allowCrossTenantReplication: false
    networkAcls: {
      // With no ipRules the firewall is effectively off ('Allow' from any
      // network) and identity is the sole gate; with rules, everything not
      // listed is denied. Private endpoints / VNet rules are not configured.
      defaultAction: length(ipRules) == 0 ? 'Allow' : 'Deny'
      virtualNetworkRules: []
      ipRules: [
        for ipRule in ipRules: {
          value: ipRule
          action: 'Allow'
        }
      ]
    }
  }

  // Blob service settings: soft delete for blobs and containers (30 days),
  // versioning so every state write keeps the prior version, and the change
  // feed as an audit log of state modifications.
  resource blobService 'blobServices' = {
    name: 'default'
    properties: {
      deleteRetentionPolicy: {
        // Soft-deleted blobs cannot be permanently purged before retention ends.
        allowPermanentDelete: false
        enabled: true
        days: 30
      }
      containerDeleteRetentionPolicy: {
        enabled: true
        days: 30
      }
      isVersioningEnabled: true
      changeFeed: {
        enabled: true
      }
    }

    // The container Terraform's azurerm backend points at.
    resource container 'containers' = {
      name: containerName
    }
  }

  // Lifecycle rule: delete previous (non-current) blob versions older than
  // 30 days so versioning does not grow unbounded. The current version is
  // not affected. No prefix filter, so it applies account-wide.
  resource managementPolicy 'managementPolicies' = {
    name: 'default'
    properties: {
      policy: {
        rules: [
          {
            name: 'Delete old tfstate versions'
            enabled: true
            type: 'Lifecycle'
            definition: {
              actions: {
                version: {
                  delete: {
                    daysAfterCreationGreaterThan: 30
                  }
                }
              }
              filters: {
                blobTypes: [
                  'blockBlob'
                ]
              }
            }
          }
        ]
      }
    }
  }
}
// Built-in role referenced by its well-known GUID; built-in role definition
// IDs are identical in every tenant, so this resolves without lookup.
// NOTE(review): Storage Blob Data Owner is the broadest blob data-plane
// role; confirm whether Storage Blob Data Contributor is sufficient for the
// backend's blob read/write/lease operations before granting Owner.
resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
  name: 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b' // Storage Blob Data Owner
  scope: subscription()
}
// One role assignment per principal, scoped to the storage account (not the
// resource group), so the grant covers only the backend. The name is a
// deterministic GUID of (account, principal, role), making redeploys
// idempotent rather than creating duplicate assignments.
// NOTE(review): principalType is not set; for freshly created service
// principals, setting `principalType: 'ServicePrincipal'` may avoid
// PrincipalNotFound failures caused by directory replication delay. It is
// not added here because the parameter does not carry a per-entry type.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
  for principalId in principalIds: {
    name: guid(storageAccount.id, principalId, roleDefinition.id)
    scope: storageAccount
    properties: {
      principalId: principalId
      roleDefinitionId: roleDefinition.id
    }
  }
]
// Management lock on the account. 'ReadOnly' blocks control-plane
// modification and deletion of the account and its configuration (including
// future updates by this template — the lock must be removed first to
// change the backend). Blob data-plane operations authorized via Entra ID
// are not control-plane calls and are expected to continue to work.
// The explicit dependsOn ensures the child resources and role assignments
// exist before the lock, since a ReadOnly lock would block their creation.
resource lock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'Terraform'
  scope: storageAccount
  dependsOn: [storageAccount::blobService, storageAccount::managementPolicy, roleAssignment] // Lock must be created last
  properties: {
    level: 'ReadOnly'
    notes: 'Prevent changes to Terraform backend configuration'
  }
}
// Values needed for the Terraform azurerm backend block
// (storage_account_name / container_name); neither is sensitive.
@description('The name of the Storage account that was created.')
output storageAccountName string = storageAccount.name

@description('The name of the blob container that was created.')
output containerName string = storageAccount::blobService::container.name