This is a second part of Terraform Azure Create Private Endpoint to existing Storage Account with Custom Private DNS zone record link. This article is little bit advance, and here I am creating multiple Private Endpoint based on the provided details in Storage account kind. For example if kind is StorageV2, which is a general-purpose and has multi sub resources such as blob, file, table and queue. It will create Private Endpoint for each sub resource, if I select BlobStorage in the kind, it should only create single Private Endpoint for blob sub resource.
This is also one of the good use and example of lookup and lower terraform functions.
This is the chart of Storage Account types (kind) and supported storage sub resources services, and for each Private endpoint is created and respective DNS A record zone is created inside Private DNS Zone for example privatelink.blob.core.windows.net or privatelink.file.core.windows.net and etc.
Type of storage account | Supported storage services | Redundancy options | Usage |
---|---|---|---|
Standard general-purpose v2 | Blob Storage (including Data Lake Storage1), Queue Storage, Table Storage, and Azure Files | Locally redundant storage (LRS) / geo-redundant storage (GRS) / read-access geo-redundant storage (RA-GRS) Zone-redundant storage (ZRS) / geo-zone-redundant storage (GZRS) / read-access geo-zone-redundant storage (RA-GZRS)2 | Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type. |
Premium block blobs3 | Blob Storage (including Data Lake Storage1) | LRS ZRS2 | Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency. |
Premium file shares3 | Azure Files | LRS ZRS2 | Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares. |
Premium page blobs3 | Page blobs only | LRS ZRS2 | Premium storage account type for page blobs only. |
Related Article: Creating a Private Endpoint for Azure Storage Account with Terraform example 2
Here is my code, you can download it Terraform_Private_Endpoint_Storage_Account_based on subresource here or can be downloaded from github.com.
#variables.tf variable "resource_group_name" { type = string default = "vcloud-lab.com" description = "value" } variable "virtual_network_name" { type = string default = "vcloud_lab_global_vnet01" description = "value" } variable "subnet_name" { type = string default = "default" description = "value" } variable "storage_account_name" { type = string default = "vcloudlabsademo01" description = "value" } variable "storage_account_tier" { type = string default = "Standard" #Standard,Premium | (For Premium only BlockBlobStorage And FileStorage) description = "value" } variable "storage_account_kind" { type = string default = "StorageV2" #BlobStorage,BlockBlobStorage,FileStorage,Storage,StorageV2 | (default: StorageV2) description = "value" } variable "private_endpoint_name" { type = string default = "vcloud-lab-endpoint" description = "value" } variable "private_service_connection_name" { type = string default = "privateendpointserviceconnection" description = "value" } variable "private_dns_zone_group_name" { type = string default = "privateendpointdnzzonegroup" description = "value" } variable "private_service_connections" { description = "A map of DNS records to create based on the storage account kind" type = map(any) default = { storagev2 = ["blob", "file"] blobstorage = ["blob"] } }
In my Azure infrastructure, Virtual Network (vNet) and Private DNS Zones with names privatelink.{blob|file|table|queue}.core.windows.net already exists. New Private Endpoints will be created accordingly.
