Azure - Terraform templates

Storage Account

Last updated: December 15, 2024
You can create a simple storage account with the following code:

resource "azurerm_storage_account" "storage_account_simple_plain" {
  name                     = "${local.resource_prefix_short}simple"
  location                 = local.location
  resource_group_name      = azurerm_resource_group.rg.name
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

The required parameters are: name (must be 3 to 24 characters, all lowercase letters), location, and resource group.

This creates a StandardV2 storage account with locally redundant storage (LRS) replication. It is open to the public and has no security configuration applied.

Storage for websites

If you want to configure a storage account to host a static website, then the following code will do the job:

resource "azurerm_storage_account" "storage_account_website" {
  name                     = "${local.resource_prefix_short}website"
  location                 = local.location
  resource_group_name      = azurerm_resource_group.rg.name
  account_tier             = "Standard"
  account_replication_type = "LRS"
  https_traffic_only_enabled = true

  static_website {
    index_document     = "index.html"
    error_404_document = "404.html"
  }
}

Secure storage account for files

The code below creates a storage account with security in mind. The configuration:
  • Only allows incoming traffic from your IP address and Azure services
  • Allows only HTTPS traffic
  • Uses Azure Entra ID RBAC authorization
  • Sets the replication type to geo-redundant storage (GRS)
  • Has authorization through shared access keys disabled
  • Has soft delete set to 90 days for containers and blob storage

After creating the storage account, the code creates the "files" container for storing files (you can reuse the block to create further containers as needed).

resource "azurerm_storage_account" "storage_account_secure" {
  name                     = "${local.resource_prefix_short}secure"
  location                 = local.location
  resource_group_name      = azurerm_resource_group.rg.name
  account_tier             = "Standard"
  account_replication_type = "GRS" # geo-redundant storage

  # Hierarchical namespace (Data Lake Storage Gen2 features)
  is_hns_enabled = true

  # Transport and authorization hardening: HTTPS only, and with shared access
  # keys disabled, Entra ID (RBAC) is the only way to authorize requests
  https_traffic_only_enabled = true
  shared_access_key_enabled  = false

  # Soft delete: deleted blobs and containers can be restored for 90 days
  blob_properties {
    delete_retention_policy {
      days = 90
    }
    container_delete_retention_policy {
      days = 90
    }
  }

  # Network rules - deny by default, allow only your IP address and trusted Azure services
  network_rules {
    default_action = "Deny"
    ip_rules       = ["YOUR_IP_ADDRESS"] # you need this to be able to see the contents and create files
    bypass         = ["AzureServices"]
  }
}

resource "azurerm_storage_container" "files" {
  name                  = "files"
  storage_account_name  = azurerm_storage_account.storage_account_secure.name
  container_access_type = "private"
  depends_on = [
    azurerm_storage_account.storage_account_secure
  ]
}
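The templates above reference `local.resource_prefix_short`, `local.location` and `azurerm_resource_group.rg` without defining them, and the secure account has a side effect worth spelling out: once shared access keys are disabled, neither Terraform nor the person running it can touch the data plane (create the "files" container, list or upload blobs) without an Entra ID token and a data-plane RBAC role. The following supporting configuration is an added example, not part of the original templates; the provider version, prefix, region and resource group name are assumptions, and the role assignment grants only the identity running `terraform apply` blob access on the secure account.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0" # assumed: the attribute names used on this page match the 4.x provider
    }
  }
}

provider "azurerm" {
  features {}

  # 4.x expects a subscription id here or in the ARM_SUBSCRIPTION_ID environment variable.

  # With shared access keys disabled on the account, the provider must authorize
  # data-plane calls (such as creating the "files" container) with the caller's
  # Entra ID token instead of an account key.
  storage_use_azuread = true
}

# Values the templates on this page reference; the concrete prefix and region are assumed.
locals {
  resource_prefix_short = "demo"       # assumed prefix; keeps account names lowercase and short
  location              = "westeurope" # assumed region
}

resource "azurerm_resource_group" "rg" {
  name     = "${local.resource_prefix_short}-rg" # assumed resource group name
  location = local.location
}

# The identity that runs terraform apply
data "azurerm_client_config" "current" {}

# Disabling shared keys does not grant anyone data access by itself: the deploying
# identity needs a data-plane role on the account to list or upload blobs.
resource "azurerm_role_assignment" "deployer_blob_contributor" {
  scope                = azurerm_storage_account.storage_account_secure.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Two practical notes: role assignments can take a minute or two to propagate, so a first `terraform apply` may get a 403 when creating the container until the assignment is effective (re-running `apply` resolves it, or add the role assignment to the container's `depends_on`); and because the network rule denies by default, the machine running Terraform must be the one whose address is in `ip_rules`, otherwise the container creation is blocked at the network layer before authorization is even evaluated.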