Sunday, June 6, 2021

Azure networking and storage accounts

 HOWTO

 

Github 

Create a storage account with network rules

Terraform plan

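# Storage account that is reachable only from the allow-listed IP and the VNet subnet.
resource "azurerm_storage_account" "davestorageaccounttf" {
  name                = "davestorageaccounttf"
  resource_group_name = azurerm_resource_group.daveterraformgroup.name

  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # The provider default is TLS1_0 (visible as min_tls_version in the plan output below);
  # require TLS 1.2 so clients cannot negotiate the legacy protocol versions.
  min_tls_version = "TLS1_2"

  # These are the provider defaults shown in the plan output; they are made explicit so a
  # provider upgrade or a later edit cannot silently relax them.
  enable_https_traffic_only = true
  allow_blob_public_access  = false

  # default_action = "Deny" blocks every source that is not listed in ip_rules or
  # virtual_network_subnet_ids. Azure requires the referenced subnet to have the
  # "Microsoft.Storage" service endpoint enabled (the apply output below shows it being
  # added to azurerm_subnet.daveterraformsubnet).
  # Manage the rule set in one place only: the provider documents that this inline block
  # and the separate azurerm_storage_account_network_rules resource cannot be combined on
  # the same account. The apply output below creates such a resource with
  # default_action = "Allow", which would undo the Deny configured here.
  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.daveterraformsubnet.id]
    # Metrics and trusted Azure services may still reach the account despite the Deny.
    bypass = ["Metrics", "AzureServices"]
  }

  tags = {
    environment = "staging"
  }
}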
Add a container
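# Blob container inside the storage account above.
# container_access_type = "private" means no anonymous access: readers must authenticate
# (account key, SAS or Azure AD). The previous value "blob" would grant anonymous read on
# every blob in the container; the account is created with allow_blob_public_access = false
# (see the plan output above), and Azure rejects a public container on such an account.
resource "azurerm_storage_container" "example" {
  name                  = "${var.prefix}storagecontainer"
  storage_account_name  = azurerm_storage_account.davestorageaccounttf.name
  container_access_type = "private"
}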
# azurerm_storage_account.daveterraformsa will be created
  + resource "azurerm_storage_account" "daveterraformsa" {
      + access_tier                      = (known after apply)
      + account_kind                     = "StorageV2"
      + account_replication_type         = "LRS"
      + account_tier                     = "Standard"
      + allow_blob_public_access         = false
      + enable_https_traffic_only        = true
      + id                               = (known after apply)
      + is_hns_enabled                   = false
      + large_file_share_enabled         = (known after apply)
      + location                         = "westeurope"
      + min_tls_version                  = "TLS1_0"
      + name                             = "davestorageaccount"
      + nfsv3_enabled                    = false
      + primary_access_key               = (sensitive value)
      + primary_blob_connection_string   = (sensitive value)
      + primary_blob_endpoint            = (known after apply)
      + primary_blob_host                = (known after apply)
      + primary_connection_string        = (sensitive value)
      + primary_dfs_endpoint             = (known after apply)
      + primary_dfs_host                 = (known after apply)
      + primary_file_endpoint            = (known after apply)
      + primary_file_host                = (known after apply)
      + primary_location                 = (known after apply)
      + primary_queue_endpoint           = (known after apply)
      + primary_queue_host               = (known after apply)
      + primary_table_endpoint           = (known after apply)
      + primary_table_host               = (known after apply)
      + primary_web_endpoint             = (known after apply)
      + primary_web_host                 = (known after apply)
      + resource_group_name              = "rg-dave-terraform-test"
      + secondary_access_key             = (sensitive value)
      + secondary_blob_connection_string = (sensitive value)
      + secondary_blob_endpoint          = (known after apply)
      + secondary_blob_host              = (known after apply)
      + secondary_connection_string      = (sensitive value)
      + secondary_dfs_endpoint           = (known after apply)
      + secondary_dfs_host               = (known after apply)
      + secondary_file_endpoint          = (known after apply)
      + secondary_file_host              = (known after apply)
      + secondary_location               = (known after apply)
      + secondary_queue_endpoint         = (known after apply)
      + secondary_queue_host             = (known after apply)
      + secondary_table_endpoint         = (known after apply)
      + secondary_table_host             = (known after apply)
      + secondary_web_endpoint           = (known after apply)
      + secondary_web_host               = (known after apply)
      + tags                             = {
          + "environment" = "Development"
        }

      + blob_properties {
          + change_feed_enabled      = (known after apply)
          + default_service_version  = (known after apply)
          + last_access_time_enabled = (known after apply)
          + versioning_enabled       = (known after apply)

          + container_delete_retention_policy {
              + days = (known after apply)
            }

          + cors_rule {
              + allowed_headers    = (known after apply)
              + allowed_methods    = (known after apply)
              + allowed_origins    = (known after apply)
              + exposed_headers    = (known after apply)
              + max_age_in_seconds = (known after apply)
            }

          + delete_retention_policy {
              + days = (known after apply)
            }
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = (known after apply)
        }

      + network_rules {
          + bypass                     = (known after apply)
          + default_action             = "Deny"
          + ip_rules                   = [
              + "100.0.0.1",
            ]
          + virtual_network_subnet_ids = [
              + "/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet",
            ]
        }

      + queue_properties {
          + cors_rule {
              + allowed_headers    = (known after apply)
              + allowed_methods    = (known after apply)
              + allowed_origins    = (known after apply)
              + exposed_headers    = (known after apply)
              + max_age_in_seconds = (known after apply)
            }

          + hour_metrics {
              + enabled               = (known after apply)
              + include_apis          = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
            }

          + logging {
              + delete                = (known after apply)
              + read                  = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
              + write                 = (known after apply)
            }

          + minute_metrics {
              + enabled               = (known after apply)
              + include_apis          = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
            }
        }

      + routing {
          + choice                      = (known after apply)
          + publish_internet_endpoints  = (known after apply)
          + publish_microsoft_endpoints = (known after apply)
        }
    }

Plan: 1 to add, 1 to change, 0 to destroy.

Terraform apply
[dave@dave azure]$ terraform apply
azurerm_resource_group.daveterraformgroup: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test]
azurerm_public_ip.daveterraformpublicip: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/publicIPAddresses/davePublicIP]
azurerm_virtual_network.daveterraformnetwork: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet]
azurerm_network_security_group.daveterraformnsg: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/networkSecurityGroups/daveNetworkSecurityGroup]
azurerm_subnet.daveterraformsubnet: Refreshing state... [id=/subscriptions/3434434-343-40/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet]
azurerm_network_interface.daveterraformnic: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/networkInterfaces/daveNIC]
azurerm_network_interface_security_group_association.dave: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/networkInterfaces/daveNIC|/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/networkSecurityGroups/daveNetworkSecurityGroup]
azurerm_linux_virtual_machine.daveterraformvm: Refreshing state... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Compute/virtualMachines/dave-terraform-test]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_storage_account.davestorageaccounttf will be created
  + resource "azurerm_storage_account" "davestorageaccounttf" {
      + access_tier                      = (known after apply)
      + account_kind                     = "StorageV2"
      + account_replication_type         = "LRS"
      + account_tier                     = "Standard"
      + allow_blob_public_access         = false
      + enable_https_traffic_only        = true
      + id                               = (known after apply)
      + is_hns_enabled                   = false
      + large_file_share_enabled         = (known after apply)
      + location                         = "westeurope"
      + min_tls_version                  = "TLS1_0"
      + name                             = "davestorageaccounttf"
      + nfsv3_enabled                    = false
      + primary_access_key               = (sensitive value)
      + primary_blob_connection_string   = (sensitive value)
      + primary_blob_endpoint            = (known after apply)
      + primary_blob_host                = (known after apply)
      + primary_connection_string        = (sensitive value)
      + primary_dfs_endpoint             = (known after apply)
      + primary_dfs_host                 = (known after apply)
      + primary_file_endpoint            = (known after apply)
      + primary_file_host                = (known after apply)
      + primary_location                 = (known after apply)
      + primary_queue_endpoint           = (known after apply)
      + primary_queue_host               = (known after apply)
      + primary_table_endpoint           = (known after apply)
      + primary_table_host               = (known after apply)
      + primary_web_endpoint             = (known after apply)
      + primary_web_host                 = (known after apply)
      + resource_group_name              = "rg-dave-terraform-test"
      + secondary_access_key             = (sensitive value)
      + secondary_blob_connection_string = (sensitive value)
      + secondary_blob_endpoint          = (known after apply)
      + secondary_blob_host              = (known after apply)
      + secondary_connection_string      = (sensitive value)
      + secondary_dfs_endpoint           = (known after apply)
      + secondary_dfs_host               = (known after apply)
      + secondary_file_endpoint          = (known after apply)
      + secondary_file_host              = (known after apply)
      + secondary_location               = (known after apply)
      + secondary_queue_endpoint         = (known after apply)
      + secondary_queue_host             = (known after apply)
      + secondary_table_endpoint         = (known after apply)
      + secondary_table_host             = (known after apply)
      + secondary_web_endpoint           = (known after apply)
      + secondary_web_host               = (known after apply)
      + tags                             = {
          + "environment" = "staging"
        }

      + blob_properties {
          + change_feed_enabled      = (known after apply)
          + default_service_version  = (known after apply)
          + last_access_time_enabled = (known after apply)
          + versioning_enabled       = (known after apply)

          + container_delete_retention_policy {
              + days = (known after apply)
            }

          + cors_rule {
              + allowed_headers    = (known after apply)
              + allowed_methods    = (known after apply)
              + allowed_origins    = (known after apply)
              + exposed_headers    = (known after apply)
              + max_age_in_seconds = (known after apply)
            }

          + delete_retention_policy {
              + days = (known after apply)
            }
        }

      + identity {
          + principal_id = (known after apply)
          + tenant_id    = (known after apply)
          + type         = (known after apply)
        }

      + network_rules {
          + bypass                     = [
              + "AzureServices",
              + "Metrics",
            ]
          + default_action             = "Deny"
          + ip_rules                   = [
              + "100.0.0.1",
            ]
          + virtual_network_subnet_ids = [
              + "/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet",
            ]
        }

      + queue_properties {
          + cors_rule {
              + allowed_headers    = (known after apply)
              + allowed_methods    = (known after apply)
              + allowed_origins    = (known after apply)
              + exposed_headers    = (known after apply)
              + max_age_in_seconds = (known after apply)
            }

          + hour_metrics {
              + enabled               = (known after apply)
              + include_apis          = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
            }

          + logging {
              + delete                = (known after apply)
              + read                  = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
              + write                 = (known after apply)
            }

          + minute_metrics {
              + enabled               = (known after apply)
              + include_apis          = (known after apply)
              + retention_policy_days = (known after apply)
              + version               = (known after apply)
            }
        }

      + routing {
          + choice                      = (known after apply)
          + publish_internet_endpoints  = (known after apply)
          + publish_microsoft_endpoints = (known after apply)
        }
    }

  # azurerm_storage_account_network_rules.davenetworkrules will be created
  + resource "azurerm_storage_account_network_rules" "davenetworkrules" {
      + bypass                     = [
          + "AzureServices",
          + "Metrics",
        ]
      + default_action             = "Allow"
      + id                         = (known after apply)
      + ip_rules                   = [
          + "127.0.0.1",
        ]
      + resource_group_name        = "rg-dave-terraform-test"
      + storage_account_name       = "davestorageaccounttf"
      + virtual_network_subnet_ids = [
          + "/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet",
        ]
    }

  # azurerm_subnet.daveterraformsubnet will be updated in-place
  ~ resource "azurerm_subnet" "daveterraformsubnet" {
        id                                             = "/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet"
        name                                           = "daveSubnet"
      ~ service_endpoints                              = [
          + "Microsoft.Storage",
        ]
        # (7 unchanged attributes hidden)
    }

Plan: 2 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_subnet.daveterraformsubnet: Modifying... [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet]
azurerm_subnet.daveterraformsubnet: Modifications complete after 4s [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Network/virtualNetworks/daveVnet/subnets/daveSubnet]
azurerm_storage_account.davestorageaccounttf: Creating...
azurerm_storage_account.davestorageaccounttf: Still creating... [10s elapsed]
azurerm_storage_account.davestorageaccounttf: Still creating... [20s elapsed]
azurerm_storage_account.davestorageaccounttf: Creation complete after 22s [id=/subscriptions/3434434-343-4/resourceGroups/rg-dave-terraform-test/providers/Microsoft.Storage/storageAccounts/davestorageaccounttf]


Azure Storage Account

Azure list of resources



Azure VM network topology



