You can use Terraform to create a secure Azure Storage Account with enhanced access controls.
To enable network access rules, you can use the `azurerm_storage_account_network_rules` resource. This allows you to specify which IP addresses can access your storage account.
Azure Storage Accounts can also be configured for private endpoint access, which provides a secure and private connection to your storage account.
Here's an interesting read: Azure Storage Account Private Endpoint
Security and Access
To avoid potential Terraform issues, it's essential to use granular Entra ID permissions on different containers within the storage account. This ensures that one service principal can't write to another state, even if it has write access to the existing state files.
Having multiple state files in the same storage account can lead to inconsistent state, especially if the new Terraform environment attempts to write to the existing state file. This can happen if the key/container settings aren't updated after cloning the backend config.
A best practice is to have three different security principals, preferably managed identities, and grant them Storage Blob Data Owner on their respective container. This adheres to the least privilege principle and is a step towards zero trust.
Intriguing read: Azure Blob Storage Move Files between Containers C#
If you're using shared access keys, you're implicitly granting all service principals access to all three states, which can lead to security risks.
To disable shared access key authorization, consider compatibility with other Azure tools and services, as well as potential issues with Terraform management.
You can disable shared access key authorization in the Azure Portal, using Azure PowerShell, or with the Azure CLI.
Expand your knowledge: Azure Blob Storage Access
Configuration and Management
To configure and manage your Terraform Azure storage account, you'll need to create a storage account and grant the necessary permissions. This requires a globally unique name, and you should also consider restricting access to the storage account using a storage firewall or service endpoint.
To authenticate connections, Terraform uses shared access keys. The security principal running Terraform needs the listKeys permission on any storage account it manages. This allows Terraform to list shared access keys and use them for subsequent connections.
Here are the required permissions for Storage Account management config:
- Storage Blob Data Owner
- Storage Blob Data Contributor
Configure Your Environment
To configure your environment, you need an Azure subscription. If you don't have one, create a free account before you begin.
To start, you'll need to configure Terraform. You can do this by running the command `terraform init` to initialize the configuration. This will set up the necessary files and directories for Terraform to work with.
If you're using Azure, you'll also need to configure your Azure subscription. This can be done by running the command `az login` to log in to your Azure account.
To further configure your environment, you'll need to specify the Azure location where you want to create your resources. This can be done by setting the `location` variable in your Terraform configuration file.
Here are some specific settings you'll need to configure:
- Azure subscription: Create a free account if you don't have one.
- Terraform configuration: Initialize the configuration with `terraform init`.
- Azure location: Set the `location` variable in your Terraform configuration file.
- Azure storage account: Create a new storage account with `az storage account create`.
- Terraform backend state: Configure the backend state with the Azure storage account information.
Here are the specific Azure storage account settings you'll need:
- Storage account name
- Container name
- Key
- Access key
It's recommended to use an environment variable for the access key value to prevent it from being written to disk. You can do this by running the command `export ARM_ACCESS_KEY=$(az keyvault secret show --name terraform-backend-key --vault-name myKeyVault --query value -o tsv)`.
If this caught your attention, see: Azure Storage Account Key
Management
Management is a crucial aspect of configuration and storage account management. To manage storage accounts, Terraform uses shared access keys to authenticate connections.
The security principal running Terraform needs the listKeys permission on any storage account it manages. This permission allows Terraform to list Shared Access Keys and use them for subsequent connections.
Terraform will list Shared Access Keys before doing anything requiring authentication to a storage account. This includes creating queues, updating blob content, and creating containers.
By default, Terraform uses Shared Access keys to access the state backend. This is not an issue if one storage account equals one state.
Here are some scenarios where we might create separate storage accounts for different states:
- saterraformstates001/production for production state.
- saterraformstates001/test for test state.
- saterraformstates001/dev for development state.
To manage storage accounts with Files and Table Storage, the User/Service Principal needs to have the associated Storage roles: Storage Blob Data Owner, Storage Blob Data Contributor.
Related reading: Which Azure Storage Service Supports Big Data Analytics
Outputs
The Outputs section is a crucial part of the Storage Account configuration and management. It provides a comprehensive list of attributes that are returned by the Storage Account.
The Storage Account's ID is the unique identifier assigned to it, which is used for management and operations. This ID is a required attribute.
The Storage Account's name is a unique identifier chosen by the user, which is used for identification purposes. This name is a required attribute.
The primary access key for the Storage Account is a secret key used for authentication and authorization. This key is a required attribute.
Here is a list of the Storage Account's endpoints:
The primary connection string for the Storage Account is a string used for authentication and authorization. This string is a required attribute.
The Storage Account's principal ID is the unique identifier of the Service Principal associated with the Identity of this Storage Account. This ID is a required attribute.
The Storage Account's secondary access key is a secret key used for authentication and authorization. This key is a required attribute.
The secondary connection string for the Storage Account is a string used for authentication and authorization. This string is a required attribute.
The Storage Account's secondary endpoints include blob, DFS, file, queue, table, and web storage endpoints. These endpoints are used for authentication and authorization.
The secondary connection string for the Storage Account is a string used for authentication and authorization. This string is a required attribute.
You might enjoy: Azure Connection String
Sources
- https://www.techielass.com/store-terraform-state-in-azure-blob-storage/
- https://codewithme.cloud/posts/2023/09/improve-storage-account-security-with-azure-rbac-and-terraform/
- https://github.com/Azure-Terraform/terraform-azurerm-storage-account
- https://learn.microsoft.com/en-us/azure/developer/terraform/store-state-in-azure-storage
- https://build5nines.com/terraform-deploy-azure-storage-account-and-blob-container/
Featured Images: pexels.com
