Skip to content

azurermStorageAccount

Manages an Azure Storage Account.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    account_replication_type: "GRS",
    account_tier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "storageaccountname",
    resource_group_name: azurermResourceGroupExample.name,
    tags: {
      environment: "staging",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");

Example Usage with Network Rules

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "virtnetname",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_2", {
  address_prefixes: ["10.0.2.0/24"],
  name: "subnetname",
  resource_group_name: azurermResourceGroupExample.name,
  service_endpoints: ["Microsoft.Sql", "Microsoft.Storage"],
  virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_3",
  {
    account_replication_type: "LRS",
    account_tier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "storageaccountname",
    network_rules: [
      {
        default_action: "Deny",
        ip_rules: ["100.0.0.1"],
        virtual_network_subnet_ids: [azurermSubnetExample.id],
      },
    ],
    resource_group_name: azurermResourceGroupExample.name,
    tags: {
      environment: "staging",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the storage account. Only lowercase Alphanumeric characters allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group.

  • resourceGroupName - (Required) The name of the resource group in which to create the storage account. Changing this forces a new resource to be created.

  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • accountKind - (Optional) Defines the Kind of account. Valid options are blobStorage, blockBlobStorage, fileStorage, storage and storageV2. Defaults to storageV2.

-> NOTE: Changing the accountKind value from storage to storageV2 will not trigger a force new on the storage account, it will only upgrade the existing storage account from storage to storageV2 keeping the existing storage account in place.

  • accountTier - (Required) Defines the Tier to use for this storage account. Valid options are standard and premium. For blockBlobStorage and fileStorage accounts only premium is valid. Changing this forces a new resource to be created.

-> NOTE: Blobs with a tier of premium are of account kind storageV2.

  • accountReplicationType - (Required) Defines the type of replication to use for this storage account. Valid options are lrs, grs, ragrs, zrs, gzrs and ragzrs.

  • crossTenantReplicationEnabled - (Optional) Should cross Tenant replication be enabled? Defaults to true.

  • accessTier - (Optional) Defines the access tier for blobStorage, fileStorage and storageV2 accounts. Valid options are hot and cool, defaults to hot.

  • edgeZone - (Optional) Specifies the Edge Zone within the Azure Region where this Storage Account should exist. Changing this forces a new Storage Account to be created.

  • enableHttpsTrafficOnly - (Optional) Boolean flag which forces HTTPS if enabled, see here for more information. Defaults to true.

  • minTlsVersion - (Optional) The minimum supported TLS version for the storage account. Possible values are tls10, tls11, and tls12. Defaults to tls12 for new storage accounts.

-> NOTE: At this time minTlsVersion is only supported in the Public Cloud, China Cloud, and US Government Cloud.

  • allowNestedItemsToBePublic - (Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to true.

-> NOTE: At this time allowNestedItemsToBePublic is only supported in the Public Cloud, China Cloud, and US Government Cloud.

  • sharedAccessKeyEnabled - (Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is true.

\~> Note: Terraform uses Shared Key Authorisation to provision Storage Containers, Blobs and other items - when Shared Key Access is disabled, you will need to enable the storageUseAzuread flag in the Provider block to use Azure AD for authentication, however not all Azure Storage services support Active Directory authentication.

  • publicNetworkAccessEnabled - (Optional) Whether the public network access is enabled? Defaults to true.

  • defaultToOauthAuthentication - (Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is false

  • isHnsEnabled - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 (see here for more information). Changing this forces a new resource to be created.

-> NOTE: This can only be true when accountTier is standard or when accountTier is premium and accountKind is blockBlobStorage

  • nfsv3Enabled - (Optional) Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to false.

-> NOTE: This can only be true when accountTier is standard and accountKind is storageV2, or accountTier is premium and accountKind is blockBlobStorage. Additionally, the isHnsEnabled is true.

  • customDomain - (Optional) A customDomain block as documented below.

  • customerManagedKey - (Optional) A customerManagedKey block as documented below.

  • identity - (Optional) An identity block as defined below.

  • blobProperties - (Optional) A blobProperties block as defined below.

  • queueProperties - (Optional) A queueProperties block as defined below.

\~> NOTE: queueProperties cannot be set when the accountKind is set to blobStorage

  • staticWebsite - (Optional) A staticWebsite block as defined below.

\~> NOTE: staticWebsite can only be set when the accountKind is set to storageV2 or blockBlobStorage.

  • shareProperties - (Optional) A shareProperties block as defined below.

  • networkRules - (Optional) A networkRules block as documented below.

  • largeFileShareEnabled - (Optional) Is Large File Share Enabled?

