- Overview
- Data Protection Requirements/Considerations
- High Availability Requirements/Considerations
- Disaster Recovery Requirements/Considerations
- Cloud Platform Organization Policies
- Hashicorp Sentinel Policies
- Permissions Required
- Apis Required
- How to Use this Module
- Create a Standard StorageV2 that has a variety of features
- Requirements
- Providers
- Modules
- Resources
- Inputs
- Outputs
The Azure Storage Account module deploys Azure Storage data objects: Containers, Blobs, Queues, Tables, File Shares, and Data Lake Gen2 storage.
Standard StorageV2 - Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage.
Premium File Shares - Premium storage account type for Server Message Block (SMB) file shares only. Recommended for enterprise or high-performance scale applications.
Premium Blockblobs - Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency, e.g., Data Lake Storage for dedicated big data analytics capabilties.
This module was defaults to a Standard StorageV2, with a Hot access tier, and read-access geo-redunant replication. For Premium accounts, account replication must be either locally-redundant (LRS) or zone-redundant (ZRS).
Remember storage account names must be between 3 and 24 characters, lowercase letters and numbers, and globally unique.
- CanNotDelete: Authorized users are able to read and modify the resources, but not delete. Defaults to
true. The CanNotDelete setting will NOT prevent Terraform from destorying the storage account. - ReadOnly: Authorized users can only read from a resource, but they can't modify or delete. Defaults to
false. Once a ReadOnly lock is deployed, no further modifications can take place, including Terraform changes. This lock will have to be removed manually, through the command line, or via the Azure Portal. Navigate to the storage account, and under the left navigation panel, the Settings grouping, select Locks, then delete the lock. Be sure to remove the ReadOnly setting, or set it tofalse, to prevent it from recreating.
The immutability policy can be set at the storage account level, which will be inherited by objects, containers and blobs, that do not possess an explicit immutability policy. Be aware that the initial state can only be 'Disabled' or 'Unlocked', before being put in a 'Locked' state. Once in a 'Locked' state, it cannot be reverted.
Changing the name for these resources and fields will cause a replace of the resource, resulting in data loss. As a general rule of thumb, changing a resource's name or the name of a parent resource will cause a replacement.
| Resource | Changing this field will force a new resource to be created |
|---|---|
| azurerm_storage_account | name resource_group_name location account_tier edge_zone enable_https_traffic_only is_hns_enabled nfsv3_enabled queue_encryption_key_type table_encryption_key_type infrastructure_encryption_enabled immutability_policy |
| azurerm_storage_account_network_rules | storage_account_id |
| azurerm_storage_blob_inventory_policy | storage_account_id |
| azurerm_storage_management_policy | storage_account_id |
| azurerm_storage_blob | name storage_account_name storage_container_name type size content_md5 source_content source_uri parallelism |
| azurerm_storage_container | name storage_account_name |
| azurerm_storage_data_lake_gen2_filesystem | name storage_acccount_id |
| azurerm_storage_data_lake_gen2_path | path filesystem_name storage_account_id resource |
| azurerm_storage_queue | name storage_account_name |
| azurerm_storage_share | name storage_account_name |
| azurerm_storage_share_directory | name share_name storage_account_name |
| azurerm_storage_share_file | name storage_share_id path source content_md5 |
| azurerm_storage_table | name storage_account_name |
| azurerm_storage_table_entity | storage_account_name table_name partition_key row_key |
By default account replication is set to read-access geo-redunant (RAGRS). Possible options for Standard Storage Accounts are:
- LRS: Locally redundant storage
- least expensive replication option, but data is only copied in a single location in the primary region
- ZRS: Zone-redundant storage
- copies data across three Azure availability zones in the primary region
- GRS: Geo-redundant storage
- copies data across three Azure availability zones in the primary region, and in single location in the secondary region
- GZRS: Geo-zone-redundant storage
- similar to GRS, however data in the secondary region is copied using LRS
- RA-GRS: Read-access Geo-redundant storage
- similar to GRS, with the added benefit of data always available to be read from the secondary, including in a situation where the primary region becomes unavailable
- RA-GZRS: Read-access Geo-zone-redundant storage
- similar to GZRS, with the added benefit of data always available to be read from the secondary, including in a situation where the primary region becomes unavailable
For example, Azure Cross-Region Replication has East US 2 paired wtih Central US.
Premium accounts are currently restricted to locally-redundant (LRS) or zone-redundant (ZRS) per Azure capabilities.
There are two types of failover, Customer-managed and Microsoft-managed. Regardless of failover, some level of data loss should be anticipated, due to a delay between data being written to the primary region before being copied to the secondary. For more information, see the Microsoft documentation here.
Customer-managed failovers enable you to fail over your entire geo-redundant storage account to the secondary region if the storage service endpoints for the primary region become unavailable. During failover, the original secondary region becomes the new primary and all storage service endpoints for blobs, tables, queues and files are redirected to the new primary region. After the storage service endpoint outage has been resolved, you can perform another failover operation to fail back to the original primary region. For more information, see the Microsoft documentation here.
Microsoft-managed failovers are at the region or scale unit level, and can't be initiated for individual storage accounts, subscriptions, or tenants. This happens during extremem circumstances, where the original primary region is deemed unrecoverable.
If public_network_access_enabled variable is set to true (which is default), then using the network_rules variables, ip_rules can be set to allow access for public ip addresses and ip address ranges, e.g., specific single client, range of VPN users, on-premises networks. Additionally, virtual_network_subnet_ids can specifiy virtual network subnets, allowing access for resources there. Exceptions for access can be allowed for Logging, Metrics, and Azure Services, using the bypass parameter.
If public_network_access_enabled variable is set to false, then network_rules has no effect.
If leveraging HCP Terraform (formerly Terraform Cloud), and internally owned runners are not being used, then the relevant workspace will need be in local mode, and the user's IP address added to the network_rules ip_rules parameter. This is because the IP addresses for HCP Terraform shared runners are not published, and thus they cannot be reliably be added to the exception listed. For your awareness, HashiCorp does publish ip addresses for other services, via https://app.terraform.io/api/meta/ip-ranges, but they do not have any affect on the runners.
If leveraging Terraform Cloud there's it's recommended to utilize internal owned runners utilizing HCP Teraform Agents, which is documented here. The network of machine where the agent is installed can be linked to the storage account, utilizing a service endpoint. A subnet id, an example of an Azure one below, can be added to the network_rules virtual_network_subnet_ids variable.
tfc_agent_<region>_subnet_id = "/subscriptions/<sub_id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<snet>"To enable Private Endpoints, set the enable_private_networking variable to true, and private_endpoint_subnet_id and dns_zone_ids will need to be populated. dns_zone_ids is a map of object with name and id parameters. Optionally, the private_endpoint_resource_group_name variable can be populated if the resource group is different than the resource_group_name variable value.
