Add storage defender support (#2030)

* Add storage defender support * Update modules/storage_account/storage_defender.tf Co-authored-by: Arnaud Lheureux <arnaudlh@users.noreply.github.com> * Update modules/storage_account/storage_defender.tf Co-authored-by: Arnaud Lheureux <arnaudlh@users.noreply.github.com> * Update modules/storage_account/storage_defender.tf Co-authored-by: Arnaud Lheureux <arnaudlh@users.noreply.github.com> * Update modules/storage_account/storage_defender.tf Co-authored-by: Arnaud Lheureux <arnaudlh@users.noreply.github.com> * Added example --------- Co-authored-by: Arnaud Lheureux <arnaudlh@users.noreply.github.com>
aztfmod · Jul 23, 2024 · edf2616 · edf2616
1 parent 9706af0
commit edf2616
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 0 deletions.
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
@@ -119,6 +119,7 @@
     "storage_accounts/107-storage-account-management-policy",
     "storage_accounts/109-storage-account-advanced-options-cmk",
     "storage_accounts/110-file-share-with-acl",
+    "storage_accounts/112-storage-account-with-defender",
     "storage_container/101-storage_container",
     "synapse_analytics/100-synapse",
     "synapse_analytics/101-synapse-sparkpool",

diff --git a/examples/storage_accounts/112-storage-account-with-defender/configuration.tfvars b/examples/storage_accounts/112-storage-account-with-defender/configuration.tfvars
@@ -0,0 +1,49 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+}
+
+resource_groups = {
+  test = {
+    name = "storage-account-defender"
+  }
+}
+
+# https://docs.microsoft.com/en-us/azure/storage/
+storage_accounts = {
+  sa1 = {
+    name = "sa1dev"
+    # This option is to enable remote RG reference
+    # resource_group = {
+    #   lz_key = ""
+    #   key    = ""
+    # }
+
+    resource_group_key = "test"
+    # Account types are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2
+    account_kind = "BlobStorage"
+    # Account Tier options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid.
+    account_tier = "Standard"
+    #  Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS
+    account_replication_type = "LRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
+    tags = {
+      environment = "dev"
+      team        = "IT"
+      ##
+    }
+    containers = {
+      dev = {
+        name = "random"
+      }
+    }
+
+    defender = {
+      override_subscription_settings              = true
+      malware_scanning_on_upload                  = true
+      malware_scanning_on_upload_cap_gb_per_month = 10
+      sensitive_data_discovery_enabled            = false
+    }
+  }
+}
diff --git a/modules/storage_account/storage_defender.tf b/modules/storage_account/storage_defender.tf
@@ -0,0 +1,9 @@
+resource "azurerm_security_center_storage_defender" "defender" {
+  count = can(var.storage_account.defender) ? 1 : 0
+
+  storage_account_id                          = azurerm_storage_account.stg.id
+  override_subscription_settings_enabled      = try(var.storage_account.defender.override_subscription_settings, null)
+  malware_scanning_on_upload_enabled          = try(var.storage_account.defender.malware_scanning_on_upload, null)
+  malware_scanning_on_upload_cap_gb_per_month = try(var.storage_account.defender.malware_scanning_on_upload_cap_gb_per_month, null)
+  sensitive_data_discovery_enabled            = try(var.storage_account.defender.sensitive_data_discovery_enabled, null)
+}