An open API service indexing awesome lists of open source software.

https://github.com/launchbynttdata/tf-azurerm-module_reference-storage_account


https://github.com/launchbynttdata/tf-azurerm-module_reference-storage_account

azure infrastructure-as-code platform-automation reference terraform

Last synced: 13 days ago
JSON representation

Awesome Lists containing this project

README

          

# tf-azurerm-module_primitive-storage_account (Azure Storage Account)

## Overview

This terraform module will install storage account in the Azure portal. User can also create containers and file shares by passing in appropriate input variables.

## Pre-Commit hooks
[.pre-commit-config.yaml](.pre-commit-config.yaml) file defines certain `pre-commit` hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.

`commitlint` hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:

- **fix**: a commit of the type `fix` patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
- **feat**: a commit of the type `feat` introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
- **BREAKING CHANGE**: a commit that has a footer `BREAKING CHANGE:`, or appends a `!` after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type.
footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format.
- **build**: a commit of the type `build` adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
- **chore**: a commit of the type `chore` adds changes that don't modify src or test files
- **ci**: a commit of the type `ci` adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
- **docs**: a commit of the type `docs` adds documentation only changes
- **perf**: a commit of the type `perf` adds code change that improves performance
- **refactor**: a commit of the type `refactor` adds code change that neither fixes a bug nor adds a feature
- **revert**: a commit of the type `revert` reverts a previous commit
- **style**: a commit of the type `style` adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
- **test**: a commit of the type `test` adds missing tests or correcting existing tests

Base configuration used for this project is [commitlint-config-conventional (based on the Angular convention)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional#type-enum)

If you are a developer using vscode, [this](https://marketplace.visualstudio.com/items?itemName=joshbolduc.commitlint) plugin may be helpful.

`detect-secrets-hook` prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS

In order for `pre-commit` hooks to work properly
- You need to have the pre-commit package manager installed. [Here](https://pre-commit.com/#install) are the installation instructions.
- `pre-commit` would install all the hooks when commit message is added by default except for `commitlint` hook. `commitlint` hook would need to be installed manually using the command below
```
pre-commit install --hook-type commit-msg
```

## To test the resource group module locally

1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the `configure` target in the project's [`Makefile`](./Makefile). Before you can run `configure`, familiarize yourself with the variables in the `Makefile` and ensure they're pointing to the right places.

```
make configure
```

This adds in several files and directories that are ignored by `git`. They expose many new Make targets.

2. The first target you care about is `env`. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.

`make configure` command will bring down `azure_env.sh` file on local workstation. Devloper would need to modify this file, replace the environment variable values with relevant values.

These environment variables are used by `terratest` integration suit.

Service principle used for authentication(value of ARM_CLIENT_ID) should have below privileges on resource group within the subscription.

```
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"
```

Then run this make target to set the environment variables on developer workstation.

```
make env
```

3. The first target you care about is `check`.

**Pre-requisites**
Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are `azure` specific. If primitive/segment under development uses any other cloud provider than azure, this section may not be relevant.
- A file named `provider.tf` with contents below

```
provider "azurerm" {
features {}
}
```
- A file named `terraform.tfvars` which contains key value pair of variables used.

Note that since these files are added in `gitgnore` they would not be checked in into primitive/segment's git repo.

After creating these files, for running tests associated with the primitive/segment, run

```
make check
```

If `make check` target is successful, developer is good to commit the code to primitive/segment's git repo.

