Azure Storage Management Policy
This page shows how to write the Storage Management Policy (the blob lifecycle policy of a storage account) in Terraform and in Azure Resource Manager, and how to configure it and its neighbouring resources securely.
azurerm_storage_management_policy (Terraform)
The Management Policy in Storage can be configured in Terraform with the resource name azurerm_storage_management_policy. The following sections list example excerpts of the resource as found on GitHub (only the first lines of each resource were captured, so the rule bodies are cut off) and then describe the resource's parameters.
Example Usage from GitHub
resource "azurerm_storage_management_policy" "move_to_cold" {
  storage_account_id = var.storage_account_id
  rule {
    name    = "moveToCold"
    enabled = true
    # filters and actions blocks truncated in the source excerpt
  }
}

resource "azurerm_storage_management_policy" "example" {
  storage_account_id = azurerm_storage_account.example.id
  rule {
    name    = "global-policy"
    enabled = true
    filters {
      # filter arguments and the actions block truncated in the source excerpt
    }
  }
}

resource "azurerm_storage_management_policy" "life_cycle_management" {
  count              = var.enable_remote_state ? 1 : 0
  storage_account_id = azurerm_storage_account.terraform_storage_account.*.id[0]
  rule {
    name = "terraformstateexpiration"
    # enabled, filters and actions truncated in the source excerpt
  }
}

resource "azurerm_storage_management_policy" "upload" {
  storage_account_id = azurerm_storage_account.files.id
  rule {
    name    = "cleanUploads"
    enabled = true
    # filters and actions blocks truncated in the source excerpt
  }
}

resource "azurerm_storage_management_policy" "claim-check-example-storage-management-policy" {
  storage_account_id = azurerm_storage_account.storage-account.id
  rule {
    name    = "data-retention"
    enabled = true
    # filters and actions blocks truncated in the source excerpt
  }
}

resource "azurerm_storage_management_policy" "example" {
  storage_account_id = azurerm_storage_account.example.id
  rule {
    name    = "rule1"
    enabled = true
    # filters and actions blocks truncated in the source excerpt
  }
}

resource "azurerm_storage_management_policy" "products" {
  storage_account_id = azurerm_storage_account.products.id
  rule {
    name    = "removeTemporaryBlobs"
    enabled = true
    # filters and actions blocks truncated in the source excerpt
  }
}
resource "azurerm_storage_management_policy" "mgmt_policy" {
  storage_account_id = var.storage_account_id
  dynamic "rule" {
    for_each = var.settings.rules
    # content block truncated in the source excerpt
  }
}
Parameters
id
  optional, computed - string
storage_account_id
  required - string
rule
  list block
  enabled
    required - bool
  name
    required - string
  actions
    list block
    base_blob
      list block
      delete_after_days_since_modification_greater_than
        optional - number
      tier_to_archive_after_days_since_modification_greater_than
        optional - number
      tier_to_cool_after_days_since_modification_greater_than
        optional - number
    snapshot
      list block
      delete_after_days_since_creation_greater_than
        optional - number
  filters
    list block
    blob_types
      optional - set of string
    prefix_match
      optional - set of string
timeouts
  single block
Explanation in Terraform Registry
Manages an Azure Storage Account Management Policy.
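A complete policy built only from the parameters listed above, as an added example (it is not code from the page or from the repositories quoted in the excerpts). It assumes a storage account resource named azurerm_storage_account.state exists in the same module, holding Terraform state in a container called tfstate and scratch uploads in a container called uploads; those names are placeholders.

```hcl
# Added example, not from the page. Assumes azurerm_storage_account.state
# is declared elsewhere in the module; container and prefix names are
# placeholders.
resource "azurerm_storage_management_policy" "retention" {
  storage_account_id = azurerm_storage_account.state.id

  # Rule 1: Terraform state. Cool it after 30 days of inactivity but never
  # archive or delete it: an archived blob must be rehydrated before it can
  # be read, which would break "terraform init" against this backend.
  # Snapshots older than 90 days are removed so stale copies of the state
  # (which may contain secrets in plain text) do not linger.
  rule {
    name    = "tfstate-keep"
    enabled = true

    filters {
      blob_types   = ["blockBlob"]
      prefix_match = ["tfstate/"] # prefix is "<container>/<path>"
    }

    actions {
      base_blob {
        tier_to_cool_after_days_since_modification_greater_than = 30
      }
      snapshot {
        delete_after_days_since_creation_greater_than = 90
      }
    }
  }

  # Rule 2: scratch uploads. Delete anything under uploads/tmp/ after 7 days
  # so unreviewed user content does not accumulate. appendBlob is listed
  # because delete is the one action supported for that blob type.
  rule {
    name    = "tmp-uploads-expire"
    enabled = true

    filters {
      blob_types   = ["blockBlob", "appendBlob"]
      prefix_match = ["uploads/tmp/"]
    }

    actions {
      base_blob {
        delete_after_days_since_modification_greater_than = 7
      }
    }
  }
}
```

Each rule's prefix_match entries start with the container name, so a prefix of "tfstate/" matches the whole tfstate container while "uploads/tmp/" matches only that path inside the uploads container. Rules are evaluated once a day by the platform, so a newly applied delete rule is not enforced immediately.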
Tips: Best Practices for The Other Azure Storage Resources
In addition to azurerm_storage_management_policy, Azure Storage has other resources that should be configured with security in mind. Below are examples of those resources and the precautions to take.
azurerm_storage_account
Ensure HTTPS-only connections
Require HTTPS instead of allowing HTTP. Over plaintext HTTP the SAS tokens and account keys carried in request headers, and the data itself, are exposed to person-in-the-middle attacks. In the azurerm provider this is the enable_https_traffic_only argument of azurerm_storage_account; pair it with min_tls_version so that old TLS versions are rejected as well.
azurerm_storage_account_network_rules
Ensure Trusted Microsoft Services are allowed to bypass the network rules
When default_action is "Deny", trusted Microsoft services (for example Azure Monitor diagnostics and Azure Backup) are blocked like any other client unless the bypass argument lists "AzureServices"; without it, logging and backup jobs fail silently. Allow the bypass and keep the explicit allow-list of subnets and IP ranges as short as possible.
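The two tips above as an added example showing the weak settings next to the hardened ones. This is not code from the page; the variables var.resource_group_name, var.location and var.app_subnet_id, the account names and the IP range are placeholders.

```hcl
# Added example, not from the page. Variable names, account names and the
# 203.0.113.0/24 range (RFC 5737 documentation prefix) are placeholders.

# Weak: cleartext HTTP is accepted and the account answers from any network.
resource "azurerm_storage_account" "weak" {
  name                      = "stweakexample"
  resource_group_name       = var.resource_group_name
  location                  = var.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = false # SAS tokens and data can travel over plaintext HTTP
}

# Hardened: HTTPS only, TLS 1.2 floor, no anonymous access to containers or blobs.
resource "azurerm_storage_account" "hardened" {
  name                            = "sthardenedexample"
  resource_group_name             = var.resource_group_name
  location                        = var.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  enable_https_traffic_only       = true
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}

# Network rules for the hardened account: deny by default, allow one
# application subnet and one office egress range, and let trusted Microsoft
# services plus the platform's own logging and metrics pipelines through.
resource "azurerm_storage_account_network_rules" "hardened" {
  storage_account_id         = azurerm_storage_account.hardened.id
  default_action             = "Deny"
  bypass                     = ["AzureServices", "Logging", "Metrics"]
  ip_rules                   = ["203.0.113.0/24"]
  virtual_network_subnet_ids = [var.app_subnet_id]
}
```

The firewall only matters once default_action is "Deny"; with the default "Allow" the bypass list is irrelevant because everything is admitted anyway. Azure rejects private (RFC 1918) ranges in ip_rules, so on-premises access over a private link or VPN has to come through a subnet rule or a private endpoint rather than an IP rule.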
Microsoft.Storage/storageAccounts/managementPolicies (Azure Resource Manager)
The storageAccounts/managementPolicies resource in Microsoft.Storage can be configured in Azure Resource Manager with the resource type name Microsoft.Storage/storageAccounts/managementPolicies. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
apiVersion
  required - string
name
  required - string - The name of the Storage Account Management Policy. It should always be 'default'.
properties
  optional
  policy
    required
    rules
      required - array
      definition
        required
        actions
          required
          baseBlob
            optional
            delete
              optional
              daysAfterLastAccessTimeGreaterThan
                optional - number - Value indicating the age in days after last blob access. This property can only be used in conjunction with a last access time tracking policy.
              daysAfterModificationGreaterThan
                optional - number - Value indicating the age in days after last modification.
            enableAutoTierToHotFromCool
              optional - boolean - Enables auto tiering of a blob from cool to hot on a blob access. This property requires tierToCool.daysAfterLastAccessTimeGreaterThan.
            tierToArchive
              optional
              daysAfterLastAccessTimeGreaterThan
                optional - number - Value indicating the age in days after last blob access. This property can only be used in conjunction with a last access time tracking policy.
              daysAfterModificationGreaterThan
                optional - number - Value indicating the age in days after last modification.
            tierToCool
              optional
              daysAfterLastAccessTimeGreaterThan
                optional - number - Value indicating the age in days after last blob access. This property can only be used in conjunction with a last access time tracking policy.
              daysAfterModificationGreaterThan
                optional - number - Value indicating the age in days after last modification.
          snapshot
            optional
            delete
              optional
              daysAfterCreationGreaterThan
                required - number - Value indicating the age in days after creation.
            tierToArchive
              optional
              daysAfterCreationGreaterThan
                required - number - Value indicating the age in days after creation.
            tierToCool
              optional
              daysAfterCreationGreaterThan
                required - number - Value indicating the age in days after creation.
          version
            optional
            delete
              optional
              daysAfterCreationGreaterThan
                required - number - Value indicating the age in days after creation.
            tierToArchive
              optional
              daysAfterCreationGreaterThan
                required - number - Value indicating the age in days after creation.
            tierToCool
              optional
              daysAfterCreationGreaterThan
                required - number - Value indicating the age in days after creation.
        filters
          optional
          blobIndexMatch
            optional - array
            name
              required - string - The filter tag name; it can have 1 - 128 characters.
            op
              required - string - The comparison operator used for object comparison and filtering. Only == (the equality operator) is currently supported.
            value
              required - string - The filter tag value used for tag-based filtering; it can have 0 - 256 characters.
          blobTypes
            required - array - An array of predefined enum values. Currently blockBlob supports all tiering and delete actions. Only delete actions are supported for appendBlob.
          prefixMatch
            optional - array - An array of string prefixes to match.
      enabled
        optional - boolean - The rule is enabled if set to true.
      name
        required - string - A rule name can contain any combination of alphanumeric characters. The rule name is case-sensitive and must be unique within a policy.
      type
        required - string - The only valid value is Lifecycle.
type
  required - string
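Since no ARM example was found on GitHub, here is an added one (not from the page) that deploys the resource described by the schema above through the azurerm provider's azurerm_resource_group_template_deployment resource, so the ARM form can live in the same Terraform code base. It assumes the storage account named by var.storage_account_name already exists in var.resource_group_name and has blob versioning enabled; the container, tag and retention values are placeholders.

```hcl
# Added example, not from the page. Assumes the storage account already
# exists with blob versioning enabled; var.* names and the "logs" container
# are placeholders.
resource "azurerm_resource_group_template_deployment" "lifecycle" {
  name                = "storage-lifecycle-policy"
  resource_group_name = var.resource_group_name
  # Never use "Complete" for a policy-only deployment: Complete mode deletes
  # every resource in the group that is not listed in this template.
  deployment_mode = "Incremental"

  template_content = jsonencode({
    "$schema"      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
    contentVersion = "1.0.0.0"
    resources = [{
      type       = "Microsoft.Storage/storageAccounts/managementPolicies"
      apiVersion = "2021-09-01"
      # Child resource of the account; the policy segment must be "default".
      name = "${var.storage_account_name}/default"
      properties = {
        policy = {
          rules = [{
            name    = "logs-retention"
            enabled = true
            type    = "Lifecycle" # the only valid value
            definition = {
              filters = {
                blobTypes   = ["blockBlob"]
                prefixMatch = ["logs/"]
                # Both filters must match: blobs under logs/ that also carry
                # the index tag retention == long. Only "==" is supported.
                blobIndexMatch = [{ name = "retention", op = "==", value = "long" }]
              }
              actions = {
                baseBlob = {
                  tierToCool    = { daysAfterModificationGreaterThan = 30 }
                  tierToArchive = { daysAfterModificationGreaterThan = 180 }
                  delete        = { daysAfterModificationGreaterThan = 2555 } # ~7 years
                }
                # Old versions and snapshots of a log must not outlive the
                # retention window; these entries need versioning enabled.
                version  = { delete = { daysAfterCreationGreaterThan = 90 } }
                snapshot = { delete = { daysAfterCreationGreaterThan = 90 } }
              }
            }
          }]
        }
      }
    }]
  })
}
```

Because the policy is a child of the storage account, the template needs no dependsOn when the account is created outside the template; if the account is declared in the same template, add a dependsOn on it. The tierToArchive step is appropriate for logs that are kept for compliance but rarely read; do not apply it to data an application reads on demand, since an archived blob must be rehydrated before it can be served.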
Frequently asked questions
What is Azure Storage Management Policy?
Azure Storage Management Policy is a resource for Storage of Microsoft Azure. Its settings can be written in Terraform or in Azure Resource Manager.
Where can I find the example code for the Azure Storage Management Policy?
For Terraform, the sal12oni/aws_azure_migration, thecomalley/homelab-remote-backup and tmeadon/clippings source code examples are useful. See the Terraform Example section for further details.