import { roleAssignmentInfo } from '../security/managed-identity.bicep'
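@description('Name of the Storage Account. Storage account names must be 3-24 characters, lowercase letters and digits only, and globally unique; the length is validated here so a bad value fails at compile time instead of at deployment.')
@minLength(3)
@maxLength(24)
param name string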
@sys.description('Azure region to deploy the Storage Account into. Defaults to the location of the enclosing resource group.')
param location string = resourceGroup().location
@sys.description('Tags applied to the Storage Account. Defaults to no tags.')
param tags object = {}
@export()
@sys.description('SKU information for the Storage Account.')
type skuInfo = {
  @sys.description('Name of the SKU. Premium_* SKUs are deployed with the Premium access tier regardless of the accessTier parameter.')
  name: 'Premium_LRS' | 'Premium_ZRS' | 'Standard_GRS' | 'Standard_GZRS' | 'Standard_LRS' | 'Standard_RAGRS' | 'Standard_RAGZRS' | 'Standard_ZRS'
}
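@export()
@description('Blob container retention (container soft delete) policy for the Storage Account.')
type blobContainerRetentionInfo = {
  @description('Indicates whether permanent deletion is allowed for blob containers.')
  allowPermanentDelete: bool
  @description('Number of days to retain deleted containers. The service accepts 1 to 365; the range is validated here so an out-of-range value fails at compile time rather than at deployment.')
  @minValue(1)
  @maxValue(365)
  days: int
  @description('Indicates whether the retention policy is enabled.')
  enabled: bool
}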
@sys.description('Storage Account SKU. Defaults to Standard_LRS.')
param sku skuInfo = { name: 'Standard_LRS' }
@sys.description('Access tier for the Storage Account. Ignored when the SKU is a Premium SKU, which always deploys with the Premium tier. Defaults to Hot.')
@allowed(['Hot', 'Cool'])
param accessTier string = 'Hot'
@sys.description('Blob container retention (container soft delete) policy for the Storage Account. Defaults to disabled, with a 7-day window and permanent delete not allowed.')
param blobContainerRetention blobContainerRetentionInfo = { allowPermanentDelete: false, days: 7, enabled: false }
@sys.description('Whether to disable local (shared key) authentication. Maps to allowSharedKeyAccess on the account, so when true callers must authorise with Entra ID (RBAC) rather than the account keys. Defaults to true.')
param disableLocalAuth bool = true
@sys.description('Role assignments to create, scoped to the Storage Account. Defaults to none.')
param roleAssignments roleAssignmentInfo[] = []
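@description('Default action of the Storage Account network ACLs for requests that match no IP or virtual network rule. Defaults to Allow (public endpoint reachable from any network) to preserve the module\'s existing behaviour; set to Deny to limit access to private endpoints and trusted Azure services.')
@allowed([
  'Allow'
  'Deny'
])
param networkAclsDefaultAction string = 'Allow'

@description('Whether anonymous (public) read access may be enabled on blob containers in this account. Pinned explicitly rather than left to the platform default. Defaults to false so every blob read must be authorised.')
param allowBlobPublicAccess bool = false

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: name
  location: location
  tags: tags
  kind: 'StorageV2'
  sku: sku
  properties: {
    // Premium SKUs only support the Premium tier, so the accessTier parameter is overridden for them.
    accessTier: startsWith(sku.name, 'Premium') ? 'Premium' : accessTier
    networkAcls: {
      // Previously hard-coded to 'Allow'; now driven by networkAclsDefaultAction (same default).
      defaultAction: networkAclsDefaultAction
      // Trusted Azure services bypass the ACLs whichever default action is chosen.
      bypass: 'AzureServices'
      // No explicit allow rules: with 'Deny' only private endpoints and bypassed services reach the account.
      ipRules: []
      virtualNetworkRules: []
    }
    allowBlobPublicAccess: allowBlobPublicAccess
    // Shared key access is the inverse of the disableLocalAuth parameter.
    allowSharedKeyAccess: !disableLocalAuth
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    encryption: {
      services: {
        blob: {
          enabled: true
        }
        file: {
          enabled: true
        }
        table: {
          enabled: true
        }
        queue: {
          enabled: true
        }
      }
      // Microsoft-managed encryption keys.
      keySource: 'Microsoft.Storage'
    }
  }

  // Container soft-delete policy for the account's blob service.
  resource blobServices 'blobServices@2023-05-01' = {
    name: 'default'
    properties: {
      containerDeleteRetentionPolicy: blobContainerRetention
    }
  }
}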
// One role assignment per entry in roleAssignments, scoped to the Storage Account.
// The name is a guid() of scope, principal and role, so it is deterministic across redeployments.
resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
  for ra in roleAssignments: {
    name: guid(storageAccount.id, ra.principalId, ra.roleDefinitionId)
    scope: storageAccount
    properties: {
      principalId: ra.principalId
      roleDefinitionId: ra.roleDefinitionId
      principalType: ra.principalType
    }
  }
]
@sys.description('The deployed Storage Account resource.')
output resource resource = storageAccount

@sys.description('Resource ID of the deployed Storage Account.')
output id string = storageAccount.id

@sys.description('Name of the deployed Storage Account.')
output name string = storageAccount.name