Common Azure Terraform module to create a Storage Account dedicated to file shares, with backup enabled (except for NFS shares, due to an Azure limitation).
The Storage Account is created with the Premium SKU by default for production-ready performance.
| Module version | Terraform version | OpenTofu version | AzureRM version |
|---|---|---|---|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | | >= 3.0 |
| >= 6.x.x | 1.x | | >= 3.0 |
| >= 5.x.x | 0.15.x | | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
| >= 3.x.x | 0.12.x | | >= 2.0 |
| >= 2.x.x | 0.12.x | | < 2.0 |
| < 2.x.x | 0.11.x | | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform code module best practices.
More details are available in the CONTRIBUTING.md file.

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs.
More details about the variables set by the terraform-wrapper are available in its documentation.
```hcl
module "storage_file" {
  source  = "claranet/storage-file/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  account_replication_type = "LRS"

  logs_destinations_ids = [
    # module.run.logs_storage_account_id,
    # module.run.log_analytics_workspace_id
  ]

  # backup_policy_id = module.run.file_share_backup_policy_id
  backup_policy_id = null

  # data.http.ip is expected to resolve the caller's public IP (not defined in this snippet)
  allowed_cidrs  = [format("%s/32", data.http.ip.response_body)]
  network_bypass = ["AzureServices"] # Mandatory for backup purpose

  file_shares = [
    {
      name        = "share-smb"
      quota_in_gb = 500
    },
    {
      name             = "share-nfs"
      quota_in_gb      = 700
      enabled_protocol = "NFS" # Note that NFS file shares are not backed up due to Azure limitation
    }
  ]

  file_share_authentication = {
    directory_type = "AADDS"
  }

  extra_tags = {
    foo = "bar"
  }
}

# Sample Cloud Init script that can be used in a VM or VMSS custom data
locals {
  # tflint-ignore: terraform_unused_declarations
  cloud_init_script = <<EOC
#!/bin/bash
apt install -o DPkg::Lock::Timeout=120 -y nfs-common cifs-utils
mkdir -p $(dirname ${module.storage_file.default_cifs_configuration_file_path})
# The CIFS credentials file holds the share credentials: keep it readable by root only (e.g. chmod 600)
echo "${module.storage_file.cifs_credentials_file_content}" > ${module.storage_file.default_cifs_configuration_file_path}
mkdir -p ${module.storage_file.file_shares_default_mount_paths["share-smb"]}
mkdir -p ${module.storage_file.file_shares_default_mount_paths["share-nfs"]}
echo "${module.storage_file.file_shares_default_fstab_entries["share-smb"]}" >> /etc/fstab
echo "${module.storage_file.file_shares_default_fstab_entries["share-nfs"]}" >> /etc/fstab
mount ${module.storage_file.file_shares_default_mount_paths["share-smb"]}
mount ${module.storage_file.file_shares_default_mount_paths["share-nfs"]}
EOC
}
```
| Name | Version |
|---|---|
| azurerm | ~> 4.9 |

| Name | Source | Version |
|---|---|---|
| storage_account | claranet/storage-account/azurerm | ~> 8.3.0 |

| Name | Type |
|---|---|
| azurerm_backup_container_storage_account.main | resource |
| azurerm_backup_protected_file_share.main | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_replication_type | Defines the type of replication to use for this Storage Account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. | string | "ZRS" | no |
| advanced_threat_protection_enabled | Boolean flag which controls if advanced threat protection is enabled, see documentation for more information. | bool | false | no |
| allowed_cidrs | List of CIDR to allow access to that Storage Account. | list(string) | [] | no |
| backup_policy_id | ID of the Recovery Services Vault policy for file share backups. | string | n/a | yes |
| client_name | Client name/account used in naming. | string | n/a | yes |
| custom_name | Custom Azure Storage Account name, generated if not set. | string | "" | no |
| default_firewall_action | Which default firewalling policy to apply. Valid values are Allow or Deny. | string | "Deny" | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| diagnostic_settings_custom_name | Custom name of the diagnostics settings, name will be default if not set. | string | "default" | no |
| environment | Project environment. | string | n/a | yes |
| extra_tags | Additional tags to associate with your Azure Storage Account. | map(string) | {} | no |
| file_share_authentication | Storage Account file shares authentication configuration. | object({ | null | no |
| file_share_cors_rules | Storage Account file shares CORS rule. Please refer to the documentation for more information. | object({ | null | no |
| file_share_properties_smb | Storage Account file shares SMB properties. Multichannel is enabled by default on Premium Storage Accounts. | object({ | null | no |
| file_share_retention_policy_in_days | Storage Account file shares retention policy in days. | number | 14 | no |
| file_shares | List of objects to create some File Shares in this Storage Account. | list(object({ | n/a | yes |
| https_traffic_only_enabled | Boolean flag which forces HTTPS if enabled. Disabled if any NFS file share is provisioned. | bool | true | no |
| identity_ids | Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. | list(string) | null | no |
| identity_type | Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both). | string | "SystemAssigned" | no |
| is_premium | True to enable Premium tier for this Storage Account. | bool | true | no |
| location | Azure location. | string | n/a | yes |
| location_short | Short string for Azure location. | string | n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) | null | no |
| logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the \| character. | list(string) | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
| min_tls_version | The minimum supported TLS version for the Storage Account. Possible values are TLS1_0, TLS1_1, and TLS1_2. | string | "TLS1_2" | no |
| name_prefix | Optional prefix for the generated name. | string | "" | no |
| name_suffix | Optional suffix for the generated name. | string | "" | no |
| network_bypass | Specifies whether traffic is bypassed for 'Logging', 'Metrics', 'AzureServices' or 'None'. | list(string) | [ | no |
| network_rules_enabled | Boolean to enable Network Rules on the Storage Account, requires network_bypass, allowed_cidrs, subnet_ids or default_firewall_action correctly set if enabled. | bool | true | no |
| private_link_access | List of Private Link objects to allow access from. | list(object({ | [] | no |
| resource_group_name | Resource group name. | string | n/a | yes |
| shared_access_key_enabled | Indicates whether the Storage Account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). | bool | false | no |
| stack | Project stack name. | string | n/a | yes |
| subnet_ids | Subnets to allow access to that Storage Account. | list(string) | [] | no |
| Name | Description |
|---|---|
| cifs_credentials_file_content | Content of the CIFS credentials file. |
| default_cifs_configuration_file_path | Default configuration file path for CIFS credentials file. |
| file_shares | Created file shares in the Storage Account. |
| file_shares_default_fstab_entries | Default fstab entries for the file shares. |
| file_shares_default_mount_commands | Default mount commands for the file shares. |
| file_shares_default_mount_paths | Default mount paths for the file shares. |
| file_shares_mount_endpoints | Mount endpoints of created file shares. |
| file_shares_mount_options | Mount options for the file shares. |
| id | Storage Account ID. |
| identity_principal_id | Storage Account system identity principal ID. |
| module_diagnostics | Diagnostics settings module outputs. |
| name | Storage Account name. |
| resource | Storage Account resource object. |