Merge pull request #1076 from equinor/logging-strategy-storageaccounts

Lifecycle management - Storageaccounts

terraform/infrastructure/s940/prod/storageaccounts/main.tf

@@ -113,18 +113,6 @@ resource "azurerm_storage_account" "storageaccounts" {
   }
 }
 
-#######################################################################################
-### Network rules
-###
-
-# resource "azurerm_storage_account_network_rules" "network_rule" {
-#   for_each           = { for key in compact([for key, value in var.storage_accounts : value.firewall ? key : ""]) : key => var.storage_accounts[key] }
-#   storage_account_id = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id
-#   default_action     = "Deny"
-#   ip_rules           = compact([for key, value in local.WHITELIST_IPS.whitelist : endswith(value.ip, "/32") ? replace(value.ip, "/32", "") : ""])
-#   bypass             = ["AzureServices"]
-# }
-
 #######################################################################################
 ### Private endpoint
 ###
@@ -243,13 +231,19 @@ resource "azurerm_storage_management_policy" "sapolicy" {
     }
 
     actions {
-      version {
-        delete_after_days_since_creation = 60
+      dynamic "version" {
+        for_each = each.value["life_cycle_version"] != 0 ? [60] : []
+        content {
+          delete_after_days_since_creation = each.value["life_cycle_version"]
+        }
       }
 
-      base_blob {
-        tier_to_cool_after_days_since_modification_greater_than = 30
-        delete_after_days_since_modification_greater_than       = 90
+      dynamic "base_blob" {
+        for_each = each.value["life_cycle_blob"] != 0 ? [90] : []
+        content {
+          delete_after_days_since_modification_greater_than       = each.value["life_cycle_blob"]
+          tier_to_cool_after_days_since_modification_greater_than = each.value["life_cycle_blob_cool"]
+        }
       }
     }
   }

terraform/infrastructure/s940/prod/storageaccounts/variables.tf

@@ -43,6 +43,9 @@ variable "storage_accounts" {
     versioning_enabled                = optional(bool, true)
     change_feed_enabled               = optional(bool, true)
     change_feed_days                  = optional(number, 35)
+    life_cycle_version                = optional(number, 60)
+    life_cycle_blob                   = optional(number, 90)
+    life_cycle_blob_cool              = optional(number, 30)
     create_with_rbac                  = optional(bool, false)
     private_endpoint                  = optional(bool, false)
   }))
@@ -72,19 +75,3 @@ variable "resource_groups" {
   }))
   default = {}
 }
-
-variable "private_link" {
-  description = "Subnet connection."
-  type = map(object({
-    linkname = string
-  }))
-  default = null
-}
-
-variable "resource_groups" {
-  type = map(object({
-    name     = string                          # Mandatory
-    location = optional(string, "northeurope") # Optional
-  }))
-  default = {}
-}

terraform/infrastructure/s941/dev/storageaccounts/main.tf

@@ -113,18 +113,6 @@ resource "azurerm_storage_account" "storageaccounts" {
   }
 }
 
-#######################################################################################
-### Network rules
-###
-
-# resource "azurerm_storage_account_network_rules" "network_rule" {
-#   for_each           = { for key in compact([for key, value in var.storage_accounts : value.firewall ? key : ""]) : key => var.storage_accounts[key] }
-#   storage_account_id = var.storage_accounts[each.key].create_with_rbac ? data.azurerm_storage_account.storageaccounts[each.key].id : azurerm_storage_account.storageaccounts[each.key].id
-#   default_action     = "Deny"
-#   ip_rules           = compact([for key, value in local.WHITELIST_IPS.whitelist : endswith(value.ip, "/32") ? replace(value.ip, "/32", "") : ""])
-#   bypass             = ["AzureServices"]
-# }
-
 #######################################################################################
 ### Private endpoint
 ###
@@ -201,13 +189,19 @@ resource "azurerm_storage_management_policy" "sapolicy" {
     }
 
     actions {
-      version {
-        delete_after_days_since_creation = 60
+      dynamic "version" {
+        for_each = each.value["life_cycle_version"] != 0 ? [60] : []
+        content {
+          delete_after_days_since_creation = each.value["life_cycle_version"]
+        }
       }
 