Secure transfer with HTTPS only traffic can be enforced with the enable_https_traffic_only variable; it currently defaults to true. This is generally recommended, the exception being this must be disabled when using NFS (Network File System) Azure File Shares. Additionally, this setting will not be applied for custom domain names.
Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES with GCM (Galois/Counter Mode) encryption and is FIPS 140-2 compliant. If compliance requirements require more, an additional layer of 256-bit AES CBC (Cipher Block Chaining) encryption is available using the infrastructure_encryption_enabled variable. This module currently implements only Microsoft-managed keys for this option. Otherwise, enabling this feature may impact peformance, and is irreversibile once set (storage account would have to be destroyed and recreated to turn off this f).
The min_tls_version variable defaults to TLS1.2, and the variable validation currently constrains it to only that value.
locals {
tags = {
env = "dev"
app_code = "storage"
app_instance = "storagev2"
classification = "internal-only"
cost_id = "12345"
department_id = "678901"
project_id = "it-ab00c123"
org_code = "insight"
managed_by = "terraform"
}
}
data "azurerm_subnet" "test_sub" {
name = "default"
virtual_network_name = var.virtual_network_name
resource_group_name = var.resource_group_name
}
resource "random_id" "random_suffix" {
byte_length = 8
}
module "azure_storage_account_standard_storagev2" {
source = "app.terraform.io/insight/azure-storage/terraform"
version = "1.0.0"
tags = local.tags
storage_account_name = substr(format("st%s%s%s%s", local.tags.app_code, local.tags.env, local.tags.app_instance, random_id.random_suffix.hex), 0, 24)
resource_group_name = var.resource_group_name
public_network_access_enabled = false
network_rules = {
default_action = "Deny"
# This could be a specific ip address for individual users, e.g., 20.94.5.238
# or an ip range for a group of users (VPN), e.g., 20.128.0.0/16
ip_rules = ["20.94.5.238"]
virtual_network_subnet_ids = [data.azurerm_subnet.test_sub.id]
}
storage_container = [
{
name = "container-append"
blob = [
{
name = "blob_append"
type = "Append"
metadata = {
blob_type = "append"
purpose = "logs"
}
}]
},
{
name = "container-block"
blob = [
{
name = "blob_block_first"
type = "Block"
access_tier = "Hot"
source_content = "Hello World!"
metadata = {
blob_type = "block"
purpose = "backups"
}
}
]
}
]
blob_properties = {
versioning_enabled = true
}
blob_inventory_policy = [
{
name = "blob-inventory-policy-rule-blob"
storage_container_name = "container-append"
format = "Csv"
schedule = "Daily"
scope = "Blob"
schema_fields = [
"Name",
"Last-Modified",
"Metadata",
"VersionId",
"IsCurrentVersion"
]
filter = {
blob_types = ["blockBlob"]
include_blob_versions = true
include_deleted = false
include_snapshots = false
prefix_match = ["prefix1", "prefix2"]
exclude_prefixes = ["prefix3", "prefix4"]
}
},
{
name = "blob-inventory-policy-rule-blob-expanded"
storage_container_name = "container-append"
format = "Parquet"
schedule = "Weekly"
scope = "Blob"
schema_fields = [
"Name",
"Last-Modified",
"Metadata",
"BlobType",
"AccessTier",
"LastAccessTime"
]
filter = {
blob_types = ["appendBlob"]
}
},
{
name = "blob-inventory-policy-rule-container"
storage_container_name = "container-append"
format = "Csv"
schedule = "Weekly"
scope = "Container"
schema_fields = [
"Name",
"Last-Modified",
"Metadata",
"PublicAccess",
"HasImmutabilityPolicy",
"HasLegalHold",
"DefaultEncryptionScope"
]
},
{
name = "blob-inventory-policy-rule-blob-2"
storage_container_name = "container-block"
format = "Csv"
schedule = "Daily"
scope = "Blob"
schema_fields = [
"Name",
"Last-Modified",
"Metadata"
]
filter = {
blob_types = ["blockBlob"]
}
}
]
management_policy = {
rule = [
{
name = "firstrule"
enabled = true
filters = {
prefix_match = ["container-block/blob_block"]
blob_types = ["blockBlob"]
match_blob_index_tag = {
name = "tag1"
operation = "=="
value = "val1"
}
}
actions = {
base_blob = {
tier_to_cool_after_days_since_modification_greater_than = 10
tier_to_archive_after_days_since_modification_greater_than = 50
delete_after_days_since_modification_greater_than = 100
}
}
},
{
name = "secondrule"
enabled = true
filters = {
prefix_match = ["container-block-page-combo/blob_block"]
blob_types = ["blockBlob"]
}
actions = {
snapshot = {
delete_after_days_since_creation_greater_than = 30
}
version = {
delete_after_days_since_creation = 60
}
}
}
]
}
storage_queue = [
{
name = "queue-first"
metadata = {
testkey = "testvalue"
queuetype = module.azure_storage_account_standard_storagev2.storage_account_tier
classification = local.tags.classification
}
},
{
name = "queue-second"
}
]
queue_properties = {
cors_rule = [{
allowed_headers = ["x-ms-meta-data*", "x-ms-meta-target*"]
allowed_methods = ["PUT", "GET"]
allowed_origins = ["http://*.contoso.com", "http://www.fabrikam.com"]
exposed_headers = ["x-ms-meta-*"]
max_age_in_seconds = 200
}]
logging = {
delete = true
read = true
retention_policy_days = 7
version = "1.0"
write = true
}
minute_metrics = {
enabled = true
retention_policy_days = 7
version = "1.0"
}
}
storage_table = [
{
name = "supplies"
entities = {
stethoscope = {
partition_key = "Diagnostic"
row_key = "STETH"
entity = {
"Equipment" = "Stethoscope"
"Description" = "A device used to listen to sounds within the body, such as heart or lung sounds."
"Use" = "Used by doctors and nurses to diagnose and monitor various medical conditions."
"Quantity" = "235"
}
}
blood_pressure_monitor = {
partition_key = "Diagnostic"
row_key = "BPM"
entity = {
"Equipment" = "Blood pressure monitor"
"Description" = "A device used to measure the pressure of blood in the arteries."
"Use" = "Used to diagnose and monitor high blood pressure (hypertension) and other cardiovascular conditions."
