feat: Configure SFTP local user accounts (#13)

* feature: Configure SFTP local user accounts

* update the docs

* lint

* terraform-docs: automated action

* review

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

README.md

@@ -88,6 +88,7 @@ module "storage_account" {
 | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br>  "default"<br>]</pre> | no |
 | <a name="input_last_access_time_enabled"></a> [last\_access\_time\_enabled](#input\_last\_access\_time\_enabled) | Is the last access time based tracking enabled? Default to `false` | `bool` | `false` | no |
 | <a name="input_lifecycles"></a> [lifecycles](#input\_lifecycles) | Configure Azure Storage lifecycles | `list(object({ prefix_match = set(string), tier_to_cool_after_days = number, tier_to_archive_after_days = number, delete_after_days = number, snapshot_delete_after_days = number }))` | `[]` | no |
+| <a name="input_local_users"></a> [local\_users](#input\_local\_users) | List of SFTP users. | <pre>list(object({<br>    name                 = string<br>    home_directory       = optional(string)<br>    ssh_password_enabled = optional(bool)<br>    permissions = list(object({<br>      container   = string<br>      service     = optional(string, "blob")<br>      permissions = optional(list(string), ["All"])<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_location"></a> [location](#input\_location) | Azure datacenter location, where resources will be deployed | `string` | `null` | no |
 | <a name="input_managed_identity_ids"></a> [managed\_identity\_ids](#input\_managed\_identity\_ids) | A list of User Managed Identity ID's which should be assigned to the Linux Virtual Machine | `list(string)` | `null` | no |
 | <a name="input_managed_identity_type"></a> [managed\_identity\_type](#input\_managed\_identity\_type) | The type of Managed Identity which should be assigned to the Linux Virtual Machine. Possible values are `SystemAssigned`, `UserAssigned` and `SystemAssigned, UserAssigned` | `string` | `null` | no |
@@ -128,6 +129,8 @@ module "storage_account" {
 |------|-------------|
 | <a name="output_containers"></a> [containers](#output\_containers) | Map of containers |
 | <a name="output_file_shares"></a> [file\_shares](#output\_file\_shares) | Map of Storage SMB file shares |
+| <a name="output_local_users"></a> [local\_users](#output\_local\_users) | Map of created sftp users. |
+| <a name="output_local_users_credentials"></a> [local\_users\_credentials](#output\_local\_users\_credentials) | Map of created sftp users credentials. |
 | <a name="output_queues"></a> [queues](#output\_queues) | Map of Storage SMB file shares |
 | <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The id of the resource group in which resources are created |
 | <a name="output_resource_group_location"></a> [resource\_group\_location](#output\_resource\_group\_location) | The location of the resource group in which resources are created |
@@ -147,14 +150,14 @@ module "storage_account" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.39 |
 
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.39 |
 
 ## Resources
 
@@ -163,6 +166,7 @@ module "storage_account" {
 | [azurerm_private_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
 | [azurerm_role_assignment.storage_blob_data_readers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_storage_account_local_user.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_local_user) | resource |
 <!-- END_TF_DOCS -->
 
 ## CONTRIBUTING

locals.tf

@@ -13,4 +13,6 @@ locals {
 
   storage_account_id   = one(module.storage[*].storage_account_id)
   storage_account_name = one(module.storage[*].storage_account_name)
+
+  local_users = { for user in var.local_users : user.name => user }
 }

main.tf

@@ -106,3 +106,27 @@ resource "azurerm_private_endpoint" "this" {
 
   tags = module.this.tags
 }
+
+resource "azurerm_storage_account_local_user" "this" {
+  for_each = local.local_users
+
+  name                 = each.value.name
+  storage_account_id   = local.storage_account_id
+  ssh_password_enabled = each.value.ssh_password_enabled
+  home_directory       = each.value.home_directory
+
+  dynamic "permission_scope" {
+    for_each = each.value.permissions
+    content {
+      service       = permission_scope.value.service
+      resource_name = permission_scope.value.container
+      permissions {
+        read   = contains(permission_scope.value.permissions, "All") || contains(permission_scope.value.permissions, "Read")
+        write  = contains(permission_scope.value.permissions, "All") || contains(permission_scope.value.permissions, "Write")
+        delete = contains(permission_scope.value.permissions, "All") || contains(permission_scope.value.permissions, "Delete")
+        list   = contains(permission_scope.value.permissions, "All") || contains(permission_scope.value.permissions, "List")
+        create = contains(permission_scope.value.permissions, "All") || contains(permission_scope.value.permissions, "Create")
+      }
+    }
+  }
+}

outputs.tf

@@ -80,3 +80,23 @@ output "queues" {
   description = "Map of Storage SMB file shares"
   value       = one(module.storage[*].queues)
 }
+
+output "local_users" {
+  description = "Map of created sftp users."
+  value = {
+    for user_name, user in azurerm_storage_account_local_user.this : user_name => {
+      id   = user.id
+      name = user.name
+    }
+  }
+}
+
+output "local_users_credentials" {
+  description = "Map of created sftp users credentials."
+  value = {
+    for user_name, user in azurerm_storage_account_local_user.this : user_name => {
+      password = user.password
+    }
+  }
+  sensitive = true
+}

variables.tf

@@ -199,3 +199,18 @@ variable "descriptor_name" {
   type        = string
   default     = "storage-account" #For backward compatibility reasons
 }
+
+variable "local_users" {
+  description = "List of SFTP users."
+  type = list(object({
+    name                 = string
+    home_directory       = optional(string)
+    ssh_password_enabled = optional(bool)
+    permissions = list(object({
+      container   = string
+      service     = optional(string, "blob")
+      permissions = optional(list(string), ["All"])
+    }))
+  }))
+  default = []
+}

versions.tf

@@ -6,7 +6,7 @@ terraform {
     # tflint-ignore: terraform_unused_required_providers
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.0"
+      version = ">= 3.39"
     }
   }
 }