Introduction
Azure supports enabling the following categories for Storage Account Blob, Files, Queues, and Tables.
- Storage Read
- Storage Write
- Storage Delete
But it is not obvious how to enable these settings using the Azure Terraform Provider.
Expected Outcome
Understand how to configure Terraform to enable Storage Read, Storage Write, or Storage Delete settings on Azure Blob, File, Queue, or Table.
Procedure
The resource azurerm_monitor_diagnostic_setting is used to enable these settings.
The key to enabling these settings for different data types in a Storage Account is using a particular string in the target_resource_id argument.
Specifically, target_resource_id should be the Storage Account ID of the storage account where these settings should be enabled, plus one of the following suffixes:
- For Blob: /blobServices/default/
- For File: /fileServices/default/
- For Queue: /queueServices/default/
- For Table: /tableServices/default/
Storage Write, Read, or Delete is then enabled using category:
- StorageWrite
- StorageRead
- StorageDelete
In practice, this is what it would look like to enable Storage Write for Blob, File, Queue, and Table on a Storage Account:
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources-azurermdiag"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "storageaccdiag"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_monitor_diagnostic_setting" "examplesablob" {
  name               = "examplediagsettingblob"
  target_resource_id = "${azurerm_storage_account.example.id}/blobServices/default/"
  storage_account_id = azurerm_storage_account.example.id

  enabled_log {
    category = "StorageWrite"
  }
}

resource "azurerm_monitor_diagnostic_setting" "examplesaqueue" {
  name               = "examplediagsettingqueue"
  target_resource_id = "${azurerm_storage_account.example.id}/queueServices/default/"
  storage_account_id = azurerm_storage_account.example.id

  enabled_log {
    category = "StorageWrite"
  }
}

resource "azurerm_monitor_diagnostic_setting" "examplesatable" {
  name               = "examplediagsettingtable"
  target_resource_id = "${azurerm_storage_account.example.id}/tableServices/default/"
  storage_account_id = azurerm_storage_account.example.id

  enabled_log {
    category = "StorageWrite"
  }
}

resource "azurerm_monitor_diagnostic_setting" "examplesafile" {
  name               = "examplediagsettingfile"
  target_resource_id = "${azurerm_storage_account.example.id}/fileServices/default/"
  storage_account_id = azurerm_storage_account.example.id

  enabled_log {
    category = "StorageWrite"
  }
}

Applying this configuration should cause Storage Write to be enabled for blob, queue, table and files.
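For a full audit trail, the same pattern can cover all three categories on all four services. The following is an added example, not part of the original article: it generalizes the configuration above with for_each and a dynamic enabled_log block, and is meant to replace the four separate diagnostic setting resources rather than sit beside them. The local names, the resource label storage_audit, and the output name are assumptions made for illustration.

```hcl
# Added example: depends on azurerm_storage_account.example from the
# configuration above. Local, resource, and output names are hypothetical.
locals {
  # Sub-resource suffixes as listed in the article (trailing slash kept).
  storage_services = {
    blob  = "/blobServices/default/"
    file  = "/fileServices/default/"
    queue = "/queueServices/default/"
    table = "/tableServices/default/"
  }

  # Log categories named in the article.
  storage_log_categories = ["StorageRead", "StorageWrite", "StorageDelete"]
}

# One diagnostic setting per storage service, each enabling every category.
resource "azurerm_monitor_diagnostic_setting" "storage_audit" {
  for_each = local.storage_services

  name               = "examplediagsetting${each.key}all"
  target_resource_id = "${azurerm_storage_account.example.id}${each.value}"
  storage_account_id = azurerm_storage_account.example.id

  # Emit one enabled_log block per category.
  dynamic "enabled_log" {
    for_each = toset(local.storage_log_categories)
    content {
      category = enabled_log.value
    }
  }
}

# Lets a reviewer confirm which sub-resources are covered after apply.
output "storage_audit_targets" {
  value = {
    for svc, ds in azurerm_monitor_diagnostic_setting.storage_audit :
    svc => ds.target_resource_id
  }
}
```

Running terraform plan should show four diagnostic settings, each with three enabled_log blocks.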