"Quantity" = "35"
}
},
surgical_laser = {
partition_key = "Surgical"
row_key = "SURGLAS"
entity = {
"Equipment" = "Surgical laser"
"Description" = "A device that uses a focused beam of light to cut or vaporize tissue."
"Use" = "Used during surgical procedures to make precise incisions, remove tumors, or treat various medical conditions."
"Quantity" = "12"
}
}
}
},
{
name = "technicians"
acl = [
{
id = "example-acl-id"
access_policy = [
{
start = "2024-02-01"
expiry = "2025-03-15T14:00:00"
permissions = "raud"
utc_offset = "-5h"
}
]
}
]
}
]
storage_share = [
{
name = "first-share"
quota = 1
},
{
name = "second-share"
quota = 2
directories = [
{
name = "media"
},
{
name = "images"
files = [
{
name = "logo.png"
},
{
name = "banner.png"
}
]
metadata = {
owner = "Public Affairs"
purpose = "branding"
}
},
{
name = "documents"
files = [
{
name = "README.md"
source = "./README.md"
content_type = "test/markdown"
content_md5 = "767f964b6c24295e25e0a5f42e1bfebf"
content_encoding = "identity"
content_disposition = "attachment"
metadata = {
description = "Readme"
filetype = "markdown"
}
}
]
}
]
}
]
share_properties = {
retention_policy = {
days = 7
}
}
}| Name | Version |
|---|---|
| terraform | ~>1.3 |
| azurerm | =3.116.0 |
| random | >=3.6.0, < 4.0.0 |
| Name | Version |
|---|---|
| azurerm | =3.116.0 |
No modules.
| Name | Type |
|---|---|
| azurerm_management_lock.this | resource |
| azurerm_private_endpoint.blob | resource |
| azurerm_private_endpoint.dfs | resource |
| azurerm_private_endpoint.file | resource |
| azurerm_private_endpoint.queue | resource |
| azurerm_private_endpoint.table | resource |
| azurerm_private_endpoint.web | resource |
| azurerm_storage_account.this | resource |
| azurerm_storage_account_local_user.this | resource |
| azurerm_storage_account_network_rules.this | resource |
| azurerm_storage_blob.this | resource |
| azurerm_storage_blob_inventory_policy.this | resource |
| azurerm_storage_container.this | resource |
| azurerm_storage_data_lake_gen2_filesystem.this | resource |
| azurerm_storage_data_lake_gen2_path.this | resource |
| azurerm_storage_management_policy.this | resource |
| azurerm_storage_queue.this | resource |
| azurerm_storage_share.this | resource |
| azurerm_storage_share_directory.this | resource |
| azurerm_storage_share_file.this | resource |
| azurerm_storage_table.this | resource |
| azurerm_storage_table_entity.this | resource |
| azurerm_resource_group.rgrp | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_tier | (Optional) Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot. |
string |
"Hot" |
no |
| account_kind | (Optional) Defines the Kind of account. Valid options are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2. |
string |
"StorageV2" |
no |
| account_replication_type | (Required) Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. |
string |
"RAGRS" |
no |
| account_tier | (Required) Defines the Tier to use for this storage account. Valid options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid. Changing this forces a new resource to be created. |
string |
"Standard" |
no |
| allow_nested_items_to_be_public | (Optional) Allow or disallow nested items within this Account to opt into being public. Defaults to false. | bool |
false |
no |
| allowed_copy_scope | (Optional) Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are AAD and PrivateLink. |
string |
null |
no |
| azure_files_authentication | - directory_type - (Required) Specifies the directory service used. Possible values are AADDS, AD and AADKERB.--- active_directory block supports the following:- domain_guid - (Required) Specifies the domain GUID.- domain_name - (Required) Specifies the primary domain that the AD DNS server is authoritative for.- domain_sid - (Required) Specifies the security identifier (SID).- forest_name - (Required) Specifies the Active Directory forest.- netbios_domain_name - (Required) Specifies the NetBIOS domain name.- storage_sid - (Required) Specifies the security identifier (SID) for Azure Storage. |
object({ |
null |
no |
| blob_inventory_policy | - name - (Required) The name which should be used for this Blob Inventory Policy Rule.- storage_container_name - (Required) The storage container name to store the blob inventory files for this rule.- format - (Required) The format of the inventory files. Possible values are Csv and Parquet.- schedule - (Required) The inventory schedule applied by this rule. Possible values are Daily and Weekly.- scope - (Required) The scope of the inventory for this rule. Possible values are Blob and Container.- schema_fields - (Required) A list of fields to be included in the inventory. See the Azure API reference Blob Inventory Policies for all the supported fields.- filter block- timeouts block--- filter block supports the following:- blob_types - (Required) A set of blob types. Possible values are blockBlob, appendBlob, and pageBlob. The storage account with is_hns_enabled is true doesn't support pageBlob.- include_blob_versions - (Optional) Includes blob versions in blob inventory or not? Defaults to false.- include_deleted - (Optional) Includes deleted blobs in blob inventory or not? Defaults to false.- include_snapshots - (Optional) Includes blob snapshots in blob inventory or not? Defaults to false.- prefix_match - (Optional) A set of strings for blob prefixes to be matched. Maximum of 10 blob prefixes.- exclude_prefixes - (Optional) A set of strings for blob prefixes to be excluded. Maximum of 10 blob prefixes. |
list(object({ |
null |
no |
| blob_properties | - change_feed_enabled - (Optional) Is the blob service properties for change feed events enabled? Default to false.- change_feed_retention_in_days - (Optional) The duration of change feed events retention in days. The possible values are between 1 and 146000 days (400 years). Setting this to null (or omit this in the configuration file) indicates an infinite retention of the change feed.- default_service_version - (Optional) The API Version which should be used by default for requests to the Data Plane API if an incoming request doesn't specify an API Version.- last_access_time_enabled - (Optional) Is the last access time based tracking enabled? Default to false.- versioning_enabled - (Optional) Is versioning enabled? Default to false.--- container_delete_retention_policy block supports the following:- days - (Optional) Specifies the number of days that the container should be retained, between 1 and 365 days. Defaults to 7.--- cors_rule block supports the following:- allowed_headers - (Required) A list of headers that are allowed to be a part of the cross-origin request.- allowed_methods - (Required) A list of HTTP methods that are allowed to be executed by the origin. Valid options are DELETE, GET, HEAD, MERGE, POST, OPTIONS, PUT or PATCH.- allowed_origins - (Required) A list of origin domains that will be allowed by CORS.- exposed_headers - (Required) A list of response headers that are exposed to CORS clients.- max_age_in_seconds - (Required) The number of seconds the client should cache a preflight response.--- delete_retention_policy block supports the following:- days - (Optional) Specifies the number of days that the blob should be retained, between 1 and 365 days. Defaults to 7.--- restore_policy block supports the following:- days - (Required) Specifies the number of days that the blob can be restored, between 1 and 365 days. This must be less than the days specified for delete_retention_policy. |
object({ |
null |
no |
| cross_tenant_replication_enabled | (Optional) Should cross Tenant replication be enabled? Defaults to false. | bool |
