getindata/terraform-azurerm-storage-account

Azure Storage Account Terraform Module

Terraform module to create an Azure storage account with a set of containers (and their access level), a set of file shares (and their quota), tables, queues, network policies, lifecycle management, private endpoints, Azure Monitor diagnostics, and RBAC role assignments.

This module is built with a composition pattern and is mainly based on https://github.com/kumarvna/terraform-azurerm-storage. For more information and more detailed documentation on configuration options, please visit the module link.


Usage

module "resource_group" {
  source  = "getindata/resource-group/azurerm"
  version = "1.2.0"
  context = module.this.context

  name     = "example-rg"
  location = "West Europe"
}

module "storage_account" {
  source  = "getindata/storage-account/azurerm"
  version = "1.4.0"
  context = module.this.context

  name = "example"

  location            = module.resource_group.location
  resource_group_name = module.resource_group.name

  # Container lists with access_type to create
  containers_list = [
    {
      name        = "container"
      access_type = "private"
    }
  ]

  depends_on = [module.resource_group]
}

Inputs

Each input is listed as name (type, default, required or optional), followed by its description.

access_tier (string, default "Hot", optional): Defines the access tier for BlobStorage and StorageV2 accounts. Valid options are Hot and Cool.
account_kind (string, default "StorageV2", optional): The type of storage account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2.
additional_tag_map (map(string), default {}, optional): Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id. This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration.
attributes (list(string), default [], optional): ID element. Additional attributes (e.g. workers or cluster) to add to id, in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the delimiter and treated as a single ID element.
blob_soft_delete_retention_days (number, default 7, optional): Specifies the number of days that the blob should be retained, between 1 and 365 days. Defaults to 7.
change_feed_enabled (bool, default false, optional): Whether the change feed is enabled in the blob service properties.
container_soft_delete_retention_days (number, default 7, optional): Specifies the number of days that a deleted container should be retained, between 1 and 365 days. Defaults to 7.
containers_list (list(object({ name = string, access_type = string })), default [], optional): List of containers to create and their access levels.
context (any, optional): Single object for setting the entire context at once. See the description of the individual variables for details. Leave string and numeric variables as null to use the default value. Individual variable settings (non-null) override settings in the context object, except for attributes, tags, and additional_tag_map, which are merged. Default:
  {
    "additional_tag_map": {},
    "attributes": [],
    "delimiter": null,
    "descriptor_formats": {},
    "enabled": true,
    "environment": null,
    "id_length_limit": null,
    "label_key_case": null,
    "label_order": [],
    "label_value_case": null,
    "labels_as_tags": [
      "unset"
    ],
    "name": null,
    "namespace": null,
    "regex_replace_chars": null,
    "stage": null,
    "tags": {},
    "tenant": null
  }
cors_rule (object, default null, optional): A map of CORS rules to add to the storage account. Type: object({ allowed_origins = optional(list(string)), allowed_methods = optional(list(string)), allowed_headers = optional(list(string)), exposed_headers = optional(list(string)), max_age_in_seconds = optional(number) })
create_resource_group (bool, default false, optional): Whether to create a resource group and use it for the storage resources.
delimiter (string, default null, optional): Delimiter to be used between ID elements. Defaults to - (hyphen). Set to "" to use no delimiter at all.
descriptor_formats (any, default {}, optional): Describe additional descriptors to be output in the descriptors output map. Map of maps. Keys are names of descriptors. Values are maps of the form { format = string, labels = list(string) } (the type is any so the map values can later be enhanced to provide additional options). format is a Terraform format string to be passed to the format() function. labels is a list of labels, in order, to pass to the format() function. Label values will be normalized before being passed to format(), so they will be identical to how they appear in id. Default is {} (the descriptors output will be empty).
descriptor_name (string, default "storage-account", optional): Descriptor name.
diagnostics_log_analytics_workspace_id (string, default null, optional): Resource ID of the Log Analytics workspace. Used for diagnostics logs and metrics. If not provided, diagnostics will not be enabled.
enable_advanced_threat_protection (bool, default false, optional): Boolean flag which controls whether advanced threat protection is enabled.
enable_versioning (bool, default false, optional): Is versioning enabled? Defaults to false.
enabled (bool, default null, optional): Set to false to prevent the module from creating any resources.
environment (string, default null, optional): ID element. Usually used for a region, e.g. 'uw2', 'us-west-2', or a role, e.g. 'prod', 'staging', 'dev', 'UAT'.
file_shares (list(object({ name = string, quota = number })), default [], optional): List of file shares to create and their quotas.
id_length_limit (number, default null, optional): Limit id to this many characters (minimum 6). Set to 0 for unlimited length. Set to null to keep the existing setting, which defaults to 0. Does not affect id_full.
is_hns_enabled (bool, default false, optional): Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2.
label_key_case (string, default null, optional): Controls the letter case of the tag keys (label names) for tags generated by this module. Does not affect keys of tags passed in via the tags input. Possible values: lower, title, upper. Default value: title.
label_order (list(string), default null, optional): The order in which the labels (ID elements) appear in the id. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
label_value_case (string, default null, optional): Controls the letter case of ID elements (labels) as included in id, set as tag values, and output by this module individually. Does not affect values of tags passed in via the tags input. Possible values: lower, title, upper and none (no transformation). Set this to title and set delimiter to "" to yield Pascal Case IDs. Default value: lower.
labels_as_tags (set(string), default ["default"], optional): Set of labels (ID elements) to include as tags in the tags output. Default is to include all labels. Tags with empty values will not be included in the tags output. Set to [] to suppress all generated tags. Notes: the value of the name tag, if included, will be the id, not the name. Unlike other null-label inputs, the initial setting of labels_as_tags cannot be changed in later chained modules; attempts to change it will be silently ignored.
last_access_time_enabled (bool, default false, optional): Is last-access-time-based tracking enabled? Defaults to false.
lifecycles (list(object({ prefix_match = set(string), tier_to_cool_after_days = number, tier_to_archive_after_days = number, delete_after_days = number, snapshot_delete_after_days = number })), default [], optional): Configure Azure Storage lifecycles.
local_users (default [], optional): List of SFTP users. Type: list(object({ name = string, home_directory = optional(string), ssh_password_enabled = optional(bool), permissions = list(object({ container = string, service = optional(string, "blob"), permissions = optional(list(string), ["All"]) })) }))
location (string, default null, optional): Azure datacenter location where resources will be deployed.
managed_identity_ids (list(string), default null, optional): A list of User Managed Identity IDs which should be assigned to the storage account.
managed_identity_type (string, default null, optional): The type of Managed Identity which should be assigned to the storage account. Possible values are SystemAssigned, UserAssigned and "SystemAssigned, UserAssigned".
min_tls_version (string, default "TLS1_2", optional): The minimum supported TLS version for the storage account.
name (string, default null, optional): ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a tag. The "name" tag is set to the full id string. There is no tag with the value of the name input.
namespace (string, default null, optional): ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique.
network_rules (object({ bypass = list(string), ip_rules = list(string), subnet_ids = list(string) }), default null, optional): Network rules restricting access to the storage account.
private_endpoint_enabled (bool, default false, optional): Should a Private Endpoint for this storage account be enabled.
private_endpoint_private_dns_zone_ids (list(string), default [], optional): Private DNS Zone IDs associated with the Private Endpoint. They need to match the subresource name.
private_endpoint_subnet_id (string, default null, optional): Subnet ID associated with the Private Endpoint.
private_endpoint_subresource_name (string, default "blob", optional): Subresource name for the Private Endpoint.
queues (list(string), default [], optional): List of storage queues.
regex_replace_chars (string, default null, optional): Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.
resource_group_name (string, required): A container that holds related resources for an Azure solution.
sftp_enabled (bool, default false, optional): Enable SFTP for the storage account.
skuname (string, default "Standard_RAGRS", optional): The SKUs supported by Microsoft Azure Storage. Valid options are Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS.
stage (string, default null, optional): ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'.
storage_blob_data_contributors (list(string), default [], optional): List of principal IDs that will be granted the data contributor role.
storage_blob_data_readers (list(string), default [], optional): List of principal IDs that will be granted the data reader role.
tables (list(string), default [], optional): List of storage tables.
tags (map(string), default {}, optional): Additional tags (e.g. {'BusinessUnit': 'XYZ'}). Neither the tag keys nor the tag values will be modified by this module.
tenant (string, default null, optional): ID element (rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for.
use_raw_name (bool, default false, optional): Don't add the module naming convention.
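The inputs above combine into a locked-down account. The following is an added example, not the module's own code: it uses only inputs documented in this table plus the resource_group and this modules from the Usage section, and every var.* reference, CIDR and ID is an assumed placeholder to be replaced with real values.

```hcl
# Added example (not from the module's README): hardened storage account built
# from the documented inputs. var.* values, the CIDR and all IDs are assumed
# placeholders for this illustration.
module "storage_account_hardened" {
  source  = "getindata/storage-account/azurerm"
  version = "1.4.0"
  context = module.this.context

  name                = "hardened"
  location            = module.resource_group.location
  resource_group_name = module.resource_group.name

  # Transport and account-level hardening
  min_tls_version                   = "TLS1_2"
  enable_advanced_threat_protection = true

  # Data-protection controls: recover from accidental or malicious deletion
  enable_versioning                    = true
  change_feed_enabled                  = true
  blob_soft_delete_retention_days      = 30
  container_soft_delete_retention_days = 30

  # Network isolation: only trusted Azure services, one office egress range
  # (TEST-NET-3 placeholder) and the listed subnets may reach the account.
  # All three attributes are required by the network_rules object type.
  network_rules = {
    bypass     = ["AzureServices"]
    ip_rules   = ["203.0.113.0/24"]   # placeholder CIDR
    subnet_ids = [var.app_subnet_id]  # assumed variable
  }

  # Private endpoint for the blob sub-resource; the DNS zone must match it
  private_endpoint_enabled              = true
  private_endpoint_subnet_id            = var.pe_subnet_id        # assumed variable
  private_endpoint_subresource_name     = "blob"
  private_endpoint_private_dns_zone_ids = [var.blob_dns_zone_id]  # assumed variable

  # Ship diagnostics logs and metrics to Log Analytics for detection
  diagnostics_log_analytics_workspace_id = var.log_analytics_id  # assumed variable

  # Identity-based data-plane access instead of shared account keys
  storage_blob_data_readers      = [var.reader_principal_id]  # assumed variable
  storage_blob_data_contributors = [var.writer_principal_id]  # assumed variable

  containers_list = [{ name = "data", access_type = "private" }]

  depends_on = [module.resource_group]
}
```

Because the module also exports the account keys and connection string as outputs, they are recorded in Terraform state; granting access through storage_blob_data_readers and storage_blob_data_contributors keeps consumers on RBAC rather than on those shared keys.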

Modules

Name Source Version
diagnostic_settings claranet/diagnostic-settings/azurerm 6.2.0
resource_group getindata/resource-group/azurerm 1.1.0
storage github.com/getindata/terraform-azurerm-storage 2.9.0
this cloudposse/label/null 0.25.0
this_private_endpoint_label cloudposse/label/null 0.25.0

Outputs

Name Description
containers Map of containers
file_shares Map of Storage SMB file shares
local_users Map of created SFTP users
local_users_credentials Map of created SFTP user credentials
queues Map of storage queues
resource_group_id The id of the resource group in which resources are created
resource_group_location The location of the resource group in which resources are created
resource_group_name The name of the resource group in which resources are created
storage_account_id The ID of the storage account
storage_account_name The name of the storage account
storage_account_primary_blob_endpoint The endpoint URL for blob storage in the primary location
storage_account_primary_location The primary location of the storage account
storage_account_primary_web_endpoint The endpoint URL for web storage in the primary location
storage_account_primary_web_host The hostname with port if applicable for web storage in the primary location
storage_primary_access_key The primary access key for the storage account
storage_primary_connection_string The primary connection string for the storage account
storage_secondary_access_key The secondary access key for the storage account
tables Map of storage tables

Providers

Name Version
azurerm >= 3.39

Requirements

Name Version
terraform >= 1.3
azurerm >= 3.39

Resources

Name Type
azurerm_private_endpoint.this resource
azurerm_role_assignment.storage_blob_data_readers resource
azurerm_role_assignment.this resource
azurerm_storage_account_local_user.this resource

CONTRIBUTING

Contributions are very welcome!

Start by reviewing the contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.

AUTHORS

Made with contrib.rocks.