  • azureFilesAuthentication - (Optional) A azureFilesAuthentication block as defined below.

  • routing - (Optional) A routing block as defined below.

  • queueEncryptionKeyType - (Optional) The encryption type of the queue service. Possible values are service and account. Changing this forces a new resource to be created. Default value is service.

  • tableEncryptionKeyType - (Optional) The encryption type of the table service. Possible values are service and account. Changing this forces a new resource to be created. Default value is service.

\~> NOTE: For the queueEncryptionKeyType and tableEncryptionKeyType, the account key type is only allowed when the accountKind is set to storageV2

  • infrastructureEncryptionEnabled - (Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to false.

-> NOTE: This can only be true when accountKind is storageV2 or when accountTier is premium and accountKind is one of blockBlobStorage or fileStorage.

  • immutabilityPolicy - (Optional) An immutabilityPolicy block as defined below. Changing this forces a new resource to be created.

  • sasPolicy - (Optional) A sasPolicy block as defined below.

  • allowedCopyScope - (Optional) Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are aad and privateLink.

  • sftpEnabled - (Optional) Boolean, enable SFTP for the storage account

-> NOTE: SFTP support requires isHnsEnabled set to true. More information on SFTP support can be found here. Defaults to false

  • tags - (Optional) A mapping of tags to assign to the resource.

A blobProperties block supports the following:

  • corsRule - (Optional) A corsRule block as defined below.

  • deleteRetentionPolicy - (Optional) A deleteRetentionPolicy block as defined below.

  • restorePolicy - (Optional) A restorePolicy block as defined below. This must be used together with deleteRetentionPolicy set, versioningEnabled and changeFeedEnabled set to true.

  • versioningEnabled - (Optional) Is versioning enabled? Default to false.

  • changeFeedEnabled - (Optional) Is the blob service properties for change feed events enabled? Default to false.

  • changeFeedRetentionInDays - (Optional) The duration of change feed events retention in days. The possible values are between 1 and 146000 days (400 years). Setting this to null (or omit this in the configuration file) indicates an infinite retention of the change feed.

  • defaultServiceVersion - (Optional) The API Version which should be used by default for requests to the Data Plane API if an incoming request doesn't specify an API Version.

  • lastAccessTimeEnabled - (Optional) Is the last access time based tracking enabled? Default to false.

  • containerDeleteRetentionPolicy - (Optional) A containerDeleteRetentionPolicy block as defined below.

A corsRule block supports the following:

  • allowedHeaders - (Required) A list of headers that are allowed to be a part of the cross-origin request.

  • allowedMethods - (Required) A list of HTTP methods that are allowed to be executed by the origin. Valid options are delete, get, head, merge, post, options, put or patch.

  • allowedOrigins - (Required) A list of origin domains that will be allowed by CORS.

  • exposedHeaders - (Required) A list of response headers that are exposed to CORS clients.

  • maxAgeInSeconds - (Required) The number of seconds the client should cache a preflight response.

A customDomain block supports the following:

  • name - (Required) The Custom Domain Name to use for the Storage Account, which will be validated by Azure.

  • useSubdomain - (Optional) Should the Custom Domain Name be validated by using indirect CNAME validation?

A customerManagedKey block supports the following:

  • keyVaultKeyId - (Required) The ID of the Key Vault Key, supplying a version-less key ID will enable auto-rotation of this key.

  • userAssignedIdentityId - (Required) The ID of a user assigned identity.

\~> NOTE: customerManagedKey can only be set when the accountKind is set to storageV2 or accountTier set to premium, and the identity type is userAssigned.

A deleteRetentionPolicy block supports the following:

  • days - (Optional) Specifies the number of days that the blob should be retained, between 1 and 365 days. Defaults to 7.

A restorePolicy block supports the following:

  • days - (Required) Specifies the number of days that the blob can be restored, between 1 and 365 days. This must be less than the days specified for deleteRetentionPolicy.

A containerDeleteRetentionPolicy block supports the following:

  • days - (Optional) Specifies the number of days that the container should be retained, between 1 and 365 days. Defaults to 7.

A hourMetrics block supports the following:

  • enabled - (Required) Indicates whether hour metrics are enabled for the Queue service.

  • version - (Required) The version of storage analytics to configure.

  • includeApis - (Optional) Indicates whether metrics should generate summary statistics for called API operations.

  • retentionPolicyDays - (Optional) Specifies the number of days that logs will be retained.

An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are systemAssigned, userAssigned, systemAssigned,UserAssigned (to enable both).

  • identityIds - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account.

\~> NOTE: This is required when type is set to userAssigned or systemAssigned,UserAssigned.

