gen-storage-account

Latest: v3.1.0
Category: Storage
Total Versions: 16
Last Updated: 2/17/2026

Release History

v3.1.0 Latest

Changes:

  • defaultToOAuthAuthentication
  • Merged PR 16511: Fixed option

v3.0.1

Changes:

  • Corrected a bug in the validation process for a 'Standard' type with 'File_Services' block.
  • Merged PR 16450: Correct bug

v3.0.0 Breaking

Changes:

  • New features:
      • Added support for ProvisionedV2 type storage.
      • Switched from AzureRM to AzApi provider for creating the Storage Account itself to resolve the issue where the default action of the firewall would be Allow and Azure policy expects Deny. The creation of optional private endpoints was not altered and remains AzureRM for now.
      • Added more defaults and extra validation to ensure:
          • Only basic configuration is required to deploy a secure storage account. This will deploy a StandardV2 version with LRS replication.
          • Account:
              • Account tier must be either 'Standard' or 'Premium'.
              • Account kind must be one of: 'StorageV2', 'BlobStorage', 'FileStorage', 'BlockBlobStorage'.
              • Replication type must be one of: 'LRS', 'GRS', 'RAGRS', 'ZRS', 'GZRS', 'RAGZRS'.
          • Network settings:
              • When ip_rules or virtual_network_subnet_ids are provided, public_network_access must be 'Enabled'.
          • Data Protection (old blob block):
              • When restore_policy_days is provided, blob_delete_retention_days and change_feed_retention_in_days must have values, and versioning_enabled must be true.
              • When restore_policy_days is provided, the value must be lower than blob_delete_retention_days.
              • When hns_enabled is true, restore_policy_days, versioning_enabled, and change_feed_retention_in_days cannot be configured in data_protection.
          • SMB Security settings:
              • file_service configuration block is not supported when account kind is 'FileStorage' and tier is 'Standard'. Settings must be configured manually in the Azure portal.
              • smb_multichannel_enabled cannot be used when account tier is 'Standard'.
  • Noteworthy:
      • The "SMB protocol settings" are not (yet) available when deploying an SA of type FileStorage with tier Standard. This is a restriction in the AzApi provider. The setting will work for the other configurations.
  • Merged PR 16444: Update module
  • Update module to support private_link_access block as described here:
  • https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#private_link_access-2
  • Revert network rules setting to bypass = try(var.network_settings.bypass, ["AzureServices"]). It didn't solve the trivy security warning.
  • Exception for trivy scan: AVD-AZU-0010 Allow Microsoft Service Bypass. This is a configurable option; to avoid false positive warnings when public access is disabled, we need this exception.
  • Added a condition to network_rules bypass settings. This setting is not needed when public access is disabled.
  • Parameter to configure local_user_enabled. Default value: false. Added Checkov skip for CKV2_AZURE_47: false positive.
  • Option to configure Use Microsoft Entra authorization for access in the Azure portal. Default setting "Enabled".
  • Add a filter to blob properties. Blob properties will not be configured when account kind is FileStorage.
  • Support for Azure file authentication settings. Default turned off.
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.
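
The v3.0.0 validation rules listed above, written as a pre-plan check that a pipeline could run on module inputs. This is an added example, not the module's own code; the input dict layout and the account_tier, account_kind and account_replication_type key names are assumptions.

```python
# Added example: pre-plan check mirroring the v3.0.0 validation rules above.
# Input layout and the account_* key names are assumptions, not the module schema.
TIERS = {"Standard", "Premium"}
KINDS = {"StorageV2", "BlobStorage", "FileStorage", "BlockBlobStorage"}
REPLICATION = {"LRS", "GRS", "RAGRS", "ZRS", "GZRS", "RAGZRS"}

def validate(cfg):
    """Return a list of rule violations for one storage-account input dict."""
    errs = []
    tier, kind = cfg.get("account_tier"), cfg.get("account_kind")
    if tier not in TIERS:
        errs.append("account_tier must be 'Standard' or 'Premium'")
    if kind not in KINDS:
        errs.append("account_kind is not a supported kind")
    if cfg.get("account_replication_type") not in REPLICATION:
        errs.append("replication type is not supported")
    # Firewall allow-lists only make sense while the public endpoint is enabled.
    net = cfg.get("network_settings") or {}
    if (net.get("ip_rules") or net.get("virtual_network_subnet_ids")) \
            and net.get("public_network_access") != "Enabled":
        errs.append("ip_rules/virtual_network_subnet_ids need public_network_access 'Enabled'")
    dp = cfg.get("data_protection") or {}
    restore, delete = dp.get("restore_policy_days"), dp.get("blob_delete_retention_days")
    if restore is not None:
        if delete is None or dp.get("change_feed_retention_in_days") is None \
                or dp.get("versioning_enabled") is not True:
            errs.append("restore_policy_days needs both retention values and versioning_enabled")
        if delete is not None and restore >= delete:
            errs.append("restore_policy_days must be lower than blob_delete_retention_days")
    if cfg.get("hns_enabled"):
        blocked = [k for k in ("restore_policy_days", "versioning_enabled",
                               "change_feed_retention_in_days") if dp.get(k) is not None]
        if blocked:
            errs.append("hns_enabled forbids: " + ", ".join(blocked))
    fs = cfg.get("file_service")
    if fs is not None and kind == "FileStorage" and tier == "Standard":
        errs.append("file_service is not supported for Standard FileStorage")
    if fs and fs.get("smb_multichannel_enabled") and tier == "Standard":
        errs.append("smb_multichannel_enabled cannot be used with tier 'Standard'")
    return errs

# Constructed sample input: breaks the network rule and the restore-window rule.
SAMPLE = {
    "account_tier": "Standard", "account_kind": "StorageV2",
    "account_replication_type": "LRS",
    "network_settings": {"ip_rules": ["203.0.113.10"], "public_network_access": "Disabled"},
    "data_protection": {"restore_policy_days": 7, "blob_delete_retention_days": 7,
                        "change_feed_retention_in_days": 7, "versioning_enabled": True},
}
```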

v2.5.0

Changes:

  • Update module to support private_link_access block as described here:
  • https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#private_link_access-2
  • Merged PR 16068: Updated storage_account.tf
  • Revert network rules setting to bypass = try(var.network_settings.bypass, ["AzureServices"]). It didn't solve the trivy security warning.
  • Exception for trivy scan: AVD-AZU-0010 Allow Microsoft Service Bypass. This is a configurable option; to avoid false positive warnings when public access is disabled, we need this exception.
  • Added a condition to network_rules bypass settings. This setting is not needed when public access is disabled.
  • Parameter to configure local_user_enabled. Default value: false. Added Checkov skip for CKV2_AZURE_47: false positive.
  • Option to configure Use Microsoft Entra authorization for access in the Azure portal. Default setting "Enabled".
  • Add a filter to blob properties. Blob properties will not be configured when account kind is FileStorage.
  • Support for Azure file authentication settings. Default turned off.
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.

v2.4.3

Changes:

  • Revert network rules setting to bypass = try(var.network_settings.bypass, ["AzureServices"]). It didn't solve the trivy security warning.
  • Merged PR 15759: Updated storage_account.tf
  • Exception for trivy scan: AVD-AZU-0010 Allow Microsoft Service Bypass. This is a configurable option; to avoid false positive warnings when public access is disabled, we need this exception.
  • Added a condition to network_rules bypass settings. This setting is not needed when public access is disabled.
  • Parameter to configure local_user_enabled. Default value: false. Added Checkov skip for CKV2_AZURE_47: false positive.
  • Option to configure Use Microsoft Entra authorization for access in the Azure portal. Default setting "Enabled".
  • Add a filter to blob properties. Blob properties will not be configured when account kind is FileStorage.
  • Support for Azure file authentication settings. Default turned off.
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.

v2.4.2

Changes:

  • Exception for trivy scan: AVD-AZU-0010 Allow Microsoft Service Bypass. This is a configurable option; to avoid false positive warnings when public access is disabled, we need this exception.
  • Merged PR 15725: Add trivy exception
  • Added a condition to network_rules bypass settings. This setting is not needed when public access is disabled.
  • Parameter to configure local_user_enabled. Default value: false. Added Checkov skip for CKV2_AZURE_47: false positive.
  • Option to configure Use Microsoft Entra authorization for access in the Azure portal. Default setting "Enabled".
  • Add a filter to blob properties. Blob properties will not be configured when account kind is FileStorage.
  • Support for Azure file authentication settings. Default turned off.
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.

v2.4.1

Changes:

  • Added a condition to network_rules bypass settings. This setting is not needed when public access is disabled.
  • Merged PR 15647: Update bypass rules for network access based on public network access configu...
  • Parameter to configure local_user_enabled. Default value: false. Added Checkov skip for CKV2_AZURE_47: false positive.
  • Option to configure Use Microsoft Entra authorization for access in the Azure portal. Default setting "Enabled".
  • Add a filter to blob properties. Blob properties will not be configured when account kind is FileStorage.
  • Support for Azure file authentication settings. Default turned off.
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.

v2.4.0

Changes:

  • Parameter to configure local_user_enabled. Default value: false. Added Checkov skip for CKV2_AZURE_47: false positive.
  • Merged PR 15629: Add localuser config
  • Option to configure Use Microsoft Entra authorization for access in the Azure portal. Default setting "Enabled".
  • Add a filter to blob properties. Blob properties will not be configured when account kind is FileStorage.
  • Support for Azure file authentication settings. Default turned off.
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.

v2.3.0

Changes:

  • Option to configure Use Microsoft Entra authorization for access in the Azure portal. Default setting "Enabled".
  • Merged PR 15533: Add default_to_oauth_authentication variable to configuration
  • Add a filter to blob properties. Blob properties will not be configured when account kind is FileStorage.
  • Support for Azure file authentication settings. Default turned off.
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.

v2.2.1

Changes:

  • Add a filter to blob properties. Blob properties will not be configured when account kind is FileStorage.
  • Merged PR 15113: Refactor blob_properties to conditionally apply for non-FileStorage accounts
  • Support for Azure file authentication settings. Default turned off.
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.

v2.2.0

Changes:

  • Support for Azure file authentication settings. Default turned off.
  • Merged PR 15039: Add azure_files_authentication
  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.

v2.1.0

Changes:

  • Make SAS policy variable with a default value of "Block". Add checkov ignore to fix false positive.
  • Merged PR 15008: Fix checkov warning

v2.0.0 Breaking

Changes:

  • 'network_rules' are no longer enabled by default
  • 'network_rules' are moved to a separate resource
  • 'Public access from all networks' is now possible to configure
  • Merged PR 13457: module_update

v1.2.2

Changes:

  • Added variable group
  • Changed releasenote branch to main
  • Changed PR template without skip
  • Added IPMhub publish
  • Merged PR 12224: Update pull request template and YAML configuration for storage account module

v1.2.1

Changes:

  • Updated module to prevent it from destroying the storage account and possible private endpoints in case new tags are added.
  • storage_account.tf:
  • to get location from the location variable
  • Updated readme.md
  • Merged PR 11458: gen-storage-account_update

v1.2.0

Changes:

  • by this module) are deployed at the same time.
  • Updated the private_endpoints variable to a map of objects. Updated private_endpoints.tf resources to reflect the changes of the private_endpoints variable. Added 'web' private endpoint resource to private_endpoints.tf. Updated readme.md.
  • Merged PR 11283: gen-storage-account_update
  • Updated pipeline and pull request template to work with the simacsupport releasenote website.
  • Update tflint to latest version.