azure.azcollection.azure_rm_storageaccount module – Manage Azure storage accounts
Note
This module is part of the azure.azcollection collection (version 2.7.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install azure.azcollection
You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: azure.azcollection.azure_rm_storageaccount
New in azure.azcollection 0.1.0
Synopsis
Create, update or delete a storage account.
Requirements
The below requirements are needed on the host that executes this module.
python >= 2.7
The host that executes this module must have the azure.azcollection collection installed via galaxy
All python packages listed in collection’s requirements.txt must be installed via pip on the host that executes modules from azure.azcollection
Full installation instructions may be found at https://galaxy.ansible.com/azure/azcollection
Parameters
- The access tier for this storage account. Required when kind=BlobStorage. Choices:
- Type of storage account. Required when creating a storage account. Other account types cannot be changed to Choices:
- Active Directory username. Use when authenticating with an Active Directory user rather than a service principal.
- Azure AD authority URL. Use when authenticating with username/password and you have your own ADFS authority.
- Allows blob containers in the account to be set for anonymous public access. If set to false, no containers in this account will be able to allow anonymous public access. If omitted, new account creation will default to null, which is currently interpreted as True. Existing accounts will not be modified. Choices:
- Allow or disallow cross AAD tenant object replication. Choices:
- Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true. Choices:
- Selects an API profile to use when communicating with Azure services. Default value of Default:
- Use to control whether the tags field is canonical or just appends to existing tags. When canonical, any tags not found in the tags parameter will be removed from the object’s metadata. Choices:
- Controls the source of the credentials to use for authentication. Can also be set via the Choices:
- Specifies CORS rules for the Blob service. You can include up to five CorsRule elements in the request. If no blob_cors elements are included in the argument list, nothing about CORS will be changed. If you want to delete all CORS rules and disable CORS for the Blob service, explicitly set blob_cors=[].
  - A list of headers allowed to be part of the cross-origin request.
  - A list of HTTP methods that are allowed to be executed by the origin.
  - A list of origin domains that will be allowed via CORS, or “*” to allow all domains.
  - A list of response headers to expose to CORS clients.
  - The number of seconds that the client/browser should cache a preflight response.
- Controls the certificate validation behavior for Azure endpoints. By default, all modules will validate the server certificate, but when an HTTPS proxy is in use, or against Azure Stack, it may be necessary to disable this behavior by passing Choices:
- Azure client ID. Use when authenticating with a Service Principal or Managed Identity (msi). Can also be set via the
- For cloud environments other than the US public cloud, the environment name (as defined by the Azure Python SDK, eg, Default:
- User domain assigned to the storage account. Must be a dictionary with name and use_sub_domain keys, where name is the CNAME source. Only one custom domain is supported per storage account at this time. To clear the existing custom domain, use an empty string for the custom domain name property. Can be added to an existing storage account. Will be ignored during storage account creation.
- A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property. Choices:
- Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to **True**, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Set via credential file profile or the Choices:
- NFS 3.0 protocol. Choices:
- The encryption settings on the storage account.
  - The encryption keySource (provider). Choices:
  - A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. Choices:
  - List of services which support encryption.
    - The encryption function of the blob storage service. Whether to encrypt the blob type. Choices:
    - The encryption function of the file storage service. Whether to encrypt the file type. Choices:
    - The encryption function of the queue storage service. Whether to encrypt the queue type. Choices:
    - The encryption function of the table storage service. Whether to encrypt the table type. Choices:
- Attempt deletion if the resource already exists and cannot be updated. Choices:
- Allows https traffic only to the storage service when set to If omitted, new account creation will default to True, while existing accounts will not be changed. Choices:
- Identity for this resource.
  - Type of the managed identity. Choices:
  - User Assigned Managed Identity associated to this resource.
- Account HierarchicalNamespace enabled if set to true. When is_hns_enabled=True, kind cannot be Choices:
- The kind of storage. The Choices:
- Allow large file shares if set to Enabled. Choices:
- Valid Azure location. Defaults to the location of the resource group.
- Parent argument.
- Parent argument.
- The minimum required version of Transport Layer Security (TLS) for requests to a storage account. If omitted, new account creation will default to null, which is currently interpreted as TLS1_0. Existing accounts will not be modified. Choices:
- Name of the storage account to update or create.
- Manages the Firewall and virtual networks settings of the storage account.
  - When default_action=Deny this controls which Azure components can still reach the Storage Account. The list is comma separated. It can be any combination of the example If no Azure components are allowed, explicitly set bypass="". Default:
  - Default firewall traffic rule. If default_action=Allow, no other settings have effect. Choices:
  - A list of IP addresses or ranges in CIDR format.
    - The only logical value is action=Allow, because this setting is only accessible when default_action=Deny. Default:
    - The IP address or range.
  - A list of subnets and their actions.
    - The only logical value is action=Allow, because this setting is only accessible when default_action=Deny. Default:
    - The complete path to the subnet.
- Active Directory user password. Use when authenticating with an Active Directory user rather than a service principal.
- Security profile found in the ~/.azure/credentials file.
- Allow or disallow public network access to the Storage Account. Choices:
- Name of the resource group to use.
- Azure client secret. Use when authenticating with a Service Principal.
- State of the storage account. Use Choices:
- Manage static website configuration for the storage account.
  - Indicates whether this account is hosting a static website. Choices:
  - The absolute path of the custom 404 page.
  - The default name of the index page under each directory.
- Your Azure subscription Id.
- Dictionary of string:string pairs to assign as metadata to the object. Metadata tags on the object will be updated with any provided values. To remove tags, set the append_tags option to false. Currently, Azure DNS zones and Traffic Manager services also don’t allow the use of spaces in the tag. Azure Front Door doesn’t support the use of Azure Automation and Azure CDN only support 15 tags on resources.
- Azure tenant ID. Use when authenticating with a Service Principal.
- The thumbprint of the private key specified in x509_certificate_path. Use when authenticating with a Service Principal. Required if x509_certificate_path is defined.
- Path to the X509 certificate used to create the service principal, in PEM format. The certificate must be appended to the private key. Use when authenticating with a Service Principal.
Notes
Note
For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login. Authentication is also possible using a service principal or Active Directory user.
To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.
To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.
Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.
See Also
- Sign in with Azure CLI: how to authenticate using the az login command.
Examples
```yaml
- name: remove account, if it exists
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    state: absent

- name: create an account
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    tags:
      testing: testing
      delete: on-exit

- name: Create an account with kind of FileStorage
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: c1h0002
    type: Premium_LRS
    kind: FileStorage
    tags:
      testing: testing

- name: Create storage account with I(enable_nfs_v3=false)
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: c1h0002
    account_type: Premium_LRS
    kind: FileStorage
    enable_nfs_v3: false
    static_website:
      enabled: true

- name: configure firewall and virtual networks
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    type: Standard_RAGRS
    network_acls:
      bypass: AzureServices,Metrics
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet
          action: Allow
      ip_rules:
        - value: 1.2.3.4
          action: Allow
        - value: 123.234.123.0/24
          action: Allow

- name: create an account with blob CORS
  azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh002
    type: Standard_RAGRS
    blob_cors:
      - allowed_origins:
          - http://www.example.com/
        allowed_methods:
          - GET
          - POST
        allowed_headers:
          - x-ms-meta-data*
          - x-ms-meta-target*
          - x-ms-meta-abc
        exposed_headers:
          - x-ms-meta-*
        max_age_in_seconds: 200
```
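The parameter descriptions above note that several security settings default to their weakest value when omitted (anonymous blob access interpreted as True, minimum TLS version interpreted as TLS1_0, Shared Key authorization allowed). The following tasks are an added example, not part of the collection's documentation, that sets those options explicitly and then verifies the returned state. It assumes the parameter names https_only, minimum_tls_version, allow_blob_public_access, allow_shared_key_access, public_network_access and network_acls, and that the module returns the account under result.state with matching keys; the IP range is a constructed sample.

```yaml
# Added example (not from the collection's own docs). Assumed parameter and
# return-key names are listed in the lead-in; adjust them to your version.
- name: Create a storage account with hardened settings
  azure.azcollection.azure_rm_storageaccount:
    resource_group: myResourceGroup
    name: clh0002
    account_type: Standard_LRS
    kind: StorageV2
    https_only: true                 # reject plain-HTTP requests
    minimum_tls_version: TLS1_2      # omitted would leave TLS1_0 on a new account
    allow_blob_public_access: false  # no anonymous container/blob access
    allow_shared_key_access: false   # account key and SAS auth off; Azure AD only
    public_network_access: Enabled   # reachable, but only through the firewall rules
    network_acls:
      default_action: Deny           # closed unless explicitly listed below
      bypass: AzureServices
      ip_rules:
        - value: 203.0.113.0/24      # constructed sample range, replace with yours
          action: Allow
  register: sa

- name: Fail the play if any hardening setting did not apply
  ansible.builtin.assert:
    that:
      - sa.state.https_only | bool
      - sa.state.minimum_tls_version == 'TLS1_2'
      - not (sa.state.allow_blob_public_access | bool)
      - not (sa.state.allow_shared_key_access | bool)
      - sa.state.network_acls.default_action == 'Deny'
    fail_msg: "storage account {{ sa.state.name }} is not hardened as intended"
```

Because the module leaves existing accounts unmodified when these options are omitted, run the same task against accounts that already exist to bring them to the intended state rather than relying on creation-time defaults.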
Return Values
Common return values are documented here, the following are the fields unique to this module:
- Current state of the storage account. Returned: always
  - Type of storage account. Returned: always Sample:
  - Public access to all blobs or containers in the storage account allowed or disallowed. Returned: always Sample:
  - Allow or disallow cross AAD tenant object replication. Returned: always Sample:
  - Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. Returned: always Sample:
  - User domain assigned to the storage account. Returned: always
    - CNAME source. Returned: always Sample:
    - Whether to use sub domain. Returned: always Sample:
  - A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property. Returned: always Sample:
  - NFS 3.0 protocol. Returned: always Sample:
  - The encryption settings on the storage account. Returned: always
    - The encryption keySource (provider). Returned: always Sample:
    - A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. Returned: always Sample:
    - List of services which support encryption. Returned: always
      - The encryption function of the blob storage service. Returned: always Sample:
      - The encryption function of the file storage service. Returned: always Sample:
      - The encryption function of the queue storage service. Returned: always Sample:
      - The encryption function of the table storage service. Returned: always Sample:
  - Status indicating the storage account is currently failing over to its secondary location. Returned: always Sample:
  - Allows https traffic only to the storage service when set to Returned: always Sample:
  - Resource ID. Returned: always Sample:
  - Account HierarchicalNamespace enabled if set to true. Returned: always Sample:
  - Allow large file shares if set to Enabled. Returned: always Sample:
  - Valid Azure location. Defaults to the location of the resource group. Returned: always Sample:
  - The minimum TLS version permitted on requests to storage. Returned: always Sample:
  - Name of the storage account to update or create. Returned: always Sample:
  - A set of firewall and virtual network rules. Returned: always Sample:
  - The URLs to retrieve the public blob, queue, or table object from the primary location. Returned: always Sample:
  - The location of the primary data center for the storage account. Returned: always Sample:
  - The status of the storage account. Possible values include Returned: always Sample:
  - Public network access to the Storage Account allowed or disallowed. Returned: always Sample:
  - The resource group’s name. Returned: always Sample:
  - The URLs to retrieve the public blob, queue, or table object from the secondary location. Returned: always Sample:
  - The location of the geo-replicated secondary for the storage account. Returned: always Sample:
  - Static website configuration for the storage account. Returned: always
    - Whether this account is hosting a static website. Returned: always Sample:
    - The absolute path of the custom 404 page. Returned: always Sample:
    - The default name of the index page under each directory. Returned: always Sample:
  - The status of the primary location of the storage account; either Returned: always Sample:
  - The status of the secondary location of the storage account; either Returned: always Sample:
  - Resource tags. Returned: always Sample:
  - The storage account type. Returned: always Sample: