terraform.azure.automation/modules/azure_sa/main.tf

terraform {
  required_version = "~> 0.12.21"
  required_providers {
    azurerm = "~> 1.44"
  }
}

resource "azurerm_storage_account" "azsa" {
  depends_on = [var.azsa_depends_on]
  for_each = var.sas

  name                      = each.key
  resource_group_name       = each.value.resource_group_name
  location                  = each.value.location
  account_kind              = try(each.value.kind, null)
  account_tier              = try(each.value.tier, "Standard")
  account_replication_type  = try(each.value.replication_type, "GRS")
  access_tier               = try(each.value.access, null)
  enable_https_traffic_only = try(each.value.https_traffic, true)
  is_hns_enabled            = try(each.value.hns, null)
  tags                      = try(each.value.tags, null)

  dynamic "custom_domain" {
    for_each = try(each.value.custom_domain, {})
    content {
      name          = try(custom_domain.value.cname, null)
      use_subdomain = try(custom_domain.value.subdomain, null)
    }
  }

  identity {
    type = try(each.value.identity.type, "SystemAssigned")
  }

  blob_properties {
    /*dynamic "cors_rule" {
      for_each = try(each.value.blob_properties.cors_rule, {})
      content {
        allowed_headers    = try(cors_rule.value.headers, [])
        allowed_methods    = try(cors_rule.value.methods, [])
        allowed_origins    = try(cors_rule.value.origins, [])
        exposed_headers    = try(cors_rule.value.exposed, [])
        max_age_in_seconds = try(cors_rule.value.age, 30)
      }
    }*/
    delete_retention_policy {
      days = try(each.value.blob_properties.retention, 7)
    }
  }

  dynamic "queue_properties" {
    for_each = try(each.value.queue_properties, {})
    content {
      dynamic "cors_rule" {
        for_each = try(queue_properties.value.cors_rule, {})
        content {
          allowed_headers    = try(cors_rule.value.headers, [])
          allowed_methods    = try(cors_rule.value.methods, [])
          allowed_origins    = try(cors_rule.value.origins, [])
          exposed_headers    = try(cors_rule.value.exposed, [])
          max_age_in_seconds = try(cors_rule.value.age, 30)
        }
      }
      dynamic "logging" {
        for_each = try(queue_properties.value.logging, {})
        content {
          delete                = try(logging.value.delete, true)
          read                  = try(logging.value.read, true)
          version               = try(logging.value.version, "1.0")
          write                 = try(logging.value.write, true)
          retention_policy_days = try(logging.value.retention, null)
        }
      }
      dynamic "minute_metrics" {
        for_each = try(queue_properties.value.minutes, {})
        content {
          enabled               = try(minute_metrics.value.enabled, true)
          version               = try(minute_metrics.value.version, "1.0")
          include_apis          = try(minute_metrics.value.include_api, null)
          retention_policy_days = try(minute_metrics.value.retention, null)
        }
      }
      dynamic "hour_metrics" {
        for_each = try(queue_properties.value.hours, {})
        content {
          enabled               = try(hour_metrics.value.enabled, true)
          version               = try(hour_metrics.value.version, "1.0")
          include_apis          = try(hour_metrics.value.include_api, null)
          retention_policy_days = try(hour_metrics.value.retention, null)
        }
      }
    }
  }

  /*dynamic "stactic_website" {
    for_each = try(each.value.kind, "StorageV2") == "StorageV2" ? try(each.value.website, {}) : {}
    content {
      index_document     = try(stactic_website.value.index, null)
      error_404_document = try(stactic_website.value.error, null)
    }
  }*/

  network_rules {
    default_action             = try(each.value.network_rules.default, "Deny")
    bypass                     = try(each.value.network_rules.bypass, null) #Logging, Metrics, AzureServices, None
    ip_rules                   = try(each.value.network_rules.publicips, null)
    virtual_network_subnet_ids = try(each.value.network_rules.subnets, null)
    #virtual_network_subnet_ids = [ for subnet in try(each.value.network_rules.subnets, []) : data.azurerm_subnet.subnet[join("_", [subnet.name, subnet.vnet, subnet.resource_group])].id ]
  }
}

/*
locals {
  # flatten ensures that this local value is a flat list of objects, rather
  # than a list of lists of objects.
  subnets = flatten([
    for sa in var.sas : [
      for subnet in try(sa.network_rules.subnets, []) : {
        key                 = join("_", [subnet.name, subnet.vnet, subnet.resource_group])
        name                = subnet.name
        vnet                = subnet.vnet
        resource_group = subnet.resource_group
      }
    ]
  ])
}

data "azurerm_subnet" "subnet" {
  for_each = {for subnet in local.subnets: subnet.key => subnet...}

  name                 = each.value.subnet.name
  virtual_network_name = each.value.subnet.vnet
  resource_group_name  = each.value.sunnet.resource_group
}
*/

locals {
  # flatten ensures that this local value is a flat list of objects, rather
  # than a list of lists of objects.
  containers = flatten([
    for saname, sa in var.sas : [
      for container in try(sa.containers, []) : {
        name                 = container.name
        storage_account_name = saname
        container_access_type = try(container.access_type, null)
        metadata = try(container.metadata, null)
      }
    ]
  ])
}

resource "azurerm_storage_container" "azsc" {
  depends_on = [azurerm_storage_account.azsa]
  count = length(local.containers)

  name                  = local.containers[count.index].name
  storage_account_name  = local.containers[count.index].storage_account_name
  container_access_type = try(local.containers[count.index].container_access_type, "private")
  metadata              = try(local.containers[count.index].metadata, null)
}