From 5c53e238c55142a0636422adc69a6fdaf4f6d366 Mon Sep 17 00:00:00 2001 From: Sebastian Schmeck Date: Wed, 5 Aug 2020 15:10:01 +0200 Subject: [PATCH] Add signed_version attribute --- .../data_source_storage_account_sas.go | 8 +- .../data_source_storage_account_sas_test.go | 2 + .../docs/d/storage_account_sas.html.markdown | 270 +++++++++--------- 3 files changed, 145 insertions(+), 135 deletions(-) diff --git a/azurerm/internal/services/storage/data_source_storage_account_sas.go b/azurerm/internal/services/storage/data_source_storage_account_sas.go index 53cd99b0d8d35..c6b07059a55f6 100644 --- a/azurerm/internal/services/storage/data_source_storage_account_sas.go +++ b/azurerm/internal/services/storage/data_source_storage_account_sas.go @@ -39,6 +39,12 @@ func dataSourceArmStorageAccountSharedAccessSignature() *schema.Resource { Default: true, }, + "signed_version": { + Type: schema.TypeString, + Optional: true, + Default: sasSignedVersion, + }, + "resource_types": { Type: schema.TypeList, Required: true, @@ -167,6 +173,7 @@ func dataSourceArmStorageAccountSharedAccessSignature() *schema.Resource { func dataSourceArmStorageAccountSasRead(d *schema.ResourceData, _ interface{}) error { connString := d.Get("connection_string").(string) httpsOnly := d.Get("https_only").(bool) + signedVersion := d.Get("signed_version").(string) resourceTypesIface := d.Get("resource_types").([]interface{}) servicesIface := d.Get("services").([]interface{}) start := d.Get("start").(string) @@ -194,7 +201,6 @@ func dataSourceArmStorageAccountSasRead(d *schema.ResourceData, _ interface{}) e signedProtocol = "https" } signedIp := "" - signedVersion := sasSignedVersion sasToken, err := storage.ComputeAccountSASToken(accountName, accountKey, permissions, services, resourceTypes, start, expiry, signedProtocol, signedIp, signedVersion) diff --git a/azurerm/internal/services/storage/tests/data_source_storage_account_sas_test.go b/azurerm/internal/services/storage/tests/data_source_storage_account_sas_test.go index 7791bf2906f4b..3600ee506e6b4 100644 --- a/azurerm/internal/services/storage/tests/data_source_storage_account_sas_test.go +++ b/azurerm/internal/services/storage/tests/data_source_storage_account_sas_test.go @@ -25,6 +25,7 @@ func TestAccDataSourceArmStorageAccountSas_basic(t *testing.T) { Config: testAccDataSourceAzureRMStorageAccountSas_basic(data, startDate, endDate), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(data.ResourceName, "https_only", "true"), + resource.TestCheckResourceAttr(data.ResourceName, "signed_version", "2019-10-10"), resource.TestCheckResourceAttr(data.ResourceName, "start", startDate), resource.TestCheckResourceAttr(data.ResourceName, "expiry", endDate), resource.TestCheckResourceAttrSet(data.ResourceName, "sas"), @@ -61,6 +62,7 @@ resource "azurerm_storage_account" "test" { data "azurerm_storage_account_sas" "test" { connection_string = azurerm_storage_account.test.primary_connection_string https_only = true + signed_version = "2019-10-10" resource_types { service = true diff --git a/website/docs/d/storage_account_sas.html.markdown b/website/docs/d/storage_account_sas.html.markdown index ee31dbb1d5c64..09cb3a7ede6e8 100644 --- a/website/docs/d/storage_account_sas.html.markdown +++ b/website/docs/d/storage_account_sas.html.markdown @@ -1,134 +1,136 @@ ---- -subcategory: "Storage" -layout: "azurerm" -page_title: "Azure Resource Manager: azurerm_storage_account_sas" -description: |- - Gets a Shared Access Signature (SAS Token) for an existing Storage Account. - ---- - -# Data Source: azurerm_storage_account_sas - -Use this data source to obtain a Shared Access Signature (SAS Token) for an existing Storage Account. - -Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account. - -Note that this is an [Account SAS](https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-an-account-sas) -and *not* a [Service SAS](https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-a-service-sas). - -## Example Usage - -```hcl -resource "azurerm_resource_group" "example" { - name = "resourceGroupName" - location = "westus" -} - -resource "azurerm_storage_account" "example" { - name = "storageaccountname" - resource_group_name = azurerm_resource_group.example.name - location = "westus" - account_tier = "Standard" - account_replication_type = "GRS" - - tags = { - environment = "staging" - } -} - -data "azurerm_storage_account_sas" "example" { - connection_string = azurerm_storage_account.example.primary_connection_string - https_only = true - - resource_types { - service = true - container = false - object = false - } - - services { - blob = true - queue = false - table = false - file = false - } - - start = "2018-03-21" - expiry = "2020-03-21" - - permissions { - read = true - write = true - delete = false - list = false - add = true - create = true - update = false - process = false - } -} - -output "sas_url_query_string" { - value = data.azurerm_storage_account_sas.example.sas -} -``` - -## Argument Reference - -* `connection_string` - The connection string for the storage account to which this SAS applies. Typically directly from the `primary_connection_string` attribute of a terraform created `azurerm_storage_account` resource. -* `https_only` - (Optional) Only permit `https` access. If `false`, both `http` and `https` are permitted. Defaults to `true`. -* `resource_types` - A `resource_types` block as defined below. -* `services` - A `services` block as defined below. -* `start` - The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string. -* `expiry` - The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string. -* `permissions` - A `permissions` block as defined below. - ---- - -`resource_types` is a set of `true`/`false` flags which define the storage account resource types that are granted -access by this SAS. This can be thought of as the scope over which the permissions apply. A `service` will have -larger scope (affecting all sub-resources) than `object`. - -A `resource_types` block contains: - -* `service` - Should permission be granted to the entire service? -* `container` - Should permission be granted to the container? -* `object` - Should permission be granted only to a specific