Azure Storage Management Policy

This page shows how to declare an Azure Storage Management Policy (blob lifecycle rules) in Terraform and in Azure Resource Manager, and how to configure it securely.

azurerm_storage_management_policy (Terraform)

The Management Policy in Storage can be configured in Terraform with the resource name azurerm_storage_management_policy. The following sections show 10 excerpts of how the resource and its parameters are used in public repositories, followed by the parameter reference.

Example Usage from GitHub

main.tf#L7
resource "azurerm_storage_management_policy" "move_to_cold" {
  storage_account_id = var.storage_account_id

  rule {
    name    = "moveToCold"
    enabled = true

storage.tf#L16
resource "azurerm_storage_management_policy" "example" {
  storage_account_id = azurerm_storage_account.example.id
  rule {
    name    = "global-policy"
    enabled = true
    filters {

remote_state.tf#L23
resource "azurerm_storage_management_policy" "life_cycle_management" {
  count              = var.enable_remote_state ? 1 : 0
  storage_account_id = azurerm_storage_account.terraform_storage_account.*.id[0]

  rule {
    name    = "terraformstateexpiration"

main.tf#L37
resource "azurerm_storage_management_policy" "upload" {
  storage_account_id = azurerm_storage_account.files.id

  rule {
    name    = "cleanUploads"
    enabled = true

main.tf#L28
resource "azurerm_storage_management_policy" "claim-check-example-storage-management-policy" {
  storage_account_id = azurerm_storage_account.storage-account.id

  rule {
    name    = "data-retention"
    enabled = true

storage-mgmt.tf#L10
resource "azurerm_storage_management_policy" "example" {
  storage_account_id = azurerm_storage_account.example.id

  rule {
    name    = "rule1"
    enabled = true

site.tf#L37
resource "azurerm_storage_management_policy" "products" {
  storage_account_id = azurerm_storage_account.products.id

  rule {
    name    = "removeTemporaryBlobs"
    enabled = true

remote_state.tf#L22
resource "azurerm_storage_management_policy" "life_cycle_management" {
  count              = var.enable_remote_state ? 1 : 0
  storage_account_id = azurerm_storage_account.terraform_storage_account.*.id[0]

  rule {
    name    = "terraformstateexpiration"

main.tf#L7
resource "azurerm_storage_management_policy" "move_to_cold" {
  storage_account_id = var.storage_account_id

  rule {
    name    = "moveToCold"
    enabled = true

management_policy.tf#L1
resource "azurerm_storage_management_policy" "mgmt_policy" {
  storage_account_id = var.storage_account_id

  dynamic "rule" {
    for_each = var.settings.rules
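The excerpts above stop before the filters and actions blocks, so here is a complete rule as an added example (not taken from any of the repositories listed on this page). It assumes an azurerm_resource_group named "example" exists and that the azurerm v3 provider is in use; the storage account name is a placeholder. The rule scopes itself to block blobs under one prefix carrying a given index tag, tiers them down over time, and also expires old snapshots and versions so that retention is bounded for every copy of the data, which is the same rule structure (definition, filters, actions) the ARM parameters below describe.

```hcl
# Storage account the policy applies to. Versioning is enabled so the
# "version" action below has something to manage.
resource "azurerm_storage_account" "example" {
  name                      = "stexamplelifecycle" # placeholder, must be globally unique
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  min_tls_version           = "TLS1_2"
  enable_https_traffic_only = true # azurerm v3 name; v4 renamed it https_traffic_only_enabled

  blob_properties {
    versioning_enabled = true
  }
}

resource "azurerm_storage_management_policy" "example" {
  storage_account_id = azurerm_storage_account.example.id

  rule {
    name    = "tfstate-retention" # case-sensitive, unique within the policy
    enabled = true

    filters {
      prefix_match = ["tfstate/"]  # only blobs under this prefix
      blob_types   = ["blockBlob"] # tiering actions are only supported for block blobs
      match_blob_index_tag {
        name      = "retention"
        operation = "==" # equality is the only supported operator
        value     = "standard"
      }
    }

    actions {
      # Current blob: move to cheaper tiers, then delete, by age since last write.
      base_blob {
        tier_to_cool_after_days_since_modification_greater_than    = 30
        tier_to_archive_after_days_since_modification_greater_than = 180
        delete_after_days_since_modification_greater_than          = 365
      }
      # Snapshots and previous versions are measured from their creation time.
      snapshot {
        change_tier_to_cool_after_days_since_creation = 30
        delete_after_days_since_creation_greater_than = 90
      }
      version {
        change_tier_to_cool_after_days_since_creation = 30
        delete_after_days_since_creation              = 90
      }
    }
  }
}
```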

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages an Azure Storage Account Management Policy.

Tips: Best Practices for Other Azure Storage Resources

In addition to azurerm_storage_account, Azure Storage has other resources that should be configured with security in mind. The examples below show some of those resources and the precautions that apply to them.

azurerm_storage_account

Ensure to use HTTPS connections

Require HTTPS rather than HTTP: plain HTTP traffic to a storage account can be read or modified by a person-in-the-middle.

azurerm_storage_account_network_rules

Ensure to allow Trusted Microsoft Services to bypass

It is better to allow Trusted Microsoft Services to bypass the network rules. Once network rules are in place, those services cannot reach the storage account unless the rules explicitly allow them.

Review your Azure Storage settings

In addition to the above, there are other security points to be aware of; Shisho Cloud can check your .tf files for them.

Microsoft.Storage/storageAccounts/managementPolicies (Azure Resource Manager)

The storageAccounts/managementPolicies in Microsoft.Storage can be configured in Azure Resource Manager with the resource name Microsoft.Storage/storageAccounts/managementPolicies. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

  • apiVersion required - string
  • name required - string

    The name of the Storage Account Management Policy. It should always be 'default'

  • properties optional
      • policy required
          • rules required array
              • definition required
                  • actions required
                      • baseBlob optional
                          • delete optional
                              • daysAfterLastAccessTimeGreaterThan optional - number

                                Value indicating the age in days after last blob access. This property can only be used in conjunction with last access time tracking policy

                              • daysAfterModificationGreaterThan optional - number

                                Value indicating the age in days after last modification

                          • enableAutoTierToHotFromCool optional - boolean

                            This property enables auto tiering of a blob from cool to hot on a blob access. This property requires tierToCool.daysAfterLastAccessTimeGreaterThan.

                          • tierToArchive optional
                              • daysAfterLastAccessTimeGreaterThan optional - number

                                Value indicating the age in days after last blob access. This property can only be used in conjunction with last access time tracking policy

                              • daysAfterModificationGreaterThan optional - number

                                Value indicating the age in days after last modification

                          • tierToCool optional
                              • daysAfterLastAccessTimeGreaterThan optional - number

                                Value indicating the age in days after last blob access. This property can only be used in conjunction with last access time tracking policy

                              • daysAfterModificationGreaterThan optional - number

                                Value indicating the age in days after last modification

                      • snapshot optional
                          • delete optional
                              • daysAfterCreationGreaterThan required - number

                                Value indicating the age in days after creation

                          • tierToArchive optional
                              • daysAfterCreationGreaterThan required - number

                                Value indicating the age in days after creation

                          • tierToCool optional
                              • daysAfterCreationGreaterThan required - number

                                Value indicating the age in days after creation

                      • version optional
                          • delete optional
                              • daysAfterCreationGreaterThan required - number

                                Value indicating the age in days after creation

                          • tierToArchive optional
                              • daysAfterCreationGreaterThan required - number

                                Value indicating the age in days after creation

                          • tierToCool optional
                              • daysAfterCreationGreaterThan required - number

                                Value indicating the age in days after creation

                  • filters optional
                      • blobIndexMatch optional array
                          • name required - string

                            This is the filter tag name, it can have 1 - 128 characters

                          • op required - string

                            This is the comparison operator which is used for object comparison and filtering. Only == (equality operator) is currently supported

                          • value required - string

                            This is the filter tag value field used for tag based filtering, it can have 0 - 256 characters

                      • blobTypes required - array

                        An array of predefined enum values. Currently blockBlob supports all tiering and delete actions. Only delete actions are supported for appendBlob.

                      • prefixMatch optional - array

                        An array of string prefixes to be matched.

              • enabled optional - boolean

                Rule is enabled if set to true.

              • name required - string

                A rule name can contain any combination of alphanumeric characters. Rule names are case-sensitive and must be unique within a policy.

              • type required - string

                The valid value is Lifecycle

  • type required - string

Frequently asked questions

What is Azure Storage Management Policy?

Azure Storage Management Policy is a resource for Storage of Microsoft Azure. Its settings can be written in Terraform.

Where can I find the example code for the Azure Storage Management Policy?

For Terraform, the sal12oni/aws_azure_migration, thecomalley/homelab-remote-backup and tmeadon/clippings source code examples are useful. See the Terraform Example section for further details.