As a cloud administrator, you can leverage the Microsoft Azure plug-in to create storage accounts using templates in VMware Aria Automation. You can attach the storage account to an Azure resource to ensure that your data objects are only accessible through the storage account.

You can easily configure your Azure storage accounts to support your infrastructure needs. For example, you can use encryption properties in your cloud templates to control access to the storage account.

Creating, updating, and deleting storage account resources is supported in VMware Aria Automation.

Storage account properties

The following properties are required to provision storage account resources.

| Property | Description |
| --- | --- |
| name | The plug-in specific name for the resource. You can use the same value for the account_name property. |
| account_name | The name for the storage account resource. |
| account | The Microsoft Azure cloud account for account regions to which your team deploys cloud templates. See Create a Microsoft Azure cloud account in VMware Aria Automation for more information. |
| location | The location where the storage account resource will be deployed. |
| sku_name | The SKU name for the storage account. |
| resource_group_name | The name of the resource group. You must create the resource group in your Azure portal. |

The following sections contain example templates for provisioning storage accounts. After you provision your storage account, you can provision data storage in your Azure portal.

Provision a basic storage account

The following template shows how you might provision a basic storage account.

formatVersion: 1
inputs: {}
resources:
  Idem_AZURE_STORAGE_RESOURCE_PROVIDER_STORAGE_ACCOUNTS_1:
    type: Idem.AZURE.STORAGE_RESOURCE_PROVIDER.STORAGE_ACCOUNTS
    properties:
      name: validate_azure_storageacct
      account: azure-account
      resource_group_name: validate_azure_rg
      location: eastus
      sku_name: Standard_LRS
      account_name: validateazurestorageacct
      tags:
        key: value
      allow_blob_public_access: true
      identity:
        type: SystemAssigned
      

Provision a storage account with a customer-managed key

The following template shows how you might provision a storage account with a customer-managed key.

Before you deploy the template, you must create a customer-managed key in your Azure portal. See Configure customer-managed keys in the same tenant for a new storage account in the Microsoft Azure documentation.

formatVersion: 1
inputs: {}
resources:
  Idem_AZURE_STORAGE_RESOURCE_PROVIDER_STORAGE_ACCOUNTS_1:
    type: Idem.AZURE.STORAGE_RESOURCE_PROVIDER.STORAGE_ACCOUNTS
    properties:
      name: validateazurestorageaccount
      account: azure-account
      location: eastus
      sku_name: Standard_LRS
      account_name: validateazurestorageaccount
      resource_group_name: validate_azure_rg
      identity:
        type: UserAssigned
        user_assigned_identities:
          /subscriptions/svpvln45-brk0-mzca-7yxh-dla7h19zxyn3/resourcegroups/azure-test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-idem-managed-identity: {}
      encryption_service:
        encryption_key_source: Microsoft.Keyvault
        blob_encryption_key_type: Account
        file_encryption_key_type: Account
      customer_managed_key:
        key_name: idem-key
        key_vault_uri: https://my-idem-key-vault.vault.azure.net
        key_version: ''
        user_assigned_identity_id: /subscriptions/svpvln45-brk0-mzca-7yxh-dla7h19zxyn3/resourcegroups/azure-test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-idem-managed-identity 

Provision a storage account with an immutability policy

The following template shows how you might provision a storage account with an immutability policy. You can use the immutability_policy property to define the account-level immutability policy for your objects.

formatVersion: 1
inputs: {}
resources:
  Idem_AZURE_STORAGE_RESOURCE_PROVIDER_STORAGE_ACCOUNTS_1:
    type: Idem.AZURE.STORAGE_RESOURCE_PROVIDER.STORAGE_ACCOUNTS
    properties:
      name: validateazurestorageaccount
      account: azure-account
      location: eastus
      sku_name: Standard_GRS
      account_name: validateazurestorageaccount
      resource_group_name: validate_azure_rg
      enable_https_traffic_only: false
      key_policy: 
        key_expiration_period_in_days: 25
      is_hns_enabled: false
      allow_blob_public_access: false
      min_tls_version: TLS1_2
      allow_shared_key_access: true
      public_network_access: Disabled
      encryption_service: 
        file_encryption_key_type: Account
        blob_encryption_key_type: Account
        encryption_key_source: Microsoft.Storage
      require_infrastructure_encryption: false
      immutability_policy: 
        allow_protected_append_writes: true
        period_since_creation_in_days: 5
        state: Unlocked
      tags: 
        abc: def
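
The following pre-deployment check is an added example, not part of the VMware documentation or the plug-in. It scans a cloud template for the access and transport properties used in the templates above and reports explicit values that widen the account's exposure; the rule set and the line-based matching are assumptions of this example.

```python
import re

# Explicit values that widen exposure, keyed by property names used in the
# templates on this page. The rule set is this example's assumption; absent
# properties are not judged because the plug-in's defaults are not stated here.
RULES = {
    "allow_blob_public_access": ({"true"}, "containers may be opened to anonymous reads"),
    "enable_https_traffic_only": ({"false"}, "plain HTTP requests are accepted"),
    "allow_shared_key_access": ({"true"}, "requests can be authorized with the account key"),
    "min_tls_version": ({"tls1_0", "tls1_1"}, "TLS versions below 1.2 are accepted"),
    "public_network_access": ({"enabled"}, "the public endpoint is reachable"),
}

# Matches an indented "key: scalar" line; enough for these flat properties, not a YAML parser.
SCALAR = re.compile(r"^\s+([a-z_]+):\s*([^\s#]+)\s*(?:#.*)?$")

def audit(template_text):
    """Return (line number, property, value, reason) for each risky setting."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), 1):
        match = SCALAR.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        risky_values, reason = RULES.get(key, (set(), ""))
        if value.lower() in risky_values:
            findings.append((lineno, key, value, reason))
    return findings

# Excerpts of the basic and immutability-policy templates shown above.
BASIC = """\
    properties:
      name: validate_azure_storageacct
      sku_name: Standard_LRS
      allow_blob_public_access: true
"""
IMMUTABLE = """\
    properties:
      enable_https_traffic_only: false
      allow_blob_public_access: false
      min_tls_version: TLS1_2
      allow_shared_key_access: true
      public_network_access: Disabled
"""

if __name__ == "__main__":
    for label, text in (("basic", BASIC), ("immutability", IMMUTABLE)):
        for lineno, key, value, reason in audit(text):
            print(f"{label}:{lineno}: {key}: {value} -> {reason}")
```

Run against the excerpts, it flags allow_blob_public_access in the basic template and enable_https_traffic_only and allow_shared_key_access in the immutability-policy template.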