Merge pull request #6 from Datatamer/14968-sas-token

DEV-14968: Add optional sas token submodule
Datatamer · Sep 9, 2021 · ef2f879 · ef2f879
2 parents 057efef + d2c5c1c
commit ef2f879
Show file tree

Hide file tree

Showing 8 changed files with 144 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Tamr Terraform ADLS Gen2 module
 
+# v1.1.0 - Aug 25th 2021
+* Add optional `azure-sas-token` submodule
+
 # v1.0.0 - June 1st 2021
 * Upgrade `azurerm` provider
 * Upgrade `azuread` provider

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.0.0
+1.1.0
diff --git a/examples/minimal/main.tf b/examples/minimal/main.tf
@@ -41,3 +41,11 @@ module "rules" {
   allowed_ips          = ["4.3.2.1"]
   allowed_subnet_ids   = [azurerm_subnet.example-subnet.id]
 }
+
+module "sas-token" {
+  source = "../../modules/azure-sas-token"
+
+  storage_account_primary_connection_string = module.minimal.storage_account_primary_connection_string
+  start_time                                = "2021-01-1T00:00:00Z"
+  end_time                                  = "2021-12-31T00:00:00Z"
+}
diff --git a/modules/azure-sas-token/README.md b/modules/azure-sas-token/README.md
@@ -0,0 +1,62 @@
+# Tamr Azure SAS token module
+
+This terraform module creates a Shared Access Signature for an existing storage account
+
+## Assumptions
+* A resource group exists
+* A storage account exists for which the token will be created
+
+# Examples
+## Basic
+`terraform apply`
+
+main.tf:
+```
+module "sas-token" {
+  source = "git::https://github.com/Datatamer/terraform-azure-adls-gen2.git//modules/azure-sas-token?ref=x.y.z"
+
+  storage_account_primary_connection_string = azurerm_storage_account.adls2_storage.primary_connection_string
+  start_time                                = "2021-01-1T00:00:00Z"
+  end_time                                  = "2021-12-31T00:00:00Z"
+}
+```
+
+## SAS token
+Smallest complete fully working example with a SAS Token. This example might require extra resources to run the example.
+- [Minimal](https://github.com/Datatamer/terraform-adls-gen2/tree/master/examples/minimal)
+
+# Resources Created
+This modules creates no new resources
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12 |
+| azuread | >= 1.5.0 |
+| azurerm | >= 2.60.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| azurerm | >= 2.60.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| end\_time | The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string | `string` | n/a | yes |
+| start\_time | The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string | `string` | n/a | yes |
+| storage\_account\_primary\_connection\_string | Primary connection string associated with the storage account for which the token will be created | `string` | n/a | yes |
+| delete\_allowed | Whether or not to give this token permission to delete blobs | `bool` | `false` | no |
+| signed\_version | Specifies the signed storage service version to use to authorize requests made with this account SAS | `string` | `"2017-07-29"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| sas\_url\_query\_string | Token for client usage |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/azure-sas-token/main.tf b/modules/azure-sas-token/main.tf
@@ -0,0 +1,32 @@
+data "azurerm_storage_account_sas" "sas_token" {
+  connection_string = var.storage_account_primary_connection_string
+  https_only        = true
+  signed_version    = var.signed_version
+
+  resource_types {
+    service   = true
+    container = true
+    object    = true
+  }
+
+  services {
+    blob  = true
+    queue = false
+    table = false
+    file  = true
+  }
+
+  start  = var.start_time
+  expiry = var.end_time
+
+  permissions {
+    read    = true
+    write   = true
+    delete  = var.delete_allowed
+    list    = true
+    add     = true
+    create  = true
+    update  = false
+    process = false
+  }
+}
diff --git a/modules/azure-sas-token/outputs.tf b/modules/azure-sas-token/outputs.tf
@@ -0,0 +1,5 @@
+output "sas_url_query_string" {
+  description = "Token for client usage"
+  value       = data.azurerm_storage_account_sas.sas_token.sas
+  sensitive   = true
+}
diff --git a/modules/azure-sas-token/variables.tf b/modules/azure-sas-token/variables.tf
@@ -0,0 +1,26 @@
+variable "storage_account_primary_connection_string" {
+  description = "Primary connection string associated with the storage account for which the token will be created"
+  type        = string
+}
+
+variable "signed_version" {
+  description = "Specifies the signed storage service version to use to authorize requests made with this account SAS"
+  type        = string
+  default     = "2017-07-29"
+}
+
+variable "start_time" {
+  description = "The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string"
+  type        = string
+}
+
+variable "end_time" {
+  description = "The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string"
+  type        = string
+}
+
+variable "delete_allowed" {
+  description = "Whether or not to give this token permission to delete blobs"
+  type        = bool
+  default     = false
+}
diff --git a/modules/azure-sas-token/versions.tf b/modules/azure-sas-token/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_version = ">= 0.12"
+  required_providers {
+    azuread = ">= 1.5.0"
+    azurerm = ">= 2.60.0"
+  }
+}