Update management lock defaults
Fixes #20

Update management locks variables and resources to reflect new defaults and descriptions.

* **variables.tf**
  - Update the `management_locks` variable to set `CanNotDelete` to false and `ReadOnly` to false.
  - Remove the text from the description for `management_locks` about resource being recreated.

* **README.md**
  - Update references regarding management locks to reflect the new defaults and descriptions.
  - Change `CanNotDelete` default to false.
  - Remove text about resource being recreated for `CanNotDelete` and `ReadOnly`.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/Insight-NA/modcloud-terraform-azure-storage/issues/20?shareId=XXXX-XXXX-XXXX-XXXX).
mbraunwart committed Jan 15, 2025
1 parent 5cbabd5 commit dc27f4d
Showing 2 changed files with 7 additions and 7 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -34,7 +34,7 @@ Remember storage account names must be between 3 and 24 characters, lowercase le
## Data Protection Requirements / Considerations

### Management Locks
- CanNotDelete: Authorized users are able to read and modify the resources, but not delete. Defaults to `true`. The CanNotDelete setting will NOT prevent Terraform from destorying the storage account.
- CanNotDelete: Authorized users are able to read and modify the resources, but not delete. Defaults to `false`.
- ReadOnly: Authorized users can only read from a resource, but they can't modify or delete. Defaults to `false`. Once a ReadOnly lock is deployed, no further modifications can take place, including Terraform changes. This lock will have to be removed manually, through the command line, or via the Azure Portal. Navigate to the storage account, and under the left navigation panel, the Settings grouping, select Locks, then delete the lock. Be sure to remove the ReadOnly setting, or set it to `false`, to prevent it from recreating.

### Immutability Policy
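Review bot: the replacement CanNotDelete bullet drops the sentence that the lock will not stop Terraform from destroying the storage account; that statement is still true after the default flips to `false` and is exactly what a caller who opts in with `CanNotDelete = true` needs to know, so keep it (without the "destorying" typo). The commit message also says the "recreated" wording was removed for ReadOnly, but the unchanged ReadOnly bullet still ends with "to prevent it from recreating". Finally, with the default now `false`, accounts created by this module get no deletion protection unless the caller sets the lock explicitly; state that opt-in requirement in this section so the weaker default is a conscious choice rather than a surprise.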
Expand Down Expand Up @@ -538,7 +538,7 @@ No modules.
| <a name="input_infrastructure_encryption_enabled"></a> [infrastructure\_encryption\_enabled](#input\_infrastructure\_encryption\_enabled) | (Optional) Is infrastructure encryption enabled? Changing this forces a new resource to be created. Defaults to false. | `bool` | `false` | no |
| <a name="input_is_hns_enabled"></a> [is\_hns\_enabled](#input\_is\_hns\_enabled) | (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 ([see here for more information](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-quickstart-create-account/)). Changing this forces a new resource to be created. | `bool` | `false` | no |
| <a name="input_large_file_share_enabled"></a> [large\_file\_share\_enabled](#input\_large\_file\_share\_enabled) | (Optional) Is Large File Share Enabled? | `bool` | `null` | no |
| <a name="input_management_locks"></a> [management\_locks](#input\_management\_locks) | A map of management locks<br>- `CanNotDelete` - (Required) Storage Account level CanNotDelete Management Lock. Authorized users are able to read and modify the resources, but not delete. Defaults to `true`. Changing this forces a new resource to be created.<br>- `ReadyOnly` - (Optional) Storage Account level ReadOnly Management Lock. Authorized users can only read from a resource, but they can't modify or delete. Defaults to `false`. Changing this forces a new resource to be created. | <pre>object({<br> CanNotDelete = bool<br> ReadOnly = optional(bool)<br> })</pre> | <pre>{<br> "CanNotDelete": true,<br> "ReadOnly": false<br>}</pre> | no |
| <a name="input_management_locks"></a> [management\_locks](#input\_management\_locks) | A map of management locks<br>- `CanNotDelete` - (Required) Storage Account level CanNotDelete Management Lock. Authorized users are able to read and modify the resources, but not delete. Defaults to `false`.<br>- `ReadyOnly` - (Optional) Storage Account level ReadOnly Management Lock. Authorized users can only read from a resource, but they can't modify or delete. Defaults to `false`. | <pre>object({<br> CanNotDelete = bool<br> ReadOnly = optional(bool)<br> })</pre> | <pre>{<br> "CanNotDelete": false,<br> "ReadOnly": false<br>}</pre> | no |
| <a name="input_management_policy"></a> [management\_policy](#input\_management\_policy) | `rule` block supports the following:<br> - `name` - (Required) The name of the rule. Rule name is case-sensitive. It must be unique within a policy.<br> - `enabled` - (Required) Boolean to specify whether the rule is enabled.<br> - `filters` - (Required) A filters block as documented below.<br> - `actions` - (Required) An actions block as documented below.<br><br> ---<br> `filters` block supports the following:<br> - `blob_types` - (Required) An array of predefined values. Valid options are `blockBlob` and `appendBlob`.<br> - `prefix_match` - (Optional) An array of strings for prefixes to be matched.<br> - `match_blob_index_tag` - (Optional) A match\_blob\_index\_tag object as defined below. The object defines the blob index tag based filtering for blob objects.<br> Note: The `match_blob_index_tag` block cannot be set if the snapshot and/or version blocks are set.<br><br>---<br>`match_blob_index_tag` block supports the following<br>- `name` - (Required) The filter tag name used for tag based filtering for blob objects.<br>- `operation` - (Optional) The comparison operator which is used for object comparison and filtering. Possible value is ==. Defaults to ==.<br>- `value` - (Required) The filter tag value used for tag based filtering for blob objects.<br><br> ---<br> `actions` block supports the following:<br> - `base_blob` - (Optional) A base\_blob block as documented below.<br> - `snapshot` - (Optional) A snapshot block as documented below.<br> - `version` - (Optional) A version block as documented below.<br><br> ---<br> `base_blob` block supports the following:<br> - `tier_to_cool_after_days_since_modification_greater_than` - (Optional) The age in days after last modification to tier blobs to cool storage. Supports blob currently at Hot tier. Must be between 0 and 99999. 
Defaults to -1.<br> - `tier_to_cool_after_days_since_last_access_time_greater_than` - (Optional) The age in days after last access time to tier blobs to cool storage. Supports blob currently at Hot tier. Must be between 0 and 99999. Defaults to -1.<br> - `tier_to_cool_after_days_since_creation_greater_than` - (Optional) The age in days after creation to cool storage. Supports blob currently at Hot tier. Must be between 0 and 99999. Defaults to -1.<br> Note: The `tier_to_cool_after_days_since_modification_greater_than`, `tier_to_cool_after_days_since_last_access_time_greater_than`, and `tier_to_cool_after_days_since_creation_greater_than` can not be set at the same time.<br><br> - `auto_tier_to_hot_from_cool_enabled` - (Optional) Whether a blob should automatically be tiered from cool back to hot if it's accessed again after being tiered to cool. Defaults to false.<br> Note: The `auto_tier_to_hot_from_cool_enabled` must be used together with `tier_to_cool_after_days_since_last_access_time_greater_than`.<br><br> - `tier_to_archive_after_days_since_modification_greater_than` - (Optional) The age in days after last modification to tier blobs to archive storage. Supports blob currently at Hot or Cool tier. Must be between 0 and 99999. Defaults to -1.<br> - `tier_to_archive_after_days_since_last_access_time_greater_than` - (Optional) The age in days after last access time to tier blobs to archive storage. Supports blob currently at Hot or Cool tier. Must be between 0 and 99999. Defaults to -1.<br> Note: The `tier_to_archive_after_days_since_modification_greater_than`, `tier_to_archive_after_days_since_last_access_time_greater_than`, and `tier_to_archive_after_days_since_creation_greater_than` can not be set at the same time.<br><br> - `tier_to_archive_after_days_since_last_tier_change_greater_than` - (Optional) The age in days after last tier change to the blobs to skip to be archived. Must be between 0 and 99999. 
Defaults to -1.<br> Note: The `tier_to_cool_after_days_since_modification_greater_than`, `tier_to_cool_after_days_since_last_access_time_greater_than`, and `tier_to_cool_after_days_since_creation_greater_than` can not be set at the same time.<br><br> - `delete_after_days_since_modification_greater_than` - (Optional) The age in days after last modification to delete the blob. Must be between 0 and 99999. Defaults to -1.<br> - `delete_after_days_since_last_access_time_greater_than` - (Optional) The age in days after last access time to delete the blob. Must be between 0 and 99999. Defaults to -1.<br> - `delete_after_days_since_creation_greater_than` - (Optional) The age in days after creation to delete the blob. Must be between 0 and 99999. Defaults to -1.<br> Note: The `delete_after_days_since_modification_greater_than`, `delete_after_days_since_last_access_time_greater_than`, and `delete_after_days_since_creation_greater_than` can not be set at the same time.<br> Note: The `last_access_time_enabled` must be set to true in the `azurerm_storage_account` in order to use `tier_to_cool_after_days_since_last_access_time_greater_than`, `tier_to_archive_after_days_since_last_access_time_greater_than`, and `delete_after_days_since_last_access_time_greater_than`.<br><br> ---<br> `snapshot` block supports the following:<br> - `change_tier_to_archive_after_days_since_creation` - (Optional) The age in days after creation to tier blob snapshot to archive storage. Must be between 0 and 99999. Defaults to -1.<br> - `tier_to_archive_after_days_since_last_tier_change_greater_than` - (Optional) The age in days after last tier change to the blobs to skip to be archived. Must be between 0 and 99999. Defaults to -1.<br> - `change_tier_to_cool_after_days_since_creation` - (Optional) The age in days after creation to tier blob snapshot to cool storage. Must be between 0 and 99999. 
Defaults to -1.<br> - `delete_after_days_since_creation`- (Optional) The age in days after creation to delete the blob version. Must be between 0 and 99999. Defaults to -1.<br><br> ---<br> `timeouts` block supports the following:<br> - `create` - (Defaults to 60 minutes) Used when creating the Network Rules for this Storage Account.<br> - `delete` - (Defaults to 60 minutes) Used when deleting the Network Rules for this Storage Account.<br> - `read` - (Defaults to 5 minutes) Used when retrieving the Network Rules for this Storage Account.<br> - `update` - (Defaults to 60 minutes) Used when updating the Network Rules for this Storage Account. | <pre>object({<br> rule = optional(list(object({<br> name = string<br> enabled = bool<br> filters = object({<br> blob_types = list(string)<br> prefix_match = optional(list(string))<br> match_blob_index_tag = optional(object({<br> name = string<br> operation = optional(string, "==")<br> value = string<br> }))<br> })<br> actions = object({<br> base_blob = optional(object({<br> tier_to_cool_after_days_since_modification_greater_than = optional(number)<br> tier_to_cool_after_days_since_last_access_time_greater_than = optional(number)<br> tier_to_cool_after_days_since_creation_greater_than = optional(number)<br> auto_tier_to_hot_from_cool_enabled = optional(bool)<br> tier_to_archive_after_days_since_modification_greater_than = optional(number)<br> tier_to_archive_after_days_since_last_access_time_greater_than = optional(number)<br> tier_to_archive_after_days_since_creation_greater_than = optional(number)<br> tier_to_archive_after_days_since_last_tier_change_greater_than = optional(number)<br> delete_after_days_since_modification_greater_than = optional(number)<br> delete_after_days_since_last_access_time_greater_than = optional(number)<br> delete_after_days_since_creation_greater_than = optional(number)<br> }))<br> snapshot = optional(object({<br> change_tier_to_archive_after_days_since_creation = optional(number)<br> 
tier_to_archive_after_days_since_last_tier_change_greater_than = optional(number)<br> change_tier_to_cool_after_days_since_creation = optional(number)<br> delete_after_days_since_creation_greater_than = optional(number)<br> }))<br> version = optional(object({<br> change_tier_to_archive_after_days_since_creation = optional(number)<br> tier_to_archive_after_days_since_last_tier_change_greater_than = optional(number)<br> change_tier_to_cool_after_days_since_creation = optional(number)<br> delete_after_days_since_creation = optional(number)<br> }))<br> })<br> })))<br> timeouts = optional(object({<br> create = optional(string)<br> delete = optional(string)<br> read = optional(string)<br> update = optional(string)<br> }))<br> })</pre> | `null` | no |
| <a name="input_min_tls_version"></a> [min\_tls\_version](#input\_min\_tls\_version) | (Optional) The minimum supported TLS version for the storage account. Defaults to `TLS1_2` for new storage accounts. | `string` | `"TLS1_2"` | no |
| <a name="input_network_rules"></a> [network\_rules](#input\_network\_rules) | - `default_action` - (Optional) Specifies the default action of allow or deny when no other rules match. Valid options are Deny or Allow. Defaults to Deny.<br>- `bypass` - (Optional) Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of `Logging`, `Metrics`, `AzureServices`, or `None`.<br>- `ip_rules` - (Optional) List of public IP or IP ranges in CIDR Format. Only IPv4 addresses are allowed. Private IP address ranges (as defined in [RFC 1918](https://tools.ietf.org/html/rfc1918#section-3)) are not allowed.<br>- `storage_account_id` - (Required) Specifies the ID of the storage account. Changing this forces a new resource to be created.<br>- `virtual_network_subnet_ids` - (Optional) A list of virtual network subnet ids to secure the storage account.<br>- `subnet_id` - (Required) The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint. Changing this forces a new resource to be created.<br><br>---<br>`private_link_access` block supports the following:<br>- `endpoint_resource_id` - (Required) The resource id of the resource access rule to be granted access.<br>- `endpoint_tenant_id` - (Optional) The tenant id of the resource of the resource access rule to be granted access. Defaults to the current tenant id.<br><br>---<br>`timeouts` block supports the following:<br>- `create` - (Defaults to 60 minutes) Used when creating the Network Rules for this Storage Account.<br>- `delete` - (Defaults to 60 minutes) Used when deleting the Network Rules for this Storage Account.<br>- `read` - (Defaults to 5 minutes) Used when retrieving the Network Rules for this Storage Account.<br>- `update` - (Defaults to 60 minutes) Used when updating the Network Rules for this Storage Account. 
| <pre>object({<br> default_action = optional(string, "Deny")<br> bypass = optional(set(string), ["Logging", "Metrics", "AzureServices"])<br> ip_rules = optional(list(string), [])<br> virtual_network_subnet_ids = optional(set(string))<br> private_link_access = optional(list(object({<br> endpoint_resource_id = string<br> endpoint_tenant_id = optional(string)<br> })))<br> timeouts = optional(object({<br> create = optional(string)<br> delete = optional(string)<br> read = optional(string)<br> update = optional(string)<br> }))<br> })</pre> | `{}` | no |
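Review bot: `ReadyOnly` in the new management_locks description is a typo for the `ReadOnly` attribute shown in the object type in the same row; it was already present in the removed line and is carried over unchanged. Because this table sits between the TF_DOCS markers and is generated from variables.tf, correct it in the variable description and regenerate rather than editing the README by hand, otherwise the next docs run will reintroduce it.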
Expand Down Expand Up @@ -655,4 +655,4 @@ No modules.
| <a name="output_storage_share_file"></a> [storage\_share\_file](#output\_storage\_share\_file) | Map of storage share directories created. |
| <a name="output_storage_table"></a> [storage\_table](#output\_storage\_table) | Map of storage tables created. |
| <a name="output_storage_table_entity"></a> [storage\_table\_entity](#output\_storage\_table\_entity) | Map of storage table entities created. |
<!-- END_TF_DOCS -->
<!-- END_TF_DOCS -->
8 changes: 4 additions & 4 deletions variables.tf
Expand Up @@ -348,13 +348,13 @@ variable "management_locks" {
ReadOnly = optional(bool)
})
default = {
CanNotDelete = true
CanNotDelete = false
ReadOnly = false
}
description = <<-EOT
A map of management locks
- `CanNotDelete` - (Required) Storage Account level CanNotDelete Management Lock. Authorized users are able to read and modify the resources, but not delete. Defaults to `true`. Changing this forces a new resource to be created.
- `ReadyOnly` - (Optional) Storage Account level ReadOnly Management Lock. Authorized users can only read from a resource, but they can't modify or delete. Defaults to `false`. Changing this forces a new resource to be created.
- `CanNotDelete` - (Required) Storage Account level CanNotDelete Management Lock. Authorized users are able to read and modify the resources, but not delete. Defaults to `true`.
- `ReadyOnly` - (Optional) Storage Account level ReadOnly Management Lock. Authorized users can only read from a resource, but they can't modify or delete. Defaults to `false`.
EOT
nullable = false
}
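Review bot: the new `CanNotDelete` description line still says "Defaults to `true`" while the `default` block in this same hunk now sets `CanNotDelete = false` and the README row in this commit says `false`; change it to "Defaults to `false`" so the generated docs and the actual default agree. The `ReadyOnly` typo for the `ReadOnly` attribute is also carried over into the new line; fix it here, since the README table is generated from this description.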
Expand Down Expand Up @@ -1066,4 +1066,4 @@ variable "timeouts" {
- `read` - (Defaults to 5 minutes) Used when retrieving the Storage Account.
- `update` - (Defaults to 60 minutes) Used when updating the Storage Account.
EOT
}
}
