azurermStorageAccount
Manages an Azure Storage Account.
Example Usage
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.
Property names below use the camelCase form the generated TypeScript bindings expect.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    accountReplicationType: "GRS",
    accountTier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "storageaccountname",
    resourceGroupName: azurermResourceGroupExample.name,
    tags: {
      environment: "staging",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
```
Example Usage with Network Rules
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.
Property names below use the camelCase form the generated TypeScript bindings expect,
and networkRules is a single block rather than a list.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    addressSpace: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "virtnetname",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_2", {
  addressPrefixes: ["10.0.2.0/24"],
  name: "subnetname",
  resourceGroupName: azurermResourceGroupExample.name,
  serviceEndpoints: ["Microsoft.Sql", "Microsoft.Storage"],
  virtualNetworkName: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_3",
  {
    accountReplicationType: "LRS",
    accountTier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "storageaccountname",
    networkRules: {
      defaultAction: "Deny",
      ipRules: ["100.0.0.1"],
      virtualNetworkSubnetIds: [azurermSubnetExample.id],
    },
    resourceGroupName: azurermResourceGroupExample.name,
    tags: {
      environment: "staging",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
```
Argument Reference

The following arguments are supported:

- `name` - (Required) Specifies the name of the storage account. Only lowercase alphanumeric characters are allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group.
- `resourceGroupName` - (Required) The name of the resource group in which to create the storage account. Changing this forces a new resource to be created.
- `location` - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- `accountKind` - (Optional) Defines the Kind of account. Valid options are `blobStorage`, `blockBlobStorage`, `fileStorage`, `storage` and `storageV2`. Defaults to `storageV2`.

-> NOTE: Changing the `accountKind` value from `storage` to `storageV2` will not trigger a force new on the storage account; it will only upgrade the existing storage account from `storage` to `storageV2`, keeping the existing storage account in place.

- `accountTier` - (Required) Defines the Tier to use for this storage account. Valid options are `standard` and `premium`. For `blockBlobStorage` and `fileStorage` accounts only `premium` is valid. Changing this forces a new resource to be created.

-> NOTE: Blobs with a tier of `premium` are of account kind `storageV2`.

- `accountReplicationType` - (Required) Defines the type of replication to use for this storage account. Valid options are `lrs`, `grs`, `ragrs`, `zrs`, `gzrs` and `ragzrs`.
- `crossTenantReplicationEnabled` - (Optional) Should cross Tenant replication be enabled? Defaults to `true`.
- `accessTier` - (Optional) Defines the access tier for `blobStorage`, `fileStorage` and `storageV2` accounts. Valid options are `hot` and `cool`; defaults to `hot`.
- `edgeZone` - (Optional) Specifies the Edge Zone within the Azure Region where this Storage Account should exist. Changing this forces a new Storage Account to be created.
- `enableHttpsTrafficOnly` - (Optional) Boolean flag which forces HTTPS if enabled, see here for more information. Defaults to `true`.
- `minTlsVersion` - (Optional) The minimum supported TLS version for the storage account. Possible values are `tls10`, `tls11`, and `tls12`. Defaults to `tls12` for new storage accounts.

-> NOTE: At this time `minTlsVersion` is only supported in the Public Cloud, China Cloud, and US Government Cloud.

- `allowNestedItemsToBePublic` - (Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to `true`.

-> NOTE: At this time `allowNestedItemsToBePublic` is only supported in the Public Cloud, China Cloud, and US Government Cloud.

- `sharedAccessKeyEnabled` - (Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is `true`.

~> NOTE: Terraform uses Shared Key Authorisation to provision Storage Containers, Blobs and other items. When Shared Key Access is disabled, you will need to enable the `storageUseAzuread` flag in the Provider block to use Azure AD for authentication; however, not all Azure Storage services support Active Directory authentication.

- `publicNetworkAccessEnabled` - (Optional) Whether the public network access is enabled. Defaults to `true`.
- `defaultToOauthAuthentication` - (Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is `false`.
- `isHnsEnabled` - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 (see here for more information). Changing this forces a new resource to be created.

-> NOTE: This can only be `true` when `accountTier` is `standard`, or when `accountTier` is `premium` and `accountKind` is `blockBlobStorage`.

- `nfsv3Enabled` - (Optional) Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to `false`.

-> NOTE: This can only be `true` when `accountTier` is `standard` and `accountKind` is `storageV2`, or `accountTier` is `premium` and `accountKind` is `blockBlobStorage`. Additionally, `isHnsEnabled` must be `true`.

- `customDomain` - (Optional) A `customDomain` block as documented below.
- `customerManagedKey` - (Optional) A `customerManagedKey` block as documented below.
- `identity` - (Optional) An `identity` block as defined below.
- `blobProperties` - (Optional) A `blobProperties` block as defined below.
- `queueProperties` - (Optional) A `queueProperties` block as defined below.

~> NOTE: `queueProperties` cannot be set when the `accountKind` is set to `blobStorage`.

- `staticWebsite` - (Optional) A `staticWebsite` block as defined below.

~> NOTE: `staticWebsite` can only be set when the `accountKind` is set to `storageV2` or `blockBlobStorage`.

- `shareProperties` - (Optional) A `shareProperties` block as defined below.
- `networkRules` - (Optional) A `networkRules` block as documented below.
- `largeFileShareEnabled` - (Optional) Is Large File Share Enabled?
- `azureFilesAuthentication` - (Optional) An `azureFilesAuthentication` block as defined below.
- `routing` - (Optional) A `routing` block as defined below.
- `queueEncryptionKeyType` - (Optional) The encryption type of the queue service. Possible values are `service` and `account`. Changing this forces a new resource to be created. Default value is `service`.
- `tableEncryptionKeyType` - (Optional) The encryption type of the table service. Possible values are `service` and `account`. Changing this forces a new resource to be created. Default value is `service`.

~> NOTE: For `queueEncryptionKeyType` and `tableEncryptionKeyType`, the `account` key type is only allowed when the `accountKind` is set to `storageV2`.

- `infrastructureEncryptionEnabled` - (Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to `false`.

-> NOTE: This can only be `true` when `accountKind` is `storageV2`, or when `accountTier` is `premium` and `accountKind` is one of `blockBlobStorage` or `fileStorage`.

- `immutabilityPolicy` - (Optional) An `immutabilityPolicy` block as defined below. Changing this forces a new resource to be created.
- `sasPolicy` - (Optional) A `sasPolicy` block as defined below.
- `allowedCopyScope` - (Optional) Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are `aad` and `privateLink`.
- `sftpEnabled` - (Optional) Boolean, enable SFTP for the storage account. Defaults to `false`.

-> NOTE: SFTP support requires `isHnsEnabled` set to `true`. More information on SFTP support can be found here.

- `tags` - (Optional) A mapping of tags to assign to the resource.
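Several of the notes above are cross-argument constraints that only surface as an API error at apply time. The following lint, added here as an example and not part of the provider or this page's original code, checks a plain config object against those notes before synthesis and also flags the exposure-related arguments left at their permissive defaults; `StorageAccountArgs` is a constructed subset of the resource's inputs, and the string values use the provider's own enum spellings (`StorageV2`, `Premium`, `TLS1_2`) rather than the converter's camelCased forms shown in the reference.

```typescript
// Added example: a pre-synth lint for the cross-argument constraints listed above.
// StorageAccountArgs is a constructed subset of the resource's inputs.
type Kind = "BlobStorage" | "BlockBlobStorage" | "FileStorage" | "Storage" | "StorageV2";
type Tier = "Standard" | "Premium";
type KeyType = "Service" | "Account";

interface StorageAccountArgs {
  accountTier: Tier;
  accountKind?: Kind;                    // provider default: StorageV2
  isHnsEnabled?: boolean;
  nfsv3Enabled?: boolean;
  sftpEnabled?: boolean;
  infrastructureEncryptionEnabled?: boolean;
  queueEncryptionKeyType?: KeyType;
  tableEncryptionKeyType?: KeyType;
  queueProperties?: object;
  staticWebsite?: object;
  enableHttpsTrafficOnly?: boolean;      // provider default: true
  minTlsVersion?: "TLS1_0" | "TLS1_1" | "TLS1_2";
  allowNestedItemsToBePublic?: boolean;  // provider default: true
}

interface LintResult {
  errors: string[];   // combinations the notes above say the API rejects
  warnings: string[]; // accepted, but weaker than the hardened setting
}

function lintStorageAccount(a: StorageAccountArgs): LintResult {
  const kind: Kind = a.accountKind ?? "StorageV2";
  const premium = a.accountTier === "Premium";
  const errors: string[] = [];
  const warnings: string[] = [];

  if ((kind === "BlockBlobStorage" || kind === "FileStorage") && !premium) {
    errors.push(`${kind} accounts only support accountTier Premium`);
  }
  if (a.isHnsEnabled && premium && kind !== "BlockBlobStorage") {
    errors.push("isHnsEnabled requires Standard tier, or Premium with BlockBlobStorage");
  }
  if (a.nfsv3Enabled) {
    const comboOk = (!premium && kind === "StorageV2") || (premium && kind === "BlockBlobStorage");
    if (!comboOk) errors.push("nfsv3Enabled requires Standard/StorageV2 or Premium/BlockBlobStorage");
    if (!a.isHnsEnabled) errors.push("nfsv3Enabled requires isHnsEnabled = true");
  }
  if (a.sftpEnabled && !a.isHnsEnabled) errors.push("sftpEnabled requires isHnsEnabled = true");
  if (a.queueProperties && kind === "BlobStorage") {
    errors.push("queueProperties cannot be set when accountKind is BlobStorage");
  }
  if (a.staticWebsite && kind !== "StorageV2" && kind !== "BlockBlobStorage") {
    errors.push("staticWebsite requires accountKind StorageV2 or BlockBlobStorage");
  }
  if (a.queueEncryptionKeyType === "Account" && kind !== "StorageV2") {
    errors.push("queueEncryptionKeyType Account requires accountKind StorageV2");
  }
  if (a.tableEncryptionKeyType === "Account" && kind !== "StorageV2") {
    errors.push("tableEncryptionKeyType Account requires accountKind StorageV2");
  }
  if (a.infrastructureEncryptionEnabled) {
    const ok = kind === "StorageV2" || (premium && (kind === "BlockBlobStorage" || kind === "FileStorage"));
    if (!ok) errors.push("infrastructureEncryptionEnabled requires StorageV2, or Premium with BlockBlobStorage/FileStorage");
  }
  // Exposure checks: each of these is accepted by the API but loosens the account.
  if (a.enableHttpsTrafficOnly === false) warnings.push("enableHttpsTrafficOnly is false: plaintext HTTP is accepted");
  if (a.minTlsVersion !== undefined && a.minTlsVersion !== "TLS1_2") {
    warnings.push(`minTlsVersion ${a.minTlsVersion} is below the TLS1_2 default`);
  }
  if (a.allowNestedItemsToBePublic !== false) {
    warnings.push("allowNestedItemsToBePublic is true (default): containers may opt into anonymous access");
  }
  return { errors, warnings };
}
```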
A `blobProperties` block supports the following:

- `corsRule` - (Optional) A `corsRule` block as defined below.
- `deleteRetentionPolicy` - (Optional) A `deleteRetentionPolicy` block as defined below.
- `restorePolicy` - (Optional) A `restorePolicy` block as defined below. This must be used together with `deleteRetentionPolicy` set, and with `versioningEnabled` and `changeFeedEnabled` set to `true`.
- `versioningEnabled` - (Optional) Is versioning enabled? Defaults to `false`.
- `changeFeedEnabled` - (Optional) Is the blob service properties for change feed events enabled? Defaults to `false`.
- `changeFeedRetentionInDays` - (Optional) The duration of change feed events retention in days. The possible values are between 1 and 146000 days (400 years). Setting this to null (or omitting it from the configuration file) indicates an infinite retention of the change feed.
- `defaultServiceVersion` - (Optional) The API Version which should be used by default for requests to the Data Plane API if an incoming request doesn't specify an API Version.
- `lastAccessTimeEnabled` - (Optional) Is the last access time based tracking enabled? Defaults to `false`.
- `containerDeleteRetentionPolicy` - (Optional) A `containerDeleteRetentionPolicy` block as defined below.

A `corsRule` block supports the following:

- `allowedHeaders` - (Required) A list of headers that are allowed to be a part of the cross-origin request.
- `allowedMethods` - (Required) A list of HTTP methods that are allowed to be executed by the origin. Valid options are `delete`, `get`, `head`, `merge`, `post`, `options`, `put` or `patch`.
- `allowedOrigins` - (Required) A list of origin domains that will be allowed by CORS.
- `exposedHeaders` - (Required) A list of response headers that are exposed to CORS clients.
- `maxAgeInSeconds` - (Required) The number of seconds the client should cache a preflight response.
A `customDomain` block supports the following:

- `name` - (Required) The Custom Domain Name to use for the Storage Account, which will be validated by Azure.
- `useSubdomain` - (Optional) Should the Custom Domain Name be validated by using indirect CNAME validation?

A `customerManagedKey` block supports the following:

- `keyVaultKeyId` - (Required) The ID of the Key Vault Key; supplying a version-less key ID will enable auto-rotation of this key.
- `userAssignedIdentityId` - (Required) The ID of a user assigned identity.

~> NOTE: `customerManagedKey` can only be set when the `accountKind` is set to `storageV2` or `accountTier` is set to `premium`, and the identity type is `userAssigned`.

A `deleteRetentionPolicy` block supports the following:

- `days` - (Optional) Specifies the number of days that the blob should be retained, between `1` and `365` days. Defaults to `7`.

A `restorePolicy` block supports the following:

- `days` - (Required) Specifies the number of days that the blob can be restored, between `1` and `365` days. This must be less than the `days` specified for `deleteRetentionPolicy`.

A `containerDeleteRetentionPolicy` block supports the following:

- `days` - (Optional) Specifies the number of days that the container should be retained, between `1` and `365` days. Defaults to `7`.
An `hourMetrics` block supports the following:

- `enabled` - (Required) Indicates whether hour metrics are enabled for the Queue service.
- `version` - (Required) The version of storage analytics to configure.
- `includeApis` - (Optional) Indicates whether metrics should generate summary statistics for called API operations.
- `retentionPolicyDays` - (Optional) Specifies the number of days that logs will be retained.

An `identity` block supports the following:

- `type` - (Required) Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are `systemAssigned`, `userAssigned` and `systemAssigned,UserAssigned` (to enable both).
- `identityIds` - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account.

~> NOTE: This is required when `type` is set to `userAssigned` or `systemAssigned,UserAssigned`.

~> The assigned `principalId` and `tenantId` can be retrieved after the identity `type` has been set to `systemAssigned` and the Storage Account has been created. More details are available below.

An `immutabilityPolicy` block supports the following:

~> NOTE: This argument specifies the default account-level immutability policy, which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. The object-level immutability policy has higher precedence than the container-level immutability policy, which has a higher precedence than the account-level immutability policy.

- `allowProtectedAppendWrites` - (Required) When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added; existing blocks cannot be modified or deleted.
- `state` - (Required) Defines the mode of the policy. The `disabled` state disables the policy; the `unlocked` state allows the immutability retention time to be increased and decreased and also allows the `allowProtectedAppendWrites` property to be toggled; the `locked` state only allows the immutability retention time to be increased. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state, which cannot be reverted.
- `periodSinceCreationInDays` - (Required) The immutability period for the blobs in the container since the policy creation, in days.

A `logging` block supports the following:

- `delete` - (Required) Indicates whether all delete requests should be logged.
- `read` - (Required) Indicates whether all read requests should be logged.
- `version` - (Required) The version of storage analytics to configure.
- `write` - (Required) Indicates whether all write requests should be logged.
- `retentionPolicyDays` - (Optional) Specifies the number of days that logs will be retained.

A `minuteMetrics` block supports the following:

- `enabled` - (Required) Indicates whether minute metrics are enabled for the Queue service.
- `version` - (Required) The version of storage analytics to configure.
- `includeApis` - (Optional) Indicates whether metrics should generate summary statistics for called API operations.
- `retentionPolicyDays` - (Optional) Specifies the number of days that logs will be retained.
A `networkRules` block supports the following:

- `defaultAction` - (Required) Specifies the default action of allow or deny when no other rules match. Valid options are `deny` or `allow`.
- `bypass` - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of `logging`, `metrics`, `azureServices`, or `none`.
- `ipRules` - (Optional) List of public IP addresses or IP ranges in CIDR format. Only IPv4 addresses are allowed. /31 CIDRs, /32 CIDRs, and private IP address ranges (as defined in RFC 1918) are not allowed.
- `virtualNetworkSubnetIds` - (Optional) A list of resource ids for subnets.
- `privateLinkAccess` - (Optional) One or more `privateLinkAccess` blocks as defined below.

~> NOTE: If specifying `networkRules`, one of either `ipRules` or `virtualNetworkSubnetIds` must be specified and `defaultAction` must be set to `deny`.

~> NOTE: Network Rules can be defined either directly on the `azurermStorageAccount` resource, or using the `azurermStorageAccountNetworkRules` resource, but the two cannot be used together. If both are used against the same Storage Account, spurious changes will occur. When managing Network Rules using this resource, changing from a `defaultAction` of `deny` to `allow` requires defining, rather than removing, the block.

~> NOTE: The prefix of `ipRules` must be between 0 and 30, and only public IP addresses are supported.

~> NOTE: More information on Validation is available here.
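The rules in the notes above (a `deny` default action, at least one of `ipRules` or `virtualNetworkSubnetIds`, and `ipRules` entries that are public IPv4 addresses with a prefix of at most /30) can be checked before synthesis. The validator below is an added example and not the provider's own code; the `NetworkRules` interface and the set of accepted `bypass` values are constructed for the example, and the RFC 1918 check rejects a rule that overlaps a private range in either direction.

```typescript
// Added example: validates a networkRules block against the notes above. NetworkRules is a constructed subset.
interface NetworkRules {
  defaultAction: "Allow" | "Deny";
  bypass?: string[];
  ipRules?: string[];
  virtualNetworkSubnetIds?: string[];
}
// Parses a dotted-quad IPv4 address into an unsigned 32-bit number, or null if malformed.
function parseIpv4(text: string): number | null {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// True when addresses a and b share the same network under the first `prefix` bits.
function sameNetwork(a: number, b: number, prefix: number): boolean {
  if (prefix === 0) return true;
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// RFC 1918 private ranges as [network address, prefix length].
const RFC1918: Array<[number, number]> = [
  [parseIpv4("10.0.0.0")!, 8],
  [parseIpv4("172.16.0.0")!, 12],
  [parseIpv4("192.168.0.0")!, 16],
];

// Returns null when `rule` is acceptable, otherwise the reason it is rejected.
function checkIpRule(rule: string): string | null {
  const parts = rule.split("/");
  if (parts.length > 2) return `${rule}: malformed CIDR`;
  const addr = parseIpv4(parts[0]);
  if (addr === null) return `${rule}: not an IPv4 address`;
  let prefix = 32; // a bare address denotes a single host and is accepted
  if (parts.length === 2) {
    if (!/^\d{1,2}$/.test(parts[1])) return `${rule}: malformed prefix length`;
    prefix = Number(parts[1]);
    if (prefix > 30) return `${rule}: prefix must be between 0 and 30 (/31 and /32 are not allowed)`;
  }
  // Reject a rule overlapping a private range in either direction; the shorter prefix decides containment.
  for (const [net, netPrefix] of RFC1918) {
    if (sameNetwork(addr, net, Math.min(prefix, netPrefix))) {
      return `${rule}: private (RFC 1918) ranges are not allowed`;
    }
  }
  return null;
}
const BYPASS_VALUES = new Set(["Logging", "Metrics", "AzureServices", "None"]);
function validateNetworkRules(rules: NetworkRules): string[] {
  const errors: string[] = [];
  if (rules.defaultAction !== "Deny") {
    errors.push("defaultAction must be Deny when a networkRules block is specified");
  }
  const hasIp = (rules.ipRules ?? []).length > 0;
  const hasSubnet = (rules.virtualNetworkSubnetIds ?? []).length > 0;
  if (!hasIp && !hasSubnet) errors.push("one of ipRules or virtualNetworkSubnetIds must be specified");
  for (const v of rules.bypass ?? []) if (!BYPASS_VALUES.has(v)) errors.push(`bypass: unsupported value ${v}`);
  for (const rule of rules.ipRules ?? []) {
    const problem = checkIpRule(rule);
    if (problem !== null) errors.push(problem);
  }
  return errors;
}
```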
A `privateLinkAccess` block supports the following:

- `endpointResourceId` - (Required) The resource id of the resource access rule to be granted access.
- `endpointTenantId` - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.

An `azureFilesAuthentication` block supports the following:

- `directoryType` - (Required) Specifies the directory service used. Possible values are `aadds`, `ad` and `aadkerb`.
- `activeDirectory` - (Optional) An `activeDirectory` block as defined below. Required when `directoryType` is `ad`.

~> NOTE: If `directoryType` is set to `aadkerb`, `activeDirectory` is not supported. Use icacls to configure directory and file level permissions.

An `activeDirectory` block supports the following:

- `storageSid` - (Required) Specifies the security identifier (SID) for Azure Storage.
- `domainName` - (Required) Specifies the primary domain that the AD DNS server is authoritative for.
- `domainSid` - (Required) Specifies the security identifier (SID).
- `domainGuid` - (Required) Specifies the domain GUID.
- `forestName` - (Required) Specifies the Active Directory forest.
- `netbiosDomainName` - (Required) Specifies the NetBIOS domain name.
A `routing` block supports the following:

- `publishInternetEndpoints` - (Optional) Should internet routing storage endpoints be published? Defaults to `false`.
- `publishMicrosoftEndpoints` - (Optional) Should Microsoft routing storage endpoints be published? Defaults to `false`.
- `choice` - (Optional) Specifies the kind of network routing opted by the user. Possible values are `internetRouting` and `microsoftRouting`. Defaults to `microsoftRouting`.

A `queueProperties` block supports the following:

- `corsRule` - (Optional) A `corsRule` block as defined above.
- `logging` - (Optional) A `logging` block as defined above.
- `minuteMetrics` - (Optional) A `minuteMetrics` block as defined above.
- `hourMetrics` - (Optional) An `hourMetrics` block as defined above.

A `sasPolicy` block supports the following:

- `expirationPeriod` - (Required) The SAS expiration period in the format `ddHh:mm:ss`.
- `expirationAction` - (Optional) The SAS expiration action. The only possible value is `log` at this moment. Defaults to `log`.

A `staticWebsite` block supports the following:

- `indexDocument` - (Optional) The webpage that Azure Storage serves for requests to the root of a website or any subfolder. For example, index.html. The value is case-sensitive.
- `error404Document` - (Optional) The absolute path to a custom webpage that should be used when a request is made which does not correspond to an existing file.

A `shareProperties` block supports the following:

- `corsRule` - (Optional) A `corsRule` block as defined above.
- `retentionPolicy` - (Optional) A `retentionPolicy` block as defined below.
- `smb` - (Optional) An `smb` block as defined below.

A `retentionPolicy` block supports the following:

- `days` - (Optional) Specifies the number of days that the `azurermStorageShare` should be retained, between `1` and `365` days. Defaults to `7`.

An `smb` block supports the following:

- `versions` - (Optional) A set of SMB protocol versions. Possible values are `smb21`, `smb30`, and `smb311`.
- `authenticationTypes` - (Optional) A set of SMB authentication methods. Possible values are `ntlMv2` and `kerberos`.
- `kerberosTicketEncryptionType` - (Optional) A set of Kerberos ticket encryption types. Possible values are `rc4Hmac` and `aes256`.
- `channelEncryptionType` - (Optional) A set of SMB channel encryption types. Possible values are `aes128Ccm`, `aes128Gcm`, and `aes256Gcm`.
- `multichannelEnabled` - (Optional) Indicates whether multichannel is enabled. Defaults to `false`. This is only supported on Premium storage accounts.
Attributes Reference

The following attributes are exported in addition to the arguments listed above:

- `id` - The ID of the Storage Account.
- `primaryLocation` - The primary location of the storage account.
- `secondaryLocation` - The secondary location of the storage account.
- `primaryBlobEndpoint` - The endpoint URL for blob storage in the primary location.
- `primaryBlobHost` - The hostname with port if applicable for blob storage in the primary location.
- `secondaryBlobEndpoint` - The endpoint URL for blob storage in the secondary location.
- `secondaryBlobHost` - The hostname with port if applicable for blob storage in the secondary location.
- `primaryQueueEndpoint` - The endpoint URL for queue storage in the primary location.
- `primaryQueueHost` - The hostname with port if applicable for queue storage in the primary location.
- `secondaryQueueEndpoint` - The endpoint URL for queue storage in the secondary location.
- `secondaryQueueHost` - The hostname with port if applicable for queue storage in the secondary location.
- `primaryTableEndpoint` - The endpoint URL for table storage in the primary location.
- `primaryTableHost` - The hostname with port if applicable for table storage in the primary location.
- `secondaryTableEndpoint` - The endpoint URL for table storage in the secondary location.
- `secondaryTableHost` - The hostname with port if applicable for table storage in the secondary location.
- `primaryFileEndpoint` - The endpoint URL for file storage in the primary location.
- `primaryFileHost` - The hostname with port if applicable for file storage in the primary location.
- `secondaryFileEndpoint` - The endpoint URL for file storage in the secondary location.
- `secondaryFileHost` - The hostname with port if applicable for file storage in the secondary location.
- `primaryDfsEndpoint` - The endpoint URL for DFS storage in the primary location.
- `primaryDfsHost` - The hostname with port if applicable for DFS storage in the primary location.
- `secondaryDfsEndpoint` - The endpoint URL for DFS storage in the secondary location.
- `secondaryDfsHost` - The hostname with port if applicable for DFS storage in the secondary location.
- `primaryWebEndpoint` - The endpoint URL for web storage in the primary location.
- `primaryWebHost` - The hostname with port if applicable for web storage in the primary location.
- `secondaryWebEndpoint` - The endpoint URL for web storage in the secondary location.
- `secondaryWebHost` - The hostname with port if applicable for web storage in the secondary location.
- `primaryAccessKey` - The primary access key for the storage account.
- `secondaryAccessKey` - The secondary access key for the storage account.
- `primaryConnectionString` - The connection string associated with the primary location.
- `secondaryConnectionString` - The connection string associated with the secondary location.
- `primaryBlobConnectionString` - The connection string associated with the primary blob location.
- `secondaryBlobConnectionString` - The connection string associated with the secondary blob location.

~> NOTE: If there's a write-lock on the Storage Account, or the account doesn't have permission, then these fields will have an empty value due to a bug in the Azure API.

- `identity` - An `identity` block as defined below.

An `identity` block exports the following:

- `principalId` - The Principal ID for the Service Principal associated with the Identity of this Storage Account.
- `tenantId` - The Tenant ID for the Service Principal associated with the Identity of this Storage Account.

-> You can access the Principal ID via `${azurermStorageAccountExampleIdentity0PrincipalId}` and the Tenant ID via `${azurermStorageAccountExampleIdentity0TenantId}`.

Timeouts

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 60 minutes) Used when creating the Storage Account.
- `update` - (Defaults to 60 minutes) Used when updating the Storage Account.
- `read` - (Defaults to 5 minutes) Used when retrieving the Storage Account.
- `delete` - (Defaults to 60 minutes) Used when deleting the Storage Account.

Import

Storage Accounts can be imported using the `resourceId`, e.g.