# Access tier of the account; only meaningful for the account kinds named in
# the description.
variable "access_tier" {
  description = "(Optional) Defines the access tier for `BlobStorage`, `FileStorage` and `StorageV2` accounts. Valid options are `Hot` and `Cool`, defaults to `Hot`."
  type        = string
  default     = "Hot"

  validation {
    # Only the two tiers listed in the description are accepted.
    condition     = var.access_tier == "Hot" || var.access_tier == "Cool"
    error_message = "Invalid value for access tier. Valid options are 'Hot' or 'Cool'."
  }
}
# Kind of storage account to create; `StorageV2` is the general-purpose kind.
variable "account_kind" {
  description = "(Optional) Defines the Kind of account. Valid options are `BlobStorage`, `BlockBlobStorage`, `FileStorage`, `Storage` and `StorageV2`. Defaults to `StorageV2`."
  type        = string
  default     = "StorageV2"

  validation {
    # Membership test against the five kinds the description enumerates.
    condition = anytrue([
      for kind in ["BlobStorage", "BlockBlobStorage", "FileStorage", "Storage", "StorageV2"] : kind == var.account_kind
    ])
    error_message = "Invalid value for account kind. Valid options are `BlobStorage`, `BlockBlobStorage`, `FileStorage`, `Storage` and `StorageV2`. Defaults to `StorageV2`."
  }
}
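# Replication strategy for the account. The default (`RAGZRS`) is the widest
# option: zone-redundant in the primary region plus a readable geo-secondary.
variable "account_replication_type" {
  type = string
  # Description previously said the default was `ZRS`, which contradicted the
  # actual default below; corrected to `RAGZRS`.
  description = "(Required) Defines the type of replication to use for this storage account. Valid options are `LRS`, `GRS`, `RAGRS`, `ZRS`, `GZRS` and `RAGZRS`. Defaults to `RAGZRS`"
  nullable    = false
  default     = "RAGZRS"

  validation {
    condition     = contains(["LRS", "GRS", "RAGRS", "ZRS", "GZRS", "RAGZRS"], var.account_replication_type)
    error_message = "Invalid value for replication type. Valid options are `LRS`, `GRS`, `RAGRS`, `ZRS`, `GZRS` and `RAGZRS`."
  }
}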
# Performance tier of the account. Changing it recreates the resource.
variable "account_tier" {
  description = "(Required) Defines the Tier to use for this storage account. Valid options are `Standard` and `Premium`. For `BlockBlobStorage` and `FileStorage` accounts only `Premium` is valid. Changing this forces a new resource to be created."
  nullable    = false
  type        = string
  default     = "Standard"

  validation {
    # Either of the two tiers is accepted here; the kind/tier pairing noted in
    # the description is not checked at this level.
    condition     = var.account_tier == "Standard" || var.account_tier == "Premium"
    error_message = "Invalid value for account tier. Valid options are `Standard` and `Premium`. For `BlockBlobStorage` and `FileStorage` accounts only `Premium` is valid. Changing this forces a new resource to be created."
  }
}
# Account-level switch for anonymous access: when false, containers and blobs
# cannot opt into public access regardless of their own settings.
variable "allow_nested_items_to_be_public" {
  description = "(Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to `false`."
  type        = bool
  default     = false
}
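# Restricts which accounts data may be copied to/from. `null` leaves the
# provider default (no restriction) in place.
variable "allowed_copy_scope" {
  type        = string
  default     = null
  description = "(Optional) Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are `AAD` and `PrivateLink`."

  validation {
    # The ternary keeps `null` valid without evaluating contains() on a null
    # value; any non-null value must be one of the two documented scopes.
    condition     = var.allowed_copy_scope == null ? true : contains(["AAD", "PrivateLink"], var.allowed_copy_scope)
    error_message = "Invalid value for allowed copy scope. Valid options are `AAD` and `PrivateLink`."
  }
}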
# Object replication across Azure AD tenants; off unless explicitly requested.
variable "cross_tenant_replication_enabled" {
  description = "(Optional) Should cross Tenant replication be enabled? Defaults to `false`."
  type        = bool
  default     = false
}
# Optional custom DNS name for the account endpoints; `null` means none.
variable "custom_domain" {
  description = <<-EOT
  - `name` - (Required) The Custom Domain Name to use for the Storage Account, which will be validated by Azure.
  - `use_subdomain` - (Optional) Should the Custom Domain Name be validated by using indirect CNAME validation?
  EOT
  default     = null
  type = object({
    name          = string
    use_subdomain = optional(bool)
  })
}
# Portal-only preference: whether the Azure portal defaults to Azure AD
# authorization when browsing this account. `null` defers to the provider.
variable "default_to_oauth_authentication" {
  description = "(Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is `false`"
  type        = bool
  default     = null
}
# Optional Edge Zone placement; changing it recreates the account.
variable "edge_zone" {
  description = "(Optional) Specifies the Edge Zone within the Azure Region where this Storage Account should exist. Changing this forces a new Storage Account to be created."
  type        = string
  default     = null
}
# Secure-transfer requirement. Defaults to true so plain HTTP is refused.
variable "enable_https_traffic_only" {
  description = "(Optional) Boolean flag which forces HTTPS if enabled, see [here](https://docs.microsoft.com/azure/storage/storage-require-secure-transfer/) for more information. Defaults to `true`."
  type        = bool
  default     = true
}
# Second (infrastructure-level) encryption layer. Can only be set at creation
# time, so changing it recreates the account.
variable "infrastructure_encryption_enabled" {
  description = "(Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to `false`."
  type        = bool
  default     = false
}
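# SFTP/NFS local users, keyed by an arbitrary map key. Each user carries its
# own permission scopes, SSH credentials and timeouts. Defaults to no users.
variable "local_user" {
  type = map(object({
    home_directory       = optional(string)
    name                 = string
    ssh_key_enabled      = optional(bool)
    ssh_password_enabled = optional(bool)
    permission_scope = optional(list(object({
      resource_name = string
      service       = string
      permissions = object({
        create = optional(bool)
        delete = optional(bool)
        list   = optional(bool)
        read   = optional(bool)
        write  = optional(bool)
      })
    })))
    ssh_authorized_key = optional(list(object({
      description = optional(string)
      key         = string
    })))
    timeouts = optional(object({
      create = optional(string)
      delete = optional(string)
      read   = optional(string)
      update = optional(string)
    }))
  }))
  default     = {}
  description = <<-EOT
  - `home_directory` - (Optional) The home directory of the Storage Account Local User.
  - `name` - (Required) The name which should be used for this Storage Account Local User. Changing this forces a new Storage Account Local User to be created.
  - `ssh_key_enabled` - (Optional) Specifies whether SSH Key Authentication is enabled. Defaults to `false`.
  - `ssh_password_enabled` - (Optional) Specifies whether SSH Password Authentication is enabled. Defaults to `false`.
  ---
  `permission_scope` block supports the following:
  - `resource_name` - (Required) The container name (when `service` is set to `blob`) or the file share name (when `service` is set to `file`), used by the Storage Account Local User.
  - `service` - (Required) The storage service used by this Storage Account Local User. Possible values are `blob` and `file`.
  ---
  `permissions` block supports the following:
  - `create` - (Optional) Specifies if the Local User has the create permission for this scope. Defaults to `false`.
  - `delete` - (Optional) Specifies if the Local User has the delete permission for this scope. Defaults to `false`.
  - `list` - (Optional) Specifies if the Local User has the list permission for this scope. Defaults to `false`.
  - `read` - (Optional) Specifies if the Local User has the read permission for this scope. Defaults to `false`.
  - `write` - (Optional) Specifies if the Local User has the write permission for this scope. Defaults to `false`.
  ---
  `ssh_authorized_key` block supports the following:
  - `description` - (Optional) The description of this SSH authorized key.
  - `key` - (Required) The public key value of this SSH authorized key.
  ---
  `timeouts` block supports the following:
  - `create` - (Defaults to 30 minutes) Used when creating the Storage Account Local User.
  - `delete` - (Defaults to 30 minutes) Used when deleting the Storage Account Local User.
  - `read` - (Defaults to 5 minutes) Used when retrieving the Storage Account Local User.
  - `update` - (Defaults to 30 minutes) Used when updating the Storage Account Local User.
  EOT
  nullable    = false

  validation {
    # `service` is documented as `blob` or `file`; reject anything else at plan
    # time instead of at apply. `permission_scope` is optional with no default,
    # so it is null when absent and must be treated as an empty list.
    condition = alltrue([
      for user in values(var.local_user) : alltrue([
        for scope in(user.permission_scope == null ? [] : user.permission_scope) : contains(["blob", "file"], scope.service)
      ])
    ])
    error_message = "Invalid value for `service` in `permission_scope`. Valid options are `blob` and `file`."
  }
}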
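# Lowest TLS version the account will negotiate. Defaults to TLS 1.2.
variable "min_tls_version" {
  type        = string
  default     = "TLS1_2"
  description = "(Optional) The minimum supported TLS version for the storage account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_2` for new storage accounts."

  validation {
    # Other enumerated variables in this file validate their input; this one
    # did not, so a typo such as "TLS1.2" was only caught at apply time.
    condition     = contains(["TLS1_0", "TLS1_1", "TLS1_2"], var.min_tls_version)
    error_message = "Invalid value for minimum TLS version. Valid options are `TLS1_0`, `TLS1_1`, and `TLS1_2`."
  }
}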
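# Storage firewall configuration. `null` (the variable default) creates no
# network rules at all; a non-null object defaults to `default_action = "Deny"`
# with no IP or subnet allow-list, i.e. public access is blocked.
variable "network_rules" {
  type = object({
    bypass                     = optional(set(string), [])
    default_action             = optional(string, "Deny")
    ip_rules                   = optional(set(string), [])
    virtual_network_subnet_ids = optional(set(string), [])
    private_link_access = optional(list(object({
      endpoint_resource_id = string
      endpoint_tenant_id   = optional(string)
    })))
    timeouts = optional(object({
      create = optional(string)
      delete = optional(string)
      read   = optional(string)
      update = optional(string)
    }))
  })
  default = null
  # The previous note claimed the variable's default blocks public access, but
  # the variable defaults to `null`; it is the object's inner defaults that
  # deny by default. The undocumented-by-type `storage_account_id` bullet was
  # dropped: the object type above has no such attribute and would reject it.
  description = <<-EOT
  > Note: when this variable is set, the object's defaults (`default_action = "Deny"` with empty `ip_rules` and `virtual_network_subnet_ids`) block all public access to the storage account. The variable itself defaults to `null`, which means no network rules are created.
  - `bypass` - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of `Logging`, `Metrics`, `AzureServices`, or `None`.
  - `default_action` - (Required) Specifies the default action of allow or deny when no other rules match. Valid options are `Deny` or `Allow`.
  - `ip_rules` - (Optional) List of public IP or IP ranges in CIDR Format. Only IPv4 addresses are allowed. Private IP address ranges (as defined in [RFC 1918](https://tools.ietf.org/html/rfc1918#section-3)) are not allowed.
  - `virtual_network_subnet_ids` - (Optional) A list of virtual network subnet ids to secure the storage account.
  ---
  `private_link_access` block supports the following:
  - `endpoint_resource_id` - (Required) The resource id of the resource access rule to be granted access.
  - `endpoint_tenant_id` - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.
  ---
  `timeouts` block supports the following:
  - `create` - (Defaults to 60 minutes) Used when creating the Network Rules for this Storage Account.
  - `delete` - (Defaults to 60 minutes) Used when deleting the Network Rules for this Storage Account.
  - `read` - (Defaults to 5 minutes) Used when retrieving the Network Rules for this Storage Account.
  - `update` - (Defaults to 60 minutes) Used when updating the Network Rules for this Storage Account.
  EOT

  validation {
    # Ternary keeps `null` valid without dereferencing a null object.
    condition     = var.network_rules == null ? true : contains(["Allow", "Deny"], var.network_rules.default_action)
    error_message = "Invalid value for `default_action` in `network_rules`. Valid options are `Deny` or `Allow`."
  }

  validation {
    # `bypass` defaults to an empty set, so it is never null once the object
    # exists; every element must come from the documented set of values.
    condition     = var.network_rules == null ? true : length(setsubtract(var.network_rules.bypass, ["Logging", "Metrics", "AzureServices", "None"])) == 0
    error_message = "Invalid value for `bypass` in `network_rules`. Valid options are any combination of `Logging`, `Metrics`, `AzureServices`, or `None`."
  }
}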
# NFSv3 protocol support; creation-time only, so changing it recreates the
# account.
variable "nfsv3_enabled" {
  description = "(Optional) Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to `false`."
  type        = bool
  default     = false
}
# Master switch for public endpoint reachability; independent of the firewall
# rules in `network_rules`. Off by default.
variable "public_network_access_enabled" {
  description = "(Optional) Whether the public network access is enabled? Defaults to `false`."
  type        = bool
  default     = false
}
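# Network routing preference for the account endpoints. `null` leaves the
# provider defaults in place.
variable "routing" {
  type = object({
    choice                      = optional(string, "MicrosoftRouting")
    publish_internet_endpoints  = optional(bool, false)
    publish_microsoft_endpoints = optional(bool, false)
  })
  default     = null
  description = <<-EOT
  - `choice` - (Optional) Specifies the kind of network routing opted by the user. Possible values are `InternetRouting` and `MicrosoftRouting`. Defaults to `MicrosoftRouting`.
  - `publish_internet_endpoints` - (Optional) Should internet routing storage endpoints be published? Defaults to `false`.
  - `publish_microsoft_endpoints` - (Optional) Should Microsoft routing storage endpoints be published? Defaults to `false`.
  EOT

  validation {
    # `choice` has an inner default, so it is non-null whenever the object is;
    # the ternary only guards the `null` object case.
    condition     = var.routing == null ? true : contains(["InternetRouting", "MicrosoftRouting"], var.routing.choice)
    error_message = "Invalid value for `choice` in `routing`. Valid options are `InternetRouting` and `MicrosoftRouting`."
  }
}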
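# Account-wide SAS expiration policy. `null` means no policy is configured.
variable "sas_policy" {
  type = object({
    expiration_action = optional(string, "Log")
    expiration_period = string
  })
  default     = null
  description = <<-EOT
  - `expiration_action` - (Optional) The SAS expiration action. The only possible value is `Log` at this moment. Defaults to `Log`.
  - `expiration_period` - (Required) The SAS expiration period in format of `DD.HH:MM:SS`.
  EOT

  validation {
    # Only `Log` is documented as valid today; widen this list if the
    # provider adds further actions.
    condition     = var.sas_policy == null ? true : var.sas_policy.expiration_action == "Log"
    error_message = "Invalid value for `expiration_action` in `sas_policy`. The only valid option is `Log`."
  }

  validation {
    # Enforce the documented `DD.HH:MM:SS` shape so a malformed period fails
    # at plan time rather than on the API call.
    condition     = var.sas_policy == null ? true : can(regex("^[0-9]+\\.[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}$", var.sas_policy.expiration_period))
    error_message = "Invalid value for `expiration_period` in `sas_policy`. Expected the format `DD.HH:MM:SS`."
  }
}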
# SFTP endpoint on the account; users for it are defined via `local_user`.
variable "sftp_enabled" {
  description = "(Optional) Boolean, enable SFTP for the storage account. Defaults to `false`."
  type        = bool
  default     = false
}
# Shared Key (account key) authorization. Defaults to false, so every request,
# SAS included, has to be authorized through Azure AD.
variable "shared_access_key_enabled" {
  description = "(Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is `false`."
  type        = bool
  default     = false
}
# Static website hosting settings; `null` leaves the feature unconfigured.
variable "static_website" {
  description = <<-EOT
  - `error_404_document` - (Optional) The absolute path to a custom webpage that should be used when a request is made which does not correspond to an existing file.
  - `index_document` - (Optional) The webpage that Azure Storage serves for requests to the root of a website or any subfolder. For example, index.html. The value is case-sensitive.
  EOT
  default     = null
  type = object({
    error_404_document = optional(string)
    index_document     = optional(string)
  })
}
# Operation timeouts for the storage account resource itself; `null` uses the
# provider defaults given in the description.
variable "timeouts" {
  description = <<-EOT
  - `create` - (Defaults to 60 minutes) Used when creating the Storage Account.
  - `delete` - (Defaults to 60 minutes) Used when deleting the Storage Account.
  - `read` - (Defaults to 5 minutes) Used when retrieving the Storage Account.
  - `update` - (Defaults to 60 minutes) Used when updating the Storage Account.
  EOT
  default     = null
  type = object({
    create = optional(string)
    delete = optional(string)
    read   = optional(string)
    update = optional(string)
  })
}
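# Key Vault access policies granted to the identities used for customer-managed
# key encryption. Keyed by an arbitrary map key; defaults to none.
variable "key_vault_access_policy" {
  type = map(object({
    # Least-privilege default: only what unwrap/wrap of a CMK needs.
    key_permissions = optional(list(string), [
      "Get",
      "UnwrapKey",
      "WrapKey"
    ])
    # Attribute name keeps the existing (misspelled) `principle` for
    # backward compatibility with callers.
    identity_principle_id = string
    identity_tenant_id    = string
    timeouts = optional(object({
      create = optional(string)
      delete = optional(string)
      read   = optional(string)
      update = optional(string)
    }))
  }))
  default = {}
  # `key_permissions` was described as "a map of list"; the type is a plain
  # list of strings, so the wording is corrected and `Delete` is formatted like
  # the other permission names.
  description = <<-EOT
  Since storage account's customer managed key might require key vault permission, you can create the corresponding permission by setting this variable.
  - `key_permissions` - (Optional) A list of key permissions; each element must be one or more from the following: `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy` and `SetRotationPolicy`. Defaults to `["Get", "UnwrapKey", "WrapKey"]`
  - `identity_principle_id` - (Required) The principal ID of managed identity. Changing this forces a new resource to be created.
  - `identity_tenant_id` - (Required) The tenant ID of managed identity. Changing this forces a new resource to be created.
  ---
  `timeouts` block supports the following:
  - `create` - (Defaults to 30 minutes) Used when creating the Key Vault Access Policy.
  - `delete` - (Defaults to 30 minutes) Used when deleting the Key Vault Access Policy.
  - `read` - (Defaults to 5 minutes) Used when retrieving the Key Vault Access Policy.
  - `update` - (Defaults to 30 minutes) Used when updating the Key Vault Access Policy.
  EOT
  nullable    = false

  validation {
    # Every requested permission must be one of the names the description
    # lists; an unknown name would otherwise only fail when the policy is
    # applied.
    condition = alltrue([
      for policy in values(var.key_vault_access_policy) : length(setsubtract(policy.key_permissions, [
        "Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover",
        "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", "Release", "Rotate",
        "GetRotationPolicy", "SetRotationPolicy"
      ])) == 0
    ])
    error_message = "Invalid value in `key_permissions`. Each element must be one of `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify`, `WrapKey`, `Release`, `Rotate`, `GetRotationPolicy` or `SetRotationPolicy`."
  }
}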