\~> The assigned principalId and tenantId can be retrieved after the identity type has been set to systemAssigned and Storage Account has been created. More details are available below.

An immutabilityPolicy block supports the following:

\~> NOTE: This argument specifies the default account-level immutability policy which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. The object-level immutability policy has higher precedence than the container-level immutability policy, which has a higher precedence than the account-level immutability policy.

  • allowProtectedAppendWrites - (Required) When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.

  • state - (Required) Defines the mode of the policy. disabled state disables the policy, unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted.

  • periodSinceCreationInDays - (Required) The immutability period for the blobs in the container since the policy creation, in days.

A logging block supports the following:

  • delete - (Required) Indicates whether all delete requests should be logged.

  • read - (Required) Indicates whether all read requests should be logged.

  • version - (Required) The version of storage analytics to configure.

  • write - (Required) Indicates whether all write requests should be logged.

  • retentionPolicyDays - (Optional) Specifies the number of days that logs will be retained.

A minuteMetrics block supports the following:

  • enabled - (Required) Indicates whether minute metrics are enabled for the Queue service.

  • version - (Required) The version of storage analytics to configure.

  • includeApis - (Optional) Indicates whether metrics should generate summary statistics for called API operations.

  • retentionPolicyDays - (Optional) Specifies the number of days that logs will be retained.

A networkRules block supports the following:

  • defaultAction - (Required) Specifies the default action of allow or deny when no other rules match. Valid options are deny or allow.

  • bypass - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of logging, metrics, azureServices, or none.

  • ipRules - (Optional) List of public IP or IP ranges in CIDR Format. Only IPv4 addresses are allowed. /31 CIDRs, /32 CIDRs, and Private IP address ranges (as defined in RFC 1918), are not allowed.

  • virtualNetworkSubnetIds - (Optional) A list of resource ids for subnets.

  • privateLinkAccess - (Optional) One or More privateLinkAccess block as defined below.

\~> Note: If specifying networkRules, one of either ipRules or virtualNetworkSubnetIds must be specified and defaultAction must be set to deny.

\~> NOTE: Network Rules can be defined either directly on the azurermStorageAccount resource, or using the azurermStorageAccountNetworkRules resource - but the two cannot be used together. If both are used against the same Storage Account, spurious changes will occur. When managing Network Rules using this resource, to change from a defaultAction of deny to allow requires defining, rather than removing, the block.

\~> Note: The prefix of ipRules must be between 0 and 30 and only supports public IP addresses.

\~> Note: More information on Validation is available here

A privateLinkAccess block supports the following:

  • endpointResourceId - (Required) The resource id of the resource access rule to be granted access.

  • endpointTenantId - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.

A azureFilesAuthentication block supports the following:

  • directoryType - (Required) Specifies the directory service used. Possible values are aadds, ad and aadkerb.

  • activeDirectory - (Optional) A activeDirectory block as defined below. Required when directoryType is ad.

\~> Note: If directoryType is set to aadkerb, activeDirectory is not supported. Use icals to configure directory and file level permissions.

A activeDirectory block supports the following:

  • storageSid - (Required) Specifies the security identifier (SID) for Azure Storage.

  • domainName - (Required) Specifies the primary domain that the AD DNS server is authoritative for.

  • domainSid - (Required) Specifies the security identifier (SID).

  • domainGuid - (Required) Specifies the domain GUID.

  • forestName - (Required) Specifies the Active Directory forest.

  • netbiosDomainName - (Required) Specifies the NetBIOS domain name.

A routing block supports the following:

  • publishInternetEndpoints - (Optional) Should internet routing storage endpoints be published? Defaults to false.

  • publishMicrosoftEndpoints - (Optional) Should Microsoft routing storage endpoints be published? Defaults to false.

  • choice - (Optional) Specifies the kind of network routing opted by the user. Possible values are internetRouting and microsoftRouting. Defaults to microsoftRouting.

A queueProperties block supports the following:

  • corsRule - (Optional) A corsRule block as defined above.

  • logging - (Optional) A logging block as defined below.

  • minuteMetrics - (Optional) A minuteMetrics block as defined below.

  • hourMetrics - (Optional) A hourMetrics block as defined below.

A sasPolicy block supports the following:

  • expirationPeriod - (Required) The SAS expiration period in format of ddHh:mm:ss.

  • expirationAction - (Optional) The SAS expiration action. The only possible value is log at this moment. Defaults to log.

A staticWebsite block supports the following:

  • indexDocument - (Optional) The webpage that Azure Storage serves for requests to the root of a website or any subfolder. For example, index.html. The value is case-sensitive.

  • error404Document - (Optional) The absolute path to a custom webpage that should be used when a request is made which does not correspond to an existing file.

