This module manages an Azure Storage Account, lifecycle policies, containers and storage shares. It is used in the Coalfire-Azure-RAMPpak FedRAMP Framework.
Learn more at Coalfire OpenSource.
- Security-Core
- Storage Account
- Containers
- Storage share
- Lifecycle policy
- CMK key and RBAC Role Assignment
- Monitor diagnostic setting
This module can be called as outlined below.
- Create a `local` folder under `terraform/azure`.
- Create a `main.tf` file in the `local` folder.
- Copy the code below into `main.tf`.
- From the `terraform/azure/local` directory run `terraform init`.
- Run `terraform plan` to review the resources being created.
- If everything looks correct in the plan output, run `terraform apply`.
```hcl
provider "azurerm" {
  features {}
}

module "core_sa" {
  source = "github.com/Coalfire-CF/terraform-azurerm-storage-account?ref=v1.2.11"

  name                       = "${replace(var.resource_prefix, "-", "")}tfstatesa"
  resource_group_name        = azurerm_resource_group.management.name
  location                   = var.location
  account_kind               = "StorageV2"
  ip_rules                   = var.ip_for_remote_access
  diag_log_analytics_id      = azurerm_log_analytics_workspace.core-la.id
  virtual_network_subnet_ids = var.fw_virtual_network_subnet_ids
  tags                       = var.tags

  # OPTIONAL
  public_network_access_enabled = true
  enable_customer_managed_key   = true
  cmk_key_vault_id              = module.core_kv.id
  cmk_key_vault_key_name        = azurerm_key_vault_key.tfstate-cmk.name

  storage_containers = [
    "tfstate"
  ]

  storage_shares = [
    {
      name  = "test"
      quota = 500
    }
  ]

  lifecycle_policies = [
    {
      prefix_match = ["tfstate"]
      version = {
        delete_after_days_since_creation = 90
      }
    }
  ]
}
```
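A locked-down variant of the call above, added here as an example and not taken from the module repository: public network access is disabled so the account is reachable only through a private endpoint, advanced threat protection is on, and replication is ZRS rather than the default GRS. It assumes a subnet `azurerm_subnet.privatelink`, a private DNS zone `azurerm_private_dns_zone.blob`, a Key Vault module `module.core_kv`, and the resource group and workspace names used in the original example.

```hcl
module "audit_sa" {
  source = "github.com/Coalfire-CF/terraform-azurerm-storage-account?ref=v1.2.11"

  name                  = "${replace(var.resource_prefix, "-", "")}auditsa"
  resource_group_name   = azurerm_resource_group.management.name
  location              = var.location
  diag_log_analytics_id = azurerm_log_analytics_workspace.core-la.id
  tags                  = var.tags

  # No public endpoint: the account is only reachable over the private endpoint below.
  # Trusted Azure services (diagnostics, metrics) are still allowed through the bypass.
  public_network_access_enabled = false
  network_rules_bypass          = ["AzureServices"]

  # Private endpoint for the blob service; "blob" is the Azure sub-resource name.
  endpoint_subnet_id                 = azurerm_subnet.privatelink.id    # assumed subnet
  private_dns_zone_id                = azurerm_private_dns_zone.blob.id # assumed zone for privatelink.blob.core.windows.net
  private_endpoint_subresource_names = ["blob"]

  # Customer-managed key encryption; per the resource list the module creates the
  # key (azurerm_key_vault_key.cmk) and the crypto role assignment itself.
  enable_customer_managed_key = true
  cmk_key_vault_id            = module.core_kv.id # assumed Key Vault module

  # Threat detection and zone-redundant replication instead of the default GRS.
  enable_advanced_threat_protection = true
  replication_type                  = "ZRS"

  storage_containers = ["audit"]

  # Expire blob versions under the "audit" prefix after a year.
  lifecycle_policies = [
    {
      prefix_match = ["audit"]
      version = {
        delete_after_days_since_creation = 365
      }
    }
  ]
}
```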
No requirements.

Provider | Version |
---|---|
azurerm | 3.73.0 |

Module | Source | Version |
---|---|---|
diag | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a |
Resource | Type |
---|---|
azurerm_advanced_threat_protection.main | resource |
azurerm_key_vault_key.cmk | resource |
azurerm_private_endpoint.sa | resource |
azurerm_role_assignment.sa_crypto_user | resource |
azurerm_storage_account.main | resource |
azurerm_storage_account_customer_managed_key.main | resource |
azurerm_storage_container.main | resource |
azurerm_storage_management_policy.main | resource |
azurerm_storage_share.main | resource |
Input | Description | Type | Default | Required |
---|---|---|---|---|
account_kind | Account kind for the storage account. | string | "Storagev2" | no |
account_tier | Defines the tier to use for this storage account. Valid options are Standard and Premium. | string | "Standard" | no |
cmk_key_vault_id | The ID of the Key Vault for customer-managed key encryption. | string | null | no |
cross_tenant_replication_enabled | Should cross-tenant replication be enabled? The source storage account is in one AAD tenant and the destination account is in a different tenant. | bool | false | no |
diag_log_analytics_id | ID of the Log Analytics workspace the diagnostic settings should be stored in. | string | n/a | yes |
enable_advanced_threat_protection | Whether advanced threat protection is enabled. | bool | false | no |
enable_customer_managed_key | Whether the storage account should be encrypted with customer-managed keys. | bool | false | no |
endpoint_subnet_id | The ID of the subnet from which private IP addresses will be allocated for this private endpoint. | string | null | no |
identity_ids | Specifies a list of user-assigned managed identity IDs to be assigned to this storage account. | list(string) | null | no |
ip_rules | List of public IPs or IP ranges in CIDR format. Only IPv4 addresses are allowed; private IP address ranges are not allowed. | list(string) | null | no |
is_hns_enabled | Is hierarchical namespace enabled? This can be used with Azure Data Lake Storage Gen 2. | bool | false | no |
lifecycle_policies | List of lifecycle policies to apply to the storage account. Refer to the documentation for more information. | list(object({ | null | no |
location | The Azure location/region to create resources in. | string | n/a | yes |
name | The storage account name. | string | n/a | yes |
network_rules_bypass | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None. | list(string) | null | no |
nfsv3_enabled | Is the NFSv3 protocol enabled? | bool | false | no |
private_dns_zone_id | The ID of the private DNS zone to link to the private endpoint, if applicable. | string | null | no |
private_endpoint_subresource_names | Subresource names the private endpoint is able to connect to. | list(string) | [] | no |
private_link_access | List of the resource IDs of the endpoint resources to be granted access. | list(string) | [] | no |
public_network_access_enabled | Whether public network access is enabled. | bool | false | no |
replication_type | Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Unless you have a specific reason for data without alternate-site requirements, you should use ZRS at minimum. | string | "GRS" | no |
resource_group_name | The name of the resource group in which to create the resources. | string | n/a | yes |
static_website | Enable and configure a static website on the storage account. | map(string) | null | no |
storage_containers | List of storage containers to create. | list(string) | [] | no |
storage_shares | List of storage shares to create and their quotas. | list(object({ | [] | no |
tags | The tags to associate with the resources. | map(string) | n/a | yes |
virtual_network_subnet_ids | A list of resource IDs for subnets to allow access to the storage account. | list(string) | null | no |
Output | Description |
---|---|
container_ids | The IDs of the storage containers |
container_names | The names of the storage containers |
id | Storage Account ID. |
managed_principal_id | System Assigned Managed Identity for the Storage Account. |
name | Storage Account Name. |
primary_access_key | The primary access key for the storage account. |
primary_blob_endpoint | The primary blob endpoint for the storage account. |
primary_connection_string | Primary SA connection string. |
primary_web_endpoint | The primary web endpoint for the storage account. |
storage_shares_ids | Map with storage share ids. |
Copyright © 2023 Coalfire Systems Inc.