Skip to content

Latest commit

 

History

History
200 lines (166 loc) · 12.8 KB

README.md

File metadata and controls

200 lines (166 loc) · 12.8 KB

Azure Storage Account for SFTP

Changelog Notice Apache V2 License OpenTofu Registry

This Terraform module creates an Azure Blob Storage with the SFTP feature.

It also manages the creation of local SFTP users within the Storage Account. An SSH key pair is automatically generated by Terraform and you have the option of downloading it (enabled by default). SFTP connection command lines and users' passwords are available in the storage_sftp_users output of this module.

Storage is created with Premium SKU by default for production ready performances.

Global versioning rule for Claranet Azure modules

Module version Terraform version OpenTofu version AzureRM version
>= 8.x.x Unverified 1.8.x >= 4.0
>= 7.x.x 1.3.x >= 3.0
>= 6.x.x 1.x >= 3.0
>= 5.x.x 0.15.x >= 2.0
>= 4.x.x 0.13.x / 0.14.x >= 2.0
>= 3.x.x 0.12.x >= 2.0
>= 2.x.x 0.12.x < 2.0
< 2.x.x 0.11.x < 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

# When using RSA algorithm, do not forget to add `-o PubkeyAcceptedKeyTypes=+ssh-rsa` in your SFTP connection command line
# e.g. `sftp -o PubkeyAcceptedKeyTypes=+ssh-rsa -i <privateKeyPath> <storageAccountName>.<sftpLocalUserName>@<storageAccountName>.blob.core.windows.net`
resource "tls_private_key" "bar_example" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

module "storage_sftp" {
  source  = "claranet/storage-sftp/azurerm"
  version = "x.x.x"

  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.name

  name_suffix = "sftp"

  account_replication_type = "LRS"

  allowed_cidrs = [chomp(data.http.my_ip.response_body)]

  containers = [
    {
      name = "foo"
    },
    {
      name = "bar"
    },
  ]

  nfsv3_enabled = true # SFTP can be used alongside the NFSv3 feature for Blob Storage

  sftp_users = [
    {
      name                 = "foo"
      home_directory       = "foo/example" # `example` is a subdirectory under `foo` container
      ssh_password_enabled = true
      permissions_scopes = [
        {
          target_container = "foo"
        },
        {
          target_container = "bar"
          permissions      = ["Read", "Write", "List"]
        },
      ]
    },
    {
      name = "bar"
      permissions_scopes = [
        {
          target_container = "bar"
        },
        {
          target_container = "foo"
          permissions      = ["List", "Create"]
        },
      ]
      ssh_authorized_keys = [{
        key         = tls_private_key.bar_example.public_key_openssh
        description = "Example"
      }]
    }
  ]

  logs_destinations_ids = [
    # module.logs.logs_storage_account_id,
    # module.logs.log_analytics_workspace_id,
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

Name Version
azurerm ~> 4.9
local >= 2.3
tls >= 4.0

Modules

Name Source Version
storage_account claranet/storage-account/azurerm ~> 8.2.0

Resources

Name Type
azurerm_storage_account_local_user.main resource
local_sensitive_file.sftp_users_private_keys resource
local_sensitive_file.sftp_users_public_keys resource
tls_private_key.main resource

