I have created a storage account using Terraform. I would like to disable the option found under the storage account settings and configuration in the Azure portal called Allow public blob access; however, under the azurerm_storage_account command, I cannot seem to find the option required to achieve this.
Below is my code so far to create the storage account, which works, but if anyone could point me in the right direction that would be great, thank you.
Storage Account
resource "azurerm_storage_account" "st" {
  name                          = var.st.name
  resource_group_name           = var.rg_shared_name
  location                      = var.rg_shared_location
  account_tier                  = var.st.tier
  account_replication_type      = var.st.replication
  public_network_access_enabled = false
}
CodePudding user response:
As soon as I've posted this question, I found the command, so I apologise for wasting your time.
The command to use is allow_nested_items_to_be_public; if you set this to false, it will disable the feature found under Storage Account > Settings > Configuration > Allow blob public access.
Updated Code
resource "azurerm_storage_account" "st" {
  name                            = var.st.name
  resource_group_name             = var.rg_shared_name
  location                        = var.rg_shared_location
  account_tier                    = var.st.tier
  account_replication_type        = var.st.replication
  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false
}
CodePudding user response:
With the release of version 3.0 of the azurerm provider, the argument allow_blob_public_access changed to allow_nested_items_to_be_public. This can cause confusion if you read old documentation or examples. Furthermore, there are several ways in which you can disable public network access for a storage account.
- You can set public_network_access_enabled to false.
- You can use the network_rules block and set default_action to deny.
- You can use the azurerm_storage_account_network_rules resource and set the default_action to deny.
Explicitly stating that nobody should be able to publicly enter the storage account is the cleanest/safest option. However, sometimes you want to open a storage account for a specific set of IP addresses and block all the others; then the other options are useful.
If you disable public network access then you should make use of private endpoints or service endpoints to be able to connect to your storage account from a private network. Example based on this repository:
resource "azurerm_storage_account" "storage_account" {
  name                            = var.name
  resource_group_name             = var.resource_group_name
  location                        = var.location
  account_kind                    = var.kind
  account_tier                    = var.tier
  account_replication_type        = var.replication_type
  is_hns_enabled                  = true
  enable_https_traffic_only       = true
  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false
  min_tls_version                 = var.min_tls_version
}

resource "azurerm_private_endpoint" "private_endpoint_blob" {
  name                = "pe-blob-${var.name}"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.subnet_id

  private_service_connection {
    name                           = "psc-blob-${var.name}"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_storage_account.storage_account.id
    subresource_names              = ["blob"]
  }

  # Should be deployed by Azure policy
  lifecycle {
    ignore_changes = [private_dns_zone_group]
  }
}
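The answer above lists the network_rules block as the option for the case where the account must stay reachable from a known set of public IP ranges while everything else is denied, but only shows the fully private variant. The following is an added example of that second option; it is not code from the original post, and the resource names, variable names, placeholder defaults and the 203.0.113.0/24 range (an RFC 5737 documentation block, chosen so it is obviously constructed) are assumptions. Note that anonymous blob access is switched off independently of the network firewall: the two settings address different exposures.

```hcl
# Added example, not from the original post or the azurerm provider docs:
# a storage account whose public endpoint is firewalled to an allow-list,
# with anonymous container/blob access disabled regardless of network.
# All names, variables and the CIDR below are placeholders.

variable "resource_group_name" {
  type    = string
  default = "rg-example" # placeholder
}

variable "location" {
  type    = string
  default = "westeurope" # placeholder
}

variable "allowed_public_cidrs" {
  description = "Placeholder: public IP ranges allowed to reach the account"
  type        = list(string)
  default     = ["203.0.113.0/24"] # constructed, RFC 5737 documentation range
}

resource "azurerm_storage_account" "restricted" {
  name                     = "stexamplerestricted" # placeholder, must be globally unique
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Anonymous (container- or blob-level) public read stays disabled no matter
  # which networks are allowed to reach the endpoint; this is the setting the
  # portal shows as "Allow blob public access".
  allow_nested_items_to_be_public = false
  enable_https_traffic_only       = true
  min_tls_version                 = "TLS1_2"

  # The public endpoint is deliberately left enabled here, so the firewall
  # below is what limits who can reach it: deny by default, then allow-list
  # only the known ranges.
  public_network_access_enabled = true

  network_rules {
    default_action             = "Deny"
    ip_rules                   = var.allowed_public_cidrs
    virtual_network_subnet_ids = []
    # Trusted first-party Azure services (backup, diagnostics, metrics) are
    # still allowed through the firewall.
    bypass = ["AzureServices", "Logging", "Metrics"]
  }
}
```

Use either the inline network_rules block or the standalone azurerm_storage_account_network_rules resource for a given account, not both; the provider documents that managing the same account's rules from both places causes the two to fight over the configuration. After apply, the effective state can be confirmed outside Terraform with `az storage account show --name <name> --resource-group <rg> --query "{blobPublic:allowBlobPublicAccess, networkDefault:networkRuleSet.defaultAction}"`, which should report false and Deny respectively.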