Upstream/fix storage account access tier (#1999)
* fix(examples): fix permissions and key_opts

* fix(storage_account): access_tier only for specific kinds

---------

Co-authored-by: Simon Schneider <[email protected]>
sschne and Simon Schneider authored Jul 1, 2024
1 parent 7b0a203 commit f26b3ff
Showing 3 changed files with 36 additions and 8 deletions.
Expand Up @@ -45,6 +45,34 @@ storage_accounts = {
}
}

enable_system_msi = true
customer_managed_key = {
keyvault_key = "stg_byok"

# Reference to the var.keyvault_keys
keyvault_key_key = "byok"
}
}
sa2 = {
name = "sa2dev"
resource_group_key = "test"
# Account types are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2
account_kind = "BlockBlobStorage"
# Account Tier options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid.
account_tier = "Premium"
# Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS
account_replication_type = "ZRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
tags = {
environment = "dev"
team = "IT"
##
}
containers = {
dev = {
name = "random"
}
}

enable_system_msi = true
customer_managed_key = {
keyvault_key = "stg_byok"
Expand Down Expand Up @@ -79,4 +107,4 @@ diagnostic_storage_accounts = {
keyvault_key_key = "diabyok"
}
}
}
}
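Review bot: The replication comment above the new `sa2` example lists all six redundancy options, but as far as the Azure docs go a Premium `BlockBlobStorage` account accepts only LRS or ZRS (GRS/RAGRS/GZRS/RAGZRS are rejected at apply time), so the example should say so next to the `ZRS` choice, e.g. `# Premium BlockBlobStorage accounts accept only LRS or ZRS (ZRS is region-limited)`. The stray `##` line inside `tags` also looks like a leftover and should be dropped. The `sa2` block's `customer_managed_key` continues outside the hunk.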
Expand Up @@ -13,16 +13,16 @@ keyvault_access_policies = {
stg_byok = {
stg = {
storage_account_key = "sa1"
key_permissions = ["get", "create", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "Encrypt", "Decrypt", "Sign", "Verify"]
key_permissions = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
diastg = {
diagnostic_storage_account_key = "dsa1"
key_permissions = ["get", "create", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "Encrypt", "Decrypt", "Sign", "Verify"]
key_permissions = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
logged_in_user = {
key_permissions = ["get", "create", "delete", "list", "restore", "recover", "unwrapkey", "wrapkey", "purge", "Encrypt", "Decrypt", "Sign", "Verify"]
key_permissions = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
}
}
Expand All @@ -34,13 +34,13 @@ keyvault_keys = {
keyvault_key = "stg_byok"
key_type = "RSA"
key_size = 2048
key_opts = ["Decrypt", "Encrypt", "Sign", "UnwrapKey", "Verify", "WrapKey"]
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}
diabyok = {
name = "diagnosticstorage"
keyvault_key = "stg_byok"
key_type = "RSA"
key_size = 2048
key_opts = ["Decrypt", "Encrypt", "Sign", "UnwrapKey", "Verify", "WrapKey"]
key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}
}
}
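Review bot: The corrected `key_permissions` lists for the `stg` and `diastg` policies still grant the storage accounts' managed identities far more than customer-managed-key encryption needs — Azure Storage CMK requires only Get, WrapKey and UnwrapKey on the key, yet the policies also hand out Create, List, Restore, Recover, Purge, Encrypt, Decrypt, Sign and Verify, plus a full set of `secret_permissions`. Purge in particular lets a compromised storage identity permanently destroy the soft-deleted key that protects its own data. Since this is the example that users copy, trim both service-principal policies to `key_permissions = ["Get", "UnwrapKey", "WrapKey"]` and drop their `secret_permissions`; the broad set is defensible only for `logged_in_user`, which administers the keys. The `keyvault_access_policies` map starts before the hunk.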
2 changes: 1 addition & 1 deletion modules/storage_account/storage_account.tf
Expand Up @@ -22,7 +22,7 @@ resource "azurerm_storage_account" "stg" {
account_tier = try(var.storage_account.account_tier, "Standard")
account_replication_type = try(var.storage_account.account_replication_type, "LRS")
account_kind = try(var.storage_account.account_kind, "StorageV2")
access_tier = try(var.storage_account.access_tier, "Hot")
access_tier = contains(["BlobStorage", "FileStorage", "StorageV2"], try(var.storage_account.account_kind, "StorageV2")) ? try(var.storage_account.access_tier, "Hot") : null
allow_nested_items_to_be_public = try(var.storage_account.allow_nested_items_to_be_public, var.storage_account.allow_blob_public_access, false)
cross_tenant_replication_enabled = try(var.storage_account.cross_tenant_replication_enabled, null)
edge_zone = try(var.storage_account.edge_zone, null)
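Review bot: On the new `access_tier` line, a caller who sets `access_tier` for a `BlockBlobStorage` or `Storage` account now has the value silently discarded instead of getting a plan-time error, which hides a misconfigured tfvars entry; a comment above the line should state that, e.g. `# access_tier is only valid for BlobStorage/FileStorage/StorageV2; for other kinds it is forced to null and any caller-supplied value is ignored`. The `"StorageV2"` fallback for `account_kind` is now spelled out twice (here and on the `account_kind` line), so pulling that `try(...)` into a `locals` value would keep the two from drifting. The `azurerm_storage_account` resource continues outside the hunk.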