false |
no |
| custom_domain | - name - (Required) The Custom Domain Name to use for the Storage Account, which will be validated by Azure.- use_subdomain - (Optional) Should the Custom Domain Name be validated by using indirect CNAME validation? |
object({ |
null |
no |
| data_lake_gen2 | - name - (Required) The name of the Data Lake Gen2 File System which should be created within the Storage Account. Must be unique within the storage account the queue is located. Changing this forces a new resource to be created.- properties - (Optional) A mapping of Key to Base64-Encoded Values which should be assigned to this Data Lake Gen2 File System.- ace - (Optional) One or more ace blocks as defined below to specify the entries for the ACL for the path.- owner - (Optional) Specifies the Object ID of the Azure Active Directory User to make the owning user of the root path (i.e. /). Possible values also include $superuser.- group - (Optional) Specifies the Object ID of the Azure Active Directory Group to make the owning group of the root path (i.e. /). Possible values also include $superuser.--- An ace block supports the following:- scope - (Optional) Specifies whether the ACE represents an access entry or a default entry. Default value is access.- type - (Required) Specifies the type of entry. Can be user, group, mask or other.- id - (Optional) Specifies the Object ID of the Azure Active Directory User or Group that the entry relates to. Only valid for user or group entries.- permissions - (Required) Specifies the permissions for the entry in rwx form. For example, rwx gives full permissions but r-- only gives read permissions.More details on ACLs can be found here: https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#access-control-lists-on-files-and-directories --- An path block supports the following:- path - (Required) The path which should be created within the Data Lake Gen2 File System in the Storage Account. Changing this forces a new resource to be created.- resource - (Required) Specifies the type for path to create. Currently only directory is supported. Changing this forces a new resource to be created.- owner - (Optional) Specifies the Object ID of the Azure Active Directory User to make the owning user. Possible values also include $superuser.- group - (Optional) Specifies the Object ID of the Azure Active Directory Group to make the owning group. Possible values also include $superuser.- ace - (Optional) One or more ace blocks as defined below to specify the entries for the ACL for the path.--- The timeouts block supports the following:- create - (Defaults to 30 minutes) Used when creating the Data Lake Gen2 File System.- update - (Defaults to 30 minutes) Used when updating the Data Lake Gen2 File System.- read - (Defaults to 5 minutes) Used when retrieving the Data Lake Gen2 File System.- delete - (Defaults to 30 minutes) Used when deleting the Data Lake Gen2 File System. |
list(object({ |
[] |
no |
| default_to_oauth_authentication | (Optional) Default to Azure Active Directory authorization in the Azure portal when accessing the Storage Account. The default value is false |
bool |
false |
no |
| dns_zone_ids | A Map of DNS zone ids from the private DNS zones module, dns_zone name is the key | map(object({ |
{} |
no |
| edge_zone | (Optional) Specifies the Edge Zone within the Azure Region where this Storage Account should exist. Changing this forces a new Storage Account to be created. | string |
null |
no |
| enable_private_networking | Declare whether Private Networking should be leveraged (VNet integration and Private Endpoints). | bool |
false |
no |
| https_traffic_only_enabled | (Optional) Boolean flag which forces HTTPS if enabled, see here for more information. Defaults to true. | bool |
true |
no |
| identity | - identity_ids - (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account.- type - (Required) Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both). |
object({ |
null |
no |
| immutability_policy | - allow_protected_append_writes - (Required) When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. Only new blocks can be added and any existing blocks cannot be modified or deleted.- period_since_creation_in_days - (Required) The immutability period for the blobs in the container since the policy creation, in days.- state - (Required) Defines the mode of the policy. Disabled state disables the policy, Unlocked state allows increase and decrease of immutability retention time and also allows toggling allowProtectedAppendWrites property, Locked state only allows the increase of the immutability retention time. A policy can only be created in a Disabled or Unlocked state and can be toggled between the two states. Only a policy in an Unlocked state can transition to a Locked state which cannot be reverted. |
object({ |
null |
no |
| infrastructure_encryption_enabled | (Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to false. | bool |
false |
no |
| is_hns_enabled | (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 (see here for more information). Changing this forces a new resource to be created. | bool |
false |
no |
| large_file_share_enabled | (Optional) Is Large File Share Enabled? | bool |
null |
no |
| management_locks | A map of management locks - CanNotDelete - (Required) Storage Account level CanNotDelete Management Lock. Authorized users are able to read and modify the resources, but not delete. Defaults to true. Changing this forces a new resource to be created.- ReadyOnly - (Optional) Storage Account level ReadOnly Management Lock. Authorized users can only read from a resource, but they can't modify or delete. Defaults to false. Changing this forces a new resource to be created. |
object({ |
{ |
no |
| management_policy | rule block supports the following:- name - (Required) The name of the rule. Rule name is case-sensitive. It must be unique within a policy.- enabled - (Required) Boolean to specify whether the rule is enabled.- filters - (Required) A filters block as documented below.- actions - (Required) An actions block as documented below.--- filters block supports the following:- blob_types - (Required) An array of predefined values. Valid options are blockBlob and appendBlob.- prefix_match - (Optional) An array of strings for prefixes to be matched.- match_blob_index_tag - (Optional) A match_blob_index_tag object as defined below. The object defines the blob index tag based filtering for blob objects.Note: The match_blob_index_tag block cannot be set if the snapshot and/or version blocks are set.--- match_blob_index_tag block supports the following- name - (Required) The filter tag name used for tag based filtering for blob objects.- operation - (Optional) The comparison operator which is used for object comparison and filtering. Possible value is ==. Defaults to ==.- value - (Required) The filter tag value used for tag based filtering for blob objects.--- actions block supports the following:- base_blob - (Optional) A base_blob block as documented below.- snapshot - (Optional) A snapshot block as documented below.- version - (Optional) A version block as documented below.--- base_blob block supports the following:- tier_to_cool_after_days_since_modification_greater_than - (Optional) The age in days after last modification to tier blobs to cool storage. Supports blob currently at Hot tier. Must be between 0 and 99999. Defaults to -1.- tier_to_cool_after_days_since_last_access_time_greater_than - (Optional) The age in days after last access time to tier blobs to cool storage. Supports blob currently at Hot tier. Must be between 0 and 99999. Defaults to -1.