Azure Storage Blob Inventory Policy

This page shows how to write Terraform and Azure Resource Manager definitions for Storage Blob Inventory Policy, and how to write them securely.

azurerm_storage_blob_inventory_policy (Terraform)

The Blob Inventory Policy in Storage can be configured in Terraform with the resource name azurerm_storage_blob_inventory_policy. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • storage_account_id - (Required) The ID of the storage account to apply this Blob Inventory Policy to. Changing this forces a new Storage Blob Inventory Policy to be created.

  • storage_container_name - (Required) The storage container name to store the blob inventory files. Changing this forces a new Storage Blob Inventory Policy to be created.

  • rules - (Required) One or more rules blocks as defined below.


A filter block supports the following:

  • blob_types - (Required) A set of blob types. Possible values are blockBlob, appendBlob, and pageBlob. A storage account with is_hns_enabled set to true does not support pageBlob.

  • include_blob_versions - (Optional) Whether blob versions are included in the blob inventory. Defaults to false.

  • include_snapshots - (Optional) Whether blob snapshots are included in the blob inventory. Defaults to false.

  • prefix_match - (Optional) A set of strings for blob prefixes to be matched.


A rules block supports the following:

  • filter - (Required) A filter block as defined above.

  • name - (Required) The name which should be used for this Blob Inventory Policy Rule.

In addition to the arguments listed above, the following attributes are exported:

  • id - The ID of the Storage Blob Inventory Policy.
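An added example (not from the Terraform Registry or any GitHub project) that uses exactly the argument set documented on this page, which corresponds to the original azurerm 2.x schema of the resource; later provider versions moved storage_container_name into the rules block and added further rule arguments, so check the documentation for the provider version you pin. Resource names, location and prefixes are constructed, and the storage account applies the two tips given further down this page (HTTPS only, trusted Microsoft services bypass).

```hcl
resource "azurerm_resource_group" "example" {
  name     = "rg-inventory-example" # constructed
  location = "westeurope"
}

# Storage account hardened per the tips on this page: HTTPS only, and
# network rules that deny by default but let trusted Microsoft services
# bypass (the inline block is equivalent to azurerm_storage_account_network_rules).
resource "azurerm_storage_account" "inventory" {
  name                     = "stinventoryexample001" # constructed
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

# Inventory files list every matching blob in the account, so the
# destination container must stay private.
resource "azurerm_storage_container" "inventory" {
  name                  = "blob-inventory"
  storage_account_name  = azurerm_storage_account.inventory.name
  container_access_type = "private"
}

resource "azurerm_storage_blob_inventory_policy" "example" {
  storage_account_id     = azurerm_storage_account.inventory.id
  storage_container_name = azurerm_storage_container.inventory.name

  rules {
    name = "versioned-data-blobs"
    filter {
      # Add pageBlob only if the account does not have is_hns_enabled = true.
      blob_types            = ["blockBlob", "appendBlob"]
      include_blob_versions = true
      include_snapshots     = true
      prefix_match          = ["logs/", "backups/"] # constructed prefixes
    }
  }
}
```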

Explanation in Terraform Registry

Manages a Storage Blob Inventory Policy.

Tips: Best Practices for Other Azure Storage Resources

In addition to azurerm_storage_account, Azure Storage has other resources that should be configured with security in mind. Below are some examples of those resources and the precautions to take.

azurerm_storage_account

Ensure to use HTTPS connections

It is better to use HTTPS instead of HTTP, which could be vulnerable to person-in-the-middle attacks.

azurerm_storage_account_network_rules

Ensure to allow Trusted Microsoft Services to bypass

It is better to allow Trusted Microsoft Services to bypass the network rules. Otherwise they cannot access the storage account unless rules are set to allow them explicitly.

Review your Azure Storage settings

In addition to the above, there are other security points you should be aware of. Make sure your .tf files are protected in Shisho Cloud.

Microsoft.Storage/storageAccounts/inventoryPolicies (Azure Resource Manager)

The storageAccounts/inventoryPolicies in Microsoft.Storage can be configured in Azure Resource Manager with the resource name Microsoft.Storage/storageAccounts/inventoryPolicies. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

  • apiVersion required - string
  • name required - string

    The name of the storage account blob inventory policy. It should always be 'default'.

  • properties optional
      • policy required
          • enabled required - boolean

            Policy is enabled if set to true.

          • rules required array
              • definition required
                  • filters optional
                      • blobTypes optional - array

                        An array of predefined enum values. Valid values include blockBlob, appendBlob, and pageBlob. HNS-enabled accounts do not support pageBlob. This field is required when the definition.objectType property is set to 'Blob'.

                      • includeBlobVersions optional - boolean

                        Includes blob versions in the blob inventory when set to true. The definition.schemaFields values 'VersionId' and 'IsCurrentVersion' are required if this property is set to true; otherwise they must be excluded.

                      • includeSnapshots optional - boolean

                        Includes blob snapshots in the blob inventory when set to true. The definition.schemaFields value 'Snapshot' is required if this property is set to true; otherwise it must be excluded.

                      • prefixMatch optional - array

                        An array of strings for blob prefixes to be matched.

                  • format required - string

                    This is a required field; it specifies the format of the inventory files.

                  • objectType required - string

                    This is a required field. It specifies the scope of the inventory: either the blob or the container level.

                  • schedule required - string

                    This is a required field. It schedules the generation of the inventory.

                  • schemaFields required - array

                    This is a required field. It specifies the fields and properties of the object to be included in the inventory. The schema field value 'Name' is always required. The valid values for the 'Blob' definition.objectType are 'Name, Creation-Time, Last-Modified, Content-Length, Content-MD5, BlobType, AccessTier, AccessTierChangeTime, AccessTierInferred, Tags, Expiry-Time, hdi_isfolder, Owner, Group, Permissions, Acl, Snapshot, VersionId, IsCurrentVersion, Metadata, LastAccessTime'. The valid values for the 'Container' definition.objectType are 'Name, Last-Modified, Metadata, LeaseStatus, LeaseState, LeaseDuration, PublicAccess, HasImmutabilityPolicy, HasLegalHold'. The schema field values 'Expiry-Time, hdi_isfolder, Owner, Group, Permissions, Acl' are valid only for HNS-enabled accounts; the 'Tags' field is valid only for non-HNS accounts.

              • destination required - string

                Container name where blob inventory files are stored. Must be pre-created.

              • enabled required - boolean

                Rule is enabled when set to true.

              • name required - string

                A rule name can contain any combination of alphanumeric characters. Rule names are case-sensitive and must be unique within a policy.

          • type required - string

            The valid value is Inventory.

  • systemData optional
      • createdAt optional - string

        The timestamp of resource creation (UTC).

      • createdBy optional - string

        The identity that created the resource.

      • createdByType optional - string

        The type of identity that created the resource.

      • lastModifiedAt optional - string

        The timestamp of resource last modification (UTC).

      • lastModifiedBy optional - string

        The identity that last modified the resource.

      • lastModifiedByType optional - string

        The type of identity that last modified the resource.

  • type required - string
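The ARM resource above, as an added example that is not from this page, Microsoft, or any GitHub project. It is written as Terraform so that both examples on this page use one language: the template body is the JSON you would otherwise put in an ARM template file, deployed through azurerm_resource_group_template_deployment. The apiVersion, resource group, account and container names are assumptions; the point is keeping schemaFields consistent with the includeBlobVersions and includeSnapshots filters, as the parameter descriptions require.

```hcl
resource "azurerm_resource_group_template_deployment" "inventory_policy" {
  name                = "blob-inventory-policy"
  resource_group_name = "rg-inventory-example" # constructed; must already exist
  deployment_mode     = "Incremental"

  # Template body; jsonencode turns this object into the ARM template JSON.
  template_content = jsonencode({
    "$schema"      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
    contentVersion = "1.0.0.0"
    resources = [{
      type       = "Microsoft.Storage/storageAccounts/inventoryPolicies"
      apiVersion = "2021-04-01" # assumption: use any version that supports this schema
      # The child resource name is always "<storage account name>/default".
      name = "stinventoryexample001/default" # constructed account name
      properties = {
        policy = {
          enabled = true
          type    = "Inventory"
          rules = [{
            name        = "VersionedDataBlobs" # case-sensitive, unique within the policy
            enabled     = true
            destination = "blob-inventory" # constructed; container must be pre-created
            definition = {
              format     = "Csv"
              objectType = "Blob"
              schedule   = "Daily"
              filters = {
                blobTypes           = ["blockBlob", "appendBlob"] # required for objectType Blob
                includeBlobVersions = true
                includeSnapshots    = true
                prefixMatch         = ["logs/"]
              }
              # Name is always required. VersionId and IsCurrentVersion must be
              # present because includeBlobVersions is true, and Snapshot because
              # includeSnapshots is true; drop them if those filters are false.
              # Tags is valid only for non-HNS accounts, so it is left out here.
              schemaFields = [
                "Name", "Creation-Time", "Last-Modified", "Content-Length",
                "Content-MD5", "BlobType", "VersionId", "IsCurrentVersion",
                "Snapshot", "Metadata"
              ]
            }
          }]
        }
      }
    }]
  })
}
```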

Frequently asked questions

What is Azure Storage Blob Inventory Policy?

Azure Storage Blob Inventory Policy is a resource of Microsoft Azure Storage. Its settings can be written in Terraform.