#main.tf terraform { required_providers { azurerm = { source = "hashicorp/azurerm" #version = "=2.91.0" } } } # Configure the Microsoft Azure Provider provider "azurerm" { features {} } data "azurerm_subscription" "subscriptioninfo" {} data "azurerm_resource_group" "rginfo" { name = var.resource_group_name } data "azurerm_virtual_network" "vnetinfo" { name = var.virtual_network_name resource_group_name = data.azurerm_resource_group.rginfo.name } data "azurerm_subnet" "subnetinfo" { name = var.subnet_name resource_group_name = data.azurerm_resource_group.rginfo.name virtual_network_name = data.azurerm_virtual_network.vnetinfo.name } resource "azurerm_storage_account" "storageaccount" { name = var.storage_account_name resource_group_name = data.azurerm_resource_group.rginfo.name location = data.azurerm_resource_group.rginfo.location account_kind = var.storage_account_kind account_tier = var.storage_account_tier account_replication_type = "LRS" public_network_access_enabled = false } locals { selected_private_endpoint = lookup(var.private_service_connections, lower(var.storage_account_kind), []) } resource "azurerm_private_endpoint" "privateendpoint" { for_each = { for ep, connection in local.selected_private_endpoint : ep => connection } name = "${var.private_endpoint_name}-${each.value}" resource_group_name = data.azurerm_resource_group.rginfo.name location = data.azurerm_resource_group.rginfo.location subnet_id = data.azurerm_subnet.subnetinfo.id custom_network_interface_name = "${var.private_endpoint_name}-${each.value}-nic" private_service_connection { name = "${var.private_service_connection_name}-${each.value}" private_connection_resource_id = resource.azurerm_storage_account.storageaccount.id subresource_names = [each.value] is_manual_connection = false } private_dns_zone_group { name = var.private_dns_zone_group_name private_dns_zone_ids = ["/subscriptions/${data.azurerm_subscription.subscriptioninfo.subscription_id}/resourceGroups/${data.azurerm_resource_group.rginfo.name}/providers/Microsoft.Network/privateDnsZones/privatelink.${each.value}.core.windows.net"] } }
This is the console output after applying terraform configuration.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 |
terraform apply --auto-approve data.azurerm_resource_group.rginfo: Reading... data.azurerm_subscription.subscriptioninfo: Reading... data.azurerm_subscription.subscriptioninfo: Read complete after 0s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] data.azurerm_resource_group.rginfo: Read complete after 0s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com] data.azurerm_virtual_network.vnetinfo: Reading... data.azurerm_virtual_network.vnetinfo: Read complete after 1s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Network/virtualNetworks/vcloud_lab_global_vnet01] data.azurerm_subnet.subnetinfo: Reading... data.azurerm_subnet.subnetinfo: Read complete after 0s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Network/virtualNetworks/vcloud_lab_global_vnet01/subnets/default] Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # azurerm_private_endpoint.privateendpoint["0"] will be created + resource "azurerm_private_endpoint" "privateendpoint" { + custom_dns_configs = (known after apply) + custom_network_interface_name = "vcloud-lab-endpoint-blob-nic" + id = (known after apply) + location = "eastus" + name = "vcloud-lab-endpoint-blob" + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "vcloud-lab.com" + subnet_id = "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Network/virtualNetworks/vcloud_lab_global_vnet01/subnets/default" + private_dns_zone_group { + id = (known after apply) + name = "privateendpointdnzzonegroup" + private_dns_zone_ids = [ + "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net", ] } + private_service_connection { + is_manual_connection = false + name = "privateendpointserviceconnection-blob" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "blob", ] } } # azurerm_private_endpoint.privateendpoint["1"] will be created + resource "azurerm_private_endpoint" "privateendpoint" { + custom_dns_configs = (known after apply) + custom_network_interface_name = "vcloud-lab-endpoint-file-nic" + id = (known after apply) + location = "eastus" + name = "vcloud-lab-endpoint-file" + network_interface = (known after apply) + private_dns_zone_configs = (known after apply) + resource_group_name = "vcloud-lab.com" + subnet_id = "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Network/virtualNetworks/vcloud_lab_global_vnet01/subnets/default" + private_dns_zone_group { + id = (known after apply) + name = "privateendpointdnzzonegroup" + private_dns_zone_ids = [ + "/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net", ] } + private_service_connection { + is_manual_connection = false + name = "privateendpointserviceconnection-file" + private_connection_resource_id = (known after apply) + private_ip_address = (known after apply) + subresource_names = [ + "file", ] } } # azurerm_storage_account.storageaccount will be created + resource "azurerm_storage_account" "storageaccount" { + access_tier = (known after apply) + account_kind = "StorageV2" + account_replication_type = "LRS" + account_tier = "Standard" + allow_nested_items_to_be_public = true + cross_tenant_replication_enabled = true + default_to_oauth_authentication = false + dns_endpoint_type = "Standard" + enable_https_traffic_only = true + id = (known after apply) + infrastructure_encryption_enabled = false + is_hns_enabled = false + large_file_share_enabled = (known after apply) + local_user_enabled = true + location = "eastus" + min_tls_version = "TLS1_2" + name = "vcloudlabsademo01" + nfsv3_enabled = false + primary_access_key = (sensitive value) + primary_blob_connection_string = (sensitive value) + primary_blob_endpoint = (known after apply) + primary_blob_host = (known after apply) + primary_blob_internet_endpoint = (known after apply) + primary_blob_internet_host = (known after apply) + primary_blob_microsoft_endpoint = (known after apply) + primary_blob_microsoft_host = (known after apply) + primary_connection_string = (sensitive value) + primary_dfs_endpoint = (known after apply) + primary_dfs_host = (known after apply) + primary_dfs_internet_endpoint = (known after apply) + primary_dfs_internet_host = (known after apply) + primary_dfs_microsoft_endpoint = (known after apply) + primary_dfs_microsoft_host = (known after apply) + primary_file_endpoint = (known after apply) + primary_file_host = (known after apply) + primary_file_internet_endpoint = (known after apply) + primary_file_internet_host = (known after apply) + primary_file_microsoft_endpoint = (known after apply) + primary_file_microsoft_host = (known after apply) + primary_location = (known after apply) + primary_queue_endpoint = (known after apply) + primary_queue_host = (known after apply) + primary_queue_microsoft_endpoint = (known after apply) + primary_queue_microsoft_host = (known after apply) + primary_table_endpoint = (known after apply) + primary_table_host = (known after apply) + primary_table_microsoft_endpoint = (known after apply) + primary_table_microsoft_host = (known after apply) + primary_web_endpoint = (known after apply) + primary_web_host = (known after apply) + primary_web_internet_endpoint = (known after apply) + primary_web_internet_host = (known after apply) + primary_web_microsoft_endpoint = (known after apply) + primary_web_microsoft_host = (known after apply) + public_network_access_enabled = false + queue_encryption_key_type = "Service" + resource_group_name = "vcloud-lab.com" + secondary_access_key = (sensitive value) + secondary_blob_connection_string = (sensitive value) + secondary_blob_endpoint = (known after apply) + secondary_blob_host = (known after apply) + secondary_blob_internet_endpoint = (known after apply) + secondary_blob_internet_host = (known after apply) + secondary_blob_microsoft_endpoint = (known after apply) + secondary_blob_microsoft_host = (known after apply) + secondary_connection_string = (sensitive value) + secondary_dfs_endpoint = (known after apply) + secondary_dfs_host = (known after apply) + secondary_dfs_internet_endpoint = (known after apply) + secondary_dfs_internet_host = (known after apply) + secondary_dfs_microsoft_endpoint = (known after apply) + secondary_dfs_microsoft_host = (known after apply) + secondary_file_endpoint = (known after apply) + secondary_file_host = (known after apply) + secondary_file_internet_endpoint = (known after apply) + secondary_file_internet_host = (known