
resource "azurerm_storage_account" "this" { account_replication_type = var.account_replication_type account_tier = var.account_tier location = var.location name = var.name resource_group_name = var.resource_group_name access_tier = var.account_kind == "BlockBlobStorage" && var.account_tier == "Premium" ? null : var.access_tier account_kind = var.account_kind allow_nested_items_to_be_public = var.allow_nested_items_to_be_public allowed_copy_scope = var.allowed_copy_scope cross_tenant_replication_enabled = var.cross_tenant_replication_enabled default_to_oauth_authentication = var.default_to_oauth_authentication edge_zone = var.edge_zone https_traffic_only_enabled = var.https_traffic_only_enabled infrastructure_encryption_enabled = var.infrastructure_encryption_enabled is_hns_enabled = var.is_hns_enabled large_file_share_enabled = var.large_file_share_enabled min_tls_version = var.min_tls_version nfsv3_enabled = var.nfsv3_enabled public_network_access_enabled = var.public_network_access_enabled queue_encryption_key_type = var.queue_encryption_key_type sftp_enabled = var.sftp_enabled shared_access_key_enabled = var.shared_access_key_enabled table_encryption_key_type = var.table_encryption_key_type tags = var.tags dynamic "azure_files_authentication" { for_each = var.azure_files_authentication == null ? [] : [ var.azure_files_authentication ] content { directory_type = azure_files_authentication.value.directory_type default_share_level_permission = azure_files_authentication.value.default_share_level_permission dynamic "active_directory" { for_each = azure_files_authentication.value.active_directory == null ? 
[] : [ azure_files_authentication.value.active_directory ] content { domain_guid = active_directory.value.domain_guid domain_name = active_directory.value.domain_name domain_sid = active_directory.value.domain_sid forest_name = active_directory.value.forest_name netbios_domain_name = active_directory.value.netbios_domain_name storage_sid = active_directory.value.storage_sid } } } } dynamic "blob_properties" { for_each = var.blob_properties == null ? [] : [var.blob_properties] content { change_feed_enabled = blob_properties.value.change_feed_enabled change_feed_retention_in_days = blob_properties.value.change_feed_retention_in_days default_service_version = blob_properties.value.default_service_version last_access_time_enabled = blob_properties.value.last_access_time_enabled versioning_enabled = blob_properties.value.versioning_enabled dynamic "container_delete_retention_policy" { for_each = blob_properties.value.container_delete_retention_policy == null ? [] : [ blob_properties.value.container_delete_retention_policy ] content { days = container_delete_retention_policy.value.days } } dynamic "cors_rule" { for_each = blob_properties.value.cors_rule == null ? [] : blob_properties.value.cors_rule content { allowed_headers = cors_rule.value.allowed_headers allowed_methods = cors_rule.value.allowed_methods allowed_origins = cors_rule.value.allowed_origins exposed_headers = cors_rule.value.exposed_headers max_age_in_seconds = cors_rule.value.max_age_in_seconds } } dynamic "delete_retention_policy" { for_each = blob_properties.value.delete_retention_policy == null ? [] : [ blob_properties.value.delete_retention_policy ] content { days = delete_retention_policy.value.days } } dynamic "restore_policy" { for_each = blob_properties.value.restore_policy == null ? [] : [blob_properties.value.restore_policy] content { days = restore_policy.value.days } } } } dynamic "custom_domain" { for_each = var.custom_domain == null ? 
[] : [var.custom_domain] content { name = custom_domain.value.name use_subdomain = custom_domain.value.use_subdomain } } dynamic "identity" { for_each = (var.managed_identities.system_assigned || length(var.managed_identities.user_assigned_resource_ids) > 0) ? { this = var.managed_identities } : {} content { type = identity.value.system_assigned && length(identity.value.user_assigned_resource_ids) > 0 ? "SystemAssigned, UserAssigned" : length(identity.value.user_assigned_resource_ids) > 0 ? "UserAssigned" : "SystemAssigned" identity_ids = identity.value.user_assigned_resource_ids } } dynamic "immutability_policy" { for_each = var.immutability_policy == null ? [] : [var.immutability_policy] content { allow_protected_append_writes = immutability_policy.value.allow_protected_append_writes period_since_creation_in_days = immutability_policy.value.period_since_creation_in_days state = immutability_policy.value.state } } dynamic "network_rules" { for_each = var.network_rules == null ? [] : [var.network_rules] content { default_action = network_rules.value.default_action bypass = network_rules.value.bypass ip_rules = network_rules.value.ip_rules virtual_network_subnet_ids = network_rules.value.virtual_network_subnet_ids dynamic "private_link_access" { for_each = var.network_rules.private_link_access == null ? [] : var.network_rules.private_link_access content { endpoint_resource_id = private_link_access.value.endpoint_resource_id endpoint_tenant_id = private_link_access.value.endpoint_tenant_id } } } } dynamic "routing" { for_each = var.routing == null ? [] : [var.routing] content { choice = routing.value.choice publish_internet_endpoints = routing.value.publish_internet_endpoints publish_microsoft_endpoints = routing.value.publish_microsoft_endpoints } } dynamic "sas_policy" { for_each = var.sas_policy == null ? 
