diff --git a/_example/complete/example.tf b/_example/complete/example.tf
index bdd689d..70dec09 100644
--- a/_example/complete/example.tf
+++ b/_example/complete/example.tf
@@ -6,7 +6,7 @@ provider "azurerm" {
 data "azurerm_client_config" "current_client_config" {}
 locals {
- name = "storage"
+ name = "app-storage"
 environment = "test"
 label_order = ["name", "environment"]
 }
@@ -83,7 +83,7 @@ module "vault" {
 source = "clouddrove/key-vault/azure"
 version = "1.1.0"
- name = "vault65960589"
+ name = "vault6596058"
 environment = "test"
 label_order = ["name", "environment", ]
 resource_group_name = module.resource_group.resource_group_name
@@ -95,6 +95,7 @@ module "vault" {
 enabled_for_disk_encryption = false
 #private endpoint
 enable_private_endpoint = false
+ network_acls = null
 ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
 # diff_sub = true
@@ -121,18 +122,16 @@ module "storage" {
 label_order = local.label_order
 resource_group_name = module.resource_group.resource_group_name
 location = module.resource_group.resource_group_location
- storage_account_name = "storage874682"
+ storage_account_name = "storage87482"
 public_network_access_enabled = true
 account_kind = "StorageV2"
 account_tier = "Standard"
- identity_type = "UserAssigned"
- object_id = [data.azurerm_client_config.current_client_config.object_id]
- account_replication_type = "ZRS"
- cmk_encryption_enabled = true
 admin_objects_ids = [data.azurerm_client_config.current_client_config.object_id]
 ###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
- key_vault_id = module.vault.id
+ cmk_encryption_enabled = true
+ key_vault_id = module.vault.id
+
 ## Storage Container
 containers_list = [
 { name = "app-test", access_type = "private" },
diff --git a/main.tf b/main.tf
index 2f34225..a5fbdf5 100644
--- a/main.tf
+++ b/main.tf
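Review bot: `network_acls = null` on the `vault` module is the only new attribute in the -95 hunk, and if the module treats null as "no network rules" (its handling of null is not visible on this page) the Key Vault that holds the storage account's customer-managed key becomes reachable from every network. Since this is the example consumers copy, either pass an explicit deny-by-default rule set or say why it is left open, e.g. `# network_acls left unset: the CMK vault is network-open in this example; restrict in real deployments`.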
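Review bot: The -121 hunk keeps `cmk_encryption_enabled = true` but removes `identity_type = "UserAssigned"`, while the comment left two lines above still says a customer-managed key requires the UserAssigned identity type; unless the module's default for identity_type is now UserAssigned (not visible here), the example either fails to plan or silently loses CMK encryption. Removing `account_replication_type = "ZRS"` also makes the example inherit the module default, which this same commit changes to LRS in variables.tf, so the sample storage account quietly goes from zone-redundant to locally-redundant. Either restore `identity_type = "UserAssigned"` and `account_replication_type = "ZRS"` or update the comment to state that the module defaults now cover both.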
@@ -18,8 +18,7 @@ module "labels" {
 ## To create storage account with cmk(customer managed key) encryption set 'var.default_enabled = false'.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_account" "storage" {
- count = var.enabled ? 1 : 0
- # depends_on = [azurerm_role_assignment.identity_assigned]
+ count = var.enabled ? 1 : 0
 name = var.storage_account_name
 resource_group_name = var.resource_group_name
 location = var.location
@@ -295,7 +294,7 @@ resource "azurerm_storage_account_network_rules" "network-rules" {
 ## Below resource will create threat protection for storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_advanced_threat_protection" "atp" {
- count = var.enabled ? 1 : 0
+ count = var.enabled && var.enable_advanced_threat_protection ? 1 : 0
 target_resource_id = join("", azurerm_storage_account.storage.*.id)
 enabled = var.enable_advanced_threat_protection
 }
@@ -305,7 +304,7 @@ resource "azurerm_advanced_threat_protection" "atp" {
 ## This resource is not required when key vault has role based authorization(rbac) enabled.
 ##-----------------------------------------------------------------------------
 resource "azurerm_key_vault_access_policy" "keyvault-access-policy" {
- count = var.enabled && var.key_vault_rbac_auth_enabled == false ? length(var.object_id) : 0
+ count = var.enabled && var.key_vault_rbac_auth_enabled == false ? 1 : 0
 key_vault_id = var.key_vault_id
 tenant_id = data.azurerm_client_config.current.tenant_id
 object_id = join("", azurerm_user_assigned_identity.identity.*.principal_id)
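Review bot: In the `atp` hunk the `enabled = var.enable_advanced_threat_protection` line is now always true whenever the resource exists, because the count is gated on the same flag, so it reads as if a present-but-disabled resource were still possible; `enabled = true` states the actual behaviour. Turning the flag off now destroys the `azurerm_advanced_threat_protection` resource instead of setting it to disabled, which is a behaviour change for existing deployments worth one sentence in the variable's description.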
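Review bot: The `keyvault-access-policy` count now creates exactly one policy whenever `var.enabled` is true and RBAC auth is off, but its `object_id` is `join("", azurerm_user_assigned_identity.identity.*.principal_id)`, which is an empty string if the user-assigned identity is not created; the identity's own count is outside this hunk, so if it is conditional (for instance on CMK being enabled) this policy will be planned with an empty object_id. Gate the count on the same condition the identity uses, e.g. `count = var.enabled && !var.key_vault_rbac_auth_enabled && <same condition as the identity> ? 1 : 0`; `!var.key_vault_rbac_auth_enabled` also reads better than `== false`.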
@@ -345,7 +344,7 @@ resource "azurerm_key_vault_access_policy" "keyvault-access-policy" {
 ## Below resource will create container in storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_container" "container" {
- count = length(var.containers_list)
+ count = var.enabled ? length(var.containers_list) : 0
 name = var.containers_list[count.index].name
 storage_account_name = azurerm_storage_account.storage[0].name
 container_access_type = var.containers_list[count.index].access_type
@@ -355,7 +354,7 @@ resource "azurerm_storage_container" "container" {
 ## Below resource will create file share in storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_share" "fileshare" {
- count = length(var.file_shares)
+ count = var.enabled ? length(var.file_shares) : 0
 name = var.file_shares[count.index].name
 storage_account_name = azurerm_storage_account.storage[0].name
 quota = var.file_shares[count.index].quota
@@ -365,7 +364,7 @@ resource "azurerm_storage_share" "fileshare" {
 ## Below resource will create tables in storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_table" "tables" {
- count = length(var.tables)
+ count = var.enabled ? length(var.tables) : 0
 name = var.tables[count.index]
 storage_account_name = join("", azurerm_storage_account.storage.*.name)
 }
@@ -374,7 +373,7 @@ resource "azurerm_storage_table" "tables" {
 ## Below resource will create queue in storage account.
 ##-----------------------------------------------------------------------------
 resource "azurerm_storage_queue" "queues" {
- count = length(var.queues)
+ count = var.enabled ? length(var.queues) : 0
 name = var.queues[count.index]
 storage_account_name = join("", azurerm_storage_account.storage.*.name)
 }
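Review bot: The `var.enabled` gating added to the container, fileshare, tables and queues counts is consistent, but the container and fileshare still reference the account as `azurerm_storage_account.storage[0].name` while tables and queues use `join("", azurerm_storage_account.storage.*.name)`; now that every count is guarded, either form is safe, so pick one (the `[0]` index is the clearer) for all four. Separately, `container_access_type` is passed straight through from `var.containers_list[count.index].access_type`; a `validation` block on that variable (its declaration is outside these hunks) restricting the value to `private` unless public blob access is explicitly intended would stop an accidental publicly readable container.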
@@ -509,7 +508,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-1" {
 ##-----------------------------------------------------------------------------
 resource "azurerm_private_dns_zone_virtual_network_link" "vent-link-diff-subs" {
 provider = azurerm.peer
- count = var.multi_sub_vnet_link && var.existing_private_dns_zone != null ? 1 : 0
+ count = var.enabled && var.multi_sub_vnet_link && var.existing_private_dns_zone != null ? 1 : 0
 name = format("%s-pdz-vnet-link-storage-1", module.labels.id)
 resource_group_name = var.existing_private_dns_zone_resource_group_name
 private_dns_zone_name = var.existing_private_dns_zone
diff --git a/variables.tf b/variables.tf
index ee3bb68..b48d3c2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -67,7 +67,7 @@ variable "access_tier" {
 variable "account_replication_type" {
 type = string
- default = "GRS"
+ default = "LRS"
 description = "Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Changing this forces a new resource to be created when types LRS, GRS and RAGRS are changed to ZRS, GZRS or RAGZRS and vice versa."
 }
@@ -338,11 +338,6 @@ variable "allow_nested_items_to_be_public" {
 description = "Allow or disallow nested items within this Account to opt into being public. Defaults to true."
 }
-variable "object_id" {
- type = list(string)
- default = []
-}
-
 variable "allowed_copy_scope" {
 type = string
 default = "PrivateLink"
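Review bot: Changing the default of `account_replication_type` from `GRS` to `LRS` in the variables.tf hunk silently downgrades every consumer that relied on the default from geo-redundant to locally-redundant storage on their next apply; per the variable's own description that is an in-place change rather than a replacement, so nothing in the plan will flag the loss of redundancy. Call it out in the description, e.g. append `Defaults to LRS (changed from GRS; set GRS explicitly to keep geo-redundancy).`, and in the changelog, or keep `GRS` as the default and let the example set LRS explicitly.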