# Identity of the principal running this plan/apply. Its object_id is used
# below to grant that principal data-plane access to the account.
data "azurerm_client_config" "current" {
}
# The storage account itself. Firewall rules, lifecycle rules, containers,
# file shares, RBAC and the customer-managed key are declared as separate
# resources in this file, so this block carries only account-level settings.
resource "azurerm_storage_account" "this" {
  name                = var.name
  resource_group_name = var.resource_group_name
  location            = var.location

  # SKU / tiering
  account_kind             = var.account_kind
  account_tier             = var.account_tier
  account_replication_type = var.account_replication_type
  access_tier              = var.access_tier

  # Transport and authentication hardening. Every value comes from a variable,
  # so the secure-by-default posture (TLS floor, HTTPS-only, whether shared
  # keys are usable at all) is decided in variables.tf, not here — review the
  # defaults there together with this block.
  min_tls_version                 = var.min_tls_version
  https_traffic_only_enabled      = var.network_configuration.https_traffic_only_enabled
  shared_access_key_enabled       = var.shared_access_key_enabled
  default_to_oauth_authentication = var.default_to_oauth_authentication
  sftp_enabled                    = var.sftp_enabled

  # Network exposure. The granular firewall lives in
  # azurerm_storage_account_network_rules.this, which is a separate resource
  # and therefore applies only after the account already exists; until then
  # public_network_access_enabled is what governs reachability.
  public_network_access_enabled   = var.network_configuration.public_network_access_enabled
  allow_nested_items_to_be_public = var.network_configuration.allow_nested_items_to_be_public

  # Encryption and replication scope
  infrastructure_encryption_enabled = var.infrastructure_encryption_enabled
  cross_tenant_replication_enabled  = var.cross_tenant_replication_enabled
  # "Unrestricted" is expressed to the provider as "no restriction" (null)
  # rather than as a literal value.
  allowed_copy_scope = var.allowed_copy_scope != "Unrestricted" ? var.allowed_copy_scope : null

  # Queue/table encryption key scope, presumably switched to "Account" so a
  # customer-managed key can cover those services too. Note the condition is
  # wider than the one that creates
  # azurerm_storage_account_customer_managed_key.this (which needs a non-null
  # cmk_key_vault_id): enable_cmk_encryption alone yields account-scoped keys
  # without a CMK attached.
  queue_encryption_key_type = (var.enable_cmk_encryption || var.cmk_key_vault_id != null) ? "Account" : "Service"
  table_encryption_key_type = (var.enable_cmk_encryption || var.cmk_key_vault_id != null) ? "Account" : "Service"

  blob_properties {
    versioning_enabled  = var.versioning_enabled
    change_feed_enabled = var.change_feed_enabled

    # Soft-delete windows for blobs and containers (recovery after accidental
    # or malicious deletion). The retention length is decided in variables.tf.
    delete_retention_policy {
      days = var.storage_management_policy.blob_delete_retention_days
    }
    container_delete_retention_policy {
      days = var.storage_management_policy.container_delete_retention_days
    }
  }

  # Managed identity. The three locals are defined outside this file and
  # appear to be mutually exclusive; the first non-null one is rendered, and
  # the trailing empty map means "no identity block" when all are null.
  dynamic "identity" {
    for_each = coalesce(
      local.identity_system_assigned_user_assigned,
      local.identity_system_assigned,
      local.identity_user_assigned,
      {}
    )
    content {
      type         = identity.value.type
      identity_ids = identity.value.user_assigned_resource_ids
    }
  }

  # Account-level immutability (WORM). Rendered only when the caller supplies
  # a policy object.
  dynamic "immutability_policy" {
    for_each = var.immutability_policy == null ? {} : { this = var.immutability_policy }
    content {
      state                         = immutability_policy.value.state
      period_since_creation_in_days = immutability_policy.value.period_since_creation_in_days
      allow_protected_append_writes = immutability_policy.value.allow_protected_append_writes
    }
  }

  tags = merge(
    try(var.tags),
    tomap({ "Resource Type" = "Storage Account" })
  )

  # The CMK is attached by azurerm_storage_account_customer_managed_key.this;
  # ignoring the attribute here stops this resource from fighting that one on
  # every plan.
  lifecycle {
    ignore_changes = [customer_managed_key]
  }
}
# Account firewall. Declared as its own resource rather than an inline
# network_rules block, so it is applied only once the account exists. If
# default_action is "Allow", ip_rules and the subnet list do not restrict
# anything — the restrictive posture depends on the caller passing "Deny".
resource "azurerm_storage_account_network_rules" "this" {
  storage_account_id = azurerm_storage_account.this.id