`make check` target
- runs `terraform commands` to `lint`,`validate` and `plan` terraform code.
- runs `conftests`. `conftests` make sure `policy` checks are successful.
- runs `terratest`. This is integration test suit.
- runs `opa` tests

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.5 |
| [azurerm](#requirement\_azurerm) | ~> 3.77 |
| [random](#requirement\_random) | ~> 3.6 |
| [time](#requirement\_time) | ~> 0.11 |

## Providers

| Name | Version |
|------|---------|
| [time](#provider\_time) | 0.13.1 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [resource\_names](#module\_resource\_names) | terraform.registry.launch.nttdata.com/module_library/resource_name/launch | ~> 2.0 |
| [resource\_group](#module\_resource\_group) | terraform.registry.launch.nttdata.com/module_primitive/resource_group/azurerm | ~> 1.1 |
| [storage\_account](#module\_storage\_account) | terraform.registry.launch.nttdata.com/module_primitive/storage_account/azurerm | ~> 1.3.6 |
| [monitor\_action\_group](#module\_monitor\_action\_group) | terraform.registry.launch.nttdata.com/module_primitive/monitor_action_group/azurerm | ~> 1.0.1 |
| [monitor\_metric\_alert](#module\_monitor\_metric\_alert) | terraform.registry.launch.nttdata.com/module_primitive/monitor_metric_alert/azurerm | ~> 2.0 |
| [log\_analytics\_workspace](#module\_log\_analytics\_workspace) | terraform.registry.launch.nttdata.com/module_primitive/log_analytics_workspace/azurerm | ~> 1.2.5 |
| [diagnostic\_setting](#module\_diagnostic\_setting) | terraform.registry.launch.nttdata.com/module_primitive/monitor_diagnostic_setting/azurerm | ~> 3.1.2 |
| [recovery\_services\_vault](#module\_recovery\_services\_vault) | terraform.registry.launch.nttdata.com/module_primitive/recovery_services_vault/azurerm | ~> 1.0.2 |
| [backup\_container\_storage\_account](#module\_backup\_container\_storage\_account) | terraform.registry.launch.nttdata.com/module_primitive/backup_container_storage_account/azurerm | ~> 1.0.0 |
| [data\_protection\_backup\_vault](#module\_data\_protection\_backup\_vault) | terraform.registry.launch.nttdata.com/module_primitive/data_protection_backup_vault/azurerm | ~> 0.1.3 |
| [data\_protection\_backup\_policy\_blob\_storage](#module\_data\_protection\_backup\_policy\_blob\_storage) | terraform.registry.launch.nttdata.com/module_primitive/data_protection_backup_policy_blob_storage/azurerm | ~> 1.0.2 |
| [backup\_storage\_reader](#module\_backup\_storage\_reader) | terraform.registry.launch.nttdata.com/module_primitive/role_assignment/azurerm | ~> 1.2.1 |
| [backup\_storage\_backup\_contributor](#module\_backup\_storage\_backup\_contributor) | terraform.registry.launch.nttdata.com/module_primitive/role_assignment/azurerm | ~> 1.2.1 |
| [backup\_blob\_data\_contributor](#module\_backup\_blob\_data\_contributor) | terraform.registry.launch.nttdata.com/module_primitive/role_assignment/azurerm | ~> 1.2.1 |
| [backup\_policy\_file\_share](#module\_backup\_policy\_file\_share) | terraform.registry.launch.nttdata.com/module_primitive/backup_policy_file_share/azurerm | ~> 1.0.1 |
| [backup\_protected\_file\_share](#module\_backup\_protected\_file\_share) | terraform.registry.launch.nttdata.com/module_primitive/backup_protected_file_share/azurerm | ~> 0.1.3 |
| [backup\_instance\_blob\_storage](#module\_backup\_instance\_blob\_storage) | terraform.registry.launch.nttdata.com/module_primitive/data_protection_backup_instance_blob_storage/azurerm | ~> 1.0.1 |

