Note: Scroll down this article to download the Terraform files in zip format.
Terraform Azure: Secure Storage with IP Firewall and SAS Tokens
This Terraform template deploys a secure Azure Storage Account protected by an IP firewall. It uploads a predefined set of files from the local directory and generates a unique, read-only Shared Access Signature (SAS) token for each file, enabling secure, temporary access.
This configuration is designed to be idempotent. If you modify any of the local files and run terraform apply again, Terraform will detect the change and upload the new version.
Features
- Secure by Default: The storage account is configured to deny all public network traffic by default.
- IP Firewall: Access is restricted to a list of specified IP addresses or CIDR ranges.
- Dynamic File Uploads: Automatically uploads a list of specified files from the local project directory.
- Automatic Updates: Detects changes in local file content and re-uploads them on terraform apply.
- Scoped SAS Tokens: Generates read-only, object-level SAS tokens with a configurable expiration date.
- Uses Existing Resources: Designed to use an existing Azure Resource Group, preventing accidental creation or deletion.
Prerequisites
Before you begin, ensure you have the following installed and configured:
- Terraform v1.0+
- Azure CLI: You must be authenticated to your Azure account.
az login
- An Existing Azure Resource Group: This template looks up an existing resource group and does not create one.
⚙️ Configuration
Create Local Files
This template is configured to upload four specific files. You must create these (even if they are empty) in the same directory as your .tf files.
touch outboundFwRules.json privateAccessPeersConfig.json proxyBypassRulesFile.json proxyBypassPac.pac
Configure Variables
Create a file named terraform.auto.tfvars and populate it with your specific values.
# terraform.auto.tfvars
# Input the requested values:
resource_group_name  = "Storage-East-US" # Resource Group for the Storage Account.
location             = "eastus"          # Azure Location (e.g. "eastus")
storage_account_name = "cscrepositories" # the name must be unique (lowercase letters and numbers)
sas_start_date       = "2025-09-14"      # SAS Token start date YYYY-MM-DD
sas_expiry_date      = "2056-12-31"      # SAS Token expiration date YYYY-MM-DD
# Input the Source IPs (Public Subnets and IPs) allowed to access the storage account.
source_ip_ranges = [
  # CSC Subnet Site A
  "192.51.10.0/29",
  # CSC PriCPA Azure
  "200.200.200.200",
  # CSC Zscaler AWS
  "200.1.1.1",
  "200.1.2.1",
]
Deployment
Follow the standard Terraform workflow to deploy the resources.
Initialize Terraform: This command downloads the necessary providers.
terraform init
Plan the Deployment: This command shows you what resources will be created or changed.
terraform plan
Apply the Configuration: This command creates the resources in Azure.
terraform apply
Outputs
The primary output of this template is a map of filenames to their secure SAS URLs.
Because SAS tokens are sensitive credentials, the output is marked as sensitive. To display the URLs after a successful apply, run:
terraform output file_sas_urls
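The following is an added example of how the features described above fit together in HCL; it is not the template's own code (which is in the downloadable zip) and it assumes the azurerm provider 3.x, the variable names from terraform.auto.tfvars, and a container named "files". It differs from the template in one respect: it issues a single read-only, object-scoped account SAS and composes a URL per blob from it, rather than a distinct token per file.

```hcl
# Added example: not the template's own code. Assumes azurerm provider 3.x and the
# variable names from terraform.auto.tfvars; the container name "files" is an assumption.
variable "resource_group_name"  { type = string }
variable "location"             { type = string }
variable "storage_account_name" { type = string }
variable "sas_start_date"       { type = string }       # YYYY-MM-DD
variable "sas_expiry_date"      { type = string }       # YYYY-MM-DD
variable "source_ip_ranges"     { type = list(string) } # public IPs / CIDRs allowed through the firewall

locals {
  # The four files the template uploads from the module directory.
  files = ["outboundFwRules.json", "privateAccessPeersConfig.json",
           "proxyBypassRulesFile.json", "proxyBypassPac.pac"]
}

# Look the resource group up; never create or destroy it.
data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}

resource "azurerm_storage_account" "secure" {
  name                            = var.storage_account_name
  resource_group_name             = data.azurerm_resource_group.rg.name
  location                        = var.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false # no anonymous container/blob access

  # IP firewall: deny everything that does not come from source_ip_ranges.
  network_rules {
    default_action = "Deny"
    ip_rules       = var.source_ip_ranges
  }
}

resource "azurerm_storage_container" "files" {
  name                  = "files"
  storage_account_name  = azurerm_storage_account.secure.name
  container_access_type = "private"
}

# One blob per local file. content_md5 is derived from the file's bytes, so editing
# a file changes the plan and "terraform apply" re-uploads it.
resource "azurerm_storage_blob" "file" {
  for_each               = toset(local.files)
  name                   = each.key
  storage_account_name   = azurerm_storage_account.secure.name
  storage_container_name = azurerm_storage_container.files.name
  type                   = "Block"
  source                 = "${path.module}/${each.key}"
  content_md5            = filemd5("${path.module}/${each.key}")
}

# Read-only account SAS limited to blob objects, HTTPS only, bounded by start/expiry.
data "azurerm_storage_account_sas" "read_only" {
  connection_string = azurerm_storage_account.secure.primary_connection_string
  https_only        = true
  start             = "${var.sas_start_date}T00:00:00Z"
  expiry            = "${var.sas_expiry_date}T23:59:59Z"

  resource_types {
    service   = false
    container = false
    object    = true
  }
  services {
    blob  = true
    queue = false
    table = false
    file  = false
  }
  permissions {
    read    = true
    write   = false
    delete  = false
    list    = false
    add     = false
    create  = false
    update  = false
    process = false
    tag     = false
    filter  = false
  }
}

# Map of filename -> SAS URL; sensitive keeps the tokens out of plan/apply output.
output "file_sas_urls" {
  sensitive = true
  value = {
    for name, blob in azurerm_storage_blob.file :
    name => "${blob.url}?${trimprefix(data.azurerm_storage_account_sas.read_only.sas, "?")}"
  }
}
```

Two operational points follow from this layout. Blob uploads go through the storage data plane, which the IP firewall also governs, so the machine running terraform apply must itself be covered by source_ip_ranges or the upload step fails with an authorization error. A SAS URL is a bearer credential: anyone holding it can read the file from an allowed IP until the expiry date, and it is invalidated early only by rotating the account key it was signed with, so a shorter expiry than the 2056 date in the tfvars example keeps the exposure window small.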