azure.azcollection.azure_rm_storageaccountmanagementpolicy module – Manage storage account management policies

Note

This module is part of the azure.azcollection collection (version 3.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install azure.azcollection. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: azure.azcollection.azure_rm_storageaccountmanagementpolicy.

New in azure.azcollection 2.4.0

Synopsis

  • Create, update or delete storage account management policies.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.7

  • The host that executes this module must have the azure.azcollection collection installed via galaxy

  • All python packages listed in collection’s requirements.txt must be installed via pip on the host that executes modules from azure.azcollection

  • Full installation instructions may be found https://galaxy.ansible.com/azure/azcollection

Parameters

Parameter

Comments

ad_user

string

Active Directory username. Use when authenticating with an Active Directory user rather than service principal.

adfs_authority_url

string

added in azure.azcollection 0.0.1

Azure AD authority url. Use when authenticating with Username/password, and has your own ADFS authority.

api_profile

string

added in azure.azcollection 0.0.1

Selects an API profile to use when communicating with Azure services. Default value of latest is appropriate for public clouds; future values will allow use with Azure Stack.

Default: "latest"

auth_source

string

added in azure.azcollection 0.0.1

Controls the source of the credentials to use for authentication.

Can also be set via the ANSIBLE_AZURE_AUTH_SOURCE environment variable.

When set to auto (the default) the precedence is module parameters -> env -> credential_file -> cli.

When set to env, the credentials will be read from the environment variables

When set to credential_file, it will read the profile from ~/.azure/credentials.

When set to cli, the credentials will be sources from the Azure CLI profile. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to identify the subscription ID if more than one is present otherwise the default az cli subscription is used.

When set to msi, the host machine must be an azure resource with an enabled MSI extension. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to identify the subscription ID if the resource is granted access to more than one subscription, otherwise the first subscription is chosen.

The msi was added in Ansible 2.6.

Choices:

  • "auto" ← (default)

  • "cli"

  • "credential_file"

  • "env"

  • "msi"

cert_validation_mode

string

added in azure.azcollection 0.0.1

Controls the certificate validation behavior for Azure endpoints. By default, all modules will validate the server certificate, but when an HTTPS proxy is in use, or against Azure Stack, it may be necessary to disable this behavior by passing ignore. Can also be set via credential file profile or the AZURE_CERT_VALIDATION environment variable.

Choices:

  • "ignore"

  • "validate"

client_id

string

Azure client ID. Use when authenticating with a Service Principal or Managed Identity (msi).

Can also be set via the AZURE_CLIENT_ID environment variable.

cloud_environment

string

added in azure.azcollection 0.0.1

For cloud environments other than the US public cloud, the environment name (as defined by Azure Python SDK, eg, AzureChinaCloud, AzureUSGovernment), or a metadata discovery endpoint URL (required for Azure Stack). Can also be set via credential file profile or the AZURE_CLOUD_ENVIRONMENT environment variable.

Default: "AzureCloud"

disable_instance_discovery

boolean

added in azure.azcollection 2.3.0

Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to **True**, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

Set via credential file profile or the AZURE_DISABLE_INSTANCE_DISCOVERY environment variable.

Choices:

  • false ← (default)

  • true

log_mode

string

Parent argument.

log_path

string

Parent argument.

password

string

Active Directory user password. Use when authenticating with an Active Directory user rather than service principal.

profile

string

Security profile found in ~/.azure/credentials file.

resource_group

aliases: resource_group_name

string / required

Name of the resource group to use.

rules

list / elements=dictionary

The Storage Account ManagementPolicies Rules.

definition

dictionary / required

Whether to enabled the rule

actions

dictionary / required

An object that defines the action set.

base_blob

dictionary

The management policy action for base blob.

delete

dictionary

The function to delete the blob.

days_after_last_access_time_greater_than

float

This property can only be used in conjunction with last access time tracking policy.

days_after_modification_greater_than

float

Value indicating the age in days after last modification.

enable_auto_tier_to_hot_from_cool

boolean

This property enables auto tiering of a blob from cool to hot on a blob access.

Choices:

  • false

  • true

tier_to_archive

dictionary

The function to tier blobs to archive storage.

Support blobs currently at Hot or Cool tier.

days_after_last_access_time_greater_than

float

This property can only be used in conjunction with last access time tracking policy.

days_after_modification_greater_than

float

Value indicating the age in days after last modification.

tier_to_cool

dictionary

The function to tier blobs to cool storage.

Support blobs currently at Hot tier.

days_after_last_access_time_greater_than

float

This property can only be used in conjunction with last access time tracking policy.

days_after_modification_greater_than

float

Value indicating the age in days after last modification.

snapshot

dictionary

The management policy action for snapshot.

delete

dictionary

The function to delete the blob snapshot.

days_after_creation_greater_than

float / required

Value indicating the age in days after creation.

tier_to_archive

dictionary

The function to tier blob snapshot to archive storage.

Support blob snapshot currently at Hot or Cool tier.

days_after_creation_greater_than

float / required

Value indicating the age in days after creation.

tier_to_cool

dictionary

The function to tier blob snapshot to cool storage.

Support blob snapshot at Hot tier.

days_after_creation_greater_than

float / required

Value indicating the age in days after creation.

version

dictionary

The management policy action for version.

delete

dictionary

The function to delete the blob version.

days_after_creation_greater_than

float / required

Value indicating the age in days after creation.

tier_to_archive

dictionary

The function to tier blob version to archive storage.

Support blob version currently at Hot or Cool tier.

days_after_creation_greater_than

float / required

Value indicating the age in days after creation.

tier_to_cool

dictionary

The function to tier blob version to cool storage.

