# Identity of the principal Terraform is running as (tenant / subscription /
# object ids). Nothing in this file reads it, so it presumably feeds locals or
# outputs elsewhere in the module — confirm before removing.
data "azurerm_client_config" "this" {
}
# Resolve the caller-supplied resource group. The storage account below uses
# local.location, which is presumably derived from this lookup (locals are not
# defined in this file — confirm).
data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}
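# The storage account itself.
#
# Every security-relevant setting (TLS floor, HTTPS-only, shared-key auth,
# OAuth-by-default, public network access, anonymous blob access, infrastructure
# encryption, SFTP) is passed straight through from module variables. The
# effective posture is therefore whatever the variable defaults and the caller
# provide; those defaults live in variables.tf, which is not part of this file.
#
# Network ACLs can be declared in one of two places, selected by
# var.use_nested_nacl: inline here (nested `network_rules` block) or via the
# separate azurerm_storage_account_network_rules resource further down. Exactly
# one of them renders for a given value of the flag, so the two never fight
# over the same setting.
#
# The customer-managed key is owned by azurerm_storage_account_customer_managed_key
# below, which is why customer_managed_key is in ignore_changes here.
resource "azurerm_storage_account" "this" {
  # Required core attributes.
  account_replication_type = var.account_replication_type
  account_tier             = var.account_tier
  location                 = local.location
  name                     = var.name
  resource_group_name      = var.resource_group_name

  # Account shape.
  access_tier              = var.access_tier
  account_kind             = var.account_kind
  edge_zone                = var.edge_zone
  is_hns_enabled           = var.is_hns_enabled
  large_file_share_enabled = var.large_file_share_enabled
  nfsv3_enabled            = var.nfsv3_enabled
  sftp_enabled             = var.sftp_enabled
  tags                     = var.tags

  # Transport and authentication controls — all caller-driven, see header comment.
  allow_nested_items_to_be_public  = var.allow_nested_items_to_be_public
  allowed_copy_scope               = var.allowed_copy_scope
  cross_tenant_replication_enabled = var.cross_tenant_replication_enabled
  default_to_oauth_authentication  = var.default_to_oauth_authentication
  enable_https_traffic_only        = var.enable_https_traffic_only
  min_tls_version                  = var.min_tls_version
  public_network_access_enabled    = var.public_network_access_enabled
  shared_access_key_enabled        = var.shared_access_key_enabled

  # Encryption options for the queue/table services and the second encryption layer.
  infrastructure_encryption_enabled = var.infrastructure_encryption_enabled
  queue_encryption_key_type         = var.queue_encryption_key_type
  table_encryption_key_type         = var.table_encryption_key_type

  # Identity-based auth for Azure Files (AD DS / Entra DS). Only rendered when
  # the caller supplies the object; the active_directory sub-block is likewise
  # optional inside it.
  dynamic "azure_files_authentication" {
    for_each = var.azure_files_authentication == null ? [] : [var.azure_files_authentication]

    content {
      directory_type = azure_files_authentication.value.directory_type

      dynamic "active_directory" {
        for_each = azure_files_authentication.value.active_directory == null ? [] : [azure_files_authentication.value.active_directory]

        content {
          domain_guid         = active_directory.value.domain_guid
          domain_name         = active_directory.value.domain_name
          domain_sid          = active_directory.value.domain_sid
          forest_name         = active_directory.value.forest_name
          netbios_domain_name = active_directory.value.netbios_domain_name
          storage_sid         = active_directory.value.storage_sid
        }
      }
    }
  }

  # Blob service settings: versioning, change feed, soft-delete retention for
  # blobs and containers, point-in-time restore and CORS.
  dynamic "blob_properties" {
    for_each = var.blob_properties == null ? [] : [var.blob_properties]

    content {
      change_feed_enabled           = blob_properties.value.change_feed_enabled
      change_feed_retention_in_days = blob_properties.value.change_feed_retention_in_days
      default_service_version       = blob_properties.value.default_service_version
      last_access_time_enabled      = blob_properties.value.last_access_time_enabled
      versioning_enabled            = blob_properties.value.versioning_enabled

      dynamic "container_delete_retention_policy" {
        for_each = blob_properties.value.container_delete_retention_policy == null ? [] : [blob_properties.value.container_delete_retention_policy]

        content {
          days = container_delete_retention_policy.value.days
        }
      }

      # cors_rule is a list, so it is iterated directly rather than wrapped.
      dynamic "cors_rule" {
        for_each = blob_properties.value.cors_rule == null ? [] : blob_properties.value.cors_rule

        content {
          allowed_headers    = cors_rule.value.allowed_headers
          allowed_methods    = cors_rule.value.allowed_methods
          allowed_origins    = cors_rule.value.allowed_origins
          exposed_headers    = cors_rule.value.exposed_headers
          max_age_in_seconds = cors_rule.value.max_age_in_seconds
        }
      }

      dynamic "delete_retention_policy" {
        for_each = blob_properties.value.delete_retention_policy == null ? [] : [blob_properties.value.delete_retention_policy]

        content {
          days = delete_retention_policy.value.days
        }
      }

      dynamic "restore_policy" {
        for_each = blob_properties.value.restore_policy == null ? [] : [blob_properties.value.restore_policy]

        content {
          days = restore_policy.value.days
        }
      }
    }
  }

  dynamic "custom_domain" {
    for_each = var.custom_domain == null ? [] : [var.custom_domain]

    content {
      name          = custom_domain.value.name
      use_subdomain = custom_domain.value.use_subdomain
    }
  }

  # Managed identity. The block only renders when at least one identity kind is
  # requested; the type string is derived from which kinds are present.
  dynamic "identity" {
    for_each = (var.managed_identities.system_assigned || length(var.managed_identities.user_assigned_resource_ids) > 0) ? { this = var.managed_identities } : {}

    content {
      type         = identity.value.system_assigned && length(identity.value.user_assigned_resource_ids) > 0 ? "SystemAssigned, UserAssigned" : length(identity.value.user_assigned_resource_ids) > 0 ? "UserAssigned" : "SystemAssigned"
      identity_ids = identity.value.user_assigned_resource_ids
    }
  }

  # Account-level immutability (WORM) policy.
  dynamic "immutability_policy" {
    for_each = var.immutability_policy == null ? [] : [var.immutability_policy]

    content {
      allow_protected_append_writes = immutability_policy.value.allow_protected_append_writes
      period_since_creation_in_days = immutability_policy.value.period_since_creation_in_days
      state                         = immutability_policy.value.state
    }
  }

  # Inline network ACL — rendered only in nested mode and only when rules were
  # supplied. When var.network_rules is null in either mode no ACL is created
  # at all, so the service default applies (presumably allow-from-all; confirm
  # against the variable default and provider docs).
  dynamic "network_rules" {
    for_each = (var.use_nested_nacl && var.network_rules != null) ? [var.network_rules] : []

    content {
      default_action             = network_rules.value.default_action
      bypass                     = network_rules.value.bypass
      ip_rules                   = network_rules.value.ip_rules
      virtual_network_subnet_ids = network_rules.value.virtual_network_subnet_ids

      # Read through the iterator like every other nested block in this
      # resource rather than reaching back to var.network_rules. The values are
      # identical, but the iterator form keeps the block self-contained.
      dynamic "private_link_access" {
        for_each = network_rules.value.private_link_access == null ? [] : network_rules.value.private_link_access

        content {
          endpoint_resource_id = private_link_access.value.endpoint_resource_id
          endpoint_tenant_id   = private_link_access.value.endpoint_tenant_id
        }
      }
    }
  }

  # Queue service settings: CORS, metrics and request logging.
  dynamic "queue_properties" {
    for_each = var.queue_properties == null ? [] : [var.queue_properties]

    content {
      dynamic "cors_rule" {
        for_each = queue_properties.value.cors_rule == null ? [] : queue_properties.value.cors_rule

        content {
          allowed_headers    = cors_rule.value.allowed_headers
          allowed_methods    = cors_rule.value.allowed_methods
          allowed_origins    = cors_rule.value.allowed_origins
          exposed_headers    = cors_rule.value.exposed_headers
          max_age_in_seconds = cors_rule.value.max_age_in_seconds
        }
      }

      dynamic "hour_metrics" {
        for_each = queue_properties.value.hour_metrics == null ? [] : [queue_properties.value.hour_metrics]

        content {
          enabled               = hour_metrics.value.enabled
          version               = hour_metrics.value.version
          include_apis          = hour_metrics.value.include_apis
          retention_policy_days = hour_metrics.value.retention_policy_days
        }
      }

      dynamic "logging" {
        for_each = queue_properties.value.logging == null ? [] : [queue_properties.value.logging]

        content {
          delete                = logging.value.delete
          read                  = logging.value.read
          version               = logging.value.version
          write                 = logging.value.write
          retention_policy_days = logging.value.retention_policy_days
        }
      }

      dynamic "minute_metrics" {
        for_each = queue_properties.value.minute_metrics == null ? [] : [queue_properties.value.minute_metrics]

        content {
          enabled               = minute_metrics.value.enabled
          version               = minute_metrics.value.version
          include_apis          = minute_metrics.value.include_apis
          retention_policy_days = minute_metrics.value.retention_policy_days
        }
      }
    }
  }

  dynamic "routing" {
    for_each = var.routing == null ? [] : [var.routing]

    content {
      choice                      = routing.value.choice
      publish_internet_endpoints  = routing.value.publish_internet_endpoints
      publish_microsoft_endpoints = routing.value.publish_microsoft_endpoints
    }
  }

  # Upper bound on SAS token lifetime and what happens when it is exceeded.
  dynamic "sas_policy" {
    for_each = var.sas_policy == null ? [] : [var.sas_policy]

    content {
      expiration_period = sas_policy.value.expiration_period
      expiration_action = sas_policy.value.expiration_action
    }
  }

  # File share settings: CORS, share soft-delete retention and SMB protocol
  # hardening (allowed versions, auth types, channel / ticket encryption).
  dynamic "share_properties" {
    for_each = var.share_properties == null ? [] : [var.share_properties]

    content {
      dynamic "cors_rule" {
        for_each = share_properties.value.cors_rule == null ? [] : share_properties.value.cors_rule

        content {
          allowed_headers    = cors_rule.value.allowed_headers
          allowed_methods    = cors_rule.value.allowed_methods
          allowed_origins    = cors_rule.value.allowed_origins
          exposed_headers    = cors_rule.value.exposed_headers
          max_age_in_seconds = cors_rule.value.max_age_in_seconds
        }
      }

      dynamic "retention_policy" {
        for_each = share_properties.value.retention_policy == null ? [] : [share_properties.value.retention_policy]

        content {
          days = retention_policy.value.days
        }
      }

      dynamic "smb" {
        for_each = share_properties.value.smb == null ? [] : [share_properties.value.smb]

        content {
          authentication_types            = smb.value.authentication_types
          channel_encryption_type         = smb.value.channel_encryption_type
          kerberos_ticket_encryption_type = smb.value.kerberos_ticket_encryption_type
          multichannel_enabled            = smb.value.multichannel_enabled
          versions                        = smb.value.versions
        }
      }
    }
  }

  dynamic "static_website" {
    for_each = var.static_website == null ? [] : [var.static_website]

    content {
      error_404_document = static_website.value.error_404_document
      index_document     = static_website.value.index_document
    }
  }

  dynamic "timeouts" {
    for_each = var.timeouts == null ? [] : [var.timeouts]

    content {
      create = timeouts.value.create
      delete = timeouts.value.delete
      read   = timeouts.value.read
      update = timeouts.value.update
    }
  }

  lifecycle {
    # The CMK is managed by azurerm_storage_account_customer_managed_key.this;
    # without this, the two resources would perpetually diff against each other.
    ignore_changes = [
      customer_managed_key
    ]
  }
}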
# SFTP local users on the account, one per entry in var.local_user.
#
# Each user is scoped to explicit container/share permissions (permission_scope)
# and authenticates with SSH keys and/or a password, as selected per user. SSH
# public keys are supplied in configuration; when ssh_password_enabled is set
# the password is generated on the Azure side and is presumably surfaced as a
# resource attribute, which would place it in Terraform state — verify against
# the provider docs and treat state accordingly.
resource "azurerm_storage_account_local_user" "this" {
  for_each = var.local_user

  storage_account_id = azurerm_storage_account.this.id
  name               = each.value.name
  home_directory     = each.value.home_directory

  # Authentication methods for this user.
  ssh_key_enabled      = each.value.ssh_key_enabled
  ssh_password_enabled = each.value.ssh_password_enabled

  # Per-resource permissions. `x[*]` is the splat idiom: null -> no blocks,
  # a list -> one block per element.
  dynamic "permission_scope" {
    for_each = each.value.permission_scope[*]

    content {
      service       = permission_scope.value.service
      resource_name = permission_scope.value.resource_name

      # permissions is a required object inside each scope, so it is wrapped
      # without a null guard.
      dynamic "permissions" {
        for_each = [permission_scope.value.permissions]

        content {
          create = permissions.value.create
          delete = permissions.value.delete
          list   = permissions.value.list
          read   = permissions.value.read
          write  = permissions.value.write
        }
      }
    }
  }

  dynamic "ssh_authorized_key" {
    for_each = each.value.ssh_authorized_key[*]

    content {
      description = ssh_authorized_key.value.description
      key         = ssh_authorized_key.value.key
    }
  }

  dynamic "timeouts" {
    for_each = each.value.timeouts[*]

    content {
      create = timeouts.value.create
      delete = timeouts.value.delete
      read   = timeouts.value.read
      update = timeouts.value.update
    }
  }
}
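# Customer-managed encryption key for the account, managed as its own resource
# so the account can be created first and then pointed at the Key Vault key
# (azurerm_storage_account.this ignores changes to customer_managed_key for
# this reason).
#
# The identity given as user_assigned_identity_id is the one Azure uses to
# reach the key; it presumably needs to be assigned to the account via
# var.managed_identities and have wrap/unwrap access on the vault. Neither of
# those is validated here — the precondition below only checks account
# kind/tier. Leaving key_version null presumably lets the service track the
# latest key version; confirm against the provider docs before relying on it.
resource "azurerm_storage_account_customer_managed_key" "this" {
  count = var.customer_managed_key != null ? 1 : 0

  storage_account_id        = azurerm_storage_account.this.id
  key_vault_id              = var.customer_managed_key.key_vault_resource_id
  key_name                  = var.customer_managed_key.key_name
  key_version               = var.customer_managed_key.key_version
  user_assigned_identity_id = var.customer_managed_key.user_assigned_identity_resource_id

  lifecycle {
    precondition {
      condition = (var.account_kind == "StorageV2" || var.account_tier == "Premium")
      # The message previously also claimed an identity-type requirement that
      # this condition does not check; it now describes only what is enforced.
      error_message = "`var.customer_managed_key` can only be set when the `account_kind` is set to `StorageV2` or `account_tier` set to `Premium`."
    }
  }
}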
# RBAC assignments scoped to the storage account, one per entry in
# var.role_assignments.
#
# The caller may pass either a role definition resource ID or a role name in
# role_definition_id_or_name. The two are told apart by a case-insensitive
# search for local.role_definition_resource_substring (defined outside this
# file — presumably the "/roleDefinitions/" path fragment; confirm), and the
# matching provider attribute is populated while the other is left null.
resource "azurerm_role_assignment" "storage_account" {
  for_each = var.role_assignments

  scope        = azurerm_storage_account.this.id
  principal_id = each.value.principal_id

  # Exactly one of the two role_definition_* attributes is non-null.
  role_definition_id   = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? each.value.role_definition_id_or_name : null
  role_definition_name = !strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? each.value.role_definition_id_or_name : null

  # Optional ABAC condition plus the delegated-identity and AAD-check
  # pass-throughs; all caller-controlled.
  condition                              = each.value.condition
  condition_version                      = each.value.condition_version
  delegated_managed_identity_resource_id = each.value.delegated_managed_identity_resource_id
  skip_service_principal_aad_check       = each.value.skip_service_principal_aad_check
}
# Network ACL as a standalone resource. Used instead of the nested block in
# azurerm_storage_account.this when var.use_nested_nacl is false; the two are
# mutually exclusive for a given flag value. Keeping the ACL separate lets it
# be ordered after the private endpoints (depends_on below), so a
# deny-by-default rule set does not cut off the account before the private
# path exists.
resource "azurerm_storage_account_network_rules" "this" {
  # Render only in standalone mode and only when rules were actually supplied.
  count = (!var.use_nested_nacl && var.network_rules != null) ? 1 : 0

  storage_account_id         = azurerm_storage_account.this.id
  default_action             = var.network_rules.default_action
  bypass                     = var.network_rules.bypass
  ip_rules                   = var.network_rules.ip_rules
  virtual_network_subnet_ids = var.network_rules.virtual_network_subnet_ids

  # `x[*]` is the splat idiom: null -> no blocks, list -> one block per element.
  dynamic "private_link_access" {
    for_each = var.network_rules.private_link_access[*]

    content {
      endpoint_resource_id = private_link_access.value.endpoint_resource_id
      endpoint_tenant_id   = private_link_access.value.endpoint_tenant_id
    }
  }

  dynamic "timeouts" {
    for_each = var.network_rules.timeouts[*]

    content {
      create = timeouts.value.create
      delete = timeouts.value.delete
      read   = timeouts.value.read
      update = timeouts.value.update
    }
  }

  # azurerm_private_endpoint.this is declared elsewhere in the module.
  depends_on = [azurerm_private_endpoint.this]

  lifecycle {
    # Module-managed private endpoints and caller-supplied private_link_access
    # entries are not allowed together.
    precondition {
      condition     = var.private_endpoints == null || var.network_rules.private_link_access == null
      error_message = "Cannot set `private_link_access` when `var.private_endpoints` is not `null`."
    }
  }
}