
azure-storage-trust-msft

Ensure 'Trusted Microsoft Services' is enabled for Storage Account access

Enabling this option ensures that Microsoft services which require access to your Storage accounts may do so without being explicitly granted access in the network rules. This is advantageous because it lets you keep a more explicit list of allow/deny rules within this resource, which both reduces the chance of misconfiguration and improves maintainability.

Examples

Insecure Example

resource "azurerm_storage_account" "example" {
  name                = "storageaccountname"
  resource_group_name = azurerm_resource_group.example.name

  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Allow"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
    bypass                     = []  # (defaults to None)
  }
}

Secure Example

resource "azurerm_storage_account" "example" {
  name                = "storageaccountname"
  resource_group_name = azurerm_resource_group.example.name

  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]
    bypass                     = ["AzureServices"]
  }
}
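The following is an added example, not part of this rule page or the scanner's own code: a small Python check that walks a `terraform show -json` plan and reports every `azurerm_storage_account` whose `network_rules` block exists but does not list `AzureServices` in `bypass`, which is the condition the insecure example above triggers. It assumes the plan JSON layout in which nested blocks such as `network_rules` are rendered as lists of objects under `values`; the embedded plan below is constructed for illustration and mirrors the two examples on this page.

```python
"""Flag storage accounts in a Terraform plan whose network rules do not bypass
trusted Microsoft services (bypass lacks "AzureServices")."""
import json
import sys
from typing import Iterator


def walk_modules(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_modules(child)


def missing_trusted_services(plan: dict) -> list[str]:
    """Return addresses of azurerm_storage_account resources that declare a
    network_rules block without "AzureServices" in its bypass list.

    Accounts with no network_rules block at all are not reported here: they
    have no network restrictions for the bypass to matter against.
    A bypass that is null in the plan (value not known until apply) is
    treated as missing so that it still surfaces for review.
    """
    findings: list[str] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk_modules(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        # Assumed plan layout: nested blocks appear as a list of dicts.
        for rules in res.get("values", {}).get("network_rules") or []:
            bypass = rules.get("bypass") or []
            if "AzureServices" not in bypass:
                findings.append(res["address"])
    return findings


# Constructed sample plan (not real output) reproducing the page's examples.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "azurerm_storage_account.insecure",
                    "type": "azurerm_storage_account",
                    "values": {
                        "name": "storageaccountname",
                        "network_rules": [
                            {"default_action": "Allow",
                             "ip_rules": ["100.0.0.1"],
                             "bypass": []}
                        ],
                    },
                },
                {
                    "address": "azurerm_storage_account.secure",
                    "type": "azurerm_storage_account",
                    "values": {
                        "name": "storageaccountname",
                        "network_rules": [
                            {"default_action": "Deny",
                             "ip_rules": ["100.0.0.1"],
                             "bypass": ["AzureServices"]}
                        ],
                    },
                },
                {
                    # No network_rules block: nothing for bypass to apply to.
                    "address": "azurerm_storage_account.open",
                    "type": "azurerm_storage_account",
                    "values": {"name": "storageaccountname"},
                },
            ]
        }
    }
}


if __name__ == "__main__":
    # Usage: python check_bypass.py plan.json   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for address in missing_trusted_services(plan):
        print(f"{address}: network_rules.bypass does not include AzureServices")
```

Run it against a plan produced with `terraform plan -out plan.tfplan && terraform show -json plan.tfplan > plan.json`; with no argument it checks the embedded sample and reports only the insecure account.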

More information