- tier_to_cool_after_days_since_creation_greater_than - (Optional) The age in days after creation to cool storage. Supports blob currently at Hot tier. Must be between 0 and 99999. Defaults to -1.Note: The tier_to_cool_after_days_since_modification_greater_than, tier_to_cool_after_days_since_last_access_time_greater_than, and tier_to_cool_after_days_since_creation_greater_than can not be set at the same time.- auto_tier_to_hot_from_cool_enabled - (Optional) Whether a blob should automatically be tiered from cool back to hot if it's accessed again after being tiered to cool. Defaults to false.Note: The auto_tier_to_hot_from_cool_enabled must be used together with tier_to_cool_after_days_since_last_access_time_greater_than.- tier_to_archive_after_days_since_modification_greater_than - (Optional) The age in days after last modification to tier blobs to archive storage. Supports blob currently at Hot or Cool tier. Must be between 0 and 99999. Defaults to -1.- tier_to_archive_after_days_since_last_access_time_greater_than - (Optional) The age in days after last access time to tier blobs to archive storage. Supports blob currently at Hot or Cool tier. Must be between 0 and 99999. Defaults to -1.Note: The tier_to_archive_after_days_since_modification_greater_than, tier_to_archive_after_days_since_last_access_time_greater_than, and tier_to_archive_after_days_since_creation_greater_than can not be set at the same time.- tier_to_archive_after_days_since_last_tier_change_greater_than - (Optional) The age in days after last tier change to the blobs to skip to be archived. Must be between 0 and 99999. Defaults to -1.Note: The tier_to_cool_after_days_since_modification_greater_than, tier_to_cool_after_days_since_last_access_time_greater_than, and tier_to_cool_after_days_since_creation_greater_than can not be set at the same time.- delete_after_days_since_modification_greater_than - (Optional) The age in days after last modification to delete the blob. Must be between 0 and 99999. Defaults to -1.- delete_after_days_since_last_access_time_greater_than - (Optional) The age in days after last access time to delete the blob. Must be between 0 and 99999. Defaults to -1.- delete_after_days_since_creation_greater_than - (Optional) The age in days after creation to delete the blob. Must be between 0 and 99999. Defaults to -1.Note: The delete_after_days_since_modification_greater_than, delete_after_days_since_last_access_time_greater_than, and delete_after_days_since_creation_greater_than can not be set at the same time.Note: The last_access_time_enabled must be set to true in the azurerm_storage_account in order to use tier_to_cool_after_days_since_last_access_time_greater_than, tier_to_archive_after_days_since_last_access_time_greater_than, and delete_after_days_since_last_access_time_greater_than.--- snapshot block supports the following:- change_tier_to_archive_after_days_since_creation - (Optional) The age in days after creation to tier blob snapshot to archive storage. Must be between 0 and 99999. Defaults to -1.- tier_to_archive_after_days_since_last_tier_change_greater_than - (Optional) The age in days after last tier change to the blobs to skip to be archived. Must be between 0 and 99999. Defaults to -1.- change_tier_to_cool_after_days_since_creation - (Optional) The age in days after creation to tier blob snapshot to cool storage. Must be between 0 and 99999. Defaults to -1.- delete_after_days_since_creation- (Optional) The age in days after creation to delete the blob version. Must be between 0 and 99999. Defaults to -1.--- timeouts block supports the following:- create - (Defaults to 60 minutes) Used when creating the Network Rules for this Storage Account.- delete - (Defaults to 60 minutes) Used when deleting the Network Rules for this Storage Account.- read - (Defaults to 5 minutes) Used when retrieving the Network Rules for this Storage Account.- update - (Defaults to 60 minutes) Used when updating the Network Rules for this Storage Account. |
object({ |
null |
no |
| min_tls_version | (Optional) The minimum supported TLS version for the storage account. Defaults to TLS1_2 for new storage accounts. |
string |
"TLS1_2" |
no |
| network_rules | - default_action - (Optional) Specifies the default action of allow or deny when no other rules match. Valid options are Deny or Allow. Defaults to Deny.- bypass - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None.- ip_rules - (Optional) List of public IP or IP ranges in CIDR Format. Only IPv4 addresses are allowed. Private IP address ranges (as defined in RFC 1918) are not allowed.- storage_account_id - (Required) Specifies the ID of the storage account. Changing this forces a new resource to be created.- virtual_network_subnet_ids - (Optional) A list of virtual network subnet ids to secure the storage account.- subnet_id - (Required) The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint. Changing this forces a new resource to be created.--- private_link_access block supports the following:- endpoint_resource_id - (Required) The resource id of the resource access rule to be granted access.- endpoint_tenant_id - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.--- timeouts block supports the following:- create - (Defaults to 60 minutes) Used when creating the Network Rules for this Storage Account.- delete - (Defaults to 60 minutes) Used when deleting the Network Rules for this Storage Account.- read - (Defaults to 5 minutes) Used when retrieving the Network Rules for this Storage Account.- update - (Defaults to 60 minutes) Used when updating the Network Rules for this Storage Account. |
object({ |
{} |
no |
| nfsv3_enabled | (Optional) Is NFSv3 protocol enabled? Changing this forces a new resource to be created. Defaults to false. |
bool |
false |
no |
| private_endpoint_resource_group_name | The name of the resource group where the private endpoint resources will be deployed. | string |
"" |
no |
| private_endpoint_subnet_id | The ID of the subnet for the Private Endpoint. | string |
null |
no |
| public_network_access_enabled | (Optional) Whether the public network access is enabled? Defaults to true. |
bool |
true |
no |
| queue_encryption_key_type | (Optional) The encryption type of the queue service. Possible values are Service and Account. Changing this forces a new resource to be created. Default value is Service. |
string |
"Service" |
no |
| queue_properties | ---cors_rule block supports the following:- allowed_headers - (Required) A list of headers that are allowed to be a part of the cross-origin request.- allowed_methods - (Required) A list of HTTP methods that are allowed to be executed by the origin. Valid options are DELETE, GET, HEAD, MERGE, POST, OPTIONS, PUT or PATCH.- allowed_origins - (Required) A list of origin domains that will be allowed by CORS.- exposed_headers - (Required) A list of response headers that are exposed to CORS clients.- max_age_in_seconds - (Required) The number of seconds the client should cache a preflight response.--- hour_metrics block supports the following:- enabled - (Required) Indicates whether hour metrics are enabled for the Queue service.- include_apis - (Optional) Indicates whether metrics should generate summary statistics for called API operations.- retention_policy_days - (Optional) Specifies the number of days that logs will be retained.- version - (Required) The version of storage analytics to configure.--- logging block supports the following:- delete - (Required) Indicates whether all delete requests should be logged.- read - (Required) Indicates whether all read requests should be logged.- retention_policy_days - (Optional) Specifies the number of days that logs will be retained.- version - (Required) The version of storage analytics to configure.- write - (Required) Indicates whether all write requests should be logged.--- minute_metrics block supports the following:- enabled - (Required) Indicates whether minute metrics are enabled for the Queue service.- include_apis - (Optional) Indicates whether metrics should generate summary statistics for called API operations.- retention_policy_days - (Optional) Specifies the number of days that logs will be retained.- version - (Required) The version of storage analytics to configure. |