Support blob version currently at Hot tier.

days_after_creation_greater_than

float / required

Value indicating the age in days after creation.

filters

dictionary

An object that defines the filter set.

blob_index_match

list / elements=dictionary

An array of blob index tag based filters, there can be at most 10 tag filters.

name

string / required

This is the filter tag name, it can have 1 - 128 characters.

op

string / required

This is the comparison operator which is used for object comparison and filtering.

Only == (equality operator) is currently supported.

value

string / required

This is the filter tag value field used for tag based filtering.

It can have 0-256 characters.

blob_types

list / elements=string / required

An array of predefined enum values.

Currently blockBlob supports all tiering and delete actions. Only delete actions are supported for appendBlob.

Choices:

  • "blockBlob"

  • "appendBlob"

prefix_match

list / elements=string

An array of strings for prefixes to be match.

enabled

boolean

Whether to enabled the rule

Choices:

  • false

  • true

name

string / required

The name of the policy rule.

A rule name can contain any combination of alpha numeric characters.

type

string / required

The type of the policy rule.

Choices:

  • "Lifecycle"

secret

string

Azure client secret. Use when authenticating with a Service Principal.

state

string

State of the storage account managed policy. Use present add or update the policy rule.

Use absent to delete all policy rules.

Choices:

  • "absent"

  • "present" ← (default)

storage_account_name

string / required

Name of the storage account.

subscription_id

string

Your Azure subscription Id.

tenant

string

Azure tenant ID. Use when authenticating with a Service Principal.

thumbprint

string

added in azure.azcollection 1.14.0

The thumbprint of the private key specified in x509_certificate_path.

Use when authenticating with a Service Principal.

Required if x509_certificate_path is defined.

x509_certificate_path

path

added in azure.azcollection 1.14.0

Path to the X509 certificate used to create the service principal in PEM format.

The certificate must be appended to the private key.

Use when authenticating with a Service Principal.

Notes

Note

  • For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login.

  • Authentication is also possible using a service principal or Active Directory user.

  • To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.

  • To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.

  • Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.

See Also

See also

Sign in with Azure CLI

How to authenticate using the az login command.

Examples

- name: Create storage account management policy with multi parameters
  azure_rm_storageaccountmanagementpolicy:
    resource_group: testRG
    storage_account_name: testaccount
    rules:
      - name: olcmtest5
        type: Lifecycle
        enabled: false
        definition:
          actions:
            base_blob:
              enable_auto_tier_to_hot_from_cool: true
              delete:
                days_after_modification_greater_than: 33
                days_after_last_access_time_greater_than: 33
              tier_to_cool:
                days_after_modification_greater_than: 33
                days_after_last_access_time_greater_than: 33
              tier_to_archive:
                days_after_modification_greater_than: 33
                days_after_last_access_time_greater_than: 33
            snapshot:
              tier_to_cool:
                days_after_creation_greater_than: 33
              tier_to_archive:
                days_after_creation_greater_than: 33
              delete:
                days_after_creation_greater_than: 33
            version:
              tier_to_archive:
                days_after_creation_greater_than: 33
              tier_to_cool:
                days_after_creation_greater_than: 33
              delete:
                days_after_creation_greater_than: 33
          filters:
            prefix_match:
              - olcmtestcontainer2
            blob_types:
              - blockBlob
              - appendBlob
            blob_index_match:
              - name: tags3
                op: '=='
                value: value3

- name: Delete management policy rules
  azure_rm_storageaccountmanagementpolicy:
    resource_group: "{{ resource_group }}"
    storage_account_name: "st{{ rpfx }}"
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

state

complex

The data policy rules associated with the specified storage account.

Returned: always

id

string

The data policy’s ID.

Returned: always

Sample: "/subscriptions/xxx-xxx/resourceGroups/testRG/providers/Microsoft.Storage/storageAccounts/sttest/managementPolicies/default"

last_modified_time

string

Returns the date and time the ManagementPolicies was last modified.

Returned: always

Sample: "2024-04-12T11:40:10.376465+00:00"

name

string

The name of the resource.

Returned: always

Sample: "DefaultManagementPolicy"

policy

complex

The Storage Account ManagementPolicy.

Returned: always

rules

list / elements=string

The Storage Account ManagementPolicies Rules.

Returned: always

Sample: [{"definition": {"actions": {"base_blob": {"delete": {"days_after_last_access_time_greater_than": 33.0, "days_after_modification_greater_than": 33.0}, "enable_auto_tier_to_hot_from_cool": true, "tier_to_archive": {"days_after_last_access_time_greater_than": 33.0, "days_after_modification_greater_than": 33.0}, "tier_to_cool": {"days_after_last_access_time_greater_than": 33.0, "days_after_modification_greater_than": 33.0}}, "snapshot": {"delete": {"days_after_creation_greater_than": 33.0}, "tier_to_archive": {"days_after_creation_greater_than": 33.0}, "tier_to_cool": {"days_after_creation_greater_than": 33.0}}, "version": {"delete": {"days_after_creation_greater_than": 33.0}, "tier_to_archive": {"days_after_creation_greater_than": 33.0}, "tier_to_cool": {"days_after_creation_greater_than": 33.0}}}, "filters": {"blob_index_match": [{"name": "tags3", "op": "==", "value": "value3"}], "blob_types": ["blockBlob", "appendBlob"], "prefix_match": ["olcmtestcontainer2"]}}, "enabled": false, "name": "olcmtest5", "type": "Lifecycle"}]

resource_group

string

The resource group name.

Returned: always

Sample: "testRG"

storage_account_name

string

The storage account name.

Returned: always

Sample: "teststname"

type

string

The type of the resource.

Returned: always

Sample: "Microsoft.Storage/storageAccounts/managementPolicies"

Authors

  • xuzhang3 (@xuzhang3)

  • Fred-sun (@Fred-sun)