Use this data source to create a Shared Access Signature (SAS) for an Azure Storage Account.
Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account.
Note that this is an Account SAS and not a Service SAS.
resource "azurerm_resource_group" "testrg" {
name = "resourceGroupName"
location = "westus"
}
resource "azurerm_storage_account" "testsa" {
name = "storageaccountname"
resource_group_name = "${azurerm_resource_group.testrg.name}"
location = "westus"
account_tier = "Standard"
account_replication_type = "GRS"
tags {
environment = "staging"
}
}
data "azurerm_storage_account_sas" "test" {
connection_string = "${azurerm_storage_account.testsa.primary_connection_string}"
https_only = true
resource_types {
service = true
container = false
object = false
}
services {
blob = true
queue = false
table = false
file = false
}
start = "2018-03-21"
expiry = "2020-03-21"
permissions {
read = true
write = true
delete = false
list = false
add = true
create = true
update = false
process = false
}
}
output "sas_url_query_string" {
value = "${data.azurerm_storage_account_sas.test.sas}"
}
connection_string - (Required) The connection string for the storage account to which this SAS applies. Typically directly from the primary_connection_string attribute of a terraform created azurerm_storage_account resource. https_only - (Optional) Only permit https access. If false, both http and https are permitted. Defaults to true. resource_types - (Required) A resource_types block as defined below. services - (Required) A services block as defined below. start - (Required) The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string. expiry - (Required) The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string. permissions - (Required) A permissions block as defined below. resource_types is a set of true/false flags which define the storage account resource types that are granted access by this SAS. This can be thought of as the scope over which the permissions apply. A service will have larger scope (affecting all sub-resources) than object.
A resource_types block contains:
service - (Required) Should permission be granted to the entire service? container - (Required) Should permission be granted to the container? object - (Required) Should permission be granted only to a specific object? services is a set of true/false flags which define the storage account services that are granted access by this SAS.
A services block contains:
blob - (Required) Should permission be granted to blob services within this storage account? queue - (Required) Should permission be granted to queue services within this storage account? table - (Required) Should permission be granted to table services within this storage account? file - (Required) Should permission be granted to file services within this storage account? A permissions block contains:
read - (Required) Should Read permissions be enabled for this SAS? write - (Required) Should Write permissions be enabled for this SAS? delete - (Required) Should Delete permissions be enabled for this SAS? list - (Required) Should List permissions be enabled for this SAS? add - (Required) Should Add permissions be enabled for this SAS? create - (Required) Should Create permissions be enabled for this SAS? update - (Required) Should Update permissions be enabled for this SAS? process - (Required) Should Process permissions be enabled for this SAS? Refer to the SAS creation reference from Azure for additional details on the fields above.
sas - The computed Account Shared Access Signature (SAS).
© 2018 HashiCorpLicensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/azurerm/d/storage_account_sas.html