## Resources

| Name | Type |
|------|------|
| [time_sleep.wait_for_backup_rbac](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [time_sleep.wait_for_storage_monitoring](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [resource\_group\_name](#input\_resource\_group\_name) | target resource group resource mask | `string` | n/a | yes |
| [create\_resource\_group](#input\_create\_resource\_group) | Optional override for creating resource group in this module. When null, behavior follows resource\_group\_name nullability. | `bool` | `null` | no |
| [location](#input\_location) | (Required) Specifies the supported Azure location where the resource exists. | `string` | n/a | yes |
| [resource\_names\_map](#input\_resource\_names\_map) | A map of keys to resource\_name that will be used by tf-launch-module\_library-resource\_name to generate resource names |

map(object({
name = string
max_length = optional(number, 60)
}))
|
{
"log_analytics_workspace": {
"max_length": 80,
"name": "law"
},
"resource_group": {
"max_length": 80,
"name": "rg"
},
"storage_account": {
"max_length": 24,
"name": "sa"
}
}
| no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| [instance\_env](#input\_instance\_env) | Number that represents the instance of the environment. | `number` | `0` | no |
| [instance\_resource](#input\_instance\_resource) | Number that represents the instance of the resource. | `number` | `0` | no |
| [logical\_product\_family](#input\_logical\_product\_family) | (Required) Name of the product family for which the resource is created.
Example: org\_name, department\_name. | `string` | `"launch"` | no |
| [logical\_product\_service](#input\_logical\_product\_service) | (Required) Name of the product service for which the resource is created.
For example, backend, frontend, middleware etc. | `string` | `"sta"` | no |
| [class\_env](#input\_class\_env) | (Required) Environment where resource is going to be deployed. For example. dev, qa, uat | `string` | `"dev"` | no |
| [use\_azure\_region\_abbr](#input\_use\_azure\_region\_abbr) | Use Azure region abbreviation in resource names. | `bool` | `true` | no |
| [storage\_account\_name](#input\_storage\_account\_name) | The name of the storage account. | `string` | `null` | no |
| [account\_tier](#input\_account\_tier) | value of the account\_tier | `string` | `"Standard"` | no |
| [account\_replication\_type](#input\_account\_replication\_type) | value of the account\_replication\_type | `string` | `"LRS"` | no |
| [storage\_containers](#input\_storage\_containers) | map of storage container configs, keyed polymorphically |
map(object({
name = string
container_access_type = string
}))
| `{}` | no |
| [storage\_shares](#input\_storage\_shares) | map of storage file shares configs, keyed polymorphically |
map(object({
name = string
quota = number
metadata = optional(map(string))
}))
| `{}` | no |
| [storage\_queues](#input\_storage\_queues) | map of storage queue configs, keyed polymorphically |
map(object({
name = string
}))
| `{}` | no |
| [static\_website](#input\_static\_website) | The static website details if the storage account needs to be used as a static website |
object({
index_document = string
error_404_document = string
})
| `null` | no |
| [enable\_https\_traffic\_only](#input\_enable\_https\_traffic\_only) | Boolean flag that forces HTTPS traffic only | `bool` | `true` | no |
| [access\_tier](#input\_access\_tier) | Choose between Hot or Cool | `string` | `"Hot"` | no |
| [account\_kind](#input\_account\_kind) | Defines the kind of account | `string` | `"StorageV2"` | no |
| [blob\_cors\_rule](#input\_blob\_cors\_rule) | Blob cors rules |
map(object({
allowed_headers = list(string)
allowed_methods = list(string)
allowed_origins = list(string)
exposed_headers = list(string)
max_age_in_seconds = number
}))
| `null` | no |
| [blob\_delete\_retention\_policy](#input\_blob\_delete\_retention\_policy) | Number of days the blob should be retained. Set 0 to disable | `number` | `0` | no |
| [blob\_versioning\_enabled](#input\_blob\_versioning\_enabled) | Is blob versioning enabled for blob | `bool` | `false` | no |
