terraform-azurerm-storage-account: A Terraform Module to Deploy ‘Secure By Default’ Storage Accounts

As organizations increasingly rely on cloud storage solutions, securing data becomes paramount. Storage accounts offer a scalable and durable storage option in the Azure cloud.

To simplify the process of provisioning secure storage accounts, I have developed a Terraform module called terraform-azurerm-storage-account. In this blog post, I will guide you through the features and benefits of this module.

The Importance of Secure Defaults

Using the default settings when provisioning a new storage account can create several vulnerabilities. For instance, by default, storage accounts enable access from any network, cross-tenant replication is allowed, and public access to blobs or containers is permitted. These default settings can leave your data susceptible to unauthorized access and potential data breaches.

When creating a storage account, it’s also critical to enforce HTTPS traffic to prevent data interception during transit. By default, this setting is not enabled, which could expose your data to man-in-the-middle attacks.

To address these security concerns, it is crucial to enforce secure defaults when creating storage accounts. This is where the terraform-azurerm-storage-account module comes in.

Introducing the terraform-azurerm-storage-account module

The terraform-azurerm-storage-account module is designed to facilitate the creation and configuration of storage accounts using Terraform. By leveraging this module, you can effortlessly provision storage accounts that adhere to security best practices, minimizing the risk of unauthorized access and data breaches.

Enforcing Security Defaults

One of the key features of the terraform-azurerm-storage-account module is its focus on security defaults.

The module enforces the following security defaults:

  1. HTTPS Traffic Only: The module enables the enable_https_traffic_only setting, ensuring that all traffic to the storage account is encrypted using HTTPS. This prevents data interception and unauthorized access.
  2. Restricted Public Access: By setting allow_nested_items_to_be_public to false, the module disallows public access to all blobs or containers in the storage account. This minimizes the risk of accidental exposure of sensitive data.
  3. Network Rules: The module allows you to define network rules using the allowed_public_ip and allowed_subnet_ids variables. These rules control which IP addresses or subnets can access the storage account, adding an extra layer of protection.
  4. Default Deny Action: The module sets the default_action to “Deny” by default, ensuring that any access attempts not explicitly allowed by the defined rules are denied. This prevents unauthorized access to the storage account.
  5. Minimum TLS Version: The module allows you to specify the minimum version of TLS that must be used to connect to the storage account through the tls_ver variable. This ensures that only secure TLS 1.2 connections are accepted by default.
  6. Cross-Tenant Replication: Cross-tenant replication copies storage account data to accounts in other Azure tenants. The module disables it by default through the cross_tenant_replication variable, so data stays within your own tenant unless you explicitly opt in.

By implementing these security defaults, the terraform-azurerm-storage-account module ensures that your storage accounts are configured with recommended security measures, significantly reducing the risk of data breaches and unauthorized access.
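To verify that a plan actually carries these defaults (for instance in CI before apply), the following Python script, added here and not part of the module, walks `terraform show -json` output and flags any azurerm_storage_account that deviates from them. The attribute names are the azurerm provider's; the embedded plan is a constructed sample, not output from a real deployment.

```python
"""Check a `terraform show -json` plan for the secure-by-default storage settings."""
import json

# Expected values for the settings the module enforces (azurerm attribute names).
EXPECTED = {
    "enable_https_traffic_only": True,
    "allow_nested_items_to_be_public": False,
    "min_tls_version": "TLS1_2",
    "cross_tenant_replication_enabled": False,
}

def check_storage_account(values: dict) -> list[str]:
    """Return findings for one planned azurerm_storage_account (empty list = compliant)."""
    findings = []
    for attr, wanted in EXPECTED.items():
        got = values.get(attr)
        if got != wanted:
            findings.append(f"{attr}={got!r} (expected {wanted!r})")
    # network_rules is a nested block, rendered as a list in plan JSON; default_action must be Deny.
    rules = values.get("network_rules") or []
    if not rules:
        findings.append("network_rules missing (expected default_action=Deny)")
    elif rules[0].get("default_action") != "Deny":
        findings.append(f"network_rules.default_action={rules[0].get('default_action')!r} (expected 'Deny')")
    return findings

def check_plan(plan_json: str) -> dict[str, list[str]]:
    """Map every planned storage account address to its findings, including those inside module calls."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    results, stack = {}, [root]
    while stack:
        mod = stack.pop()
        for res in mod.get("resources", []):
            if res.get("type") == "azurerm_storage_account":
                results[res["address"]] = check_storage_account(res.get("values", {}))
        stack.extend(mod.get("child_modules", []))
    return results

# Constructed sample plan: one account from the module, one created with bare provider defaults.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {
    "resources": [{"address": "azurerm_storage_account.legacy", "type": "azurerm_storage_account",
        "values": {"enable_https_traffic_only": True, "allow_nested_items_to_be_public": True,
                   "min_tls_version": "TLS1_0", "cross_tenant_replication_enabled": True,
                   "network_rules": []}}],
    "child_modules": [{"address": "module.storage_account", "resources": [{
        "address": "module.storage_account.azurerm_storage_account.this", "type": "azurerm_storage_account",
        "values": {"enable_https_traffic_only": True, "allow_nested_items_to_be_public": False,
                   "min_tls_version": "TLS1_2", "cross_tenant_replication_enabled": False,
                   "network_rules": [{"default_action": "Deny", "ip_rules": ["203.0.113.10"]}]}}]}]}}})

if __name__ == "__main__":
    for address, findings in check_plan(SAMPLE_PLAN).items():
        print(address, "OK" if not findings else "; ".join(findings))
```

Run it against real output with `terraform plan -out=tfplan && terraform show -json tfplan`, feeding the JSON to check_plan.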

Usage Example

Here’s an example showcasing how you can use the terraform-azurerm-storage-account module in your Terraform code:

module "storage_account" {
  source                 = "RCFromCLE/storage-account/azurerm"
  sa_resource_group_name = "my-resource-group"
  storage_account_name   = "my-storage-account"
  location               = "East US"
}

In this example, the module is invoked using the module block. The necessary inputs such as the resource group name, storage account name, and location are provided. You can modify these inputs to match your desired configuration.

Flexible Configuration Options

The terraform-azurerm-storage-account module offers a wide range of configuration options to suit your specific requirements. You can customize properties such as replication type, account tier (standard or premium), location, and resource group name. The module also supports the creation of blob containers, storage shares, storage tables, and storage queues, enabling you to provision a complete storage solution with ease.

Easy Integration with Existing Infrastructure

The module seamlessly integrates with your existing Terraform infrastructure code. You can include it as a module in your main Terraform configuration file, providing the necessary input variables to customize the storage account creation.

Conclusion

Automating the creation of secure storage accounts is essential for safeguarding your data and ensuring compliance with industry standards. The terraform-azurerm-storage-account module empowers you to provision storage accounts effortlessly while adhering to security best practices. By enabling security defaults and leveraging Terraform’s infrastructure as code approach, you can create storage accounts consistently and securely across your Azure tenant(s).