[] : [var.sas_policy] content { expiration_period = sas_policy.value.expiration_period expiration_action = sas_policy.value.expiration_action } } dynamic "share_properties" { for_each = var.share_properties == null ? [] : [var.share_properties] content { dynamic "cors_rule" { for_each = share_properties.value.cors_rule == null ? [] : share_properties.value.cors_rule content { allowed_headers = cors_rule.value.allowed_headers allowed_methods = cors_rule.value.allowed_methods allowed_origins = cors_rule.value.allowed_origins exposed_headers = cors_rule.value.exposed_headers max_age_in_seconds = cors_rule.value.max_age_in_seconds } } dynamic "retention_policy" { for_each = share_properties.value.retention_policy == null ? [] : [share_properties.value.retention_policy] content { days = retention_policy.value.days } } dynamic "smb" { for_each = share_properties.value.smb == null ? [] : [share_properties.value.smb] content { authentication_types = smb.value.authentication_types channel_encryption_type = smb.value.channel_encryption_type kerberos_ticket_encryption_type = smb.value.kerberos_ticket_encryption_type multichannel_enabled = smb.value.multichannel_enabled versions = smb.value.versions } } } } dynamic "timeouts" { for_each = var.timeouts == null ? [] : [var.timeouts] content { create = timeouts.value.create delete = timeouts.value.delete read = timeouts.value.read update = timeouts.value.update } } lifecycle { ignore_changes = [ customer_managed_key, queue_properties, static_website ] } } resource "azurerm_storage_account_local_user" "this" { for_each = var.local_user name = each.value.name storage_account_id = azurerm_storage_account.this.id home_directory = each.value.home_directory ssh_key_enabled = each.value.ssh_key_enabled ssh_password_enabled = each.value.ssh_password_enabled dynamic "permission_scope" { for_each = each.value.permission_scope == null ? 
[] : each.value.permission_scope content { resource_name = permission_scope.value.resource_name service = permission_scope.value.service dynamic "permissions" { for_each = [permission_scope.value.permissions] content { create = permissions.value.create delete = permissions.value.delete list = permissions.value.list read = permissions.value.read write = permissions.value.write } } } } dynamic "ssh_authorized_key" { for_each = each.value.ssh_authorized_key == null ? [] : each.value.ssh_authorized_key content { key = ssh_authorized_key.value.key description = ssh_authorized_key.value.description } } dynamic "timeouts" { for_each = each.value.timeouts == null ? [] : [each.value.timeouts] content { create = timeouts.value.create delete = timeouts.value.delete read = timeouts.value.read update = timeouts.value.update } } } resource "azurerm_storage_account_customer_managed_key" "this" { count = var.customer_managed_key != null ? 1 : 0 key_name = var.customer_managed_key.key_name storage_account_id = azurerm_storage_account.this.id key_vault_id = var.customer_managed_key.key_vault_resource_id key_version = var.customer_managed_key.key_version user_assigned_identity_id = try(var.customer_managed_key.user_assigned_identity.resource_id, null) lifecycle { precondition { condition = (var.account_kind == "StorageV2" || var.account_tier == "Premium") error_message = "`var.customer_managed_key` can only be set when the `account_kind` is set to `StorageV2` or `account_tier` set to `Premium`, and the identity type is `UserAssigned`." 
} } } resource "azurerm_role_assignment" "storage_account" { for_each = var.role_assignments principal_id = each.value.principal_id scope = azurerm_storage_account.this.id condition = each.value.condition condition_version = each.value.condition_version delegated_managed_identity_resource_id = each.value.delegated_managed_identity_resource_id role_definition_id = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? each.value.role_definition_id_or_name : null role_definition_name = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? null : each.value.role_definition_id_or_name skip_service_principal_aad_check = each.value.skip_service_principal_aad_check } resource "azurerm_storage_account_static_website" "this" { for_each = var.static_website == null ? {} : var.static_website storage_account_id = azurerm_storage_account.this.id error_404_document = each.value.error_404_document index_document = each.value.index_document } resource "azurerm_storage_account_queue_properties" "this" { for_each = var.queue_properties storage_account_id = azurerm_storage_account.this.id dynamic "cors_rule" { for_each = each.value.cors_rule content { allowed_headers = cors_rule.value.allowed_headers allowed_methods = cors_rule.value.allowed_methods allowed_origins = cors_rule.value.allowed_origins exposed_headers = cors_rule.value.exposed_headers max_age_in_seconds = cors_rule.value.max_age_in_seconds } } dynamic "hour_metrics" { for_each = each.value.hour_metrics == null ? [] : ["1"] content { version = each.value.hour_metrics.version include_apis = each.value.hour_metrics.include_apis retention_policy_days = each.value.hour_metrics.retention_policy_days } } dynamic "logging" { for_each = each.value.logging == null ? 
[] : ["1"] content { delete = each.value.logging.delete read = each.value.logging.read version = each.value.logging.version write = each.value.logging.write retention_policy_days = each.value.logging.retention_policy_days } } dynamic "minute_metrics" { for_each = each.value.minute_metrics == null ? [] : ["1"] content { version = each.value.minute_metrics.version include_apis = each.value.minute_metrics.include_apis retention_policy_days = each.value.minute_metrics.retention_policy_days } } }