object({ |
null |
no |
| resource_group_name | (Required) The name of the resource group in which to create the storage account. Changing this forces a new resource to be created. | string |
n/a | yes |
| routing | - choice - (Optional) Specifies the kind of network routing opted by the user. Possible values are InternetRouting and MicrosoftRouting. Defaults to MicrosoftRouting.- publish_internet_endpoints - (Optional) Should internet routing storage endpoints be published? Defaults to false.- publish_microsoft_endpoints - (Optional) Should Microsoft routing storage endpoints be published? Defaults to false. |
object({ |
null |
no |
| sas_policy | - expiration_action - (Optional) The SAS expiration action. The only possible value is Log at this moment. Defaults to Log.- expiration_period - (Required) The SAS expiration period in format of DD.HH:MM:SS. |
object({ |
{ |
no |
| sftp_enabled | (Optional) Boolean, enable SFTP for the storage account | bool |
false |
no |
| share_properties | ---cors_rule block supports the following:- allowed_headers - (Required) A list of headers that are allowed to be a part of the cross-origin request.- allowed_methods - (Required) A list of HTTP methods that are allowed to be executed by the origin. Valid options are DELETE, GET, HEAD, MERGE, POST, OPTIONS, PUT or PATCH.- allowed_origins - (Required) A list of origin domains that will be allowed by CORS.- exposed_headers - (Required) A list of response headers that are exposed to CORS clients.- max_age_in_seconds - (Required) The number of seconds the client should cache a preflight response.--- retention_policy block supports the following:- days - (Optional) Specifies the number of days that the azurerm_storage_share should be retained, between 1 and 365 days. Defaults to 7.--- smb block supports the following:- authentication_types - (Optional) A set of SMB authentication methods. Possible values are NTLMv2, and Kerberos.- channel_encryption_type - (Optional) A set of SMB channel encryption. Possible values are AES-128-CCM, AES-128-GCM, and AES-256-GCM.- kerberos_ticket_encryption_type - (Optional) A set of Kerberos ticket encryption. Possible values are RC4-HMAC, and AES-256.- multichannel_enabled - (Optional) Indicates whether multichannel is enabled. Defaults to false. This is only supported on Premium storage accounts.- versions - (Optional) A set of SMB protocol versions. Possible values are SMB2.1, SMB3.0, and SMB3.1.1. |
object({ |
null |
no |
| shared_access_key_enabled | (Optional) Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is true. |
bool |
true |
no |
| static_website | - error_404_document - (Optional) The absolute path to a custom webpage that should be used when a request is made which does not correspond to an existing file.- index_document - (Optional) The webpage that Azure Storage serves for requests to the root of a website or any subfolder. For example, index.html. The value is case-sensitive. |
object({ |
null |
no |
| storage_account_local_user | - home_directory - (Optional) The home directory of the Storage Account Local User.- name - (Required) The name which should be used for this Storage Account Local User. Changing this forces a new Storage Account Local User to be created.- ssh_key_enabled - (Optional) Specifies whether SSH Key Authentication is enabled. Defaults to false.- ssh_password_enabled - (Optional) Specifies whether SSH Password Authentication is enabled. Defaults to false.--- permission_scope block supports the following:- resource_name - (Required) The container name (when service is set to blob) or the file share name (when service is set to file), used by the Storage Account Local User.- service - (Required) The storage service used by this Storage Account Local User. Possible values are blob and file.--- permissions block supports the following:- create - (Optional) Specifies if the Local User has the create permission for this scope. Defaults to false.- delete - (Optional) Specifies if the Local User has the delete permission for this scope. Defaults to false.- list - (Optional) Specifies if the Local User has the list permission for this scope. Defaults to false.- read - (Optional) Specifies if the Local User has the read permission for this scope. Defaults to false.- write - (Optional) Specifies if the Local User has the write permission for this scope. Defaults to false.--- ssh_authorized_key block supports the following:- description - (Optional) The description of this SSH authorized key.- key - (Required) The public key value of this SSH authorized key.--- timeouts block supports the following:- create - (Defaults to 30 minutes) Used when creating the Storage Account Local User.- delete - (Defaults to 30 minutes) Used when deleting the Storage Account Local User.- read - (Defaults to 5 minutes) Used when retrieving the Storage Account Local User.- update - (Defaults to 30 minutes) Used when updating the Storage Account Local User. |
map(object({ |
{} |
no |
| storage_account_location | (Required) Specifies the supported Azure location where the resource exists. Defaults to the Resource Group location. Changing this forces a new resource to be created. | string |
null |
no |
| storage_account_name | (Required) Specifies the name of the storage account. Only lowercase Alphanumeric characters allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group. | string |
n/a | yes |
| storage_container | - container_access_type - (Optional) The Access Level configured for this Container. Possible values are blob, container or private. Defaults to private.- metadata - (Optional) A mapping of MetaData for this Container. All metadata keys should be lowercase.- name - (Required) The name of the Container which should be created within the Storage Account. Changing this forces a new resource to be created.--- blob block supports the following:- name - (Required) The name of the storage blob. Must be unique within the storage container the blob is located. Changing this forces a new resource to be created.- type - (Required) The type of the storage blob to be created. Possible values are Append, Block or Page. Changing this forces a new resource to be created.- size - (optional) Size is required if source_uri is not set. Used only for page blobs to specify the size in bytes of the blob to be created. Must be a multiple of 512. Defaults to 0. Changing this forces a new resource to be created.- access_tier - (optional) The access tier of the storage blob. Possible values are Archive, Cool and Hot.- cache_control - (optional) Controls the cache control header content of the response when blob is requested .- content_type - (optional) The content type of the storage blob. Cannot be defined if source_uri is defined. Defaults to application/octet-stream.- content_md5 - (optional) The MD5 sum of the blob contents. Cannot be defined if source_uri is defined, or if blob type is Append or Page. Changing this forces a new resource to be created.