
Sunday, June 6, 2021

Azure networking and storage accounts

 HOWTO

 

Github 

Create a storage account with network rules (service-endpoint firewall)

Terraform configuration (the `terraform plan` output for the account follows the container block)

resource "azurerm_storage_account" "davestorageaccounttf" {
  name                = "davestorageaccounttf"
  resource_group_name = azurerm_resource_group.daveterraformgroup.name

  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.daveterraformsubnet.id]
    bypass                     = ["Metrics", "AzureServices"]
  }

  tags = {
    environment = "staging"
  }
} 
Add container
resource "azurerm_storage_container" "example" {
  name                  = "${var.prefix}storagecontainer"
  storage_account_name  = azurerm_storage_account.davestorageaccounttf.name
  container_access_type = "blob"
}
# azurerm_storage_account.daveterraformsa will be created
  + resource "azurerm_storage_account" "daveterraformsa" {
      + access_tier                      = (known after apply)
      + account_kind                     = "StorageV2"
      + account_replication_type         = "LRS"
      + account_tier                     = "Standard"
      + allow_blob_public_access         = false
      + enable_https_traffic_only        = true
      + id                               = (known after apply)
      + is_hns_enabled                   = false
      + large_file_share_enabled         = (known after apply)
      + location                         = "westeurope"
      + min_tls_version                  = "TLS1_0"
      + name                             = "davestorageaccount"
      + nfsv3_enabled                    = false
      + primary_access_key               = (sensitive value)
      + primary_blob_connection_string   = (sensitive value)
      + primary_blob_endpoint            = (known after apply)
      + primary_blob_host                = (known after apply)
      + primary_connection_string        = (sensitive value)
      + primary_dfs_endpoint             = (known after apply)
      + primary_dfs_host                 = (known after apply)
      + primary_file_endpoint            = (known after apply)
      + primary_file_host                = (known after apply)
      + primary_location                 = (known after apply)
      + primary_queue_endpoint           = (known after apply)
      + primary_queue_host               = (known after apply)
      + primary_table_endpoint           = (known after apply)
      + primary_table_host               = (known after apply)
      + primary_web_endpoint             = (known after apply)
      + primary_web_host                 = (known after apply)
      + resource_group_name              = "rg-dave-terraform-test"
      + secondary_access_key             = (sensitive value)
      + secondary_blob_connection_string = (sensitive value)
      + secondary_blob_endpoint          = (known after apply)
      + secondary_blob_host              = (known after apply)
      + secondary_connection_string      = (sensitive value)
      + secondary_dfs_endpoint           = (known after apply)
      + secondary_dfs_host               = (known after apply)
      + secondary_file_endpoint          = (known after apply)
      + secondary_file_host              = (known after apply)
      + secondary_location               = (known after apply)
      + secondary_queue_endpoint         = (known after apply)
      + secondary_queue_host             = (known after apply)
      + secondary_table_endpoint         = (known after apply)
      + secondary_table_host             = (known after apply)
      + secondary_web_endpoint           = (known after apply)
      + secondary_web_host               = (known after apply)
      + tags                             = {
          + "environment" = "Development"
        }

      + blob_properties {
          + change_feed_enabled      = (known after apply)
          + default_service_version  = (known after apply)
          + last_access_time_enabled = (known after apply)
          + versioning_enabled       = (known after apply)

          + container_delete_retention_policy {
              + days = (known after apply)
            }

          + cors_rule {
              + allowed_headers    = (known after apply)
              + allowed_methods    = (known after apply)
              + allowed_origins    = (known after apply)
              + exposed_headers    = (known after apply)
              + max_age_in_seconds = (known after apply)
            }

          + delete_retention_policy {
              + days = (known after apply)
            }
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = (known after apply)
        }

      + network_rules {
          + bypass                     = (known after apply)
          + default_action             = "Deny"
          + ip_rules                   = [
              + "100.0.0.1",
            ]
          + virtual_network_subnet_ids = [
              + "/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet",
            ]
        }

      + queue_properties {
          + cors_rule {
              + allowed_headers    = (known after apply)
              + allowed_methods    = (known after apply)
              + allowed_origins    = (known after apply)
              + exposed_headers    = (known after apply)
              + max_age_in_seconds = (known after apply)
            }

          + hour_metrics {
              + enabled               = (known after apply)
              + include_apis          = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
            }

          + logging {
              + delete                = (known after apply)
              + read                  = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
              + write                 = (known after apply)
            }

          + minute_metrics {
              + enabled               = (known after apply)
              + include_apis          = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
            }
        }

      + routing {
          + choice                      = (known after apply)
          + publish_internet_endpoints  = (known after apply)
          + publish_microsoft_endpoints = (known after apply)
        }
    }

Plan: 1 to add, 1 to change, 0 to destroy.