object? - ---- - -`services` is a set of `true`/`false` flags which define the storage account services that are granted access by this SAS. - -A `services` block contains: - -* `blob` - Should permission be granted to `blob` services within this storage account? -* `queue` - Should permission be granted to `queue` services within this storage account? -* `table` - Should permission be granted to `table` services within this storage account? -* `file` - Should permission be granted to `file` services within this storage account? - ---- - -A `permissions` block contains: - - -* `read` - Should Read permissions be enabled for this SAS? -* `write` - Should Write permissions be enabled for this SAS? -* `delete` - Should Delete permissions be enabled for this SAS? -* `list` - Should List permissions be enabled for this SAS? -* `add` - Should Add permissions be enabled for this SAS? -* `create` - Should Create permissions be enabled for this SAS? -* `update` - Should Update permissions be enabled for this SAS? -* `process` - Should Process permissions be enabled for this SAS? - -Refer to the [SAS creation reference from Azure](https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-an-account-sas) -for additional details on the fields above. - -## Attributes Reference - -* `sas` - The computed Account Shared Access Signature (SAS). - -## Timeouts - -The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: - -* `read` - (Defaults to 5 minutes) Used when retrieving the SAS Token. +--- +subcategory: "Storage" +layout: "azurerm" +page_title: "Azure Resource Manager: azurerm_storage_account_sas" +description: |- + Gets a Shared Access Signature (SAS Token) for an existing Storage Account. + +--- + +# Data Source: azurerm_storage_account_sas + +Use this data source to obtain a Shared Access Signature (SAS Token) for an existing Storage Account. + +Shared access signatures allow fine-grained, ephemeral access control to various aspects of an Azure Storage Account. + +Note that this is an [Account SAS](https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-an-account-sas) +and *not* a [Service SAS](https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-a-service-sas). + +## Example Usage + +```hcl +resource "azurerm_resource_group" "example" { + name = "resourceGroupName" + location = "westus" +} + +resource "azurerm_storage_account" "example" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + location = "westus" + account_tier = "Standard" + account_replication_type = "GRS" + + tags = { + environment = "staging" + } +} + +data "azurerm_storage_account_sas" "example" { + connection_string = azurerm_storage_account.example.primary_connection_string + https_only = true + signed_version = "2017-07-29" + + resource_types { + service = true + container = false + object = false + } + + services { + blob = true + queue = false + table = false + file = false + } + + start = "2018-03-21" + expiry = "2020-03-21" + + permissions { + read = true + write = true + delete = false + list = false + add = true + create = true + update = false + process = false + } +} + +output "sas_url_query_string" { + value = data.azurerm_storage_account_sas.example.sas +} +``` + +## Argument Reference + +* `connection_string` - The connection string for the storage account to which this SAS applies. Typically directly from the `primary_connection_string` attribute of a terraform created `azurerm_storage_account` resource. +* `https_only` - (Optional) Only permit `https` access. If `false`, both `http` and `https` are permitted. Defaults to `true`. +* `signed_version` - (Optional) Specifies the signed storage service version to use to authorize requests made with this account SAS. Defaults to `2017-07-29`. +* `resource_types` - A `resource_types` block as defined below. +* `services` - A `services` block as defined below. +* `start` - The starting time and date of validity of this SAS. Must be a valid ISO-8601 format time/date string. +* `expiry` - The expiration time and date of this SAS. Must be a valid ISO-8601 format time/date string. +* `permissions` - A `permissions` block as defined below. + +--- + +`resource_types` is a set of `true`/`false` flags which define the storage account resource types that are granted +access by this SAS. This can be thought of as the scope over which the permissions apply. A `service` will have +larger scope (affecting all sub-resources) than `object`. + +A `resource_types` block contains: + +* `service` - Should permission be granted to the entire service? +* `container` - Should permission be granted to the container? +* `object` - Should permission be granted only to a specific object? + +--- + +`services` is a set of `true`/`false` flags which define the storage account services that are granted access by this SAS. + +A `services` block contains: + +* `blob` - Should permission be granted to `blob` services within this storage account? +* `queue` - Should permission be granted to `queue` services within this storage account? +* `table` - Should permission be granted to `table` services within this storage account? +* `file` - Should permission be granted to `file` services within this storage account? + +--- + +A `permissions` block contains: + + +* `read` - Should Read permissions be enabled for this SAS? +* `write` - Should Write permissions be enabled for this SAS? +* `delete` - Should Delete permissions be enabled for this SAS? +* `list` - Should List permissions be enabled for this SAS? +* `add` - Should Add permissions be enabled for this SAS? +* `create` - Should Create permissions be enabled for this SAS? +* `update` - Should Update permissions be enabled for this SAS? +* `process` - Should Process permissions be enabled for this SAS? + +Refer to the [SAS creation reference from Azure](https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-an-account-sas) +for additional details on the fields above. + +## Attributes Reference + +* `sas` - The computed Account Shared Access Signature (SAS). + +## Timeouts + +The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/docs/configuration/resources.html#timeouts) for certain actions: + +* `read` - (Defaults to 5 minutes) Used when retrieving the SAS Token.