» azurerm_storage_account

Manage an Azure Storage Account.

» Example Usage

resource "azurerm_resource_group" "testrg" {
  name     = "resourceGroupName"
  location = "westus"
}

resource "azurerm_storage_account" "testsa" {
  name                     = "storageaccountname"
  resource_group_name      = "${azurerm_resource_group.testrg.name}"
  location                 = "westus"
  account_tier             = "Standard"
  account_replication_type = "GRS"

  tags = {
    environment = "staging"
  }
}

» Example Usage with Network Rules

resource "azurerm_resource_group" "testrg" {
  name     = "resourceGroupName"
  location = "westus"
}

resource "azurerm_virtual_network" "test" {
  name                = "virtnetname"
  address_space       = ["10.0.0.0/16"]
  location            = "${azurerm_resource_group.testrg.location}"
  resource_group_name = "${azurerm_resource_group.testrg.name}"
}

resource "azurerm_subnet" "test" {
  name                 = "subnetname"
  resource_group_name  = "${azurerm_resource_group.testrg.name}"
  virtual_network_name = "${azurerm_virtual_network.test.name}"
  address_prefix       = "10.0.2.0/24"
  service_endpoints    = ["Microsoft.Sql", "Microsoft.Storage"]
}

resource "azurerm_storage_account" "testsa" {
  name                = "storageaccountname"
  resource_group_name = "${azurerm_resource_group.testrg.name}"

  location                 = "${azurerm_resource_group.testrg.location}"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = ["${azurerm_subnet.test.id}"]
  }

  tags = {
    environment = "staging"
  }
}

» Argument Reference

The following arguments are supported:

name - (Required) Specifies the name of the storage account. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group.
resource_group_name - (Required) The name of the resource group in which to create the storage account. Changing this forces a new resource to be created.
location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
account_kind - (Optional) Defines the Kind of account. Valid options are Storage, StorageV2 and BlobStorage. Changing this forces a new resource to be created. Defaults to Storage.
account_tier - (Required) Defines the Tier to use for this storage account. Valid options are Standard and Premium. Changing this forces a new resource to be created
account_replication_type - (Required) Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS and ZRS.
access_tier - (Optional) Defines the access tier for BlobStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot.
enable_blob_encryption - (Optional) Boolean flag which controls if Encryption Services are enabled for Blob storage, see here for more information. Defaults to true.
enable_file_encryption - (Optional) Boolean flag which controls if Encryption Services are enabled for File storage, see here for more information. Defaults to true.
enable_https_traffic_only - (Optional) Boolean flag which forces HTTPS if enabled, see here for more information.
is_hns_enabled - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 (see here for more information). Changing this forces a new resource to be created.
account_encryption_source - (Optional) The Encryption Source for this Storage Account. Possible values are Microsoft.Keyvault and Microsoft.Storage. Defaults to Microsoft.Storage.
custom_domain - (Optional) A custom_domain block as documented below.
network_rules - (Optional) A network_rules block as documented below.
tags - (Optional) A mapping of tags to assign to the resource.
identity - (Optional) A Managed Service Identity block as defined below.

custom_domain supports the following:
name - (Optional) The Custom Domain Name to use for the Storage Account, which will be validated by Azure.
use_subdomain - (Optional) Should the Custom Domain Name be validated by using indirect CNAME validation?

network_rules supports the following:
bypass - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None.
ip_rules - (Optional) List of public IP or IP ranges in CIDR Format. Only IPV4 addresses are allowed. Private IP address ranges (as defined in RFC 1918) are not allowed.
virtual_network_subnet_ids - (Optional) A list of resource ids for subnets.

Note: If specifying network_rules, one of either ip_rules or virtual_network_subnet_ids must be specified.

Note: More information on Validation is available here

identity supports the following:

type - (Required) Specifies the identity type of the Storage Account. At this time the only allowed value is SystemAssigned.

The assigned principal_id and tenant_id can be retrieved after the identity type has been set to SystemAssigned and Storage Account has been created. More details are available below.

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:

id - The storage account Resource ID.
primary_location - The primary location of the storage account.
secondary_location - The secondary location of the storage account.
primary_blob_endpoint - The endpoint URL for blob storage in the primary location.
primary_blob_host - The hostname with port if applicable for blob storage in the primary location.
secondary_blob_endpoint - The endpoint URL for blob storage in the secondary location.
secondary_blob_host - The hostname with port if applicable for blob storage in the secondary location.
primary_queue_endpoint - The endpoint URL for queue storage in the primary location.
primary_queue_host - The hostname with port if applicable for queue storage in the primary location.
secondary_queue_endpoint - The endpoint URL for queue storage in the secondary location.
secondary_queue_host - The hostname with port if applicable for queue storage in the secondary location.
primary_table_endpoint - The endpoint URL for table storage in the primary location.
primary_table_host - The hostname with port if applicable for table storage in the primary location.
secondary_table_endpoint - The endpoint URL for table storage in the secondary location.
secondary_table_host - The hostname with port if applicable for table storage in the secondary location.
primary_file_endpoint - The endpoint URL for file storage in the primary location.
primary_file_host - The hostname with port if applicable for file storage in the primary location.
secondary_file_endpoint - The endpoint URL for file storage in the secondary location.
secondary_file_host - The hostname with port if applicable for file storage in the secondary location.
primary_dfs_endpoint - The endpoint URL for DFS storage in the primary location.
primary_dfs_host - The hostname with port if applicable for DFS storage in the primary location.
secondary_dfs_endpoint - The endpoint URL for DFS storage in the secondary location.
secondary_dfs_host - The hostname with port if applicable for DFS storage in the secondary location.
primary_web_endpoint - The endpoint URL for web storage in the primary location.
primary_web_host - The hostname with port if applicable for web storage in the primary location.
secondary_web_endpoint - The endpoint URL for web storage in the secondary location.
secondary_web_host - The hostname with port if applicable for web storage in the secondary location.
primary_access_key - The primary access key for the storage account.
secondary_access_key - The secondary access key for the storage account.
primary_connection_string - The connection string associated with the primary location.
secondary_connection_string - The connection string associated with the secondary location.
primary_blob_connection_string - The connection string associated with the primary blob location.
secondary_blob_connection_string - The connection string associated with the secondary blob location.
identity - An identity block as defined below, which contains the Identity information for this Storage Account.

identity exports the following:

principal_id - The Principal ID for the Service Principal associated with the Identity of this Storage Account.
tenant_id - The Tenant ID for the Service Principal associated with the Identity of this Storage Account.

You can access the Principal ID via ${azurerm_storage_account.test.identity.0.principal_id} and the Tenant ID via ${azurerm_storage_account.test.identity.0.tenant_id}

» Import

Storage Accounts can be imported using the resource id, e.g.

terraform import azurerm_storage_account.storageAcc1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/myaccount