| [blob\_change\_feed\_enabled](#input\_blob\_change\_feed\_enabled) | Is the blob service properties for change feed enabled for blob | `bool` | `false` | no |
| [blob\_change\_feed\_retention\_in\_days](#input\_blob\_change\_feed\_retention\_in\_days) | Number of days to retain blob change feed. Set 0 to disable | `number` | `0` | no |
| [blob\_last\_access\_time\_enabled](#input\_blob\_last\_access\_time\_enabled) | Is the last access time based tracking enabled | `bool` | `false` | no |
| [blob\_container\_delete\_retention\_policy](#input\_blob\_container\_delete\_retention\_policy) | Specify the number of days that the container should be retained. Set 0 to disable | `number` | `0` | no |
| [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | Whether the public network access is enabled. Defaults to `true`. | `bool` | `true` | no |
| [network\_rules](#input\_network\_rules) | An object defining rules around network access for the Storage Account. |
object({
default_action = optional(string, "Deny")
bypass = optional(list(string), ["AzureServices", "Logging", "Metrics"])
ip_rules = optional(list(string), [])
virtual_network_subnet_ids = optional(list(string), [])
private_link_access = optional(list(object({
endpoint_resource_id = string
endpoint_tenant_id = optional(string, null)
})), [])
})
| `null` | no |
| [action\_group](#input\_action\_group) | An action group object. Each action group can have:
- short\_name: (Required) The short name of the action group
- arm\_role\_receivers: (Optional) List of ARM role receivers
- email\_receivers: (Optional) List of email receivers |
object({
name = string
short_name = string
arm_role_receivers = optional(list(object({
name = string
role_id = string
use_common_alert_schema = optional(bool)
})), [])
email_receivers = optional(list(object({
name = string
email_address = string
use_common_alert_schema = optional(bool)
})), [])
})
| `null` | no |
| [action\_group\_ids](#input\_action\_group\_ids) | A list of action group IDs. | `list(string)` | `[]` | no |
| [metric\_alerts](#input\_metric\_alerts) | Monitor Metric Alert Properties |
map(object({
description = string
action_groups = optional(set(string), [])
frequency = optional(string, "PT1M")
severity = optional(number, 3)
enabled = optional(bool, true)
webhook_properties = optional(map(string))
criteria = optional(list(object({
metric_namespace = string
metric_name = string
aggregation = string
operator = string
threshold = number
skip_metric_validation = optional(bool, false)
dimensions = optional(list(object({
name = string
operator = string
values = list(string)
})))
})))
dynamic_criteria = optional(object({
metric_namespace = string
metric_name = string
aggregation = string
operator = string
alert_sensitivity = string
ignore_data_before = optional(string)
skip_metric_validation = optional(bool, false)
dimensions = optional(list(object({
name = string
operator = string
values = list(string)
})))
}))
}))
| `{}` | no |
| [diagnostic\_settings](#input\_diagnostic\_settings) | n/a |
map(object({
enabled_log = optional(list(object({
category_group = optional(string, "allLogs")
category = optional(string, null)
})))
metrics = optional(list(object({
category = string
enabled = optional(bool)
})))
}))
| `{}` | no |
| [log\_analytics\_workspace](#input\_log\_analytics\_workspace) | n/a |
object({
sku = string
retention_in_days = number
daily_quota_gb = number
identity = optional(object({
type = string
identity_ids = optional(list(string))
}))
local_authentication_disabled = optional(bool)
})
| `null` | no |
| [log\_analytics\_workspace\_id](#input\_log\_analytics\_workspace\_id) | (Optional) The ID of the Log Analytics Workspace. | `string` | `null` | no |
| [recovery\_services\_vault](#input\_recovery\_services\_vault) | Recovery Services Vault configuration |
object({
name = optional(string)
sku = optional(string, "Standard")
public_network_access_enabled = optional(bool, true)
immutability = optional(string)
storage_mode_type = optional(string, "GeoRedundant")
cross_region_restore_enabled = optional(bool, false)
soft_delete_enabled = optional(bool, true)
classic_vmware_replication_enabled = optional(bool)

