Azure Storage Object Replication
This page shows how to write Terraform and Azure Resource Manager configurations for Storage Object Replication, and how to write them securely.
azurerm_storage_object_replication (Terraform)
The Object Replication in Storage can be configured in Terraform with the resource name azurerm_storage_object_replication. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
source_storage_account_id
- (Required) The ID of the source storage account. Changing this forces a new Storage Object Replication to be created.
destination_storage_account_id
- (Required) The ID of the destination storage account. Changing this forces a new Storage Object Replication to be created.
rules
- (Required) One or more rules blocks as defined below.
A rules block supports the following:
source_container_name
- (Required) The source storage container name. Changing this forces a new Storage Object Replication to be created.
destination_container_name
- (Required) The destination storage container name. Changing this forces a new Storage Object Replication to be created.
copy_blobs_created_after
- (Optional) The time after which the Block Blobs created will be copied to the destination. Possible values are OnlyNewObjects, Everything and a time in RFC3339 format: 2006-01-02T15:04:00Z.
filter_out_blobs_with_prefix
- (Optional) Specifies a list of prefix filters; the blobs whose names begin with one of these prefixes will be replicated.
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the Storage Object Replication in the destination storage account. It is composed in the format source_object_replication_id;destination_object_replication_id.
source_object_replication_id
- The ID of the Object Replication in the source storage account.
destination_object_replication_id
- The ID of the Object Replication in the destination storage account.
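A minimal end-to-end configuration using the arguments above, added here as an example (it is not taken from the Terraform Registry or from the provider's own documentation). All resource names and the location are placeholders, and the argument names assume azurerm 3.x. The blob_properties settings reflect Azure's requirement that blob versioning is enabled on both accounts and the change feed on the source.

```hcl
# Added example: every resource name and the location are placeholders.
resource "azurerm_resource_group" "example" {
  name     = "objrepl-example-rg"
  location = "West Europe"
}

resource "azurerm_storage_account" "src" {
  name                     = "objreplsrcexample"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  blob_properties {
    versioning_enabled  = true # the source needs blob versioning
    change_feed_enabled = true # and the change feed
  }
}

resource "azurerm_storage_account" "dst" {
  name                     = "objrepldstexample"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  blob_properties {
    versioning_enabled = true # the destination needs blob versioning
  }
}

resource "azurerm_storage_container" "src" {
  name                 = "source-data"
  storage_account_name = azurerm_storage_account.src.name # access defaults to private
}

resource "azurerm_storage_container" "dst" {
  name                 = "replica-data"
  storage_account_name = azurerm_storage_account.dst.name
}

resource "azurerm_storage_object_replication" "example" {
  source_storage_account_id      = azurerm_storage_account.src.id
  destination_storage_account_id = azurerm_storage_account.dst.id
  rules {
    source_container_name        = azurerm_storage_container.src.name
    destination_container_name   = azurerm_storage_container.dst.name
    copy_blobs_created_after     = "OnlyNewObjects" # or "Everything" or an RFC3339 time
    filter_out_blobs_with_prefix = ["reports/"]     # only blobs under this prefix replicate
  }
}
```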
Explanation in Terraform Registry
Manages a Storage Object Replication.
Tips: Best Practices for The Other Azure Storage Resources
In addition to azurerm_storage_account, Azure Storage has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
azurerm_storage_account
Ensure to use HTTPS connections
It is better to use HTTPS instead of HTTP, which could be vulnerable to person-in-the-middle attacks.
azurerm_storage_account_network_rules
Ensure to allow Trusted Microsoft Services to bypass
It is better to allow Trusted Microsoft Services to bypass the network rules. They are not able to access the storage account unless rules are set to allow them explicitly.
Microsoft.Storage/storageAccounts/objectReplicationPolicies (Azure Resource Manager)
The storageAccounts/objectReplicationPolicies in Microsoft.Storage can be configured in Azure Resource Manager with the resource name Microsoft.Storage/storageAccounts/objectReplicationPolicies. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
apiVersion
required - string
name
required - string
For the destination account, provide the value 'default'. Configure the policy on the destination account first. For the source account, provide the value of the policy ID that is returned when you download the policy that was defined on the destination account. The policy is downloaded as a JSON file.
properties
optional
  destinationAccount
  required - string
  Required. Destination account name. It should be the full resource ID if allowCrossTenantReplication is set to false.
  rules
  optional array
    destinationContainer
    required - string
    Required. Destination container name.
    filters
    optional
      minCreationTime
      optional - string
      Blobs created after the time will be replicated to the destination. It must be in datetime format 'yyyy-MM-ddTHH:mm:ssZ'. Example: 2020-02-19T16:05:00Z
      prefixMatch
      optional - array
      Optional. Filters the results to replicate only blobs whose names begin with the specified prefix.
    ruleId
    optional - string
    Rule ID is auto-generated for each new rule on the destination account. It is required when putting the policy on the source account.
    sourceContainer
    required - string
    Required. Source container name.
  sourceAccount
  required - string
  Required. Source account name. It should be the full resource ID if allowCrossTenantReplication is set to false.
type
required - string