Azure Storage Account for SFTP

This Terraform module creates an Azure Blob Storage with the SFTP feature.

It also manages the creation of local SFTP users within the Storage Account. An SSH key pair is automatically generated by Terraform and you have the option of downloading it (enabled by default). SFTP connection command lines and users' passwords are available in the storage_sftp_users output of this module.

Storage is created with Premium SKU by default for production ready performances.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

# When using RSA algorithm, do not forget to add `-o PubkeyAcceptedKeyTypes=+ssh-rsa` in your SFTP connection command line
# e.g. `sftp -o PubkeyAcceptedKeyTypes=+ssh-rsa -i <privateKeyPath> <storageAccountName>.<sftpLocalUserName>@<storageAccountName>.blob.core.windows.net`
resource "tls_private_key" "bar_example" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

module "storage_sftp" {
  source  = "claranet/storage-sftp/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix = "sftp"

  account_replication_type = "LRS"

  allowed_cidrs = [chomp(data.http.my_ip.response_body)]

  containers = [
    {
      name = "foo"
    },
    {
      name = "bar"
    },
  ]

  nfsv3_enabled = true # SFTP can be used alongside the NFSv3 feature for Blob Storage

  sftp_users = [
    {
      name                 = "foo"
      home_directory       = "foo/example" # `example` is a subdirectory under `foo` container
      ssh_password_enabled = true
      permissions_scopes = [
        {
          target_container = "foo"
        },
        {
          target_container = "bar"
          permissions      = ["Read", "Write", "List"]
        },
      ]
    },
    {
      name = "bar"
      permissions_scopes = [
        {
          target_container = "bar"
        },
        {
          target_container = "foo"
          permissions      = ["List", "Create"]
        },
      ]
      ssh_authorized_keys = [{
        key         = tls_private_key.bar_example.public_key_openssh
        description = "Example"
      }]
    }
  ]

  logs_destinations_ids = [
    # module.logs.logs_storage_account_id,
    # module.logs.log_analytics_workspace_id,
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

Name	Version
azurerm	~> 4.9
local	>= 2.3
tls	>= 4.0

Modules

Name	Source	Version
storage_account	claranet/storage-account/azurerm	~> 8.2.0

Resources

Name	Type
azurerm_storage_account_local_user.main	resource
local_sensitive_file.sftp_users_private_keys	resource
local_sensitive_file.sftp_users_public_keys	resource
tls_private_key.main	resource

Inputs

Name	Description	Type	Default	Required
access_tier	Defines the access tier for StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot.	string	"Hot"	no
account_replication_type	Defines the type of replication to use for this Storage Account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS.	string	"ZRS"	no
advanced_threat_protection_enabled	Boolean flag which controls if advanced threat protection is enabled, see documentation for more information.	bool	false	no
allowed_cidrs	List of CIDR to allow access to that Storage Account.	list(string)	[]	no
blob_cors_rules	Storage Account blob CORS rules. Please refer to the documentation for more information.	list(object({ allowed_headers = list(string) allowed_methods = list(string) allowed_origins = list(string) exposed_headers = list(string) max_age_in_seconds = number }))	[]	no
blob_data_protection	Blob Storage data protection parameters.	object({ delete_retention_policy_in_days = optional(number, 0) container_delete_retention_policy_in_days = optional(number, 0) })	{ "container_delete_retention_policy_in_days": 30, "delete_retention_policy_in_days": 30 }	no
client_name	Client name/account used in naming.	string	n/a	yes
containers	List of objects to create some Blob containers in this Storage Account.	list(object({ name = string container_access_type = optional(string) metadata = optional(map(string)) }))	n/a	yes
create_sftp_users_keys	Whether or not key pairs should be created on the filesystem.	bool	true	no
custom_name	Custom Azure Storage Account name, generated if not set.	string	""	no
default_firewall_action	Which default firewalling policy to apply. Valid values are Allow or Deny.	string	"Deny"	no
default_tags_enabled	Option to enable or disable default tags.	bool	true	no
diagnostic_settings_custom_name	Custom name of the diagnostics settings, name will be default if not set.	string	"default"	no
environment	Project environment.	string	n/a	yes
extra_tags	Additional tags to associate with the Storage Account.	map(string)	{}	no
https_traffic_only_enabled	Boolean flag which forces HTTPS if enabled.	bool	true	no
identity_ids	Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account.	list(string)	null	no
identity_type	Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).	string	"SystemAssigned"	no
is_premium	true to enable Premium tier for this Storage Account.	bool	true	no
location	Azure location.	string	n/a	yes
location_short	Short string for Azure location.	string	n/a	yes
logs_categories	Log categories to send to destinations.	list(string)	null	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character.	list(string)	n/a	yes
logs_metrics_categories	Metrics categories to send to destinations.	list(string)	null	no
min_tls_version	The minimum supported TLS version for the Storage Account. Possible values are TLS1_0, TLS1_1, and TLS1_2.	string	"TLS1_2"	no
name_prefix	Optional prefix for the generated name.	string	""	no
name_suffix	Optional suffix for the generated name.	string	""	no
network_bypass	Specifies whether traffic is bypassed for 'Logging', 'Metrics', 'AzureServices' or 'None'.	list(string)	[ "Logging", "Metrics", "AzureServices" ]	no
network_rules_enabled	Boolean to enable network rules on the Storage Account, requires network_bypass, allowed_cidrs, subnet_ids or default_firewall_action correctly set if enabled.	bool	true	no
nfsv3_enabled	Is NFSv3 protocol enabled? Changing this forces a new resource to be created.	bool	false	no
private_link_access	List of Privatelink objects to allow access from.	list(object({ endpoint_resource_id = string endpoint_tenant_id = optional(string, null) }))	[]	no
public_nested_items_allowed	Allow or disallow nested items within this Storage Account to opt into being public.	bool	false	no
resource_group_name	Resource group name.	string	n/a	yes
sftp_users	List of local SFTP user objects.	list(object({ name = string home_directory = optional(string) ssh_key_enabled = optional(bool, true) ssh_password_enabled = optional(bool) permissions_scopes = list(object({ target_container = string permissions = optional(list(string), ["All"]) })) ssh_authorized_keys = optional(list(object({ key = string description = optional(string) })), []) }))	n/a	yes
sftp_users_keys_path	The filesystem location in which the key pairs will be created. Default to ~/.ssh/keys.	string	"~/.ssh/keys"	no
shared_access_key_enabled	Indicates whether the Storage Account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD).	bool	false	no
stack	Project stack name.	string	n/a	yes
static_website_config	Static website configuration.	object({ index_document = optional(string) error_404_document = optional(string) })	null	no
subnet_ids	Subnets to allow access to that Storage Account.	list(string)	[]	no

Outputs

Name	Description
blob_containers	Created Blob containers in the Storage Account.
id	Storage Account ID.
identity_principal_id	Storage Account system identity principal ID.
module_diagnostics	Diagnostics settings module outputs.
name	Storage Account name.
resource	Storage Account resource object.
sftp_users	Information about created local SFTP users.