terraform-provider-azurerm
Support SFTP on the Terraform resource azurerm_storage_account
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
This concerns SSH File Transfer Protocol (SFTP) support for Azure Blob Storage.
New or Affected Resource(s)
- azurerm_storage_account
Potential Terraform Configuration
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true
  is_sftp_enabled          = true

  tags = {
    environment = "staging"
  }
}
References
Hi guys! Could you tell if there are any updates on this issue? Really very necessary and usable thing
If you can't wait for this feature and need to add the flag via Terraform, then using the AzAPI Provider could be a good workaround option for you:
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true
  is_sftp_enabled          = true

  tags = {
    environment = "staging"
  }
}

# Workaround until azurerm_storage_account supports isSftpEnabled property
# see https://github.com/hashicorp/terraform-provider-azurerm/issues/14736
resource "azapi_update_resource" "example_enable_sftp" {
  type        = "Microsoft.Storage/storageAccounts@2021-09-01"
  resource_id = azurerm_storage_account.example.id

  body = jsonencode({
    properties = {
      isSftpEnabled = true
    }
  })
}
To add to the answer of @bamarch, the following snippet can be used to add a local user for the SFTP (needs a blob-container with containername):
resource "azapi_resource" "example_local-user" {
  type      = "Microsoft.Storage/storageAccounts/localUsers@2021-09-01"
  parent_id = azurerm_storage_account.example.id
  name      = "username"

  body = jsonencode({
    properties = {
      hasSshPassword = true,
      homeDirectory  = "containername/"
      hasSharedKey   = true,
      hasSshKey      = false,
      permissionScopes = [{
        permissions  = "cwl",
        service      = "blob",
        resourceName = "containername"
      }]
    }
  })

  depends_on = [
    azurerm_storage_account.example
  ]
}
However, for this particular use case I would like to also retrieve the SSH password with Terraform. For this, I think I need the regeneratePassword command. However, I do not know how to call this using terraform. Does anyone have an example for me?
To answer my own question. I solved retrieving the password with an external data provider:
# Regenerate password of username as it is the only way to set and retrieve password
data "external" "username_password" {
  program = [
    "/bin/bash", "${path.module}/external/StorageUserRegeneratePassword.sh"
  ]

  # Passed to the script as a JSON object on stdin
  query = {
    rg       = azurerm_resource_group.rg-example.name,
    sa_name  = azurerm_storage_account.sa-example.name
    username = azapi_resource.example_local-user.name
  }

  depends_on = [
    azapi_resource.example_local-user
  ]
}
where /external/StorageUserRegeneratePassword.sh (inspired by https://www.tech-notes.net/terraform-bash-script-external-data-source/) contains:
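#!/usr/bin/env bash

# Print a message to stderr and abort; Terraform reports stderr on failure.
function error_exit() {
  echo "$1" 1>&2
  exit 1
}

# Both jq (to parse the query) and az (to call Azure) must be on PATH.
function check_deps() {
  jq_test=$(which jq)
  az_test=$(which az)
  if [[ -z $jq_test ]]; then error_exit "jq binary not found"; fi
  if [[ -z $az_test ]]; then error_exit "az binary not found"; fi
}

# Read the query JSON from stdin into shell variables (jq's @sh quotes each
# value for eval), then regenerate the password; stdout goes back to Terraform.
function extract_data() {
  eval "$(jq -r '@sh "rg=\(.rg) sa_name=\(.sa_name) username=\(.username)"')"
  az storage account local-user regenerate-password --account-name "$sa_name" --name "$username" -g "$rg"
}

check_deps
extract_data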
I managed to get password generated entirely within terraform using following azapi action:
resource "azapi_resource_action" "generate_sftp_user_password" {
  type        = "Microsoft.Storage/storageAccounts/localUsers@2022-05-01"
  resource_id = azapi_resource.sftp_user.id
  action      = "regeneratePassword"

  body = jsonencode({
    username = azapi_resource.sftp_user.name
  })

  response_export_values = ["sshPassword"]
}
The password is then stored in the .outputs of the resource.
Any possibility to have the SFTP feature directly integrated into the azurerm provider, or must we rely on the azapi_update_resource trick?
Are there any plans to implement this feature in azurerm? I don't see any activity from their team on this issue?
Is there any way to use SSHKeyPair instead of SSHPassword, or use both at the same time, as I cannot seem to find anything about using a keypair through Terraform for SFTP users, only through the portal, but that is not a good option.
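Added example, not part of the thread and not the provider's own code: the local user from the earlier comment switched to public-key authentication through the `sshAuthorizedKeys` property of the same `localUsers` API, written in the azapi `jsonencode` syntax the thread uses. Only the public key is passed in, so no SFTP secret lands in Terraform state; `var.sftp_public_key` and the label `sftp_user_key_only` are assumed names.

```hcl
# Assumed input: one OpenSSH public key line. The matching private key is
# generated and kept outside Terraform, so it never appears in state or plans.
variable "sftp_public_key" {
  description = "OpenSSH public key of the SFTP local user"
  type        = string

  validation {
    # Rejects private-key material and multi-line input pasted by mistake.
    condition     = can(regex("^(ssh|ecdsa)-[a-z0-9-]+ [A-Za-z0-9+/=]+( [^\\n]*)?$", trimspace(var.sftp_public_key)))
    error_message = "Expected a single OpenSSH public key line (type, base64 data, optional comment)."
  }
}

resource "azapi_resource" "sftp_user_key_only" {
  type      = "Microsoft.Storage/storageAccounts/localUsers@2021-09-01"
  parent_id = azurerm_storage_account.example.id
  name      = "username"

  body = jsonencode({
    properties = {
      # Key-only login: no SSH password is generated and the user does not
      # authorize with the storage account's shared key.
      hasSshKey      = true
      hasSshPassword = false
      hasSharedKey   = false
      homeDirectory  = "containername/"

      sshAuthorizedKeys = [{
        description = "managed by Terraform"
        key         = trimspace(var.sftp_public_key)
      }]

      # Same scope as the password-based user above: create, write, list
      # on one container. Drop letters the user does not need.
      permissionScopes = [{
        permissions  = "cwl"
        service      = "blob"
        resourceName = "containername"
      }]
    }
  })
}
```

With this variant there is nothing to retrieve afterwards, so neither the external data source nor the `regeneratePassword` action is needed.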
Are there any plans to implement this feature in azurerm provider soon?
Would love this feature. Even just to enable it, user setup would be great too, but that can be a separate issue. Just the option to enable it in terraform would help a lot.
This feature would be so useful to have. Hopefully it's added soon
Hey all, just added a PR to enable the service, may look to improving it in the future and add some more features as I'm likely going to need it.
Closed by #19428
This functionality has been released in v3.34.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
@leesutcliffe Will this also include adding local users? Or will that be a separate resource and will be in a later release? I meant this command - https://learn.microsoft.com/en-us/cli/azure/storage/account/local-user?view=azure-cli-latest#az-storage-account-local-user-create
@raswinraaj this issue is in relation to enabling the SFTP service only. Any future enhancements will be made in subsequent provider releases
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.