Merge pull request #8 from kumarvna/develop
Identity and blob properties update
kumarvna authored Jul 21, 2021
2 parents 9d9becd + 3f92c28 commit 42df775
Showing 11 changed files with 67 additions and 30 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -5,6 +5,7 @@
# .tfstate files
*.tfstate
*.tfstate.*
*.terraform.lock.hcl

# Crash log files
crash.log
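Review bot: ignoring the dependency lock file is a supply-chain trade-off that the commit message should state. `.terraform.lock.hcl` records the selected provider versions together with their checksums, and HashiCorp's guidance is to commit it for root modules so that every `terraform init` verifies the same provider binaries. For a reusable registry module, ignoring it is defensible because consumers keep their own lock file, but the `examples/` directories are root modules where a committed lock file would pin exactly what the examples were tested against. Also, the pattern `*.terraform.lock.hcl` only matches `.terraform.lock.hcl` because `*` can match the empty string; the plain filename is the conventional entry.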
35 changes: 22 additions & 13 deletions README.md
Expand Up @@ -4,10 +4,10 @@ Terraform Module to create an Azure storage account with a set of containers (an

To defines the kind of account, set the argument to `account_kind = "StorageV2"`. Account kind defaults to `StorageV2`. If you want to change this value to other storage accounts kind, then this module automatically computes the appropriate values for `account_tier`, `account_replication_type`. The valid options are `BlobStorage`, `BlockBlobStorage`, `FileStorage`, `Storage` and `StorageV2`. `static_website` can only be set when the account_kind is set to `StorageV2`.

> **[NOTE]**
> **[!NOTE]**
> **This module now supports the meta arguments including `providers`, `depends_on`, `count`, and `for_each`.**
## resources are supported:
## resources are supported

* [Storage Account](https://www.terraform.io/docs/providers/azurerm/r/storage_account.html)
* [Storage Advanced Threat Protection](https://www.terraform.io/docs/providers/azurerm/r/advanced_threat_protection.html)
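Review bot: the heading `## resources are supported` still reads as a sentence fragment now that the colon is gone; `## Supported resources` would match the other headings in the file. The new `[!NOTE]` callout is GitHub-flavoured syntax, so it renders as a callout on GitHub but may appear as the literal text `[!NOTE]` inside a blockquote on other renderers such as the Terraform Registry page; worth checking where this README is primarily read.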
Expand All @@ -28,7 +28,7 @@ provider "azurerm" {
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
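Review bot: the version bump is consistent with the other examples, but the unchanged context line directly below it still reads `proivde` (typo for `provide`), and the same comment is repeated in every `examples/` README and `main.tf` touched by this commit. Since those files are being edited anyway, folding the typo fix into this change is cheap.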
Expand Down Expand Up @@ -75,7 +75,8 @@ module "storage" {

By default, this module will not create a resource group and the name of an existing resource group to be given in an argument `resource_group_name`. If you want to create a new resource group, set the argument `create_resource_group = true`.

*If you are using an existing resource group, then this module uses the same resource group location to create all resources in this module.*
> [!NOTE]
> *If you are using an existing resource group, then this module uses the same resource group location to create all resources in this module.*
## BlockBlobStorage accounts

Expand Down Expand Up @@ -105,11 +106,16 @@ Azure Files offers fully managed file shares in the cloud that are accessible vi

This module creates the SMB file shares based on your input within an Azure Storage Account. Configure the `quota` for this file share as per your preference. The maximum size of the share, in gigabytes. For Standard storage accounts, this must be greater than `0` and less than `5120` GB (5 TB). For Premium FileStorage storage accounts, this must be greater than `100` GB and less than `102400` GB (100 TB).

## Soft delete for Blob storage
## Soft delete for Blobs or Containers

Soft delete protects blob data from being accidentally or erroneously modified or deleted. When soft delete is enabled for a storage account, blobs, blob versions (preview), and snapshots in that storage account may be recovered after they are deleted, within a retention period that you specify.
Soft delete protects blob data from being accidentally or erroneously modified or deleted. When soft delete is enabled for a storage account, containers, blobs, blob versions, and snapshots in that storage account may be recovered after they are deleted, within a retention period that you specify.

This module allows you to specify the number of days that the blob should be retained period using `soft_delete_retention` argument between 1 and 365 days.
This module allows you to specify the number of days that the blob or container should be retained period using `blob_soft_delete_retention_days` and `container_soft_delete_retention_days` arguments between 1 and 365 days. Default is `7` days.

> [!WARNING]
> Container soft delete can restore only whole containers and their contents at the time of deletion. You cannot restore a deleted blob within a container by using container soft delete. Microsoft recommends also enabling blob soft delete and blob versioning to protect individual blobs in a container.
>
> When you restore a container, you must restore it to its original name. If the original name has been used to create a new container, then you will not be able to restore the soft-deleted container.
## Configure Azure Storage firewalls and virtual networks
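Review bot: this section documents the new argument names but not the upgrade path. `soft_delete_retention` is renamed to `blob_soft_delete_retention_days` and its default drops from 30 to 7 days, so a consumer moving from 2.3.0 to 2.4.0 with the old argument first gets an unsupported-argument error and, after renaming, a shorter recovery window than before. A short "Upgrading to 2.4.0" note listing the renamed argument, the removed `assign_identity`, and the new default would avoid that surprise. The sentence "the number of days that the blob or container should be retained period" should drop "period". The warning block itself is accurate and worth keeping: because a container can only be restored under its original name, reuse of that name removes the recovery option, which is a good reason to pair container soft delete with blob soft delete and versioning as the text recommends.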

Expand All @@ -120,7 +126,7 @@ The default action set to `Allow` when no network rules matched. A `subnet_ids`
```hcl
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# .... omitted
Expand Down Expand Up @@ -153,7 +159,7 @@ This module supports the implementation of storage lifecycle management. If spec
```hcl
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# .... omitted
Expand Down Expand Up @@ -185,8 +191,8 @@ module "storage" {
Applying tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name `Environment` and the value `Production` to all the resources in production.
For recommendations on how to implement a tagging strategy, see Resource naming and tagging decision guide.

>**Important** :
Tag names are case-insensitive for operations. A tag with a tag name, regardless of the casing, is updated or retrieved. However, the resource provider might keep the casing you provide for the tag name. You'll see that casing in cost reports. **Tag values are case-sensitive.**
> [!IMPORTANT]
> Tag names are case-insensitive for operations. A tag with a tag name, regardless of the casing, is updated or retrieved. However, the resource provider might keep the casing you provide for the tag name. You'll see that casing in cost reports. **Tag values are case-sensitive.**
An effective naming convention assembles resource names by using important resource information as parts of a resource's name. For example, using these [recommended naming conventions](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging#example-names), a public IP resource for a production SharePoint workload is named like this: `pip-sharepoint-prod-westus-001`.

Expand Down Expand Up @@ -215,8 +221,11 @@ Name | Description | Type | Default
`skuname`|The SKUs supported by Microsoft Azure Storage. Valid options are Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS|string|`Standard_RAGRS`
`access_tier`|Defines the access tier for BlobStorage and StorageV2 accounts. Valid options are Hot and Cool.|string|`"Hot"`
`min_tls_version`|The minimum supported TLS version for the storage account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2` |string|`"TLS1_2"`
`assign_identity`|Set to `true` to enable system-assigned managed identity, or `false` to disable it.|string|`true`
`soft_delete_retention`|Number of retention days for soft delete. If set to null it will disable soft delete all together.|number|`30`
`blob_soft_delete_retention_days`|Specifies the number of days that the blob should be retained, between `1` and `365` days.|number|`7`
`container_soft_delete_retention_days`|Specifies the number of days that the blob should be retained, between `1` and `365` days.|number|`7`
`enable_versioning`|Is versioning enabled?|string|`false`
`last_access_time_enabled`|Is the last access time based tracking enabled?|string|`false`
`change_feed_enabled`|Is the blob service properties for change feed events enabled?|string|`false`
`enable_advanced_threat_protection`|Controls Advance threat protection plan for Storage account!string|`false`
`network_rules`|Configure Azure storage firewalls and virtual networks|list|`null`
`containers_list`| List of container|list|`[]`
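Review bot: the `container_soft_delete_retention_days` row copies the blob description ("the number of days that the blob should be retained"); it should say container. The table drops the `assign_identity` row but adds no row for the new `identity_ids` variable introduced in `variables.tf`, so the only way to attach user-assigned identities is undocumented. Minor: `enable_versioning`, `last_access_time_enabled` and `change_feed_enabled` are listed with type `string` while their defaults are booleans; `bool` is the type they actually take.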
6 changes: 3 additions & 3 deletions examples/README.md
Expand Up @@ -14,7 +14,7 @@ provider "azurerm" {
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
Expand Down Expand Up @@ -54,7 +54,7 @@ provider "azurerm" {
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
Expand Down Expand Up @@ -94,7 +94,7 @@ provider "azurerm" {
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
2 changes: 1 addition & 1 deletion examples/complete/README.md
Expand Up @@ -10,7 +10,7 @@ provider "azurerm" {
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
2 changes: 1 addition & 1 deletion examples/complete/main.tf
Expand Up @@ -5,7 +5,7 @@ provider "azurerm" {

module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"

# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
2 changes: 1 addition & 1 deletion examples/storage_account_with_containers/README.md
Expand Up @@ -12,7 +12,7 @@ provider "azurerm" {
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
2 changes: 1 addition & 1 deletion examples/storage_account_with_containers/main.tf
Expand Up @@ -5,7 +5,7 @@ provider "azurerm" {

module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"

# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
2 changes: 1 addition & 1 deletion examples/storage_account_with_fileshares/README.md
Expand Up @@ -12,7 +12,7 @@ provider "azurerm" {
module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"
# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
2 changes: 1 addition & 1 deletion examples/storage_account_with_fileshares/main.tf
Expand Up @@ -5,7 +5,7 @@ provider "azurerm" {

module "storage" {
source = "kumarvna/storage/azurerm"
version = "2.3.0"
version = "2.4.0"

# By default, this module will not create a resource group
# proivde a name to use an existing resource group, specify the existing resource group name,
11 changes: 9 additions & 2 deletions main.tf
Expand Up @@ -45,13 +45,20 @@ resource "azurerm_storage_account" "storeacc" {
tags = merge({ "ResourceName" = substr(format("sta%s%s", lower(replace(var.storage_account_name, "/[[:^alnum:]]/", "")), random_string.unique.result), 0, 24) }, var.tags, )

identity {
type = var.assign_identity ? "SystemAssigned" : null
type = var.identity_ids != null ? "SystemAssigned, UserAssigned" : "SystemAssigned"
identity_ids = var.identity_ids
}

blob_properties {
delete_retention_policy {
days = var.soft_delete_retention
days = var.blob_soft_delete_retention_days
}
container_delete_retention_policy {
days = var.container_soft_delete_retention_days
}
versioning_enabled = var.enable_versioning
last_access_time_enabled = var.last_access_time_enabled
change_feed_enabled = var.change_feed_enabled
}

dynamic "network_rules" {
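Review bot: the new `identity` block always creates a system-assigned managed identity; the previous `assign_identity = false` path, documented as disabling the identity, is gone and no replacement toggle exists. An identity with no role assignments grants nothing by itself, but deployments that deliberately did not want one now get it unconditionally, and the change is not called out. Consider keeping an opt-out, for example `type = var.identity_ids != null ? "SystemAssigned, UserAssigned" : (var.assign_identity ? "SystemAssigned" : null)`, or at least documenting the new behaviour. Also, `var.identity_ids != null` treats an empty list as a request for user-assigned identities, which then fails at apply time with nothing to assign; `try(length(var.identity_ids), 0) > 0` is the safer test. The two retention `days` values are passed straight through without a range check, which a `validation` block on the variables would provide.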
32 changes: 26 additions & 6 deletions variables.tf
Expand Up @@ -38,14 +38,29 @@ variable "min_tls_version" {
default = "TLS1_2"
}

variable "assign_identity" {
description = "Set to `true` to enable system-assigned managed identity, or `false` to disable it."
default = true
variable "blob_soft_delete_retention_days" {
description = "Specifies the number of days that the blob should be retained, between `1` and `365` days. Defaults to `7`"
default = 7
}

variable "soft_delete_retention" {
description = "Number of retention days for soft delete. If set to null it will disable soft delete all together."
default = 30
variable "container_soft_delete_retention_days" {
description = "Specifies the number of days that the blob should be retained, between `1` and `365` days. Defaults to `7`"
default = 7
}

variable "enable_versioning" {
description = "Is versioning enabled? Default to `false`"
default = false
}

variable "last_access_time_enabled" {
description = "Is the last access time based tracking enabled? Default to `false`"
default = false
}

variable "change_feed_enabled" {
description = "Is the blob service properties for change feed events enabled?"
default = false
}

variable "enable_advanced_threat_protection" {
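Review bot: none of the new variables declares a `type`, so a value like `blob_soft_delete_retention_days = "seven"` or a quoted boolean is only rejected at apply time, and the documented 1 to 365 range is not enforced at all. Declaring `type = number` and `type = bool` as appropriate and adding a `validation` block, e.g. `condition = var.blob_soft_delete_retention_days >= 1 && var.blob_soft_delete_retention_days <= 365`, turns bad input into a plan-time error. The description for `container_soft_delete_retention_days` is copied from the blob variable and should say container.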
Expand Down Expand Up @@ -88,6 +103,11 @@ variable "lifecycles" {
default = []
}

variable "identity_ids" {
description = "Specifies a list of user managed identity ids to be assigned. This is required when `type` is set to `UserAssigned` or `SystemAssigned, UserAssigned`"
default = null
}

variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
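Review bot: `identity_ids` should declare `type = list(string)` so that a single string or a set is rejected at plan time. The description refers to a `type` that the module user never sets (`main.tf` derives it from whether `identity_ids` is non-null), so it would be clearer to say that supplying this list switches the account to `SystemAssigned, UserAssigned`. The README variable table does not list this new argument.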
