Support SFTP on the Terraform resource azurerm_storage_account #14736

Closed
JamesDLD opened this issue Dec 27, 2021 · 17 comments

@JamesDLD

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

This concerns SSH File Transfer Protocol (SFTP) support for Azure Blob Storage.

New or Affected Resource(s)

  • azurerm_storage_account

Potential Terraform Configuration

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true
  is_sftp_enabled          = true

  tags = {
    environment = "staging"
  }
}

References

@JamesDLD JamesDLD changed the title Support for SFTP for the resource azurerm_storage_account Support SFTP on the Terraform resource azurerm_storage_account Dec 28, 2021

@bamarch

bamarch commented Jun 17, 2022

If you can't wait for this feature and need to add the flag via terraform then using the AzAPI Provider could be a good workaround option for you

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true

  tags = {
    environment = "staging"
  }
}

# Workaround until azurerm_storage_account supports isSftpEnabled property
# see https://github.com/hashicorp/terraform-provider-azurerm/issues/14736
resource "azapi_update_resource" "example_enable_sftp" {
  type        = "Microsoft.Storage/storageAccounts@2021-09-01"
  resource_id = azurerm_storage_account.example.id

  body = jsonencode({
    properties = {
      isSftpEnabled = true
    }
  })
}

@wvkranenburg

wvkranenburg commented Jul 22, 2022

To add to the answer of @bamarch, the following snippet can be used to add a local user for the SFTP (needs a blob-container with containername):

resource "azapi_resource" "example_local-user" {
  type      = "Microsoft.Storage/storageAccounts/localUsers@2021-09-01"
  parent_id = azurerm_storage_account.example.id
  name      = "username"

  body = jsonencode({
    properties = {
      hasSshPassword = true
      homeDirectory  = "containername/"
      hasSharedKey   = true
      hasSshKey      = false
      permissionScopes = [{
        permissions  = "cwl"
        service      = "blob"
        resourceName = "containername"
      }]
    }
  })

  depends_on = [
    azurerm_storage_account.example
  ]
}

However, for this particular use case I would like to also retrieve the SSH password with Terraform. For this, I think I need the regeneratePassword command. However, I do not know how to call this using terraform. Does anyone have an example for me?

@wvkranenburg

wvkranenburg commented Jul 25, 2022

To answer my own question. I solved retrieving the password with an external data provider:

# Regenerate password of username as it is the only way to set and retrieve password
data "external" "username_password" {
  program = [
    "/bin/bash", "${path.module}/external/StorageUserRegeneratePassword.sh"
  ]
  query = {
    rg       = azurerm_resource_group.rg-example.name
    sa_name  = azurerm_storage_account.sa-example.name
    username = azapi_resource.example_local-user.name
  }

  depends_on = [
    azapi_resource.example_local-user
  ]
}

where /external/StorageUserRegeneratePassword.sh (inspired by https://www.tech-notes.net/terraform-bash-script-external-data-source/) contains:

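#!/usr/bin/env bash
# Print an error message to stderr and abort.
function error_exit() {
  echo "$1" 1>&2
  exit 1
}

# Make sure the tools the script relies on are installed.
function check_deps() {
  jq_test=$(which jq)
  az_test=$(which az)
  if [[ -z $jq_test ]]; then error_exit "jq binary not found"; fi
  if [[ -z $az_test ]]; then error_exit "az binary not found"; fi
}

# Read the JSON query Terraform sends on stdin and regenerate the user's password.
function extract_data() {
  # @sh shell-quotes each value, so the eval only assigns the three variables.
  eval "$(jq -r '@sh "rg=\(.rg) sa_name=\(.sa_name) username=\(.username)"')"

  # Quote the variables so values with spaces or glob characters are passed intact.
  az storage account local-user regenerate-password --account-name "$sa_name" --name "$username" -g "$rg"
}

check_deps
extract_data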

@sponte
Contributor

sponte commented Sep 2, 2022

I managed to get the password generated entirely within terraform using the following azapi action:

resource "azapi_resource_action" "generate_sftp_user_password" {
  type        = "Microsoft.Storage/storageAccounts/localUsers@2022-05-01"
  resource_id = azapi_resource.sftp_user.id
  action      = "regeneratePassword"
  body = jsonencode({
    username = azapi_resource.sftp_user.name
  })

  response_export_values = ["sshPassword"]
}

The password is then stored in the .outputs of the resource

@RomainPhil

Any possibility to have the SFTP feature directly integrated into the azurerm provider, or must we rely on the azapi_update_resource trick?

@raswinraaj

Are there any plans to implement this feature in azurerm? I don't see any activity from their team on this issue.

@rigozalli

Is there any way to use SSHKeyPair instead of SSHPassword, or use both at the same time? I cannot seem to find anything about using a key pair through terraform for SFTP users, only through the portal, but that is not a good option.
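
The question above can be answered with the same `localUsers` API used earlier in the thread. As an added example (not from any commenter and not the provider's own code), the local user below authenticates with an SSH public key only; `var.sftp_public_key`, the resource label and the key description are assumptions, while `azurerm_storage_account.example`, `username` and `containername` are reused from the earlier snippets. Only the public key ends up in Terraform state, unlike the `sshPassword` returned by `regeneratePassword`.

```hcl
# Added example: key-only SFTP local user. Names marked "assumed" are hypothetical.

# Assumed input: the user's OpenSSH public key. The private key stays with the
# user and never enters Terraform configuration or state.
variable "sftp_public_key" {
  description = "OpenSSH public key of the SFTP user, e.g. the contents of id_ed25519.pub"
  type        = string
}

resource "azapi_resource" "example_local_user_key" { # assumed resource label
  type      = "Microsoft.Storage/storageAccounts/localUsers@2021-09-01"
  parent_id = azurerm_storage_account.example.id
  name      = "username"

  body = jsonencode({
    properties = {
      # Key-based login only: no SSH password and no shared-key access
      # is provisioned for this user.
      hasSshKey      = true
      hasSshPassword = false
      hasSharedKey   = false
      homeDirectory  = "containername/"

      # One entry per authorized public key.
      sshAuthorizedKeys = [{
        description = "example key" # assumed label
        key         = var.sftp_public_key
      }]

      # Same scope as the password-based snippet earlier in the thread.
      permissionScopes = [{
        permissions  = "cwl"
        service      = "blob"
        resourceName = "containername"
      }]
    }
  })
}
```

To allow both methods at the same time, keep `sshAuthorizedKeys` and set `hasSshPassword = true`; the password itself still has to be produced by a `regeneratePassword` call.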

@dimilider

Are there any plans to implement this feature in azurerm provider soon?

@Christophvh

Would love this feature. Even just to enable it, user setup would be great too, but that can be a separate issue. Just the option to enable it in terraform would help a lot.

@MATTHEWTAYLOR1995
Contributor

This feature would be so useful to have. Hopefully it's added soon

leesutcliffe added a commit to leesutcliffe/terraform-provider-azurerm that referenced this issue Nov 24, 2022
leesutcliffe pushed a commit to leesutcliffe/terraform-provider-azurerm that referenced this issue Nov 24, 2022
…m_security_center_server_vulnerability_assessment_virtual_machine` - adding pricing tier in test config

Relates-to: hashicorp#14736
@leesutcliffe
Contributor

Hey all, just added a PR to enable the service, may look to improving it in the future and add some more features as I'm likely going to need it.

leesutcliffe added a commit to leesutcliffe/terraform-provider-azurerm that referenced this issue Nov 28, 2022
stephybun pushed a commit that referenced this issue Nov 28, 2022
* adds sftp_enabled property to azurerm_storage_account

Relates-to: #14736

* resolves lint error

Relates-to: #14736

* resolves comments, bool in notes and error msg format

Relates-to: #14736
@stephybun stephybun added this to the v3.34.0 milestone Nov 28, 2022
@stephybun
Member

Closed by #19428

@github-actions

github-actions bot commented Dec 2, 2022

This functionality has been released in v3.34.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@raswinraaj

raswinraaj commented Dec 2, 2022

@leesutcliffe Will this also include adding local users? Or will that be a separate resource in a later release?
I meant this command - https://learn.microsoft.com/en-us/cli/azure/storage/account/local-user?view=azure-cli-latest#az-storage-account-local-user-create

@leesutcliffe
Contributor

@raswinraaj this issue is in relation to enabling the SFTP service only.
Any future enhancements will be made in subsequent provider releases

@github-actions

github-actions bot commented Jan 2, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 2, 2023