Inputs

Name Description Type Default Required
access_tier Defines the access tier for StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot. string "Hot" no
account_replication_type Defines the type of replication to use for this Storage Account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. string "ZRS" no
advanced_threat_protection_enabled Boolean flag which controls if advanced threat protection is enabled, see documentation for more information. bool false no
allowed_cidrs List of CIDR to allow access to that Storage Account. list(string) [] no
blob_cors_rules Storage Account blob CORS rules. Please refer to the documentation for more information.
list(object({
allowed_headers = list(string)
allowed_methods = list(string)
allowed_origins = list(string)
exposed_headers = list(string)
max_age_in_seconds = number
}))
[] no
blob_data_protection Blob Storage data protection parameters.
object({
delete_retention_policy_in_days = optional(number, 0)
container_delete_retention_policy_in_days = optional(number, 0)
})
{
"container_delete_retention_policy_in_days": 30,
"delete_retention_policy_in_days": 30
}
no
client_name Client name/account used in naming. string n/a yes
containers List of objects to create some Blob containers in this Storage Account.
list(object({
name = string
container_access_type = optional(string)
metadata = optional(map(string))
}))
n/a yes
create_sftp_users_keys Whether or not key pairs should be created on the filesystem. bool true no
custom_name Custom Azure Storage Account name, generated if not set. string "" no
default_firewall_action Which default firewalling policy to apply. Valid values are Allow or Deny. string "Deny" no
default_tags_enabled Option to enable or disable default tags. bool true no
diagnostic_settings_custom_name Custom name of the diagnostics settings, name will be default if not set. string "default" no
environment Project environment. string n/a yes
extra_tags Additional tags to associate with the Storage Account. map(string) {} no
https_traffic_only_enabled Boolean flag which forces HTTPS if enabled. bool true no
identity_ids Specifies a list of User Assigned Managed Identity IDs to be assigned to this Storage Account. list(string) null no
identity_type Specifies the type of Managed Service Identity that should be configured on this Storage Account. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both). string "SystemAssigned" no
is_premium true to enable Premium tier for this Storage Account. bool true no
location Azure location. string n/a yes
location_short Short string for Azure location. string n/a yes
logs_categories Log categories to send to destinations. list(string) null no
logs_destinations_ids List of destination resources IDs for logs diagnostic destination.
Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.
If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character.
list(string) n/a yes
logs_metrics_categories Metrics categories to send to destinations. list(string) null no
min_tls_version The minimum supported TLS version for the Storage Account. Possible values are TLS1_0, TLS1_1, and TLS1_2. string "TLS1_2" no
name_prefix Optional prefix for the generated name. string "" no
name_suffix Optional suffix for the generated name. string "" no
network_bypass Specifies whether traffic is bypassed for 'Logging', 'Metrics', 'AzureServices' or 'None'. list(string)
[
"Logging",
"Metrics",
"AzureServices"
]
no
network_rules_enabled Boolean to enable network rules on the Storage Account, requires network_bypass, allowed_cidrs, subnet_ids or default_firewall_action correctly set if enabled. bool true no
nfsv3_enabled Is NFSv3 protocol enabled? Changing this forces a new resource to be created. bool false no
private_link_access List of Privatelink objects to allow access from.
list(object({
endpoint_resource_id = string
endpoint_tenant_id = optional(string, null)
}))
[] no
public_nested_items_allowed Allow or disallow nested items within this Storage Account to opt into being public. bool false no
resource_group_name Resource group name. string n/a yes
sftp_users List of local SFTP user objects.
list(object({
name = string
home_directory = optional(string)
ssh_key_enabled = optional(bool, true)
ssh_password_enabled = optional(bool)
permissions_scopes = list(object({
target_container = string
permissions = optional(list(string), ["All"])
}))
ssh_authorized_keys = optional(list(object({
key = string
description = optional(string)
})), [])
}))
n/a yes
sftp_users_keys_path The filesystem location in which the key pairs will be created. Default to ~/.ssh/keys. string "~/.ssh/keys" no
shared_access_key_enabled Indicates whether the Storage Account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). bool false no
stack Project stack name. string n/a yes
static_website_config Static website configuration.
object({
index_document = optional(string)
error_404_document = optional(string)
})
null no
subnet_ids Subnets to allow access to that Storage Account. list(string) [] no

Outputs

Name Description
blob_containers Created Blob containers in the Storage Account.
id Storage Account ID.
identity_principal_id Storage Account system identity principal ID.
module_diagnostics Diagnostics settings module outputs.
name Storage Account name.
resource Storage Account resource object.
sftp_users Information about created local SFTP users.