# Azure Storage Account Module

This module creates an Azure Storage Account with the specified name, resource group, and location. It also allows for the creation of storage containers within the account.

## Variables

- `rg_name`: The name of the resource group where the storage account will be created.
- `location`: The Azure region where the storage account will be created.
- `base_name`: Optional base name used to generate a unique storage account name when `name` is not set.
- `name`: Optional explicit storage account name. If omitted, the module generates a deterministic name from `base_name`.
- `account_tier`: Storage account performance tier.
- `account_replication_type`: Storage account replication strategy.
- `allow_nested_items_to_be_public`: Controls whether nested blobs/containers can be public.
- `public_network_access_enabled`: Enables or disables public network access.
- `tags`: Tags to apply to the storage account.
- `containers`: A map of storage containers to be created within the storage account. Each container is defined as an object with the following properties:
  - `name`: The name of the storage container.
  - `container_access_type`: The access level of the container (e.g., "private", "blob", "container").

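As an added illustration (not the module's own `variables.tf`), the inputs listed above can be declared with Terraform `validation` blocks so that bad values fail at `terraform plan` instead of at the Azure API. The allowed-value lists are Azure's documented naming and replication constraints; the defaults (`private` containers, no public nested items, public network access off, empty `containers` map) are assumptions chosen here for a conservative posture, not values the page states. `optional()` in the object type needs Terraform 1.3 or later.

```hcl
# Added example: input declarations with validation for the documented inputs.
# Not the module's own code; defaults below are assumptions.

variable "rg_name" {
  type = string
}

variable "location" {
  type = string
}

variable "name" {
  description = "Explicit storage account name; null lets the module derive one from base_name."
  type        = string
  default     = null

  validation {
    # Azure storage account names: 3-24 lowercase letters and digits.
    condition     = var.name == null || can(regex("^[a-z0-9]{3,24}$", var.name))
    error_message = "name must be 3-24 lowercase letters or digits."
  }
}

variable "account_replication_type" {
  type    = string
  default = "LRS"

  validation {
    condition     = contains(["LRS", "ZRS", "GRS", "RAGRS", "GZRS", "RAGZRS"], var.account_replication_type)
    error_message = "account_replication_type must be one of LRS, ZRS, GRS, RAGRS, GZRS, RAGZRS."
  }
}

# Assumed secure defaults: nothing in the account is anonymously readable and
# the account is not reachable from the public internet unless opted in.
variable "allow_nested_items_to_be_public" {
  type    = bool
  default = false
}

variable "public_network_access_enabled" {
  type    = bool
  default = false
}

variable "containers" {
  type = map(object({
    name                  = string
    container_access_type = optional(string, "private")
  }))
  default = {}

  validation {
    condition = alltrue([
      for c in values(var.containers) :
      contains(["private", "blob", "container"], c.container_access_type)
    ])
    error_message = "container_access_type must be private, blob or container."
  }

  validation {
    # Azure container names: 3-63 lowercase letters, digits and hyphens,
    # starting and ending with a letter or digit.
    condition = alltrue([
      for c in values(var.containers) :
      can(regex("^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$", c.name))
    ])
    error_message = "container names must be 3-63 lowercase letters, digits or hyphens."
  }
}
```

Validation blocks can only inspect their own variable, so a cross-input rule such as "a `blob`-level container needs `allow_nested_items_to_be_public = true` to actually be reachable" belongs in a resource `precondition` rather than here.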
### Blob Data Protection Inputs

- `enable_blob_soft_delete` (optional, default `false`): Enables blob soft delete (`delete_retention_policy`) to recover deleted blobs/snapshots within a retention window.
- `blob_soft_delete_retention_days` (optional, default `null`): Retention days for blob soft delete. When `null`, the provider default is used.
- `enable_container_soft_delete` (optional, default `false`): Enables container soft delete (`container_delete_retention_policy`) to recover deleted containers.
- `container_soft_delete_retention_days` (optional, default `null`): Retention days for container soft delete. When `null`, the provider default is used.
- `enable_blob_versioning` (optional, default `false`): Stores previous blob versions so changes can be rolled back.
- `enable_blob_change_feed` (optional, default `false`): Records ordered blob change events for audit, replay, and recovery workflows.
- `enable_point_in_time_restore_for_containers` (optional, default `false`): Enables point-in-time restore (`restore_policy`) for blob data to recover state from a chosen point in time.
- `point_in_time_restore_days` (optional, default `null`): Restore window in days. Required only when point-in-time restore is enabled.

Point-in-time restore requires `enable_blob_soft_delete = true`, `enable_blob_versioning = true`, and `enable_blob_change_feed = true`.

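The following is an added example, not the module's own `main.tf`, of how these inputs map onto `azurerm_storage_account.blob_properties` and how the dependency rule above can be enforced with `lifecycle` preconditions (Terraform 1.2 or later) instead of being discovered as a provider error mid-apply. The one-line `variable` declarations stand in for the module's documented inputs; `account_tier`/`account_replication_type` are fixed to `Standard`/`LRS` for brevity; the value 7 used as the fallback soft-delete retention is the azurerm provider's default for `delete_retention_policy.days`, and the "restore window must be shorter than the soft-delete window" rule is Azure's documented constraint on point-in-time restore.

```hcl
# Added example: wiring the Blob Data Protection inputs into the account
# resource and enforcing the README's dependency rule at plan time.
# Not the module's own code.
variable "rg_name" { type = string }
variable "location" { type = string }
variable "name" { type = string }
variable "enable_blob_soft_delete" { default = false }
variable "blob_soft_delete_retention_days" { default = null }
variable "enable_container_soft_delete" { default = false }
variable "container_soft_delete_retention_days" { default = null }
variable "enable_blob_versioning" { default = false }
variable "enable_blob_change_feed" { default = false }
variable "enable_point_in_time_restore_for_containers" { default = false }
variable "point_in_time_restore_days" { default = null }

locals {
  # 7 is the azurerm provider default for delete_retention_policy.days when
  # the input is left null (assumption taken from the provider reference).
  soft_delete_days = coalesce(var.blob_soft_delete_retention_days, 7)
  pitr_days        = coalesce(var.point_in_time_restore_days, 0)
}

resource "azurerm_storage_account" "this" {
  name                     = var.name
  resource_group_name      = var.rg_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Data-plane hardening that does not affect the recovery features.
  allow_nested_items_to_be_public = false
  min_tls_version                 = "TLS1_2"

  blob_properties {
    versioning_enabled  = var.enable_blob_versioning
    change_feed_enabled = var.enable_blob_change_feed

    # Each policy block is emitted only when its enable_* flag is set; a null
    # days value leaves the provider default in place.
    dynamic "delete_retention_policy" {
      for_each = var.enable_blob_soft_delete ? [1] : []
      content {
        days = var.blob_soft_delete_retention_days
      }
    }

    dynamic "container_delete_retention_policy" {
      for_each = var.enable_container_soft_delete ? [1] : []
      content {
        days = var.container_soft_delete_retention_days
      }
    }

    dynamic "restore_policy" {
      for_each = var.enable_point_in_time_restore_for_containers ? [1] : []
      content {
        days = var.point_in_time_restore_days
      }
    }
  }

  lifecycle {
    # Rule stated in the README: PITR needs soft delete, versioning and change feed.
    precondition {
      condition = (
        !var.enable_point_in_time_restore_for_containers ||
        (var.enable_blob_soft_delete && var.enable_blob_versioning && var.enable_blob_change_feed)
      )
      error_message = "Point-in-time restore requires enable_blob_soft_delete, enable_blob_versioning and enable_blob_change_feed."
    }

    # Azure constraint: the restore window must be at least one day shorter
    # than the blob soft-delete retention window.
    precondition {
      condition = (
        !var.enable_point_in_time_restore_for_containers ||
        (local.pitr_days >= 1 && local.pitr_days < local.soft_delete_days)
      )
      error_message = "point_in_time_restore_days must be set and smaller than blob_soft_delete_retention_days."
    }
  }
}
```

The `coalesce()` locals exist so the second precondition evaluates cleanly even when the retention inputs are `null`; a direct `null < n` comparison would error during plan instead of producing the intended message.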
## Example Usage

Use this module to create a storage account with containers and enable Blob data protection features for short-term rollback and recovery.

```hcl
module "state_storage" {
  source = "./modules/storage-account"

  rg_name  = azurerm_resource_group.rg.name
  location = azurerm_resource_group.rg.location

  base_name = "sttfstate"

  enable_blob_soft_delete                     = true
  blob_soft_delete_retention_days             = 30
  enable_container_soft_delete                = true
  container_soft_delete_retention_days        = 30
  enable_blob_versioning                      = true
  enable_blob_change_feed                     = true
  enable_point_in_time_restore_for_containers = true
  point_in_time_restore_days                  = 14

  containers = {
    tfstate = {
      name                  = "tfstate"
      container_access_type = "private"
    }
  }
}
```

This example provides quick rollback using storage-account level protection (`soft delete`, `versioning`, `change feed`, and `point-in-time restore`).

|
## Data Recovery

### Operational recovery (Azure Blobs)

For Azure Blobs, this module enables the storage-account level protection features used for operational recovery: blob soft delete, container soft delete, blob versioning, change feed, and point-in-time restore. This is intended for short-term rollback and fast recovery after accidental delete, overwrite, or data corruption events.

In this module, Azure Blobs operational recovery is configured through the Blob Data Protection inputs (`enable_blob_soft_delete`, `enable_blob_versioning`, `enable_blob_change_feed`, and `enable_point_in_time_restore_for_containers`) in the main storage-account example above.

### Azure Backup recovery (vaulted)

To add the vaulted recovery option, the `backup-vault` module is required. After creating the vault, configure Azure Backup (policy and backup instance) to protect the storage account for vaulted retention and restore workflows.

```hcl
module "state_storage" {
  source = "./modules/storage-account"

  rg_name  = azurerm_resource_group.rg.name
  location = azurerm_resource_group.rg.location

  base_name = "sttfstate"
}

module "backup_vault" {
  source = "./modules/backup-vault"

  rg_name  = azurerm_resource_group.rg.name
  location = azurerm_resource_group.rg.location

  base_name                    = "bkvault"
  datastore_type               = "VaultStore"
  redundancy                   = "GeoRedundant"
  cross_region_restore_enabled = true
  retention_duration_in_days   = 30
  soft_delete                  = "On"
  immutability                 = "Disabled"
}
```

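The block above stops at creating the vault. As an added example that is not part of either module, here are the remaining Azure Backup pieces written against the azurerm provider's data-protection resources: a blob backup policy, the role assignment the vault's managed identity needs on the storage account, and the backup instance. `module.backup_vault.vault_id` and `module.backup_vault.principal_id` are assumed output names of the `backup-vault` module, which this page does not document; `module.state_storage.storage_account_id` is the output documented below. `vault_default_retention_duration`, `backup_repeating_time_intervals` and `storage_account_container_names` are the vaulted-backup arguments and require a recent azurerm provider release; the `tfstate` container name comes from the Example Usage block.

```hcl
# Added example: Azure Backup for Blobs on top of the vault created above.
# Assumed: the backup-vault module exports `vault_id` and `principal_id`
# (its system-assigned identity); the storage-account module exports
# `storage_account_id` as documented in Outputs.

# Backup policy: the operational tier keeps restore points in the source
# account, the vaulted tier copies data into the vault once a day.
# Durations are ISO 8601; the schedule is an ISO 8601 repeating interval.
resource "azurerm_data_protection_backup_policy_blob_storage" "tfstate" {
  name                                   = "bkpol-tfstate"
  vault_id                               = module.backup_vault.vault_id
  operational_default_retention_duration = "P30D"
  vault_default_retention_duration       = "P30D"
  backup_repeating_time_intervals        = ["R/2024-01-01T02:00:00+00:00/P1D"]
}

# The vault's managed identity needs this built-in role on the account
# before the backup instance can be created (least privilege: scoped to
# the single storage account, not the resource group).
resource "azurerm_role_assignment" "vault_backup_contributor" {
  scope                = module.state_storage.storage_account_id
  role_definition_name = "Storage Account Backup Contributor"
  principal_id         = module.backup_vault.principal_id
}

# Backup instance: binds the account (and, for vaulted backup, the named
# containers) to the policy in the vault.
resource "azurerm_data_protection_backup_instance_blob_storage" "tfstate" {
  name                            = "bkinst-tfstate"
  location                        = azurerm_resource_group.rg.location
  vault_id                        = module.backup_vault.vault_id
  storage_account_id              = module.state_storage.storage_account_id
  backup_policy_id                = azurerm_data_protection_backup_policy_blob_storage.tfstate.id
  storage_account_container_names = ["tfstate"]

  depends_on = [azurerm_role_assignment.vault_backup_contributor]
}
```

The explicit `depends_on` matters: the role assignment is not referenced by the instance's arguments, so without it Terraform may try to create the backup instance before the vault identity has been granted access and fail on the first apply.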
## Outputs

- `storage_account_id`: The ID of the created storage account.
- `storage_account_name`: The name of the created storage account.
- `container_names`: A list of the names of the created storage containers.