
azurermStorageAccountNetworkRules

Manages network rules inside of a Azure Storage Account.

~> NOTE: Network Rules can be defined either directly on the azurermStorageAccount resource or using the azurermStorageAccountNetworkRules resource, but the two cannot be used together. Spurious changes will occur if both are used against the same Storage Account.

~> NOTE: Only one azurermStorageAccountNetworkRules can be tied to an azurermStorageAccount. Spurious changes will occur if more than one azurermStorageAccountNetworkRules is tied to the same azurermStorageAccount.

~> NOTE: Deleting this resource updates the storage account back to the default values it had when the storage account was created.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    accountReplicationType: "GRS",
    accountTier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "storageaccountname",
    resourceGroupName: azurermResourceGroupExample.name,
    tags: {
      environment: "staging",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_2",
  {
    addressSpace: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "example-vnet",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
/*The Microsoft.Storage service endpoint is what lets this subnet be referenced from virtualNetworkSubnetIds below.*/
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_3", {
  addressPrefixes: ["10.0.2.0/24"],
  name: "example-subnet",
  resourceGroupName: azurermResourceGroupExample.name,
  serviceEndpoints: ["Microsoft.Storage"],
  virtualNetworkName: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermStorageAccountNetworkRulesExample =
  new azurerm.storageAccountNetworkRules.StorageAccountNetworkRules(
    this,
    "example_4",
    {
      bypass: ["Metrics"],
      defaultAction: "Allow",
      ipRules: ["127.0.0.1"],
      storageAccountId: azurermStorageAccountExample.id,
      virtualNetworkSubnetIds: [azurermSubnetExample.id],
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountNetworkRulesExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • storageAccountId - (Required) Specifies the ID of the storage account. Changing this forces a new resource to be created.

  • defaultAction - (Required) Specifies the default action, Allow or Deny, applied to requests that match no rule. Valid options are Allow or Deny. Only Deny makes the IP and subnet rules restrictive; with Allow, a request that matches none of them is still admitted.

  • bypass - (Optional) Specifies which traffic bypasses the network rules: Logging, Metrics and/or AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None.

-> NOTE Omitting the argument does not clear existing bypass entries; set bypass to an empty list ([]) explicitly to remove them.

  • ipRules - (Optional) List of public IP addresses or IP ranges in CIDR format. Only IPv4 addresses are allowed. Private IP address ranges (as defined in RFC 1918) are not allowed.

-> NOTE Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should be configured using individual IP address rules without prefix specified.

-> NOTE IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests. Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range.

-> NOTE Omitting the argument does not clear existing IP rules; set ipRules to an empty list ([]) explicitly to remove them.

  • virtualNetworkSubnetIds - (Optional) A list of virtual network subnet IDs whose traffic is allowed to reach the storage account. Each subnet must have the Microsoft.Storage service endpoint enabled, as in the example above.

-> NOTE Omitting the argument does not clear existing subnet rules; set virtualNetworkSubnetIds to an empty list ([]) explicitly to remove them.

  • privateLinkAccess - (Optional) One or more privateLinkAccess blocks as defined below.

A privateLinkAccess block supports the following:

  • endpointResourceId - (Required) The resource ID of the resource that the resource access rule grants access to.

  • endpointTenantId - (Optional) The tenant ID of the resource that the resource access rule grants access to. Defaults to the current tenant ID.
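
The constraints above (IPv4 only, no RFC 1918 ranges, no /31 or /32 prefixes, Allow versus Deny, lists that are only cleared by an explicit []) are easy to get wrong before terraform plan ever rejects them. The following is an added example, not code from this page or from the azurerm provider: a small TypeScript pre-apply linter that encodes those rules and checks the page's Allow-by-default example beside a hardened Deny-by-default variant. The function names, the Finding shape, the sample addresses and the subnet ID placeholder are this example's own assumptions.

```typescript
// Added example, not code from this page or from the azurerm provider: a
// pre-apply linter for azurermStorageAccountNetworkRules arguments that
// encodes the constraints in the Argument Reference. Function names, the
// Finding shape and the sample configurations are this example's assumptions.

type DefaultAction = "Allow" | "Deny";
type BypassOption = "Logging" | "Metrics" | "AzureServices" | "None";

interface NetworkRulesArgs {
  defaultAction: DefaultAction;
  bypass?: string[];
  ipRules?: string[];
  virtualNetworkSubnetIds?: string[];
}

interface Finding {
  level: "error" | "warning";
  field: string;
  message: string;
}

const VALID_BYPASS: BypassOption[] = ["Logging", "Metrics", "AzureServices", "None"];

// Parse a dotted-quad IPv4 literal into a 32-bit number, or null when it is
// not IPv4 (IPv6 literals and host names are therefore rejected).
function parseIpv4(literal: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(literal);
  if (m === null) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// True when addr lies inside base/prefix. Division rather than bit shifts
// keeps 32-bit values unsigned.
function inBlock(addr: number, base: number, prefix: number): boolean {
  const hostBits = Math.pow(2, 32 - prefix);
  return Math.floor(addr / hostBits) === Math.floor(base / hostBits);
}

// RFC 1918 private ranges, which the provider does not accept in ipRules.
const RFC1918: Array<[string, number]> = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

function isRfc1918(addr: number): boolean {
  return RFC1918.some(([base, prefix]) => inBlock(addr, parseIpv4(base) as number, prefix));
}

// Returns a problem description for one ipRules entry, or null if it is acceptable.
function checkIpRule(rule: string): string | null {
  const parts = rule.split("/");
  if (parts.length > 2) return "malformed CIDR";
  const addr = parseIpv4(parts[0]);
  if (addr === null) return "only IPv4 addresses are allowed";
  if (parts.length === 2) {
    if (!/^\d{1,2}$/.test(parts[1]) || Number(parts[1]) > 32) return "prefix length must be 0..32";
    if (Number(parts[1]) >= 31) return "/31 and /32 are not supported; list the address without a prefix";
  }
  if (isRfc1918(addr)) return "RFC 1918 private ranges are not allowed";
  return null;
}

function lintNetworkRules(args: NetworkRulesArgs): Finding[] {
  const findings: Finding[] = [];
  if (args.defaultAction === "Allow") {
    findings.push({ level: "warning", field: "defaultAction",
      message: "Allow admits every request that matches no rule; ipRules and subnet rules then restrict nothing" });
  }
  for (const b of args.bypass ?? []) {
    if (VALID_BYPASS.indexOf(b as BypassOption) < 0) {
      findings.push({ level: "error", field: "bypass", message: `unknown bypass option ${b}` });
    }
  }
  for (const rule of args.ipRules ?? []) {
    const problem = checkIpRule(rule);
    if (problem !== null) findings.push({ level: "error", field: "ipRules", message: `${rule}: ${problem}` });
  }
  // IP rules do not match same-region Azure traffic (see the ipRules NOTE), so a
  // Deny policy with IP rules only cannot admit same-region callers.
  if (args.defaultAction === "Deny" && (args.ipRules ?? []).length > 0 && (args.virtualNetworkSubnetIds ?? []).length === 0) {
    findings.push({ level: "warning", field: "virtualNetworkSubnetIds",
      message: "IP rules have no effect on same-region requests; add virtual network rules for callers in the account's region" });
  }
  return findings;
}

// The provider only clears a list that is explicitly set to [], so emit every
// list rather than leaving any of them undefined.
function withExplicitLists(args: NetworkRulesArgs): Required<NetworkRulesArgs> {
  return {
    defaultAction: args.defaultAction,
    bypass: args.bypass ?? [],
    ipRules: args.ipRules ?? [],
    virtualNetworkSubnetIds: args.virtualNetworkSubnetIds ?? [],
  };
}

// The page's example as written (constructed here for the linter; the subnet ID is a placeholder).
const pageExample: NetworkRulesArgs = { defaultAction: "Allow", bypass: ["Metrics"], ipRules: ["127.0.0.1"], virtualNetworkSubnetIds: ["<subnet id>"] };

// Hardened variant: deny by default, admit one public range (documentation
// prefix, an assumption) plus the service-endpoint subnet, and let trusted
// Azure services through.
const hardenedExample: NetworkRulesArgs = { defaultAction: "Deny", bypass: ["AzureServices"], ipRules: ["203.0.113.0/24"], virtualNetworkSubnetIds: ["<subnet id>"] };
```

Running lintNetworkRules(pageExample) yields a single warning on defaultAction, while lintNetworkRules(hardenedExample) is clean; feed withExplicitLists(...) to the resource so that dropping an entry from your configuration also removes it from the account.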

Attributes Reference

The following attributes are exported in addition to the arguments listed above:

  • id - The ID of the Storage Account.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Network Rules for this Storage Account.
  • update - (Defaults to 60 minutes) Used when updating the Network Rules for this Storage Account.
  • read - (Defaults to 5 minutes) Used when retrieving the Network Rules for this Storage Account.
  • delete - (Defaults to 60 minutes) Used when deleting the Network Rules for this Storage Account.

Import

Storage Account Network Rules can be imported using the resource ID of the storage account, e.g.

terraform import azurerm_storage_account_network_rules.storageAcc1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/myaccount