azure-storage-trust-msft
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
Enabling this option ensures that Microsoft services which require access to your Storage accounts may do so without explicitly being granted access in the network rules. This is advantageous as it allows you to keep a more explicit list of allow/deny rules within this resource, which both reduces the chance of misconfigurations and enhances maintainability.
Examples
Insecure Example

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Allow"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
    bypass                     = [] # (defaults to None)
  }
}
Secure Example

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
    bypass                     = ["AzureServices"]
  }
}
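The two examples above show the setting in source form; in a pipeline the same check is usually run against the plan. The following script is an added example, not part of this rule page or of the scanner it documents. It walks the planned_values section of a `terraform show -json` plan, finds every azurerm_storage_account, and reports any network_rules block whose bypass list does not contain "AzureServices". The embedded plan is constructed for the example and mirrors the insecure and secure resources shown above plus one account with no network_rules at all; the distinction between the Deny and Allow messages is this example's own choice, not something the rule defines.

```python
"""Flag azurerm_storage_account resources whose network_rules do not bypass
trusted Microsoft services (bypass must contain "AzureServices")."""
import json

# Constructed sample of `terraform show -json tfplan` output (not real plan
# data), trimmed to the fields the check reads. Nested blocks such as
# network_rules appear as lists in this format.
SAMPLE_PLAN = json.loads(r"""
{
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "azurerm_storage_account.insecure",
          "type": "azurerm_storage_account",
          "values": {
            "name": "storageaccountname",
            "network_rules": [
              {"default_action": "Allow", "bypass": [], "ip_rules": ["100.0.0.1"]}
            ]
          }
        },
        {
          "address": "azurerm_storage_account.secure",
          "type": "azurerm_storage_account",
          "values": {
            "name": "storageaccountname2",
            "network_rules": [
              {"default_action": "Deny", "bypass": ["AzureServices"], "ip_rules": ["100.0.0.1"]}
            ]
          }
        },
        {
          "address": "azurerm_storage_account.no_rules",
          "type": "azurerm_storage_account",
          "values": {"name": "storageaccountname3", "network_rules": []}
        }
      ]
    }
  }
}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_trusted_services(plan):
    """Return a list of (address, message) findings.

    A storage account is flagged when it declares network_rules but the
    bypass list does not include "AzureServices"; an empty or absent bypass
    counts as bypassing nothing. A Deny default_action combined with a
    missing bypass is the combination that locks platform services out of
    the account, so that case gets its own message. Accounts without a
    network_rules block are not evaluated by this check.
    """
    findings = []
    root = plan["planned_values"]["root_module"]
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        for rules in res.get("values", {}).get("network_rules") or []:
            bypass = rules.get("bypass") or []
            if "AzureServices" in bypass:
                continue
            if rules.get("default_action") == "Deny":
                msg = ("default_action is Deny and bypass lacks AzureServices: "
                       "trusted Microsoft services will be blocked")
            else:
                msg = "bypass lacks AzureServices: add it and set default_action to Deny"
            findings.append((res["address"], msg))
    return findings


if __name__ == "__main__":
    for address, msg in check_trusted_services(SAMPLE_PLAN):
        print(f"{address}: {msg}")
```

Run it directly to see the report for the embedded plan; to check a real plan, replace SAMPLE_PLAN with `json.load(open("tfplan.json"))` after running `terraform show -json tfplan > tfplan.json`. Only the insecure account is reported: the secure one bypasses AzureServices, and the account with no network_rules block is left alone because the check has nothing to evaluate there.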