variable "access_tier" {
  description = "(Optional) Defines the access tier for `BlobStorage`, `FileStorage` and `StorageV2` accounts. Valid options are `Hot` and `Cool`, defaults to `Hot`."
  type        = string
  default     = "Hot"

  # Only the two tiers the description advertises are accepted, so a typo
  # fails at plan time rather than at the Azure API.
  validation {
    condition     = var.access_tier == "Hot" || var.access_tier == "Cool"
    error_message = "Invalid value for access tier. Valid options are 'Hot' or 'Cool'."
  }
}
variable "account_kind" {
  description = "(Optional) Defines the Kind of account. Valid options are `BlobStorage`, `BlockBlobStorage`, `FileStorage`, `Storage` and `StorageV2`. Defaults to `StorageV2`."
  type        = string
  default     = "StorageV2"

  # Accept only the account kinds listed in the description.
  validation {
    condition     = anytrue([for kind in ["BlobStorage", "BlockBlobStorage", "FileStorage", "Storage", "StorageV2"] : kind == var.account_kind])
    error_message = "Invalid value for account kind. Valid options are `BlobStorage`, `BlockBlobStorage`, `FileStorage`, `Storage` and `StorageV2`. Defaults to `StorageV2`."
  }
}
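variable "account_replication_type" {
  # Replication strategy for the account. The description previously said
  # "(Required)" and "Defaults to `ZRS`" although the variable has a default
  # of `LRS`; the text below now matches the code. `LRS` keeps copies within a
  # single datacenter only, so choose a ZRS/GRS variant where the data must
  # survive a zone or region outage.
  description = "(Optional) Defines the type of replication to use for this storage account. Valid options are `LRS`, `GRS`, `RAGRS`, `ZRS`, `GZRS` and `RAGZRS`. Defaults to `LRS`."
  type        = string
  default     = "LRS"
  nullable    = false

  validation {
    condition     = contains(["LRS", "GRS", "RAGRS", "ZRS", "GZRS", "RAGZRS"], var.account_replication_type)
    error_message = "Invalid value for replication type. Valid options are `LRS`, `GRS`, `RAGRS`, `ZRS`, `GZRS` and `RAGZRS`."
  }
}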
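variable "account_tier" {
  # Performance tier. The variable carries a default, so it is optional from
  # the caller's point of view; the old "(Required)" label was misleading.
  description = "(Optional) Defines the Tier to use for this storage account. Valid options are `Standard` and `Premium`. For `BlockBlobStorage` and `FileStorage` accounts only `Premium` is valid. Changing this forces a new resource to be created. Defaults to `Standard`."
  type        = string
  default     = "Standard"
  nullable    = false

  validation {
    condition     = contains(["Standard", "Premium"], var.account_tier)
    error_message = "Invalid value for account tier. Valid options are `Standard` and `Premium`. For `BlockBlobStorage` and `FileStorage` accounts only `Premium` is valid. Changing this forces a new resource to be created."
  }
}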
variable "https_traffic_only_enabled" {
  # Secure-transfer flag: when true the data plane rejects plaintext HTTP.
  # Leave enabled unless a protocol that cannot use TLS is required.
  description = "(Optional) Boolean flag which forces HTTPS if enabled, see [here](https://docs.microsoft.com/azure/storage/storage-require-secure-transfer/) for more information. Defaults to `true`."
  type        = bool
  default     = true
}
variable "infrastructure_encryption_enabled" {
  # Adds a second, infrastructure-level encryption layer on top of the
  # service-level encryption. Immutable after creation (forces replacement).
  description = "(Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to `false`."
  type        = bool
  default     = false
}
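variable "allow_nested_items_to_be_public" {
  # Account-level switch that decides whether containers/blobs may opt into
  # anonymous public access. The description has always stated `false`, but
  # the code defaulted to `true`; the default now matches the documented,
  # least-privilege value. Callers that need public containers must opt in
  # explicitly.
  description = "(Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to `false`."
  type        = bool
  default     = false
}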
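variable "cross_tenant_replication_enabled" {
  # Object replication to/from accounts in other Entra ID tenants. The
  # description says the default is `false`, yet the code defaulted to
  # `true`; the default now matches the documentation. Cross-tenant
  # replication is an explicit data-egress decision, so keep it opt-in.
  description = "(Optional) Should cross Tenant replication be enabled? Defaults to `false`."
  type        = bool
  default     = false
}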
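variable "shared_access_key_enabled" {
  # The description claimed a default of `false` while the code defaults to
  # `true`. The default is kept at `true` because turning Shared Key off also
  # breaks SAS tokens and any client that has not moved to Entra ID, including
  # the azurerm provider's own data-plane calls unless its provider block sets
  # `storage_use_azuread = true`. Set this to `false` once every client
  # authenticates through Entra ID / RBAC; the documentation now states the
  # real default.
  description = "(Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is `true`; set to `false` once all clients use Azure AD authorization."
  type        = bool
  default     = true
}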
variable "default_to_oauth_authentication" {
  # Portal-only preference: pre-selects Entra ID authorization instead of
  # the account key when the account is opened in the Azure portal.
  description = "(Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is `false`"
  type        = bool
  default     = false
}
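variable "min_tls_version" {
  # Minimum TLS version negotiated by the account's endpoints. `TLS1_0` and
  # `TLS1_1` are deprecated protocol versions and should only be selected for
  # a legacy client that cannot be upgraded.
  description = "(Optional) The minimum supported TLS version for the storage account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_2` for new storage accounts."
  type        = string
  default     = "TLS1_2"

  # Other enum-style variables in this file validate their input; this one
  # did not, so a typo such as "TLS1.2" was only rejected by the API.
  validation {
    condition     = contains(["TLS1_0", "TLS1_1", "TLS1_2"], var.min_tls_version)
    error_message = "Invalid value for min_tls_version. Valid options are `TLS1_0`, `TLS1_1` and `TLS1_2`."
  }
}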
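variable "network_rules" {
  # Network ACL for the account's public endpoint. The description promised
  # that "the default value ... will block all public access", but the code
  # defaulted to `null`, which the same text defines as "disable all network
  # rules". The default is now `{}`, so the object's optional defaults apply
  # (`default_action = "Deny"`, `bypass = ["AzureServices"]`) and the
  # documented deny-by-default behaviour is what callers actually get.
  # Pass `null` explicitly to create no network rules at all.
  type = object({
    bypass                     = optional(set(string), ["AzureServices"])
    default_action             = optional(string, "Deny")
    ip_rules                   = optional(set(string), [])
    virtual_network_subnet_ids = optional(set(string), [])
    private_link_access = optional(list(object({
      endpoint_resource_id = string
      endpoint_tenant_id   = optional(string)
    })))
    timeouts = optional(object({
      create = optional(string)
      delete = optional(string)
      read   = optional(string)
      update = optional(string)
    }))
  })
  default = {}

  # `storage_account_id` was listed in the old description although it is not
  # an attribute of this variable (it is supplied by the module); the bullet
  # has been dropped and `default_action` is documented as optional.
  description = <<-EOT
  > Note the default value (`{}`) applies `default_action = "Deny"` with `bypass = ["AzureServices"]`, which blocks all public access to the storage account except trusted Azure services. If you want to disable all network rules, set this value to `null`.
  - `bypass` - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of `Logging`, `Metrics`, `AzureServices`, or `None`. Defaults to `["AzureServices"]`.
  - `default_action` - (Optional) Specifies the default action of allow or deny when no other rules match. Valid options are `Deny` or `Allow`. Defaults to `Deny`.
  - `ip_rules` - (Optional) List of public IP or IP ranges in CIDR Format. Only IPv4 addresses are allowed. Private IP address ranges (as defined in [RFC 1918](https://tools.ietf.org/html/rfc1918#section-3)) are not allowed.
  - `virtual_network_subnet_ids` - (Optional) A list of virtual network subnet ids to secure the storage account.
  ---
  `private_link_access` block supports the following:
  - `endpoint_resource_id` - (Required) The resource id of the resource access rule to be granted access.
  - `endpoint_tenant_id` - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.
  ---
  `timeouts` block supports the following:
  - `create` - (Defaults to 60 minutes) Used when creating the Network Rules for this Storage Account.
  - `delete` - (Defaults to 60 minutes) Used when deleting the Network Rules for this Storage Account.
  - `read` - (Defaults to 5 minutes) Used when retrieving the Network Rules for this Storage Account.
  - `update` - (Defaults to 60 minutes) Used when updating the Network Rules for this Storage Account.
  EOT

  # Reject anything other than the two actions the API accepts; a `null`
  # value (rules disabled) is allowed through.
  validation {
    condition     = var.network_rules == null ? true : contains(["Allow", "Deny"], var.network_rules.default_action)
    error_message = "network_rules.default_action must be `Allow` or `Deny`."
  }
}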
variable "nfsv3_enabled" {
  # NFS 3.0 protocol support. Immutable after creation (forces replacement).
  # NOTE(review): NFSv3 is a plaintext protocol; check the Azure prerequisites
  # (e.g. interaction with `https_traffic_only_enabled`) before turning it on.
  description = "(Optional) Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to `false`."
  type        = bool
  default     = false
}
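variable "public_network_access_enabled" {
  # The description said "Defaults to `false`" while the code defaults to
  # `true`. The default is kept at `true`, because `false` removes the public
  # endpoint entirely and makes `network_rules` (ip_rules / subnet ids)
  # meaningless; reachability is instead restricted by the network ACL.
  # Set this to `false` when the account is consumed only through private
  # endpoints. The documentation now states the real default.
  description = "(Optional) Whether the public network access is enabled? Defaults to `true`; set to `false` when only private endpoints should reach the account."
  type        = bool
  default     = true
}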
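variable "storageaccount_name" {
  # Storage account names are globally unique across Azure, so the
  # placeholder default will almost certainly collide on a real deployment;
  # callers should always supply a name. The old inline comment referred to
  # `flow_log_enabled`, which is not a variable of this file.
  description = "The name of the storage account. Must be globally unique in Azure, 3-24 characters, lowercase letters and numbers only. The default is a placeholder that satisfies the validation and should be overridden."
  type        = string
  default     = "defaultstorageacct" # placeholder that passes validation; override it

  # Mirrors the Azure naming rule for storage accounts.
  validation {
    condition     = can(regex("^[a-z0-9]{3,24}$", var.storageaccount_name))
    error_message = "The name must be between 3 and 24 characters, valid characters are lowercase letters and numbers."
  }
}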