Facilitates the use of rotating SAS tokens in Terraform modules.
When you simply use `azurerm_storage_account_sas` or `azurerm_storage_account_blob_container_sas` with the `timestamp()` and `timeadd()` functions, you'll notice that the tokens are updated on each call to `terraform apply`.
This module avoids that and still allows you to rotate the SAS token. You simply tell the module how often the SAS token should rotate.
Note that you should run `terraform apply` to actually rotate the token when needed.
Tested on Terraform 0.12.29 and 0.13.2.
The example below creates a resource group, a storage account, a blob container and a SAS token. The token rotates yearly and is valid for 72h after the next rotation point. The token has all permissions in the storage container.
```hcl
resource "azurerm_resource_group" "rg" {
  location = "eastus2"
  name     = "rg"
}

resource "azurerm_storage_account" "sa" {
  account_replication_type = "LRS"
  account_tier             = "Standard"
  location                 = "eastus2"
  name                     = "sa"
  resource_group_name      = azurerm_resource_group.rg.name
}

resource "azurerm_storage_container" "container" {
  name                 = "container"
  storage_account_name = azurerm_storage_account.sa.name
}

module "storage-sas" {
  # The container must exist before the SAS token is generated.
  depends_on = [azurerm_storage_container.container]
  source     = "datarootsio/azure-storage-sas/module"

  # Rotate yearly; each token stays valid 72h past the next rotation point.
  rotation_years  = 1
  rotation_margin = "72h"

  storage_account_name   = azurerm_storage_account.sa.name
  storage_container_name = azurerm_storage_container.container.name
  resource_group_name    = azurerm_resource_group.rg.name
}

output "sas" {
  value = module.storage-sas.sas
  # The SAS token is a bearer credential: keep it out of plan/apply output.
  sensitive = true
}
```
Don't forget to add the `depends_on` like in the example above.
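Why plain `timestamp()` reissues the token on every apply, next to one way to pin it to a fixed rotation point. This is an added illustration, not the module's own code: it assumes the `hashicorp/time` provider, and the labels `churning`, `stable` and `sas` are hypothetical.

```hcl
# Added illustration. "sa" and "container" are the resources from the
# example above; all other labels are hypothetical.

# Naive: timestamp() is re-evaluated on every run, so start and expiry
# change and a new token is issued on each `terraform apply`.
data "azurerm_storage_account_blob_container_sas" "churning" {
  connection_string = azurerm_storage_account.sa.primary_connection_string
  container_name    = azurerm_storage_container.container.name
  https_only        = true
  start             = timestamp()
  expiry            = timeadd(timestamp(), "8760h") # about one year

  permissions {
    read   = true
    add    = true
    create = true
    write  = true
    delete = true
    list   = true
  }
}

# Stable: time_rotating stores its timestamps in state and is only replaced
# by an apply that runs after the rotation point has passed.
resource "time_rotating" "sas" {
  rotation_years = 1
}

data "azurerm_storage_account_blob_container_sas" "stable" {
  connection_string = azurerm_storage_account.sa.primary_connection_string
  container_name    = azurerm_storage_container.container.name
  https_only        = true
  start             = time_rotating.sas.rfc3339
  # The token outlives the rotation point by 72h, so consumers have a
  # window to pick up the next token before the old one expires.
  expiry = timeadd(time_rotating.sas.rotation_rfc3339, "72h")

  permissions {
    read   = true
    add    = true
    create = true
    write  = true
    delete = true
    list   = true
  }
}
```

In both variants the token is written to the Terraform state, so the state backend needs the same access controls as the token itself.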
All available options are documented in the Terraform Registry.
All contributions are welcome! Feel free to submit an issue or a PR. The module is tested automatically with Terratest.
MIT license. Please see LICENSE for details.