-      base_blob {
-        tier_to_cool_after_days_since_modification_greater_than = 30
-        delete_after_days_since_modification_greater_than       = 90
+      dynamic "base_blob" {
+        for_each = each.value["life_cycle_blob"] != 0 ? [180] : []
+        content {
+          delete_after_days_since_modification_greater_than       = each.value["life_cycle_blob"]
+          tier_to_cool_after_days_since_modification_greater_than = each.value["life_cycle_blob_cool"]
+        }
       }
     }
   }

terraform/infrastructure/s941/dev/storageaccounts/variables.tf

@@ -43,6 +43,9 @@ variable "storage_accounts" {
     versioning_enabled                = optional(bool, true)
     change_feed_enabled               = optional(bool, true)
     change_feed_days                  = optional(number, 35)
+    life_cycle_version                = optional(number, 60)
+    life_cycle_blob                   = optional(number, 180)
+    life_cycle_blob_cool              = optional(number, 90)
     create_with_rbac                  = optional(bool, false)
     private_endpoint                  = optional(bool, false)
   }))
@@ -72,27 +75,3 @@ variable "resource_groups" {
   }))
   default = {}
 }
-
-variable "virtual_networks" {
-  type = map(object({
-    name    = optional(string, "vnet-hub")
-    rg_name = string
-  }))
-  default = {}
-}
-
-variable "private_link" {
-  description = "Subnet connection."
-  type = map(object({
-    linkname = string
-  }))
-  default = null
-}
-
-variable "resource_groups" {
-  type = map(object({
-    name     = string                          # Mandatory
-    location = optional(string, "northeurope") # Optional
-  }))
-  default = {}
-}

terraform/radix-zone/radix_zone_dev.tfvars

@@ -184,15 +184,20 @@ storage_accounts = {
     backup_center = true
   }
   "radixflowlogsplayground" = {
-    name             = "radixflowlogsplayground"
-    rg_name          = "Logs-Dev"
-    backup_center    = true
-    managed_identity = true
+    name                 = "radixflowlogsplayground"
+    rg_name              = "Logs-Dev"
+    backup_center        = true
+    managed_identity     = true
+    life_cycle           = true
+    life_cycle_version   = 3
+    life_cycle_blob      = 90
+    life_cycle_blob_cool = 7
   }
   "s941radixinfra" = {
     name                            = "s941radixinfra"
     rg_name                         = "s941-tfstate"
     backup_center                   = true
+    life_cycle                      = false
     repl                            = "RAGRS"
     allow_nested_items_to_be_public = false
     create_with_rbac                = true

terraform/radix-zone/radix_zone_prod.tfvars

@@ -233,21 +233,31 @@ storage_accounts = {
     backup_center    = true
     life_cycle       = false
     managed_identity = true
+    life_cycle           = true
+    life_cycle_version   = 3
+    life_cycle_blob      = 90
+    life_cycle_blob_cool = 7
   }
   "radixflowlogsprod" = {
     name             = "radixflowlogsprod"
     rg_name          = "Logs"
     backup_center    = true
     life_cycle       = false
     managed_identity = true
+    life_cycle           = true
+    life_cycle_version   = 3
+    life_cycle_blob      = 90
+    life_cycle_blob_cool = 7
   }
   "s940radixinfra" = {
     name             = "s940radixinfra"
     rg_name          = "s940-tfstate"
     repl             = "RAGRS"
+    life_cycle       = true
     backup_center    = true
     firewall         = false
     create_with_rbac = true
+    life_cycle_blob = 0
   }
   "s940radixveleroc2" = {
     name             = "s940radixveleroc2"