- source - (optional) An absolute path to a file on the local system. This field cannot be specified for Append blobs and cannot be specified if source_content or source_uri is specified. Changing this forces a new resource to be created.- source_content - (optional) The content for this blob which should be defined inline. This field can only be specified for Block blobs and cannot be specified if source or source_uri is specified. Changing this forces a new resource to be created.- source_uri - (optional) The URI of an existing blob, or a file in the Azure File service, to use as the source contents for the blob to be created. Changing this forces a new resource to be created. This field cannot be specified for Append blobs and cannot be specified if source or source_content is specified.- parallelism - (optional) The number of workers per CPU core to run for concurrent uploads. Defaults to 8. Currently, only applicable for Page blobs. Changing this forces a new resource to be created.- metadata - (Optional) A mapping of MetaData which should be assigned to this Blob.- timeouts block--- timeouts block supports the following:- create - (Defaults to 30 minutes) Used when creating the Storage Container.- delete - (Defaults to 30 minutes) Used when deleting the Storage Container.- read - (Defaults to 5 minutes) Used when retrieving the Storage Container.- update - (Defaults to 30 minutes) Used when updating the Storage Container. |
list(object({ |
[] |
no |
| storage_queue | - metadata - (Optional) A mapping of MetaData which should be assigned to this Storage Queue.- name - (Required) The name of the Queue which should be created within the Storage Account. Must be unique within the storage account the queue is located. Changing this forces a new resource to be created.--- timeouts block supports the following:- create - (Defaults to 30 minutes) Used when creating the Storage Queue.- delete - (Defaults to 30 minutes) Used when deleting the Storage Queue.- read - (Defaults to 5 minutes) Used when retrieving the Storage Queue.- update - (Defaults to 30 minutes) Used when updating the Storage Queue. |
list(object({ |
[] |
no |
| storage_share | - access_tier - (Optional) The access tier of the File Share. Possible values are Hot, Cool and TransactionOptimized, Premium.- enabled_protocol - (Optional) The protocol used for the share. Possible values are SMB and NFS. The SMB indicates the share can be accessed by SMBv3.0, SMBv2.1 and REST. The NFS indicates the share can be accessed by NFSv4.1. Defaults to SMB. Changing this forces a new resource to be created.- metadata - (Optional) A mapping of MetaData for this File Share.- name - (Required) The name of the share. Must be unique within the storage account where the share is located. Changing this forces a new resource to be created.- quota - (Required) The maximum size of the share, in gigabytes. For Standard storage accounts, this must be 1GB (or higher) and at most 5120 GB (5 TB). For Premium FileStorage storage accounts, this must be greater than 100 GB and at most 102400 GB (100 TB).--- directories block supports the following:- name - (Required) The name (or path) of the Directory that should be created within this File Share. Changing this forces a new resource to be created.- files block--- files block supports the following:- name - (Required) The name (or path) of the File that should be created within this File Share. Changing this forces a new resource to be created.- source - (Optional) An absolute path to a file on the local system. Changing this forces a new resource to be created.- content_type - (Optional) The content type of the share file. Defaults to application/octet-stream. Some possible values are text/plain, application/json, application/ms-excel, image/png, audio/mpeg, video/mp4, etc.- content_md5 - (Optional) The MD5 sum of the file contents. Changing this forces a new resource to be created.- content_encoding - (Optional) Specifies which content encodings have been applied to the file. Some possible values are gzip, deflate, identity, compress, etc.- content_disposition - (Optional) Sets the file’s Content-Disposition header. Some possible values are inline, attachment, filename=example.txt, etc.- metadata - (Optional) A mapping of metadata to assign to this file.--- acl block supports the following:- id - (Required) The ID which should be used for this Shared Identifier.--- access_policy block supports the following:- expiry - (Optional) The time at which this Access Policy should be valid until, in ISO8601 format.- permissions - (Required) The permissions which should be associated with this Shared Identifier. Possible value is combination of r (read), w (write), d (delete), and l (list).- start - (Optional) The time at which this Access Policy should be valid from, in ISO8601 format.--- timeouts block supports the following:- create - (Defaults to 30 minutes) Used when creating the Storage Share.- delete - (Defaults to 30 minutes) Used when deleting the Storage Share.- read - (Defaults to 5 minutes) Used when retrieving the Storage Share.- update - (Defaults to 30 minutes) Used when updating the Storage Share. |
list(object({ |
[] |
no |
| storage_table | - name - (Required) The name of the storage table. Only Alphanumeric characters allowed, starting with a letter. Must be unique within the storage account the table is located. Changing this forces a new resource to be created.--- entities block supports the following:- partition_key - (Required) The key for the partition where the entity will be retrieved.- row_key - (Required) The key for the row where the entity will be inserted/merged. Changing this forces a new resource.- entity - (Required) A map of key/value pairs that describe the entity to be inserted/merged in to the storage table.--- acl block supports the following:- id - (Required) The ID which should be used for this Shared Identifier.--- access_policy block supports the following:- expiry - (Required) The ISO8061 UTC time at which this Access Policy should be valid until.- permissions - (Required) The permissions which should associated with this Shared Identifier.- start - (Required) The ISO8061 UTC time at which this Access Policy should be valid from.- utc_offset - (Optional) The difference in hours and minutes between Coordinated Universal Time and local solar time. Defaults to Central Time Zone utc offset of "-6h".--- timeouts block supports the following:- create - (Defaults to 30 minutes) Used when creating the Storage Table.- delete - (Defaults to 30 minutes) Used when deleting the Storage Table.- read - (Defaults to 5 minutes) Used when retrieving the Storage Table.- update - (Defaults to 30 minutes) Used when updating the Storage Table. |
list(object({ |
[] |
no |
| table_encryption_key_type | (Optional) The encryption type of the table service. Possible values are Service and Account. Changing this forces a new resource to be created. Default value is Service. |
string |
"Service" |
no |
| tags | (Optional) A mapping of tags to assign to the resource. | map(string) |
null |
no |
| timeouts | - create - (Defaults to 60 minutes) Used when creating the Storage Account.- delete - (Defaults to 60 minutes) Used when deleting the Storage Account.- read - (Defaults to 5 minutes) Used when retrieving the Storage Account.- update - (Defaults to 60 minutes) Used when updating the Storage Account. |
object({ |
null |
no |
| Name | Description |
|---|---|
| fqdn | Fqdns for storage services. |
| local_user | Storage Account Local User. |
| management_locks | Map of the management locks created |
