Azure Storage Blob Inventory Policy
This page shows how to declare a Storage Blob Inventory Policy in Terraform and in Azure Resource Manager, and how to configure it and the surrounding storage resources securely.
azurerm_storage_blob_inventory_policy (Terraform)
The Blob Inventory Policy in Storage can be configured in Terraform with the resource name azurerm_storage_blob_inventory_policy. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
storage_account_id
- (Required) The ID of the storage account to apply this Blob Inventory Policy to. Changing this forces a new Storage Blob Inventory Policy to be created.
storage_container_name
- (Required) The name of the storage container in which the blob inventory files are stored. The container must already exist. Changing this forces a new Storage Blob Inventory Policy to be created.
rules
- (Required) One or more rules blocks as defined below.
A filter block supports the following:
blob_types
- (Required) A set of blob types. Possible values are blockBlob, appendBlob, and pageBlob. Storage accounts with is_hns_enabled set to true (hierarchical namespace) do not support pageBlob.
include_blob_versions
- (Optional) Whether to include blob versions in the blob inventory. Defaults to false.
include_snapshots
- (Optional) Whether to include blob snapshots in the blob inventory. Defaults to false.
prefix_match
- (Optional) A set of blob name prefixes to match. Only blobs whose names start with one of these prefixes are included in the inventory.
A rules block supports the following:
filter
- (Required) A filter block as defined above.
name
- (Required) The name which should be used for this Blob Inventory Policy Rule. Rule names are alphanumeric, case-sensitive and must be unique within the policy.
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the Storage Blob Inventory Policy.
Explanation in Terraform Registry
Manages a Storage Blob Inventory Policy.
Tips: Best Practices for The Other Azure Storage Resources
Besides azurerm_storage_account itself, Azure Storage has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take with them.
azurerm_storage_account
Ensure that only HTTPS connections are accepted
Require HTTPS rather than HTTP: traffic over plain HTTP can be read or modified by a person-in-the-middle attacker. In azurerm_storage_account this is controlled by the enable_https_traffic_only argument, which should be true; pairing it with min_tls_version = "TLS1_2" also rejects legacy TLS versions.
azurerm_storage_account_network_rules
Ensure that Trusted Microsoft Services are allowed to bypass the network rules
Allow Trusted Microsoft Services to bypass the storage account network rules (bypass = ["AzureServices"] in azurerm_storage_account_network_rules). When default_action is "Deny", Microsoft services that need to read from or write to the account cannot reach it unless the rules explicitly allow them. The bypass only has an effect together with a Deny default; with default_action = "Allow" every network can reach the account anyway.
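A complete configuration that ties the azurerm_storage_blob_inventory_policy arguments listed above together with the azurerm_storage_account and azurerm_storage_account_network_rules tips, as an added example; this is not code from the page or from the azurerm provider documentation. It follows the argument set described on this page (top-level storage_container_name, rules with name and filter only, i.e. the early azurerm 2.x schema of the resource). Resource names, the location and the IP range are placeholders.

```hcl
# Added example: a hardened storage account with a blob inventory policy.
# All names, the location and 203.0.113.0/24 are placeholders to replace.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.0" # assumption: the 2.x argument set documented on this page
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-blob-inventory-example"
  location = "westeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "stinventoryexample01" # placeholder: globally unique, 3-24 lowercase letters/digits
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Tip "HTTPS connections": refuse plaintext HTTP and legacy TLS.
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"

  # Inventory files list every blob name and its metadata, so no container
  # in this account may be switched to anonymous public access.
  allow_blob_public_access = false

  # include_blob_versions below only lists something if versioning is on.
  blob_properties {
    versioning_enabled = true
  }
}

resource "azurerm_storage_account_network_rules" "example" {
  storage_account_id = azurerm_storage_account.example.id

  # Deny by default, then allow only known egress ranges. The host running
  # terraform must be inside ip_rules: azurerm_storage_container uses the
  # blob data plane, which these rules also govern.
  default_action = "Deny"
  ip_rules       = ["203.0.113.0/24"] # placeholder

  # Tip "Trusted Microsoft Services": without this, first-party services
  # that need the account are blocked by the Deny default.
  bypass = ["AzureServices"]
}

# Destination container for the inventory output; must exist before the policy.
resource "azurerm_storage_container" "inventory" {
  name                  = "blob-inventory"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
}

resource "azurerm_storage_blob_inventory_policy" "example" {
  storage_account_id     = azurerm_storage_account.example.id
  storage_container_name = azurerm_storage_container.inventory.name

  # Rule names are alphanumeric only (no hyphens) and case-sensitive.
  rules {
    name = "uploadsWithHistory"
    filter {
      # pageBlob left out so the same rule is also valid on is_hns_enabled accounts.
      blob_types            = ["blockBlob", "appendBlob"]
      include_blob_versions = true
      include_snapshots     = true
      prefix_match          = ["uploads/"]
    }
  }

  rules {
    name = "everythingCurrent"
    filter {
      blob_types = ["blockBlob", "appendBlob", "pageBlob"]
    }
  }
}
```

In azurerm 3.x and later the resource was restructured: storage_container_name moved into each rules block, which also gained format, schedule, scope and schema_fields, and allow_blob_public_access became allow_nested_items_to_be_public. Check the argument reference of the provider version you pin before copying the block.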
Microsoft.Storage/storageAccounts/inventoryPolicies (Azure Resource Manager)
The storageAccounts/inventoryPolicies in Microsoft.Storage can be configured in Azure Resource Manager with the resource name Microsoft.Storage/storageAccounts/inventoryPolicies. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
apiVersion
  required - string
name
  required - string. The name of the storage account blob inventory policy. It should always be 'default'.
properties
  optional
  policy
    required
    enabled
      required - boolean. The policy is enabled if set to true.
    rules
      required - array. Each element is a rule with the following properties:
      definition
        required
        filters
          optional
          blobTypes
            optional - array. An array of predefined enum values. Valid values are blockBlob, appendBlob and pageBlob. HNS (hierarchical namespace) accounts do not support pageBlob. This field is required when definition.objectType is set to 'Blob'.
          includeBlobVersions
            optional - boolean. Includes blob versions in the blob inventory when set to true. The definition.schemaFields values 'VersionId' and 'IsCurrentVersion' are required if this property is true; otherwise they must be excluded.
          includeSnapshots
            optional - boolean. Includes blob snapshots in the blob inventory when set to true. The definition.schemaFields value 'Snapshot' is required if this property is true; otherwise it must be excluded.
          prefixMatch
            optional - array. An array of strings for blob prefixes to be matched.
        format
          required - string. The format of the inventory files (Csv or Parquet).
        objectType
          required - string. The scope of the inventory: 'Blob' for a blob-level inventory or 'Container' for a container-level one.
        schedule
          required - string. How often the inventory is produced (Daily or Weekly).
        schemaFields
          required - array. The fields and properties of the object to be included in the inventory. The value 'Name' is always required.
          Valid values for the 'Blob' objectType: Name, Creation-Time, Last-Modified, Content-Length, Content-MD5, BlobType, AccessTier, AccessTierChangeTime, AccessTierInferred, Tags, Expiry-Time, hdi_isfolder, Owner, Group, Permissions, Acl, Snapshot, VersionId, IsCurrentVersion, Metadata, LastAccessTime.
          Valid values for the 'Container' objectType: Name, Last-Modified, Metadata, LeaseStatus, LeaseState, LeaseDuration, PublicAccess, HasImmutabilityPolicy, HasLegalHold.
          The values Expiry-Time, hdi_isfolder, Owner, Group, Permissions and Acl are valid only for HNS-enabled accounts; 'Tags' is valid only for non-HNS accounts.
      destination
        required - string. The name of the container in which the blob inventory files are stored. It must be pre-created.
      enabled
        required - boolean. The rule is enabled when set to true.
      name
        required - string. A rule name can contain any combination of alphanumeric characters. Rule names are case-sensitive and must be unique within a policy.
    type
      required - string. The only valid value is Inventory.
systemData
  optional (read-only metadata set by the platform)
  createdAt
    optional - string. The timestamp of resource creation (UTC).
  createdBy
    optional - string. The identity that created the resource.
  createdByType
    optional - string. The type of identity that created the resource.
  lastModifiedAt
    optional - string. The timestamp of the resource's last modification (UTC).
  lastModifiedBy
    optional - string. The identity that last modified the resource.
  lastModifiedByType
    optional - string. The type of identity that last modified the resource.
type
  required - string. Always Microsoft.Storage/storageAccounts/inventoryPolicies.
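An ARM template that exercises the parameters above, as an added example; it is not code from the page or from Microsoft's documentation. It assumes an existing StorageV2 account passed in as storageAccountName, creates the private destination container itself (the destination must be pre-created, so the policy depends on it), and uses apiVersion 2022-09-01 and the container name blob-inventory as assumptions. The first rule uses the 'Container' objectType with PublicAccess, HasImmutabilityPolicy and HasLegalHold from the Container field list, which yields a daily record of which containers are anonymously readable and which are WORM-protected; the second rule shows the Blob objectType with the version and snapshot fields that includeBlobVersions and includeSnapshots require.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Added example, not from the page. Assumes an existing StorageV2 account; apiVersion 2022-09-01 and the container name are assumptions."
  },
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": { "description": "Existing StorageV2 storage account to attach the policy to." }
    }
  },
  "variables": {
    "inventoryContainer": "blob-inventory"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2022-09-01",
      "name": "[format('{0}/default/{1}', parameters('storageAccountName'), variables('inventoryContainer'))]",
      "properties": {
        "publicAccess": "None"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/inventoryPolicies",
      "apiVersion": "2022-09-01",
      "name": "[format('{0}/default', parameters('storageAccountName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/blobServices/containers', parameters('storageAccountName'), 'default', variables('inventoryContainer'))]"
      ],
      "properties": {
        "policy": {
          "enabled": true,
          "type": "Inventory",
          "rules": [
            {
              "name": "containerExposureAudit",
              "enabled": true,
              "destination": "[variables('inventoryContainer')]",
              "definition": {
                "objectType": "Container",
                "format": "Csv",
                "schedule": "Daily",
                "schemaFields": [
                  "Name",
                  "Last-Modified",
                  "PublicAccess",
                  "HasImmutabilityPolicy",
                  "HasLegalHold",
                  "LeaseState"
                ]
              }
            },
            {
              "name": "uploadsWithHistory",
              "enabled": true,
              "destination": "[variables('inventoryContainer')]",
              "definition": {
                "objectType": "Blob",
                "format": "Parquet",
                "schedule": "Weekly",
                "filters": {
                  "blobTypes": [ "blockBlob", "appendBlob" ],
                  "prefixMatch": [ "uploads/" ],
                  "includeBlobVersions": true,
                  "includeSnapshots": true
                },
                "schemaFields": [
                  "Name",
                  "Creation-Time",
                  "Last-Modified",
                  "Content-Length",
                  "Content-MD5",
                  "BlobType",
                  "AccessTier",
                  "Snapshot",
                  "VersionId",
                  "IsCurrentVersion"
                ]
              }
            }
          ]
        }
      }
    }
  ]
}
```

Deploy it with az deployment group create --resource-group <rg> --template-file inventory.json --parameters storageAccountName=<account>. Rule names are alphanumeric only, the policy name must be default, and the filters block is omitted on the Container rule because blobTypes is only meaningful when objectType is Blob.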