after apply) + secondary_file_microsoft_endpoint = (known after apply) + secondary_file_microsoft_host = (known after apply) + secondary_location = (known after apply) + secondary_queue_endpoint = (known after apply) + secondary_queue_host = (known after apply) + secondary_queue_microsoft_endpoint = (known after apply) + secondary_queue_microsoft_host = (known after apply) + secondary_table_endpoint = (known after apply) + secondary_table_host = (known after apply) + secondary_table_microsoft_endpoint = (known after apply) + secondary_table_microsoft_host = (known after apply) + secondary_web_endpoint = (known after apply) + secondary_web_host = (known after apply) + secondary_web_internet_endpoint = (known after apply) + secondary_web_internet_host = (known after apply) + secondary_web_microsoft_endpoint = (known after apply) + secondary_web_microsoft_host = (known after apply) + sftp_enabled = false + shared_access_key_enabled = true + table_encryption_key_type = "Service" } Plan: 3 to add, 0 to change, 0 to destroy. azurerm_storage_account.storageaccount: Creating... azurerm_storage_account.storageaccount: Still creating... [10s elapsed] azurerm_storage_account.storageaccount: Still creating... [20s elapsed] azurerm_storage_account.storageaccount: Still creating... [30s elapsed] azurerm_storage_account.storageaccount: Still creating... [40s elapsed] azurerm_storage_account.storageaccount: Still creating... [50s elapsed] azurerm_storage_account.storageaccount: Still creating... [1m0s elapsed] azurerm_storage_account.storageaccount: Still creating... [1m10s elapsed] azurerm_storage_account.storageaccount: Still creating... [1m20s elapsed] azurerm_storage_account.storageaccount: Still creating... [1m30s elapsed] azurerm_storage_account.storageaccount: Still creating... [1m40s elapsed] azurerm_storage_account.storageaccount: Still creating... [1m50s elapsed] azurerm_storage_account.storageaccount: Still creating... [2m0s elapsed] azurerm_storage_account.storageaccount: Still creating... [2m10s elapsed] azurerm_storage_account.storageaccount: Still creating... [2m20s elapsed] azurerm_storage_account.storageaccount: Still creating... [2m30s elapsed] azurerm_storage_account.storageaccount: Still creating... [2m40s elapsed] azurerm_storage_account.storageaccount: Still creating... [2m50s elapsed] azurerm_storage_account.storageaccount: Still creating... [3m0s elapsed] azurerm_storage_account.storageaccount: Still creating... [3m10s elapsed] azurerm_storage_account.storageaccount: Still creating... [3m20s elapsed] azurerm_storage_account.storageaccount: Still creating... [3m30s elapsed] azurerm_storage_account.storageaccount: Still creating... [3m40s elapsed] azurerm_storage_account.storageaccount: Still creating... [3m50s elapsed] azurerm_storage_account.storageaccount: Still creating... [4m0s elapsed] azurerm_storage_account.storageaccount: Still creating... [4m10s elapsed] azurerm_storage_account.storageaccount: Still creating... [4m20s elapsed] azurerm_storage_account.storageaccount: Still creating... [4m30s elapsed] azurerm_storage_account.storageaccount: Still creating... [4m40s elapsed] azurerm_storage_account.storageaccount: Still creating... [4m50s elapsed] azurerm_storage_account.storageaccount: Still creating... [5m0s elapsed] azurerm_storage_account.storageaccount: Still creating... [5m10s elapsed] azurerm_storage_account.storageaccount: Still creating... [5m20s elapsed] azurerm_storage_account.storageaccount: Still creating... [5m30s elapsed] azurerm_storage_account.storageaccount: Still creating... [5m40s elapsed] azurerm_storage_account.storageaccount: Still creating... [5m50s elapsed] azurerm_storage_account.storageaccount: Still creating... [6m0s elapsed] azurerm_storage_account.storageaccount: Still creating... [6m10s elapsed] azurerm_storage_account.storageaccount: Still creating... [6m20s elapsed] azurerm_storage_account.storageaccount: Still creating... [6m30s elapsed] azurerm_storage_account.storageaccount: Still creating... [6m40s elapsed] azurerm_storage_account.storageaccount: Still creating... [6m50s elapsed] azurerm_storage_account.storageaccount: Still creating... [7m0s elapsed] azurerm_storage_account.storageaccount: Still creating... [7m10s elapsed] azurerm_storage_account.storageaccount: Still creating... [7m20s elapsed] azurerm_storage_account.storageaccount: Still creating... [7m30s elapsed] azurerm_storage_account.storageaccount: Still creating... [7m41s elapsed] azurerm_storage_account.storageaccount: Still creating... [7m51s elapsed] azurerm_storage_account.storageaccount: Still creating... [8m1s elapsed] azurerm_storage_account.storageaccount: Still creating... [8m11s elapsed] azurerm_storage_account.storageaccount: Still creating... [8m21s elapsed] azurerm_storage_account.storageaccount: Still creating... [8m31s elapsed] azurerm_storage_account.storageaccount: Still creating... [8m41s elapsed] azurerm_storage_account.storageaccount: Still creating... [8m51s elapsed] azurerm_storage_account.storageaccount: Still creating... [9m1s elapsed] azurerm_storage_account.storageaccount: Still creating... [9m11s elapsed] azurerm_storage_account.storageaccount: Still creating... [9m21s elapsed] azurerm_storage_account.storageaccount: Still creating... [9m31s elapsed] azurerm_storage_account.storageaccount: Still creating... [9m41s elapsed] azurerm_storage_account.storageaccount: Still creating... [9m51s elapsed] azurerm_storage_account.storageaccount: Still creating... [10m1s elapsed] azurerm_storage_account.storageaccount: Creation complete after 10m5s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Storage/storageAccounts/vcloudlabsademo01] azurerm_private_endpoint.privateendpoint["1"]: Creating... azurerm_private_endpoint.privateendpoint["0"]: Creating... azurerm_private_endpoint.privateendpoint["0"]: Still creating... [10s elapsed] azurerm_private_endpoint.privateendpoint["1"]: Still creating... [10s elapsed] azurerm_private_endpoint.privateendpoint["1"]: Still creating... [20s elapsed] azurerm_private_endpoint.privateendpoint["0"]: Still creating... [20s elapsed] azurerm_private_endpoint.privateendpoint["1"]: Still creating... [30s elapsed] azurerm_private_endpoint.privateendpoint["0"]: Still creating... [30s elapsed] azurerm_private_endpoint.privateendpoint["0"]: Still creating... [40s elapsed] azurerm_private_endpoint.privateendpoint["1"]: Still creating... [40s elapsed] azurerm_private_endpoint.privateendpoint["1"]: Still creating... [50s elapsed] azurerm_private_endpoint.privateendpoint["0"]: Still creating... [50s elapsed] azurerm_private_endpoint.privateendpoint["0"]: Creation complete after 1m0s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Network/privateEndpoints/vcloud-lab-endpoint-blob] azurerm_private_endpoint.privateendpoint["1"]: Still creating... [1m0s elapsed] azurerm_private_endpoint.privateendpoint["1"]: Creation complete after 1m2s [id=/subscriptions/9e22xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/vcloud-lab.com/providers/Microsoft.Network/privateEndpoints/vcloud-lab-endpoint-file] Apply complete! Resources: 3 added, 0 changed, 0 destroyed. |
Useful Articles
Hashicorp Terraform map and object inside module and variable example
Terraform one module deploy null or multiple resources based on input
Terraform A reference to a resource type must be followed by at least one attribute access, specifying the resource name
Terraform fore_each for loop filter with if condition example
Terraform remote-exec provisioner with ssh connection in null_resource
Terraform count vs for_each for examples with map of objects
Terraform one module deploy null or multiple resources based on input (nested for loop) Example of flatten and coalesce
Terraform Azure Create Private Endpoint to existing Storage Account with Custom Private DNS zone record link
Create an Azure virtual machine scale set and load balancer using Terraform
Azure Terraform fixed Availibility Zones on Virtual Machine Scale Set
Writing and Using Terraform modules
Terraform Using one module variable in another module
Hashicorp Terraform dynamic block with example
Terraform for_each loop on map example
Terraform for_each loop on resource example
Terraform manage similar resources with for_each loop inside modules
Importing existing resources into Terraform - Step by Step
Importing already created module Infrastructure into Terraform and update state file
Conditionally create resources in Terraform
Using element function with count meta argument example Terraform Azure subnets