identity = optional(object({
type = string
identity_ids = optional(list(string))
}))

encryption = optional(object({
key_id = string
infrastructure_encryption_enabled = bool
user_assigned_identity_id = optional(string)
use_system_assigned_identity = optional(bool, true)
}))

monitoring = optional(map(any))
})
| `null` | no |
| [data\_protection\_backup\_vault](#input\_data\_protection\_backup\_vault) | Data Protection Backup Vault configuration |
object({
name = optional(string)
datastore_type = optional(string, "VaultStore")
redundancy = optional(string, "LocallyRedundant")
retention_duration_in_days = optional(number, 14)
soft_delete = optional(string, "On")

identity = optional(object({
type = string
}))
})
| `null` | no |
| [blob\_backup\_policies](#input\_blob\_backup\_policies) | Blob storage backup policies |
map(object({
policy_name = string

backup_repeating_time_intervals = optional(list(string))
operational_default_retention_duration = optional(string)
vault_default_retention_duration = optional(string)
time_zone = optional(string)

retention_rules = optional(list(object({
name = string
priority = number

life_cycle = object({
data_store_type = string
duration = string
})

criteria = object({
absolute_criteria = optional(string)
days_of_month = optional(list(number))
days_of_week = optional(list(string))
months_of_year = optional(list(string))
scheduled_backup_times = optional(list(string))
weeks_of_month = optional(list(string))
})
})), [])

timeouts = optional(object({
create = optional(string, "30m")
read = optional(string, "5m")
delete = optional(string, "30m")
}), {})
}))
| `{}` | no |
| [file\_share\_backups](#input\_file\_share\_backups) | n/a |
map(object({
file_share_name = string
policy_key = string
}))
| `{}` | no |
| [file\_share\_backup\_policies](#input\_file\_share\_backup\_policies) | File share backup policy configuration |
map(object({
name = string
frequency = string
time = string
retention_daily_count = number
}))
| `{}` | no |
| [blob\_backup\_instances](#input\_blob\_backup\_instances) | Blob backup instances |
map(object({
policy_key = string
storage_account_container_names = optional(list(string))
timeouts = optional(object({
create = optional(string, "30m")
read = optional(string, "5m")
update = optional(string, "30m")
delete = optional(string, "30m")
}), {})
}))
| `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| [id](#output\_id) | The ID of the Storage Account. |
| [name](#output\_name) | Name of the storage account. |
| [resource\_group\_name](#output\_resource\_group\_name) | The name of the resource group in which the storage account is created. |
| [primary\_location](#output\_primary\_location) | The primary location of the storage account. |
| [primary\_blob\_endpoint](#output\_primary\_blob\_endpoint) | The endpoint URL for blob storage in the primary location. |
| [primary\_web\_endpoint](#output\_primary\_web\_endpoint) | Storage account primary web endpoint. |
| [primary\_connection\_string](#output\_primary\_connection\_string) | Primary connection string of the storage account. |
| [secondary\_connection\_string](#output\_secondary\_connection\_string) | Secondary connection string of the storage account. |
| [primary\_access\_key](#output\_primary\_access\_key) | Primary access key of the storage account. |
| [secondary\_access\_key](#output\_secondary\_access\_key) | Secondary access key of the storage account. |
| [storage\_containers](#output\_storage\_containers) | Storage container resource map. |
| [storage\_queues](#output\_storage\_queues) | Storage queues resource map. |
| [storage\_shares](#output\_storage\_shares) | Storage share resource map. |
| [recovery\_services\_vault\_id](#output\_recovery\_services\_vault\_id) | The ID of the Recovery Services Vault. |
| [data\_protection\_backup\_vault\_id](#output\_data\_protection\_backup\_vault\_id) | The ID of the Data Protection Backup Vault. |
| [backup\_policy\_file\_share\_ids](#output\_backup\_policy\_file\_share\_ids) | Map of file share backup policy names to their IDs. |
| [data\_protection\_backup\_policy\_blob\_storage\_ids](#output\_data\_protection\_backup\_policy\_blob\_storage\_ids) | Map of blob storage backup policy names to their IDs. |
| [backup\_protected\_file\_share\_ids](#output\_backup\_protected\_file\_share\_ids) | Map of protected file share names to their IDs. |
| [backup\_instance\_blob\_storage\_ids](#output\_backup\_instance\_blob\_storage\_ids) | Map of blob storage backup instance names to their IDs. |