From 8b27d1c65791c6a6917f4cb8888499a0656801a6 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Mon, 20 Mar 2023 14:24:40 -0400 Subject: [PATCH 1/3] initial commit --- .../storageAccounts/.test/common/deploy.test.bicep | 1 + modules/Microsoft.Storage/storageAccounts/deploy.bicep | 10 ++++++++++ modules/Microsoft.Storage/storageAccounts/readme.md | 6 ++++++ 3 files changed, 17 insertions(+) diff --git a/modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep b/modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep index 4fe2601520..eed64ba071 100644 --- a/modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep @@ -213,6 +213,7 @@ module testDeployment '../../deploy.bicep' = { } ] } + sasExpirationPeriod: '180.00:00:00' systemAssignedIdentity: true userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} diff --git a/modules/Microsoft.Storage/storageAccounts/deploy.bicep b/modules/Microsoft.Storage/storageAccounts/deploy.bicep index 62cde7ed43..aa95ee955e 100644 --- a/modules/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/modules/Microsoft.Storage/storageAccounts/deploy.bicep @@ -201,6 +201,12 @@ param cMKKeyVersion string = '' @description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') param diagnosticSettingsName string = '' +@description('Optional. The SAS expiration action. Can only be Log.') +param expirationAction string = 'Log' + +@description('Optional. The SAS expiration period. DD.HH:MM:SS.') +param sasExpirationPeriod string = '' + var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { category: metric timeGrain: null @@ -286,6 +292,10 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { } : null } accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null + sasPolicy: !empty(sasExpirationPeriod) ? { + expirationAction: expirationAction + sasExpirationPeriod: sasExpirationPeriod + } : null supportsHttpsTrafficOnly: supportsHttpsTrafficOnly isHnsEnabled: enableHierarchicalNamespace ? enableHierarchicalNamespace : null isSftpEnabled: enableSftp diff --git a/modules/Microsoft.Storage/storageAccounts/readme.md b/modules/Microsoft.Storage/storageAccounts/readme.md index d15abd1980..ac6ca3c24c 100644 --- a/modules/Microsoft.Storage/storageAccounts/readme.md +++ b/modules/Microsoft.Storage/storageAccounts/readme.md @@ -76,6 +76,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `enableNfsV3` | bool | `False` | | If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true. | | `enableSftp` | bool | `False` | | If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true. | +| `expirationAction` | string | `'Log'` | | The SAS expiration action. Can only be Log. | | `fileServices` | _[fileServices](fileServices/readme.md)_ object | `{object}` | | File service and shares to deploy. | | `isLocalUserEnabled` | bool | `False` | | Enables local users feature, if set to true. | | `largeFileSharesState` | string | `'Disabled'` | `[Disabled, Enabled]` | Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares). | @@ -90,6 +91,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `queueServices` | _[queueServices](queueServices/readme.md)_ object | `{object}` | | Queue service and queues to create. | | `requireInfrastructureEncryption` | bool | `True` | | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `sasExpirationPeriod` | string | `''` | | The SAS expiration period. DD.HH:MM:SS. | | `storageAccountKind` | string | `'StorageV2'` | `[BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2]` | Type of Storage Account to create. | | `storageAccountSku` | string | `'Standard_GRS'` | `[Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS]` | Storage Account Sku Name. | | `supportsHttpsTrafficOnly` | bool | `True` | | Allows HTTPS traffic only to storage service if sets to true. | @@ -585,6 +587,7 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = { roleDefinitionIdOrName: 'Reader' } ] + sasExpirationPeriod: '180.00:00:00' storageAccountSku: 'Standard_LRS' systemAssignedIdentity: true tableServices: { @@ -820,6 +823,9 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = { } ] }, + "sasExpirationPeriod": { + "value": "180.00:00:00" + }, "storageAccountSku": { "value": "Standard_LRS" }, From 577e8fae64b00fa6ad919eccaa2734dae03e3e28 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Tue, 21 Mar 2023 09:09:03 -0400 Subject: [PATCH 2/3] removed expirationAction Parameter because not needed --- modules/Microsoft.Storage/storageAccounts/deploy.bicep | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/Microsoft.Storage/storageAccounts/deploy.bicep b/modules/Microsoft.Storage/storageAccounts/deploy.bicep index aa95ee955e..6c997aed2f 100644 --- a/modules/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/modules/Microsoft.Storage/storageAccounts/deploy.bicep @@ -201,9 +201,6 @@ param cMKKeyVersion string = '' @description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".') param diagnosticSettingsName string = '' -@description('Optional. The SAS expiration action. Can only be Log.') -param expirationAction string = 'Log' - @description('Optional. The SAS expiration period. DD.HH:MM:SS.') param sasExpirationPeriod string = '' @@ -293,7 +290,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { } accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null sasPolicy: !empty(sasExpirationPeriod) ? { - expirationAction: expirationAction + expirationAction: 'Log' sasExpirationPeriod: sasExpirationPeriod } : null supportsHttpsTrafficOnly: supportsHttpsTrafficOnly From c5fb947efdc08ea1ce69e3edf9d0733280b1f20c Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Tue, 21 Mar 2023 14:22:12 -0400 Subject: [PATCH 3/3] updated readme --- modules/Microsoft.Storage/storageAccounts/readme.md | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/Microsoft.Storage/storageAccounts/readme.md b/modules/Microsoft.Storage/storageAccounts/readme.md index ac6ca3c24c..2a82bc0207 100644 --- a/modules/Microsoft.Storage/storageAccounts/readme.md +++ b/modules/Microsoft.Storage/storageAccounts/readme.md @@ -76,7 +76,6 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `enableNfsV3` | bool | `False` | | If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true. | | `enableSftp` | bool | `False` | | If true, enables Secure File Transfer Protocol for the storage account. Requires enableHierarchicalNamespace to be true. | -| `expirationAction` | string | `'Log'` | | The SAS expiration action. Can only be Log. | | `fileServices` | _[fileServices](fileServices/readme.md)_ object | `{object}` | | File service and shares to deploy. | | `isLocalUserEnabled` | bool | `False` | | Enables local users feature, if set to true. | | `largeFileSharesState` | string | `'Disabled'` | `[Disabled, Enabled]` | Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares). |