# Three-character lowercase alphanumeric suffix appended to the storage account
# name so that it is globally unique. Uppercase and special characters are
# excluded because storage account names only allow lowercase letters/digits.
resource "random_string" "stlaunchpadprd_suffix" {
  length  = 3
  upper   = false
  special = false
}
# Delete lock on the state storage account. It is not created during bootstrap
# (var.init) so the account can still be torn down while the launchpad is being
# set up; once init is over the lock is always present.
# NOTE(review): a CanNotDelete lock guards the ARM resource itself; it does not
# stop individual blobs inside the account from being deleted via the data
# plane - blob versioning / soft delete cover that case.
resource "azurerm_management_lock" "storage_account_lock" {
  count = !var.init ? 1 : 0

  name       = "storage_account_lock"
  scope      = azurerm_storage_account.this.id
  lock_level = "CanNotDelete"
  notes      = "For safety reasons, the Storage Account can not be deleted."
}
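# Storage account backing the Terraform state container. Hardened as a state
# backend: shared keys (and therefore SAS tokens) disabled so only Entra ID
# identities can reach the data plane, HTTPS with TLS 1.2 minimum, double
# encryption at rest, no anonymous blob access, no cross-tenant replication.
# The public endpoint is only open while bootstrapping (var.init) and even then
# only for var.init_access_ip_address; afterwards the account is reached
# through the private endpoint declared next to it.
resource "azurerm_storage_account" "this" {
  # "st" + var.name + "prd" + short location + random suffix. compact() drops
  # empty parts, so an empty var.name still produces a valid name.
  name                = join("", compact(["st", var.name, "prd", local.location_short[var.location], random_string.stlaunchpadprd_suffix.result]))
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.tags

  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "RAGRS"

  # Data-plane and transport hardening.
  allow_nested_items_to_be_public   = false # no anonymous container / blob access
  cross_tenant_replication_enabled  = false
  default_to_oauth_authentication   = true  # portal and tooling default to Entra ID auth
  https_traffic_only_enabled        = true
  infrastructure_encryption_enabled = true  # double encryption at rest
  is_hns_enabled                    = false
  large_file_share_enabled          = false
  min_tls_version                   = "TLS1_2"
  shared_access_key_enabled         = false # account keys / SAS cannot be used at all

  # Public endpoint exists only during bootstrap; after that all access must
  # go through the private endpoint.
  public_network_access_enabled = var.init

  # During bootstrap the firewall is deny-by-default and only lets the
  # bootstrapping client IP and trusted Azure services through.
  # NOTE(review): the block is not declared once var.init is false, so the
  # rules written during init appear to be left untouched rather than removed;
  # they are inert while public network access is disabled, but confirm with
  # the provider version in use.
  dynamic "network_rules" {
    for_each = var.init ? [true] : []
    content {
      default_action = "Deny"
      ip_rules       = [var.init_access_ip_address]
      bypass         = ["AzureServices"]
    }
  }

  blob_properties {
    # Versioning keeps earlier revisions of the state file. Soft delete is
    # added on top so that a deleted state blob, or the whole tfstate
    # container, can still be restored within the retention window - without
    # it a deleted (non-versioned) blob or container is gone for good.
    versioning_enabled = true

    delete_retention_policy {
      days = 30
    }

    container_delete_retention_policy {
      days = 30
    }
  }

  lifecycle {
    # private_link_access is presumably maintained outside this resource
    # (private endpoint approval flow) - TODO confirm; ignoring it keeps that
    # drift from rewriting the network rules on every apply.
    ignore_changes = [network_rules[0].private_link_access]
  }
}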
# Container that holds the Terraform state files. Access is private; the
# account additionally sets allow_nested_items_to_be_public = false, so
# anonymous access is blocked at both the container and the account level.
resource "azurerm_storage_container" "this" {
  name                  = "tfstate"
  container_access_type = "private"
  storage_account_name  = azurerm_storage_account.this.name
}
# Private endpoint for the blob service, so the state account stays reachable
# from the launchpad subnet once public network access has been switched off.
# NOTE(review): no private_dns_zone_group is declared here, so resolving the
# account name to the endpoint's private IP must be handled elsewhere;
# otherwise clients keep resolving to the (disabled) public endpoint - confirm.
resource "azurerm_private_endpoint" "storage_account" {
  name                = join("-", compact(["pe", azurerm_storage_account.this.name, "prd", local.location_short[var.location], var.name_suffix]))
  resource_group_name = var.resource_group_name
  location            = var.location
  subnet_id           = azurerm_subnet.this.id
  tags                = var.tags

  private_service_connection {
    name                           = "blob"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_storage_account.this.id
    subresource_names              = ["blob"]
  }
}
# Bootstrap-only data-plane access: while var.init is set, the bootstrapping
# principal is granted Storage Blob Data Owner on the whole account. Shared
# keys are disabled on the account, so an Entra ID role assignment like this is
# what allows the initial state to be written. The assignment is removed as
# soon as var.init is cleared; the description is a reminder in case it is
# ever found lingering.
# NOTE(review): account-wide scope is broader than the single tfstate
# container; presumably required because the container does not exist yet
# when the role is granted - confirm, and narrow the scope if it is not.
resource "azurerm_role_assignment" "storage_account_blob_owner_current_user" {
  count = var.init ? 1 : 0

  scope                = azurerm_storage_account.this.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = local.init_access_azure_principal_id
  description          = "Temporary role assignment. Delete this assignment if unsure why it is still existing."
}