Merge pull request #413 from aztfmod/storage-network-rules-fix

Storage Account network rules - fix

examples/storage_accounts/103-storage-account-network-rules/configuration.tfvars

@@ -0,0 +1,63 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "southeastasia"
+  }
+}
+
+
+resource_groups = {
+  test = {
+    name = "test"
+  }
+}
+
+vnets = {
+  vnet1 = {
+    resource_group_key = "test"
+    vnet = {
+      name          = "test-stg"
+      address_space = ["10.100.100.0/24"]
+    }
+    specialsubnets = {}
+    subnets = {
+      subnet1 = {
+        name = "test-stg"
+        cidr = ["10.100.100.0/29"]
+        service_endpoints = ["Microsoft.Storage"]
+      }
+    }
+
+  }
+}
+
+# https://docs.microsoft.com/en-us/azure/storage/
+storage_accounts = {
+  sa1 = {
+    name               = "sa1dev"
+    resource_group_key = "test"
+    # Account types are BlobStorage, BlockBlobStorage, FileStorage, Storage and StorageV2. Defaults to StorageV2
+    account_kind = "BlobStorage"
+    # Account Tier options are Standard and Premium. For BlockBlobStorage and FileStorage accounts only Premium is valid.
+    account_tier = "Standard"
+    #  Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS
+    account_replication_type = "LRS" # https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
+    tags = {
+      environment = "dev"
+      team        = "IT"
+      ##
+    }
+    network = {
+      bypass = "None"
+      subnets = {
+        subnet1 = {
+          #lz_key = ""
+          vnet_key   = "vnet1"
+          subnet_key = "subnet1"
+        }
+      }
+
+    }
+  }
+}
+

modules/storage_account/storage_account.tf

@@ -135,20 +135,20 @@ resource "azurerm_storage_account" "stg" {
   }
 
   dynamic "network_rules" {
-    for_each = lookup(var.storage_account, "network", {})
-
+    for_each = lookup(var.storage_account, "network", null) == null ? [] : [1]
     content {
-      bypass         = network_rules.value.bypass
+      bypass         = try(network_rules.value.bypass, [])
       default_action = try(network_rules.value.default_action, "Deny")
       ip_rules       = try(network_rules.value.ip_rules, null)
-      virtual_network_subnet_ids = [
-        for subnet_key in network_rules.value.subnet_keys : var.vnets[network_rules.key].subnets[subnet_key].id
+      virtual_network_subnet_ids = try(var.storage_account.network.subnets, null) == null ? null : [
+        for key , value in var.storage_account.network.subnets : try(var.vnets[var.client_config.landingzone_key][value.vnet_key].subnets[value.subnet_key].id, var.vnets[value.lz_key][value.vnet_key].subnets[value.subnet_key].id)
       ]
     }
   }
-
 }
 
+
+
 module "container" {
   source   = "./container"
   for_each = try(var.storage_account.containers, {})

storage_accounts.tf

@@ -8,7 +8,7 @@ module "storage_accounts" {
   storage_account     = each.value
   resource_group_name = module.resource_groups[each.value.resource_group_key].name
   location            = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
-  vnets               = try(each.value.private_endpoints, {}) == {} ? null : local.combined_objects_networking
+  vnets               = local.combined_objects_networking
   private_endpoints   = try(each.value.private_endpoints, {})
   resource_groups     = try(each.value.private_endpoints, {}) == {} ? null : module.resource_groups
   recovery_vaults     = local.combined_objects_recovery_vaults