Azure Storage Account
This page shows how to write Terraform and Azure Resource Manager templates for a Storage Account, and how to write them securely.
azurerm_storage_account (Terraform)
A Storage Account can be configured in Terraform with the resource name azurerm_storage_account. The following sections describe 6 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_storage_account" "bb_Premium_ZRS" {
  name                = "storageaccountname"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  account_kind        = "BlockBlobStorage"
  account_tier        = "Premium"
}

resource "azurerm_storage_account" "allowed" {
  account_kind = "BlobStorage"
}

resource "azurerm_storage_account" "allowed_2" {
  account_kind = "BlockBlobStorage"
}

resource "azurerm_storage_account" "default" {
  name                = "staspcmpgitops"
  resource_group_name = azurerm_resource_group.default.name
  location            = azurerm_resource_group.default.location
  account_tier        = "Standard"
}

resource "azurerm_storage_account" "good_example" {
  name                = "storageaccountname"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  min_tls_version     = "TLS1_2"
}

resource "azurerm_storage_account" "tamops-sa" {
  name                = "tamopssa"
  resource_group_name = azurerm_resource_group.tamops-rg.name
  location            = azurerm_resource_group.tamops-rg.location
  account_tier        = "Standard"
}

resource "azurerm_storage_account" "dev" {
  name                     = var.storage_dev
  resource_group_name      = azurerm_resource_group.dev.name
  location                 = azurerm_resource_group.dev.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}
Security Best Practices for azurerm_storage_account
There are 6 settings in azurerm_storage_account that should be taken care of for security reasons. The following sections give an overview of each and example code.
Ensure to use HTTPS connections
It is better to use HTTPS instead of HTTP, which could be vulnerable to person-in-the-middle attacks.
Ensure to allow Trusted Microsoft Services to bypass
It is better to allow Trusted Microsoft Services to bypass the network rules. Otherwise they are not able to access the storage account unless rules are set to allow them explicitly.
Ensure to enable the latest TLS/SSL policy for the load balancer
It is better to enable the latest TLS/SSL policy for the load balancer. Three versions of the TLS protocol, 1.0, 1.1 and 1.2, are available at the moment. TLS 1.2 should be selected unless you have a specific reason not to.
Ensure to set the default action on the network rules to deny
It is better to set "Deny" as the default action on the network rules. The default_action for network rules applies whenever a request matches none of the rules.
Ensure to enable logging for queue services
It is better to enable logging for queue services, which records the details of successful and failed requests to the storage service.
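The six settings above combined in one configuration, with a weak account placed beside a hardened one so the differences are visible in a single plan. This is an added example, not code from the page's GitHub sources; the resource group name, the account names, the 203.0.113.0/24 range (a documentation-only range standing in for your own egress addresses) and the app_subnet_id variable are assumptions.

```hcl
variable "app_subnet_id" {
  type        = string
  description = "Resource ID of the subnet allowed to reach the account (assumed)"
}

resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example" # assumed name
  location = "eastus"
}

# Weak configuration: every hardening setting left at its default or
# explicitly relaxed. Kept only as the "before" for comparison.
resource "azurerm_storage_account" "weak" {
  name                     = "stexampleweak" # assumed; 3-24 lower-case letters and digits
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  enable_https_traffic_only = false    # plain HTTP accepted
  min_tls_version           = "TLS1_0" # oldest protocol version still negotiable
  allow_blob_public_access  = true     # anonymous container/blob reads possible

  network_rules {
    default_action = "Allow" # reachable from any network
  }
}

# Hardened configuration: the settings from the section above, set explicitly.
resource "azurerm_storage_account" "hardened" {
  name                     = "stexamplehardened" # assumed
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  enable_https_traffic_only = true     # reject HTTP requests
  min_tls_version           = "TLS1_2" # refuse TLS 1.0 and 1.1 handshakes
  allow_blob_public_access  = false    # no anonymous access at the account level

  network_rules {
    default_action             = "Deny"              # drop anything no rule matches
    bypass                     = ["AzureServices"]   # trusted Microsoft services still allowed
    ip_rules                   = ["203.0.113.0/24"]  # placeholder for your office/CI egress range
    virtual_network_subnet_ids = [var.app_subnet_id] # application subnet via service endpoint
  }

  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 30 # keep request logs for a month
    }
  }
}
```

One caveat worth knowing before applying: the provider configures queue logging through the account's own endpoint, so once default_action is "Deny" the address Terraform runs from must itself be covered by ip_rules or virtual_network_subnet_ids, otherwise the apply can fail with an authorization error on the queue properties.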
Parameters
  access_tier (optional, computed) - string
  account_kind (optional) - string
  account_replication_type (required) - string
  account_tier (required) - string
  allow_blob_public_access (optional) - bool
  enable_https_traffic_only (optional) - bool
  id (optional, computed) - string
  is_hns_enabled (optional) - bool
  large_file_share_enabled (optional, computed) - bool
  location (required) - string
  min_tls_version (optional) - string
  name (required) - string
  primary_access_key (optional, computed) - string
  primary_blob_connection_string (optional, computed) - string
  primary_blob_endpoint (optional, computed) - string
  primary_blob_host (optional, computed) - string
  primary_connection_string (optional, computed) - string
  primary_dfs_endpoint (optional, computed) - string
  primary_dfs_host (optional, computed) - string
  primary_file_endpoint (optional, computed) - string
  primary_file_host (optional, computed) - string
  primary_location (optional, computed) - string
  primary_queue_endpoint (optional, computed) - string
  primary_queue_host (optional, computed) - string
  primary_table_endpoint (optional, computed) - string
  primary_table_host (optional, computed) - string
  primary_web_endpoint (optional, computed) - string
  primary_web_host (optional, computed) - string
  resource_group_name (required) - string
  secondary_access_key (optional, computed) - string
  secondary_blob_connection_string (optional, computed) - string
  secondary_blob_endpoint (optional, computed) - string
  secondary_blob_host (optional, computed) - string
  secondary_connection_string (optional, computed) - string
  secondary_dfs_endpoint (optional, computed) - string
  secondary_dfs_host (optional, computed) - string
  secondary_file_endpoint (optional, computed) - string
  secondary_file_host (optional, computed) - string
  secondary_location (optional, computed) - string
  secondary_queue_endpoint (optional, computed) - string
  secondary_queue_host (optional, computed) - string
  secondary_table_endpoint (optional, computed) - string
  secondary_table_host (optional, computed) - string
  secondary_web_endpoint (optional, computed) - string
  secondary_web_host (optional, computed) - string
  tags (optional) - map from string to string
  blob_properties (list block)
    container_delete_retention_policy (list block)
      days (optional) - number
    cors_rule (list block)
      allowed_headers (required) - list of string
      allowed_methods (required) - list of string
      allowed_origins (required) - list of string
      exposed_headers (required) - list of string
      max_age_in_seconds (required) - number
    delete_retention_policy (list block)
      days (optional) - number
  custom_domain (list block)
    name (required) - string
    use_subdomain (optional) - bool
  identity (list block)
    principal_id (optional, computed) - string
    tenant_id (optional, computed) - string
    type (required) - string
  network_rules (list block)
    bypass (optional, computed) - set of string
    default_action (required) - string
    ip_rules (optional, computed) - set of string
    virtual_network_subnet_ids (optional, computed) - set of string
  queue_properties (list block)
    cors_rule (list block)
      allowed_headers (required) - list of string
      allowed_methods (required) - list of string
      allowed_origins (required) - list of string
      exposed_headers (required) - list of string
      max_age_in_seconds (required) - number
    hour_metrics (list block)
      enabled (required) - bool
      include_apis (optional) - bool
      retention_policy_days (optional) - number
      version (required) - string
    logging (list block)
      delete (required) - bool
      read (required) - bool
      retention_policy_days (optional) - number
      version (required) - string
      write (required) - bool
    minute_metrics (list block)
      enabled (required) - bool
      include_apis (optional) - bool
      retention_policy_days (optional) - number
      version (required) - string
  static_website (list block)
    error_404_document (optional) - string
    index_document (optional) - string
  timeouts (single block)
Explanation in Terraform Registry
Manages an Azure Storage Account.
Tips: Best Practices for The Other Azure Storage Resources
In addition to the azurerm_storage_account_network_rules resource, Azure Storage has other resources that should be configured for security reasons. Please check the following examples of those resources and the precautions for each.
azurerm_storage_account_network_rules
Ensure to allow Trusted Microsoft Services to bypass
It is better to allow Trusted Microsoft Services to bypass the network rules. Otherwise they are not able to access the storage account unless rules are set to allow them explicitly.
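Managing the rules through a separate azurerm_storage_account_network_rules resource instead of an inline network_rules block, as an added example that is not code from the page's sources. The resource group and account names, the two variables and their default address (a documentation-only range) are assumptions, and the storage_account_id argument assumes a provider version that accepts it rather than the older resource_group_name/storage_account_name pair.

```hcl
variable "runner_ip" {
  type        = string
  description = "Public IPv4 address of the host running terraform apply (assumed)"
  default     = "203.0.113.10" # placeholder from a documentation-only range
}

variable "app_subnet_id" {
  type        = string
  description = "Resource ID of the subnet that should reach the account (assumed)"
}

resource "azurerm_resource_group" "example" {
  name     = "rg-storage-example" # assumed name
  location = "eastus"
}

# The account carries no inline network_rules block on purpose: the inline block
# and the separate resource both manage the same rule set, so only one of the
# two may be used for a given account or they will fight over the state.
resource "azurerm_storage_account" "example" {
  name                      = "stexamplerules" # assumed
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"
}

resource "azurerm_storage_account_network_rules" "example" {
  storage_account_id = azurerm_storage_account.example.id

  default_action             = "Deny"                                # nothing unmatched gets through
  bypass                     = ["AzureServices", "Logging", "Metrics"] # trusted services and platform telemetry
  ip_rules                   = [var.runner_ip]                        # the host applying this configuration
  virtual_network_subnet_ids = [var.app_subnet_id]                    # workload subnet via service endpoint
}
```

Splitting the rules out this way lets a platform team own the account while the network rules live in a module applied later, for example after the application subnet exists; the trade-off is a short window between account creation and rule application during which the account still has the service default of allowing all networks.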
Microsoft.Storage/storageAccounts (Azure Resource Manager)
A storageAccounts resource in Microsoft.Storage can be configured in Azure Resource Manager with the resource type Microsoft.Storage/storageAccounts. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "location": "[parameters('location')]",
  "kind": "StorageV2",
  "sku": {
    "name": "[variables('skuName')]"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "location": "[parameters('location')]",
  "kind": "StorageV2",
  "sku": {
    "name": "[variables('skuName')]"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-01-01",
  "name": "[parameters('storageAccounts_kohithdiagstrg_name')]",
  "location": "centralus",
  "sku": {
    "name": "Standard_LRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-01-01",
  "name": "[parameters('storageAccounts_cs1100320011af67746_name')]",
  "location": "southeastasia",
  "tags": {
    "ms-resource-usage": "azure-cloud-shell"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2020-08-01-preview",
  "name": "[parameters('storageAccountName')]",
  "location": "[parameters('location')]",
  "dependsOn": [
  ]
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "name": "veeraprathap465",
  "location": "eastus",
  "sku": {
    "name": "Standard_LRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-04-01",
  "name": "[parameters('storageAccounts_1sinkstorageaccountmgs_name')]",
  "location": "eastus",
  "sku": {
    "name": "Standard_LRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2020-08-01-preview",
  "name": "[parameters('storageAccountName')]",
  "location": "eastus",
  "sku": {
    "name": "Standard_LRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-06-01",
  "name": "[parameters('storageAccounts_sardniceaccountname_name')]",
  "location": "westindia",
  "sku": {
    "name": "Standard_RAGRS"
  }
}

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-04-01",
  "name": "[parameters('storageAccounts_tpisprod_name')]",
  "location": "eastus",
  "tags": {
    "System Owner": "IA-TPIS"
  }
}
Parameters
  apiVersion (required) - string
  extendedLocation (optional)
    name (optional) - string: The name of the extended location.
    type (optional) - string: The type of the extended location.
  identity (optional)
    type (required) - string: The identity type.
    userAssignedIdentities (optional) - undefined: Gets or sets a list of key value pairs that describe the set of User Assigned identities that will be used with this storage account. The key is the ARM resource identifier of the identity. Only 1 User Assigned identity is permitted here.
  kind (required) - string: Required. Indicates the type of storage account.
  location (required) - string: Required. Gets or sets the location of the resource. This will be one of the supported and registered Azure Geo Regions (e.g. West US, East US, Southeast Asia, etc.). The geo region of a resource cannot be changed once it is created, but if an identical geo region is specified on update, the request will succeed.
  name (required) - string: The name of the storage account within the specified resource group. Storage account names must be between 3 and 24 characters in length and use numbers and lower-case letters only.
  properties (optional)
    accessTier (optional) - string: Required for storage accounts where kind = BlobStorage. The access tier used for billing.
    allowBlobPublicAccess (optional) - boolean: Allow or disallow public access to all blobs or containers in the storage account. The default interpretation is true for this property.
    allowCrossTenantReplication (optional) - boolean: Allow or disallow cross AAD tenant object replication. The default interpretation is true for this property.
    allowSharedKeyAccess (optional) - boolean: Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.
    azureFilesIdentityBasedAuthentication (optional)
      activeDirectoryProperties (optional)
        azureStorageSid (required) - string: Specifies the security identifier (SID) for Azure Storage.
        domainGuid (required) - string: Specifies the domain GUID.
        domainName (required) - string: Specifies the primary domain that the AD DNS server is authoritative for.
        domainSid (required) - string: Specifies the security identifier (SID).
        forestName (required) - string: Specifies the Active Directory forest to get.
        netBiosDomainName (required) - string: Specifies the NetBIOS domain name.
      defaultSharePermission (optional) - string: Default share permission for users using Kerberos authentication if RBAC role is not assigned.
      directoryServiceOptions (required) - string: Indicates the directory service used.
    customDomain (optional)
      name (required) - string: Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source.
      useSubDomainName (optional) - boolean: Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates.
    defaultToOAuthAuthentication (optional) - boolean: A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property.
    encryption (optional)
      identity (optional)
        userAssignedIdentity (optional) - string: Resource identifier of the UserAssigned identity to be associated with server-side encryption on the storage account.
      keySource (required) - string: The encryption keySource (provider). Possible values (case-insensitive): Microsoft.Storage, Microsoft.Keyvault.
      keyvaultproperties (optional)
        keyname (optional) - string: The name of KeyVault key.
        keyvaulturi (optional) - string: The Uri of KeyVault.
        keyversion (optional) - string: The version of KeyVault key.
      requireInfrastructureEncryption (optional) - boolean: A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.
      services (optional)
        blob (optional)
          enabled (optional) - boolean: A boolean indicating whether or not the service encrypts the data as it is stored.
          keyType (optional) - string: Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.
        file (optional)
          enabled (optional) - boolean: A boolean indicating whether or not the service encrypts the data as it is stored.
          keyType (optional) - string: Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.
        queue (optional)
          enabled (optional) - boolean: A boolean indicating whether or not the service encrypts the data as it is stored.
          keyType (optional) - string: Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.
        table (optional)
          enabled (optional) - boolean: A boolean indicating whether or not the service encrypts the data as it is stored.
          keyType (optional) - string: Encryption key type to be used for the encryption service. 'Account' key type implies that an account-scoped encryption key will be used. 'Service' key type implies that a default service key is used.
    immutableStorageWithVersioning (optional)
      enabled (optional) - boolean: A boolean flag which enables account-level immutability. All the containers under such an account have object-level immutability enabled by default.
      immutabilityPolicy (optional)
        allowProtectedAppendWrites (optional) - boolean: This property can only be changed for disabled and unlocked time-based retention policies. When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.
        immutabilityPeriodSinceCreationInDays (optional) - integer: The immutability period for the blobs in the container since the policy creation, in days.
        state (optional) - string: The ImmutabilityPolicy state defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.
    isHnsEnabled (optional) - boolean: Account HierarchicalNamespace enabled if set to true.
    isNfsV3Enabled (optional) - boolean: NFS 3.0 protocol support enabled if set to true.
    keyPolicy (optional)
      keyExpirationPeriodInDays (required) - integer: The key expiration period in days.
    largeFileSharesState (optional) - string: Allow large file shares if set to Enabled. It cannot be disabled once it is enabled.
    minimumTlsVersion (optional) - string: Set the minimum TLS version to be permitted on requests to storage. The default interpretation is TLS 1.0 for this property.
    networkAcls (optional)
      bypass (optional) - string: Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging|Metrics|AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics.
      defaultAction (required) - string: Specifies the default action of allow or deny when no other rules match.
      ipRules (optional array)
        action (optional) - string: The action of IP ACL rule.
        value (required) - string: Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed.
      resourceAccessRules (optional array)
        resourceId (optional) - string: Resource Id
        tenantId (optional) - string: Tenant Id
      virtualNetworkRules (optional array)
        action (optional) - string: The action of virtual network rule.
        id (required) - string: Resource ID of a subnet, for example: /subscriptions/{subscriptionId}/resourceGroups/{groupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}.
        state (optional) - string: Gets the state of virtual network rule.
    publicNetworkAccess (optional) - string: Allow or disallow public network access to Storage Account. Value is optional but if passed in, must be 'Enabled' or 'Disabled'.
    routingPreference (optional)
      publishInternetEndpoints (optional) - boolean: A boolean flag which indicates whether internet routing storage endpoints are to be published.
      publishMicrosoftEndpoints (optional) - boolean: A boolean flag which indicates whether microsoft routing storage endpoints are to be published.
      routingChoice (optional) - string: Routing Choice defines the kind of network routing opted by the user.
    sasPolicy (optional)
      expirationAction (required) - string: The SAS expiration action. Can only be Log.
      sasExpirationPeriod (required) - string: The SAS expiration period, DD.HH:MM:SS.
    supportsHttpsTrafficOnly (optional) - boolean: Allows https traffic only to storage service if set to true. The default value is true since API version 2019-04-01.
  sku (required)
    name (required) - string
    tier (optional) - string
  tags (optional) - string: Gets or sets a list of key value pairs that describe the resource. These tags can be used for viewing and grouping this resource (across resource groups). A maximum of 15 tags can be provided for a resource. Each tag must have a key with a length no greater than 128 characters and a value with a length no greater than 256 characters.
  type (required) - string
Frequently asked questions
What is Azure Storage Account?
Azure Storage Account is a resource for Storage of Microsoft Azure. Its settings can be written in Terraform.
Where can I find the example code for the Azure Storage Account?
For Terraform, the gilyas/infracost, snyk-labs/infrastructure-as-code-goof and CMPGitOpsInnovation/logic-app-ase source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the prash280887/GDTools, prashantakhouri/GDTools and kohithreddy/Samples source code examples are useful. See the Azure Resource Manager Example section for further details.