| management_policy_id | ID of the management policy created |
| primary_access_key | The primary access key for the storage account |
| primary_blob_connection_string | The connection string associated with the primary blob location. |
| primary_blob_endpoint | The endpoint URL for blob storage in the primary location. |
| primary_blob_host | The hostname with port if applicable for blob storage in the primary location. |
| primary_blob_microsoft_endpoint | The microsoft routing endpoint URL for blob storage in the primary location. |
| primary_blob_microsoft_host | The microsoft routing hostname with port if applicable for blob storage in the primary location. |
| primary_connection_string | The primary connection string for the storage account |
| primary_dfs_endpoint | The endpoint URL for dfs storage in the primary location. |
| primary_dfs_host | The hostname with port if applicable for dfs storage in the primary location. |
| primary_dfs_microsoft_endpoint | The microsoft routing endpoint URL for dfs storage in the primary location. |
| primary_dfs_microsoft_host | The microsoft routing hostname with port if applicable for dfs storage in the primary location. |
| primary_file_endpoint | The endpoint URL for file storage in the primary location. |
| primary_file_host | The hostname with port if applicable for file storage in the primary location. |
| primary_file_microsoft_endpoint | The microsoft routing endpoint URL for file storage in the primary location. |
| primary_file_microsoft_host | The microsoft routing hostname with port if applicable for file storage in the primary location. |
| primary_location | The primary location of the storage account. |
| primary_queue_endpoint | The endpoint URL for queue storage in the primary location. |
| primary_queue_host | The hostname with port if applicable for queue storage in the primary location. |
| primary_queue_microsoft_endpoint | The microsoft endpoint URL for queue storage in the primary location. |
| primary_queue_microsoft_host | The microsoft hostname with port if applicable for queue storage in the primary location. |
| primary_table_endpoint | The endpoint with port if applicable for table storage in the primary location. |
| primary_table_host | The hostname with port if applicable for table storage in the primary location. |
| primary_table_microsoft_endpoint | The endpoint with port if applicable for table storage in the primary location. |
| primary_table_microsoft_host | The hostname with port if applicable for table storage in the primary location. |
| primary_web_endpoint | The endpoint with port if applicable for web storage in the primary location. |
| primary_web_host | The hostname with port if applicable for web storage in the primary location. |
| primary_web_microsoft_endpoint | The endpoint with port if applicable for web storage in the primary location. |
| primary_web_microsoft_host | The hostname with port if applicable for web storage in the primary location. |
| private_endpoint_blob | Blob Private Endpoint |
| private_endpoint_dfs | Blob Private Endpoint |
| private_endpoint_file | File Private Endpoint |
| private_endpoint_queue | Queue Private Endpoint |
| private_endpoint_table | Table Private Endpoint |
| private_endpoint_web | Blob Private Endpoint |
| secondary_access_key | The primary access key for the storage account. |
| secondary_blob_connection_string | The connection string associated with the secondary blob location. |
| secondary_blob_endpoint | The endpoint URL for blob storage in the secondary location. |
| secondary_blob_host | The hostname with port if applicable for blob storage in the secondary location. |
| secondary_blob_microsoft_endpoint | The microsoft routing endpoint URL for blob storage in the secondary location. |
| secondary_blob_microsoft_host | The microsoft routing hostname with port if applicable for blob storage in the secondary location. |
| secondary_connection_string | The secondary connection string for the storage account |
| secondary_dfs_endpoint | The endpoint URL for dfs storage in the secondary location. |
| secondary_dfs_host | The hostname with port if applicable for dfs storage in the secondary location. |
| secondary_dfs_microsoft_endpoint | The microsoft routing endpoint URL for dfs storage in the secondary location. |
| secondary_dfs_microsoft_host | The microsoft routing hostname with port if applicable for dfs storage in the secondary location. |
| secondary_file_endpoint | The endpoint URL for file storage in the secondary location. |
| secondary_file_host | The hostname with port if applicable for file storage in the secondary location. |
| secondary_file_microsoft_endpoint | The microsoft routing endpoint URL for file storage in the secondary location. |
| secondary_file_microsoft_host | The microsoft routing hostname with port if applicable for file storage in the secondary location. |
| secondary_location | The secondary location of the storage account. |
| secondary_queue_endpoint | The endpoint URL for queue storage in the secondary location. |
| secondary_queue_host | The hostname with port if applicable for queue storage in the secondary location. |
| secondary_queue_microsoft_endpoint | The microsoft endpoint URL for queue storage in the secondary location. |
| secondary_queue_microsoft_host | The microsoft hostname with port if applicable for queue storage in the secondary location. |
| secondary_table_endpoint | The endpoint with port if applicable for table storage in the secondary location. |
| secondary_table_host | The hostname with port if applicable for table storage in the secondary location. |
| secondary_table_microsoft_endpoint | The microsoft endpoint with port if applicable for table storage in the secondary location. |
| secondary_table_microsoft_host | The microsoft hostname with port if applicable for table storage in the secondary location. |
| secondary_web_endpoint | The endpoint with port if applicable for web storage in the secondary location. |
| secondary_web_host | The hostname with port if applicable for web storage in the secondary location. |
| secondary_web_microsoft_endpoint | The microsoft endpoint with port if applicable for web storage in the secondary location. |
| secondary_web_microsoft_host | The microsoft hostname with port if applicable for web storage in the secondary location. |
| storage_account | The Storage Account object. |
| storage_account_access_tier | The access tier of the Storage Account. |
| storage_account_id | The ID of the Storage Account. |
| storage_account_kind | The kind of the Storage Account. |
| storage_account_name | The name of the storage account |
| storage_account_nonsensitive | Nonsensitive outputs of the Storage Account object. |
| storage_account_replication_type | The account replication type of the Storage Account. |
| storage_account_tier | The tier of the Storage Account. |
| storage_blob | Map of storage blob created. |
| storage_blob_inventory_policy | Id of the storage blob inventory policy created. |
| storage_container | Map of storage containers created. |
| storage_data_lake_gen2_filesystem | Map of storage data lake gen2 filesystem created. |
| storage_data_lake_gen2_path | Map of storage data lake gen2 path created. |
| storage_queue | Map of storage queues created. |
| storage_share | Map of storage shares created. |
| storage_share_directory | Map of storage share directories created. |
| storage_share_file | Map of storage share directories created. |
| storage_table | Map of storage tables created. |
| storage_table_entity | Map of storage table entities created. |