  default_action             = var.network_configuration.default_action
  bypass                     = var.network_configuration.bypass
  ip_rules                   = var.network_configuration.ip_rules
  virtual_network_subnet_ids = var.network_configuration.virtual_network_subnet_ids
}
# Built-in lifecycle rule for block blobs. Created only when at least one of
# the four day thresholds is set; a null threshold is passed through and
# leaves the corresponding action unset.
resource "azurerm_storage_management_policy" "this" {
  count = length(compact([
    var.storage_management_policy.move_to_cool_after_days,
    var.storage_management_policy.move_to_cold_after_days,
    var.storage_management_policy.move_to_archive_after_days,
    var.storage_management_policy.delete_after_days,
  ])) == 0 ? 0 : 1

  storage_account_id = azurerm_storage_account.this.id

  rule {
    name    = "Storage Account Module builtin management policy"
    enabled = true

    filters {
      blob_types = ["blockBlob"]
    }

    actions {
      base_blob {
        # Cool and delete are measured from last modification; cold and
        # archive from creation.
        tier_to_cool_after_days_since_modification_greater_than = var.storage_management_policy.move_to_cool_after_days
        delete_after_days_since_modification_greater_than       = var.storage_management_policy.delete_after_days
        tier_to_cold_after_days_since_creation_greater_than     = var.storage_management_policy.move_to_cold_after_days
        tier_to_archive_after_days_since_creation_greater_than  = var.storage_management_policy.move_to_archive_after_days
      }
    }
  }
}
# One container per key of var.storage_containers. An access_type other than
# "private" permits anonymous reads of that container; whether that is even
# possible is additionally gated by allow_nested_items_to_be_public on the
# account.
resource "azurerm_storage_container" "this" {
  for_each = var.storage_containers

  storage_account_id    = azurerm_storage_account.this.id
  name                  = each.key
  container_access_type = each.value.access_type
}
# One file share per key of var.storage_file_shares; tier, protocol and quota
# are taken from the value object.
resource "azurerm_storage_share" "this" {
  for_each = var.storage_file_shares

  storage_account_id = azurerm_storage_account.this.id
  name               = each.key

  access_tier      = each.value.access_tier
  enabled_protocol = each.value.enabled_protocol
  quota            = each.value.quota
}
# Grants the principal running this Terraform (data.azurerm_client_config)
# data-plane ownership of the whole account. Convenient for bootstrapping,
# but it is a standing privilege for the deployment identity that persists
# after apply — confirm that is intended rather than a one-off need.
resource "azurerm_role_assignment" "this" {
  principal_id         = data.azurerm_client_config.current.object_id
  role_definition_name = "Storage Blob Data Owner"
  scope                = azurerm_storage_account.this.id
}
# Blob Data Contributor for every principal in var.contributors. Instances
# are keyed by the input's own key/position: if var.contributors is a list,
# removing or reordering an entry renumbers the later ones and Terraform will
# destroy and recreate those assignments (briefly revoking access) instead of
# leaving them untouched. Keying by principal id would avoid that, at the cost
# of a state migration for existing deployments.
resource "azurerm_role_assignment" "extra" {
  for_each = { for position, principal in var.contributors : position => principal }

  principal_id         = each.value
  role_definition_name = "Storage Blob Data Contributor"
  scope                = azurerm_storage_account.this.id
}
# Attaches the customer-managed key once a key vault id is supplied. The
# account's own customer_managed_key attribute is in ignore_changes above, so
# this resource is the single owner of that setting.
resource "azurerm_storage_account_customer_managed_key" "this" {
  count = var.cmk_key_vault_id == null ? 0 : 1

  storage_account_id = azurerm_storage_account.this.id
  key_vault_id       = var.cmk_key_vault_id
  key_name           = var.cmk_key_name

  # With a user-assigned identity, the first one in the list unwraps the key;
  # otherwise the provider falls back to the system-assigned identity. This
  # file grants the vault role only to the system-assigned identity
  # (azurerm_role_assignment.cmk), so a user-assigned identity must already
  # hold wrap/unwrap rights on the vault — TODO confirm that is granted elsewhere.
  user_assigned_identity_id = local.identity_user_assigned == null ? null : var.user_assigned_identities[0]

  # Ordering only; harmless when the role assignment has count 0.
  depends_on = [azurerm_role_assignment.cmk]
}
# Lets the account's system-assigned identity wrap/unwrap with the CMK.
# Created only when a vault is configured and a system-assigned identity
# exists (alone or together with user-assigned ones); identity[0] is that
# system-assigned identity. The grant is scoped to the whole vault — if the
# vault uses RBAC, the key's own resource id would be a narrower scope.
resource "azurerm_role_assignment" "cmk" {
  count = (var.cmk_key_vault_id != null && (local.identity_system_assigned != null || local.identity_system_assigned_user_assigned != null)) ? 1 : 0

  principal_id         = azurerm_storage_account.this.identity[0].principal_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  scope                = var.cmk_key_vault_id
}