A shareProperties block supports the following:

  • corsRule - (Optional) A corsRule block as defined below.

  • retentionPolicy - (Optional) A retentionPolicy block as defined below.

  • smb - (Optional) A smb block as defined below.

A retentionPolicy block supports the following:

  • days - (Optional) Specifies the number of days that the azurermStorageShare should be retained, between 1 and 365 days. Defaults to 7.

A smb block supports the following:

  • versions - (Optional) A set of SMB protocol versions. Possible values are smb21, smb30, and smb311.

  • authenticationTypes - (Optional) A set of SMB authentication methods. Possible values are ntlMv2, and kerberos.

  • kerberosTicketEncryptionType - (Optional) A set of Kerberos ticket encryption. Possible values are rc4Hmac, and aes256.

  • channelEncryptionType - (Optional) A set of SMB channel encryption. Possible values are aes128Ccm, aes128Gcm, and aes256Gcm.

  • multichannelEnabled - (Optional) Indicates whether multichannel is enabled. Defaults to false. This is only supported on Premium storage accounts.

Attributes Reference

The following attributes are exported in addition to the arguments listed above:

  • id - The ID of the Storage Account.

  • primaryLocation - The primary location of the storage account.

  • secondaryLocation - The secondary location of the storage account.

  • primaryBlobEndpoint - The endpoint URL for blob storage in the primary location.

  • primaryBlobHost - The hostname with port if applicable for blob storage in the primary location.

  • secondaryBlobEndpoint - The endpoint URL for blob storage in the secondary location.

  • secondaryBlobHost - The hostname with port if applicable for blob storage in the secondary location.

  • primaryQueueEndpoint - The endpoint URL for queue storage in the primary location.

  • primaryQueueHost - The hostname with port if applicable for queue storage in the primary location.

  • secondaryQueueEndpoint - The endpoint URL for queue storage in the secondary location.

  • secondaryQueueHost - The hostname with port if applicable for queue storage in the secondary location.

  • primaryTableEndpoint - The endpoint URL for table storage in the primary location.

  • primaryTableHost - The hostname with port if applicable for table storage in the primary location.

  • secondaryTableEndpoint - The endpoint URL for table storage in the secondary location.

  • secondaryTableHost - The hostname with port if applicable for table storage in the secondary location.

  • primaryFileEndpoint - The endpoint URL for file storage in the primary location.

  • primaryFileHost - The hostname with port if applicable for file storage in the primary location.

  • secondaryFileEndpoint - The endpoint URL for file storage in the secondary location.

  • secondaryFileHost - The hostname with port if applicable for file storage in the secondary location.

  • primaryDfsEndpoint - The endpoint URL for DFS storage in the primary location.

  • primaryDfsHost - The hostname with port if applicable for DFS storage in the primary location.

  • secondaryDfsEndpoint - The endpoint URL for DFS storage in the secondary location.

  • secondaryDfsHost - The hostname with port if applicable for DFS storage in the secondary location.

  • primaryWebEndpoint - The endpoint URL for web storage in the primary location.

  • primaryWebHost - The hostname with port if applicable for web storage in the primary location.

  • secondaryWebEndpoint - The endpoint URL for web storage in the secondary location.

  • secondaryWebHost - The hostname with port if applicable for web storage in the secondary location.

  • primaryAccessKey - The primary access key for the storage account.

  • secondaryAccessKey - The secondary access key for the storage account.

  • primaryConnectionString - The connection string associated with the primary location.

  • secondaryConnectionString - The connection string associated with the secondary location.

  • primaryBlobConnectionString - The connection string associated with the primary blob location.

  • secondaryBlobConnectionString - The connection string associated with the secondary blob location.

\~> NOTE: If there's a write-lock on the Storage Account, or the account doesn't have permission then these fields will have an empty value due to a bug in the Azure API

  • identity - An identity block as defined below.

An identity block exports the following:

  • principalId - The Principal ID for the Service Principal associated with the Identity of this Storage Account.

  • tenantId - The Tenant ID for the Service Principal associated with the Identity of this Storage Account.

-> You can access the Principal ID via ${azurermStorageAccountExampleIdentity0PrincipalId} and the Tenant ID via ${azurermStorageAccountExampleIdentity0TenantId}

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Storage Account.
  • update - (Defaults to 60 minutes) Used when updating the Storage Account.
  • read - (Defaults to 5 minutes) Used when retrieving the Storage Account.
  • delete - (Defaults to 60 minutes) Used when deleting the Storage Account.

Import

Storage Accounts can be imported using the resourceId, e.g.

terraform import azurerm_storage_account.storageAcc1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/myaccount