Note: Scroll down this article to download the Terraform files in zip format.


Terraform Azure: Secure Storage with IP Firewall and SAS Tokens

This Terraform template deploys a secure Azure Storage Account protected by an IP firewall. It uploads a predefined set of files from the local directory and generates a unique, read-only Shared Access Signature (SAS) token for each file, enabling secure, temporary access.

This configuration is designed to be idempotent. If you modify any of the local files and run terraform apply again, Terraform will detect the change and upload the new version.

Features

  • Secure by Default: The storage account is configured to deny all public network traffic by default.
  • IP Firewall: Access is restricted to a list of specified IP addresses or CIDR ranges.
  • Dynamic File Uploads: Automatically uploads a list of specified files from the local project directory.
  • Automatic Updates: Detects changes in local file content and re-uploads them on terraform apply.
  • Scoped SAS Tokens: Generates read-only, object-level SAS tokens with a configurable expiration date.
  • Uses Existing Resources: Designed to use an existing Azure Resource Group, preventing accidental creation or deletion.

Prerequisites

Before you begin, ensure you have the following installed and configured:

  1. Terraform v1.0+
  2. Azure CLI: You must be authenticated to your Azure account.
    az login
    
  3. An Existing Azure Resource Group: This template looks up an existing resource group and does not create one.

⚙️ Configuration

  1. Create Local Files: This template is configured to upload four specific files. You must create these (even if they are empty) in the same directory as your .tf files.

    touch outboundFwRules.json privateAccessPeersConfig.json proxyBypassRulesFile.json proxyBypassPac.pac
    
  2. Configure Variables: Create a file named terraform.auto.tfvars and populate it with your specific values.

    # terraform.auto.tfvars
    
    # Input the requested values:
    resource_group_name  = "Storage-East-US" # Existing Resource Group for the Storage Account.
    location             = "eastus"          # Azure location (e.g. "eastus")
    storage_account_name = "cscrepositories" # Must be globally unique (lowercase letters and numbers only)
    sas_start_date       = "2025-09-14"      # SAS token start date, YYYY-MM-DD
    sas_expiry_date      = "2056-12-31"      # SAS token expiration date, YYYY-MM-DD
    
    # Source IPs (public subnets and addresses) allowed to access the storage account.
    source_ip_ranges = [
      # CSC Subnet Site A
      "192.51.10.0/29",
      # CSC PriCPA Azure
      "200.200.200.200",
      # CSC Zscaler AWS
      "200.1.1.1",
      "200.1.2.1",
    ]
    
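The template's own .tf files ship in the zip download rather than on this page. The configuration below is an added, self-contained example (not the author's code) showing how the features listed above map onto azurerm provider resources: default-deny network rules with an IP allowlist, per-file blobs whose content_md5 triggers a re-upload when the local file changes, a read-only HTTPS-only SAS bounded by the two dates, and a sensitive output. It assumes azurerm 3.x, LRS replication and a container named "files" (all assumptions), and it scopes the read-only SAS to the container and appends it to each blob URL rather than minting a separate token per blob, which is a simplification of what the template describes.

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed: 3.x schema (storage_account_name on container/blob)
    }
  }
}

provider "azurerm" {
  features {}
}

variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "sas_start_date" { type = string }
variable "sas_expiry_date" { type = string }
variable "source_ip_ranges" { type = list(string) }

variable "storage_account_name" {
  type = string
  validation {
    condition     = can(regex("^[a-z0-9]{3,24}$", var.storage_account_name))
    error_message = "Storage account names must be 3-24 lowercase letters and digits."
  }
}

locals {
  # The four files the Configuration section says must exist beside the .tf files.
  files = [
    "outboundFwRules.json",
    "privateAccessPeersConfig.json",
    "proxyBypassRulesFile.json",
    "proxyBypassPac.pac",
  ]
}

# Look up the existing resource group; it is never created or destroyed here.
data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}

resource "azurerm_storage_account" "sa" {
  name                            = var.storage_account_name
  resource_group_name             = data.azurerm_resource_group.rg.name
  location                        = var.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS" # assumed
  min_tls_version                 = "TLS1_2"
  enable_https_traffic_only       = true
  allow_nested_items_to_be_public = false # no anonymous blob or container access

  # Deny everything by default; only the listed public IPs/CIDRs get through.
  network_rules {
    default_action = "Deny"
    ip_rules       = var.source_ip_ranges
    bypass         = ["AzureServices"]
  }
}

resource "azurerm_storage_container" "files" {
  name                  = "files" # assumed container name
  storage_account_name  = azurerm_storage_account.sa.name
  container_access_type = "private"
}

# One blob per file. content_md5 is computed from the local file, so editing a
# file changes the plan and the blob is replaced on the next apply.
resource "azurerm_storage_blob" "file" {
  for_each               = toset(local.files)
  name                   = each.value
  storage_account_name   = azurerm_storage_account.sa.name
  storage_container_name = azurerm_storage_container.files.name
  type                   = "Block"
  source                 = "${path.module}/${each.value}"
  content_md5            = filemd5("${path.module}/${each.value}")
}

# Read-only, HTTPS-only SAS for the container, valid between the two dates.
# Every other permission is set to false explicitly.
data "azurerm_storage_account_blob_container_sas" "read_only" {
  connection_string = azurerm_storage_account.sa.primary_connection_string
  container_name    = azurerm_storage_container.files.name
  https_only        = true
  start             = var.sas_start_date
  expiry            = var.sas_expiry_date

  permissions {
    read   = true
    add    = false
    create = false
    write  = false
    delete = false
    list   = false
  }
}

output "file_sas_urls" {
  description = "Map of filename to its read-only SAS URL."
  sensitive   = true
  value = {
    for name, blob in azurerm_storage_blob.file :
    # trimprefix makes the join correct whether or not the sas attribute carries a leading "?"
    name => "${blob.url}?${trimprefix(data.azurerm_storage_account_blob_container_sas.read_only.sas, "?")}"
  }
}
```

Two operational points follow from the default-deny rule. First, creating the container and uploading the blobs are data-plane calls, so the machine running terraform apply must itself be inside source_ip_ranges or the apply fails with a 403. Second, a SAS token does not bypass the network rules: a request carrying a valid token from an address outside the allowlist is still refused, which is what makes the firewall and the token two independent controls. Bear in mind that an expiry such as the 2056 date in the sample tfvars turns the read-only token into a long-lived credential, so treat the output exactly as the README says and keep it out of logs and pipelines; terraform output -json file_sas_urls is the convenient way to read a single URL back.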

Deployment

Follow the standard Terraform workflow to deploy the resources.

  1. Initialize Terraform: This command downloads the necessary providers.

    terraform init
    
  2. Plan the Deployment: This command shows you what resources will be created or changed.

    terraform plan
    
  3. Apply the Configuration: This command creates the resources in Azure.

    terraform apply
    

Outputs

The primary output of this template is a map of filenames to their secure SAS URLs.

Because SAS tokens are sensitive credentials, the output is marked as sensitive. To display the URLs after a successful apply, run:

terraform output file_sas_urls