Terraform apply. Note that this plan also creates a standalone `azurerm_storage_account_network_rules.davenetworkrules` with `default_action = "Allow"` and `ip_rules = ["127.0.0.1"]` next to the inline `network_rules` block that sets `Deny`; the provider documents that the two forms must not be combined for the same account, so the firewall state after apply is not necessarily the `Deny` shown in the HCL above. Use one form or the other, and re-check the account's "Networking" blade after apply.
[dave@dave azure]$ terraform apply
azurerm_resource_group.daveterraformgroup: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test]
azurerm_public_ip.daveterraformpublicip: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/publicIPAddresses/davePublicIP]
azurerm_virtual_network.daveterraformnetwork: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet]
azurerm_network_security_group.daveterraformnsg: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/networkSecurityGroups/daveNetworkSecurityGroup]
azurerm_subnet.daveterraformsubnet: Refreshing state... [id=/subscriptions/3434434-343-40/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet]
azurerm_network_interface.daveterraformnic: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/networkInterfaces/daveNIC]
azurerm_network_interface_security_group_association.dave: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/networkInterfaces/daveNIC|/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/networkSecurityGroups/daveNetworkSecurityGroup]
azurerm_linux_virtual_machine.daveterraformvm: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Compute/virtualMachines/dave-terraform-test]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_storage_account.davestorageaccounttf will be created
  + resource "azurerm_storage_account" "davestorageaccounttf" {
      + access_tier                      = (known after apply)
      + account_kind                     = "StorageV2"
      + account_replication_type         = "LRS"
      + account_tier                     = "Standard"
      + allow_blob_public_access         = false
      + enable_https_traffic_only        = true
      + id                               = (known after apply)
      + is_hns_enabled                   = false
      + large_file_share_enabled         = (known after apply)
      + location                         = "westeurope"
      + min_tls_version                  = "TLS1_0"
      + name                             = "davestorageaccounttf"
      + nfsv3_enabled                    = false
      + primary_access_key               = (sensitive value)
      + primary_blob_connection_string   = (sensitive value)
      + primary_blob_endpoint            = (known after apply)
      + primary_blob_host                = (known after apply)
      + primary_connection_string        = (sensitive value)
      + primary_dfs_endpoint             = (known after apply)
      + primary_dfs_host                 = (known after apply)
      + primary_file_endpoint            = (known after apply)
      + primary_file_host                = (known after apply)
      + primary_location                 = (known after apply)
      + primary_queue_endpoint           = (known after apply)
      + primary_queue_host               = (known after apply)
      + primary_table_endpoint           = (known after apply)
      + primary_table_host               = (known after apply)
      + primary_web_endpoint             = (known after apply)
      + primary_web_host                 = (known after apply)
      + resource_group_name              = "rg-dave-terraform-test"
      + secondary_access_key             = (sensitive value)
      + secondary_blob_connection_string = (sensitive value)
      + secondary_blob_endpoint          = (known after apply)
      + secondary_blob_host              = (known after apply)
      + secondary_connection_string      = (sensitive value)
      + secondary_dfs_endpoint           = (known after apply)
      + secondary_dfs_host               = (known after apply)
      + secondary_file_endpoint          = (known after apply)
      + secondary_file_host              = (known after apply)
      + secondary_location               = (known after apply)
      + secondary_queue_endpoint         = (known after apply)
      + secondary_queue_host             = (known after apply)
      + secondary_table_endpoint         = (known after apply)
      + secondary_table_host             = (known after apply)
      + secondary_web_endpoint           = (known after apply)
      + secondary_web_host               = (known after apply)
      + tags                             = {
          + "environment" = "staging"
        }

      + blob_properties {
          + change_feed_enabled      = (known after apply)
          + default_service_version  = (known after apply)
          + last_access_time_enabled = (known after apply)
          + versioning_enabled       = (known after apply)

          + container_delete_retention_policy {
              + days = (known after apply)
            }

          + cors_rule {
              + allowed_headers    = (known after apply)
              + allowed_methods    = (known after apply)
              + allowed_origins    = (known after apply)
              + exposed_headers    = (known after apply)
              + max_age_in_seconds = (known after apply)
            }

          + delete_retention_policy {
              + days = (known after apply)
            }
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = (known after apply)
        }

      + network_rules {
          + bypass                     = [
              + "AzureServices",
              + "Metrics",
            ]
          + default_action             = "Deny"
          + ip_rules                   = [
              + "100.0.0.1",
            ]
          + virtual_network_subnet_ids = [
              + "/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet",
            ]
        }

      + queue_properties {
          + cors_rule {
              + allowed_headers    = (known after apply)
              + allowed_methods    = (known after apply)
              + allowed_origins    = (known after apply)
              + exposed_headers    = (known after apply)
              + max_age_in_seconds = (known after apply)
            }

          + hour_metrics {
              + enabled               = (known after apply)
              + include_apis          = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
            }

          + logging {
              + delete                = (known after apply)
              + read                  = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
              + write                 = (known after apply)
            }

          + minute_metrics {
              + enabled               = (known after apply)
              + include_apis          = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
            }
        }

      + routing {
          + choice                      = (known after apply)
          + publish_internet_endpoints  = (known after apply)
          + publish_microsoft_endpoints = (known after apply)
        }
    }

  # azurerm_storage_account_network_rules.davenetworkrules will be created
  + resource "azurerm_storage_account_network_rules" "davenetworkrules" {
      + bypass                     = [
          + "AzureServices",
          + "Metrics",
        ]
      + default_action             = "Allow"
      + id                         = (known after apply)
      + ip_rules                   = [
          + "127.0.0.1",
        ]
      + resource_group_name        = "rg-dave-terraform-test"
      + storage_account_name       = "davestorageaccounttf"
      + virtual_network_subnet_ids = [
          + "/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet",
        ]
    }

  # azurerm_subnet.daveterraformsubnet will be updated in-place
  ~ resource "azurerm_subnet" "daveterraformsubnet" {
        id                                             = "/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet"
        name                                           = "daveSubnet"
      ~ service_endpoints                              = [
          + "Microsoft.Storage",
        ]
        # (7 unchanged attributes hidden)
    }

Plan: 2 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_subnet.daveterraformsubnet: Modifying... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet]
azurerm_subnet.daveterraformsubnet: Modifications complete after 4s [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet]
azurerm_storage_account.davestorageaccounttf: Creating...
azurerm_storage_account.davestorageaccounttf: Still creating... [10s elapsed]
azurerm_storage_account.davestorageaccounttf: Still creating... [20s elapsed]
azurerm_storage_account.davestorageaccounttf: Creation complete after 22s [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Storage/storageAccounts/davestorageaccounttf]


Azure Storage Account

Azure list of resources



Azure VM network topology