terraform-azurerm-storage-account

Description

This module manages an Azure Storage Account, lifecycle policies, containers and storage shares. It is used in the Coalfire-Azure-RAMPpak FedRAMP Framework.

Learn more at Coalfire OpenSource.

Dependencies

  • Security-Core

Resource List

  • Storage Account
  • Containers
  • Storage share
  • Lifecycle policy
  • CMK key and RBAC Role Assignment
  • Monitor diagnostic setting

Usage

This module can be called as outlined below.

  • Create a local folder under terraform/azure.
  • Create a main.tf file in the local folder.
  • Copy the code below into main.tf.
  • From the terraform/azure/local directory run terraform init.
  • Run terraform plan to review the resources being created.
  • If everything looks correct in the plan output, run terraform apply.

provider "azurerm" {
  features {}
}

module "core_sa" {
  source                     = "github.com/Coalfire-CF/terraform-azurerm-storage-account?ref=v1.2.11"
  name                       = "${replace(var.resource_prefix, "-", "")}tfstatesa"
  resource_group_name        = azurerm_resource_group.management.name
  location                   = var.location
  account_kind               = "StorageV2"
  ip_rules                   = var.ip_for_remote_access
  diag_log_analytics_id      = azurerm_log_analytics_workspace.core-la.id
  virtual_network_subnet_ids = var.fw_virtual_network_subnet_ids
  tags                       = var.tags

  #OPTIONAL
  public_network_access_enabled = true
  enable_customer_managed_key   = true
  cmk_key_vault_id              = module.core_kv.id
  cmk_key_vault_key_name        = azurerm_key_vault_key.tfstate-cmk.name
  storage_containers = [
    "tfstate"
  ]
  storage_shares = [
    {
      name = "test"
      quota = 500
    }
  ]
  lifecycle_policies = [
    {
      prefix_match = ["tfstate"]
      version = {
        delete_after_days_since_creation = 90
      }
    }
  ]
}

Requirements

No requirements.

Providers

| Name    | Version |
|---------|---------|
| azurerm | 3.73.0  |

Modules

| Name | Source                                                | Version |
|------|-------------------------------------------------------|---------|
| diag | github.com/Coalfire-CF/terraform-azurerm-diagnostics | n/a     |

Resources

| Name                                               | Type     |
|----------------------------------------------------|----------|
| azurerm_advanced_threat_protection.main            | resource |
| azurerm_key_vault_key.cmk                          | resource |
| azurerm_private_endpoint.sa                        | resource |
| azurerm_role_assignment.sa_crypto_user             | resource |
| azurerm_storage_account.main                       | resource |
| azurerm_storage_account_customer_managed_key.main  | resource |
| azurerm_storage_container.main                     | resource |
| azurerm_storage_management_policy.main             | resource |
| azurerm_storage_share.main                         | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_kind | Account Kind for the Storage Account | string | "Storagev2" | no |
| account_tier | Defines the Tier to use for this storage account. Valid options are Standard and Premium. | string | "Standard" | no |
| cmk_key_vault_id | The ID of the Key Vault for Customer Managed Key encryption. | string | null | no |
| cross_tenant_replication_enabled | Should cross-tenant replication be enabled? The source storage account is in one AAD tenant and the destination account is in a different tenant. | bool | false | no |
| diag_log_analytics_id | ID of the Log Analytics workspace the diagnostic settings should be stored in. | string | n/a | yes |
| enable_advanced_threat_protection | Whether advanced threat protection is enabled. | bool | false | no |
| enable_customer_managed_key | Whether the storage account should be encrypted with customer managed keys. | bool | false | no |
| endpoint_subnet_id | The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint. | string | null | no |
| identity_ids | Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. | list(string) | null | no |
| ip_rules | List of public IPs or IP ranges in CIDR format. Only IPv4 addresses are allowed. Private IP address ranges are not allowed. | list(string) | null | no |
| is_hns_enabled | Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2. | bool | false | no |
| lifecycle_policies | List of lifecycle policies to apply to the storage account. Refer to the documentation for more information. | list(object({ prefix_match = set(string), base_blob = optional(object({ tier_to_cool_after_days_since_modification_greater_than = optional(number), tier_to_cool_after_days_since_last_access_time_greater_than = optional(number), tier_to_archive_after_days_since_modification_greater_than = optional(number), tier_to_archive_after_days_since_last_access_time_greater_than = optional(number), tier_to_archive_after_days_since_last_tier_change_greater_than = optional(number), delete_after_days_since_modification_greater_than = optional(number), delete_after_days_since_last_access_time_greater_than = optional(number) })), version = optional(object({ tier_to_cool_after_days_since_modification_greater_than = optional(number), change_tier_to_archive_after_days_since_creation = optional(number), tier_to_archive_after_days_since_last_tier_change_greater_than = optional(number), change_tier_to_cool_after_days_since_creation = optional(number), delete_after_days_since_creation = optional(number) })), snapshot = optional(object({ change_tier_to_archive_after_days_since_creation = optional(number), tier_to_archive_after_days_since_last_tier_change_greater_than = optional(number), change_tier_to_cool_after_days_since_creation = optional(number), delete_after_days_since_creation_greater_than = optional(number) })) })) | null | no |
| location | The Azure location/region to create resources in. | string | n/a | yes |
| name | The storage account name. | string | n/a | yes |
| network_rules_bypass | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None. | list(string) | null | no |
| nfsv3_enabled | Is the NFSv3 protocol enabled? | bool | false | no |
| private_dns_zone_id | The ID of the private DNS zone to link to the private endpoint, if applicable. | string | null | no |
| private_endpoint_subresource_names | Subresource names which the private endpoint is able to connect to. | list(string) | [] | no |
| private_link_access | List of the resource IDs of the endpoint resources to be granted access. | list(string) | [] | no |
| public_network_access_enabled | Whether public network access is enabled. | bool | false | no |
| replication_type | Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Unless you have a specific reason for keeping data that has no alternate-site requirement, you should use at least ZRS. | string | "GRS" | no |
| resource_group_name | The name of the resource group in which to create the resources. | string | n/a | yes |
| static_website | Enable and configure a static website on the storage account. | map(string) | null | no |
| storage_containers | List of storage containers to create. | list(string) | [] | no |
| storage_shares | List of storage shares to create and their quotas. | list(object({ name = string, quota = number })) | [] | no |
| tags | The tags to associate with the resources. | map(string) | n/a | yes |
| virtual_network_subnet_ids | A list of resource IDs for subnets to allow access to the storage account. | list(string) | null | no |
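The module call below is an added example, not part of the Coalfire module's README, showing a locked-down configuration built only from the inputs documented in the table above: public network access off with a private endpoint, zone-redundant replication instead of the GRS default, Defender (advanced threat protection) on, customer-managed-key encryption, and a lifecycle policy that tiers and expires audit data, its versions and its snapshots. Every referenced resource and module (azurerm_resource_group.app, azurerm_log_analytics_workspace.app_la, azurerm_subnet.app, azurerm_subnet.private_endpoints, azurerm_private_dns_zone.blob, module.app_kv) and the variables var.resource_prefix, var.location and var.tags are assumed to exist in the calling configuration.

```hcl
# Added example (not from the module's README): a locked-down storage account
# using only the inputs documented in the Inputs table. All referenced
# resources, modules and variables are assumed names from the calling config.
provider "azurerm" {
  features {}
}

module "app_sa" {
  source              = "github.com/Coalfire-CF/terraform-azurerm-storage-account?ref=v1.2.11"
  name                = "${replace(var.resource_prefix, "-", "")}appsa"
  resource_group_name = azurerm_resource_group.app.name
  location            = var.location
  account_kind        = "StorageV2"
  account_tier        = "Standard"

  # Zone-redundant rather than the GRS default: no cross-region copy unless
  # the data actually has an alternate-site requirement.
  replication_type                 = "ZRS"
  cross_tenant_replication_enabled = false
  diag_log_analytics_id            = azurerm_log_analytics_workspace.app_la.id
  tags                             = var.tags

  # Network: no public endpoint at all, so ip_rules stays unset; the account is
  # reached over a private endpoint in the private-endpoints subnet, and only
  # trusted Azure services bypass the network rules.
  public_network_access_enabled      = false
  network_rules_bypass               = ["AzureServices"]
  virtual_network_subnet_ids         = [azurerm_subnet.app.id]
  endpoint_subnet_id                 = azurerm_subnet.private_endpoints.id
  private_dns_zone_id                = azurerm_private_dns_zone.blob.id
  private_endpoint_subresource_names = ["blob"]

  # Data protection: customer-managed key from the assumed Key Vault module and
  # Defender for Storage (azurerm_advanced_threat_protection.main) enabled.
  enable_customer_managed_key       = true
  cmk_key_vault_id                  = module.app_kv.id
  enable_advanced_threat_protection = true

  storage_containers = ["audit-logs", "exports"]

  # Lifecycle policy scoped to the audit-logs container: tier blobs to cool after
  # 30 days, archive after 90, delete after 365; keep old versions for 30 days
  # and snapshots for 14 days. Field names come from the lifecycle_policies type.
  lifecycle_policies = [
    {
      prefix_match = ["audit-logs"]
      base_blob = {
        tier_to_cool_after_days_since_modification_greater_than    = 30
        tier_to_archive_after_days_since_modification_greater_than = 90
        delete_after_days_since_modification_greater_than          = 365
      }
      version = {
        delete_after_days_since_creation = 30
      }
      snapshot = {
        delete_after_days_since_creation_greater_than = 14
      }
    }
  ]
}
```

When reviewing the plan for this call, expect azurerm_private_endpoint.sa, azurerm_advanced_threat_protection.main, azurerm_storage_account_customer_managed_key.main and azurerm_storage_management_policy.main from the Resources table to appear alongside the storage account; if the private endpoint is missing, check endpoint_subnet_id and private_endpoint_subresource_names first, since with public_network_access_enabled set to false there is no other path to the data.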

Outputs

| Name | Description |
|------|-------------|
| container_ids | The IDs of the storage containers. |
| container_names | The names of the storage containers. |
| id | Storage Account ID. |
| managed_principal_id | System Assigned Managed Identity for the Storage Account. |
| name | Storage Account Name. |
| primary_access_key | The primary access key for the storage account. |
| primary_blob_endpoint | The primary blob endpoint for the storage account. |
| primary_connection_string | Primary SA connection string. |
| primary_web_endpoint | The primary web endpoint for the storage account. |
| storage_shares_ids | Map with storage share IDs. |

Contributing

Start Here

License

License

Contact Us

Coalfire

Copyright

Copyright © 2023 Coalfire Systems Inc.