Azure Blob Storage Lifecycle Management Policies with Terraform

68
6 min to read

In my previous blog post, I demonstrated how to automate Azure Blob Storage backups using Terraform and the azurerm_storage_management_policy resource. We covered how to create rules for transitioning data between storage tiers and managing backups efficiently. Now, let's take it a step further. In this article, I'll show you how to configure advanced lifecycle management policies to meet complex requirements, including compliance and cost optimization. Whether you're dealing with data retention, automated deletions, or tier transitions, this guide will help you achieve your goals.

Introduction

Effective data management is crucial in cloud environments. Azure Blob Storage offers robust lifecycle management features that enable organizations to automate tier transitions, archive data, and delete expired content based on predefined rules. Using Terraform, we can automate these policies at scale, saving time and ensuring consistency across storage accounts.

In this post, we will:

  1. Extend the azurerm_storage_management_policy Terraform resource for advanced use cases.
  2. Demonstrate dynamic rule creation for multiple lifecycle scenarios using the for_each meta-argument.
  3. Show how to test and apply policies effectively in a production environment.

Why Advanced Lifecycle Management Matters

Azure Storage Management Policies simplify operations by automating actions such as:

  • Moving infrequently accessed data to cost-effective tiers.
  • Archiving data to long-term storage.
  • Deleting obsolete data to comply with regulatory requirements.

For organizations with diverse workloads, predefined rules can be applied to specific data categories, enabling a tailored and optimized storage solution.

Prerequisites

Before diving in, ensure you have the following:

  • An Azure subscription with necessary permissions.
  • Latest Terraform version installed.
  • Azure CLI configured and authenticated.

For more details, refer to:

Implementation Steps

To ensure a clear understanding of how to configure advanced lifecycle management policies for Azure Blob Storage using Terraform, let’s break down each component: variables, .tfvars, and the main Terraform configuration. This will demonstrate where values are set and how they flow through the configuration.

Step 1: Define Variables

The variables.tf file is used to define configurable parameters for the Terraform module. These variables make the Terraform module flexible and reusable. Here's an example:

variables.tf

variable "management_policy" {
  type = map(object({
    rules = map(object({
      name    = string
      enabled = bool
      filters = optional(object({
        prefix_match = optional(list(string))
        blob_types   = optional(list(string))
      }))
      actions = optional(object({
        base_blob = optional(object({
          tier_to_cool_after_days_since_modification_greater_than     = optional(number)
          tier_to_archive_after_days_since_modification_greater_than  = optional(number)
          delete_after_days_since_modification_greater_than           = optional(number)
        }))
      }))
    }))
  }))
}

variable "storage_account_name" {
  description = "The name of the Azure Storage Account."
  type        = string
}

variable "resource_group_name" {
  description = "The name of the resource group where the storage account resides."
  type        = string
}

These variables define:

  • management_policy: A map of rules, allowing flexibility to define multiple lifecycle rules.
  • storage_account_name: The name of the storage account.
  • resource_group_name: The resource group in which the storage account resides.

Step 2: Set Values in the .tfvars File

The .tfvars file is where you set the actual values for the variables defined in variables.tf. This file customizes the module for a specific environment or use case.

terraform.tfvars

management_policy = {
  "policy1" = {
    rules = {
      "tier_rule" = {
        name    = "HotToCool"
        enabled = true
        filters = {
          prefix_match = ["active/"]
          blob_types   = ["blockBlob"]
        }
        actions = {
          base_blob = {
            tier_to_cool_after_days_since_modification_greater_than    = 90
            tier_to_archive_after_days_since_modification_greater_than = 365
            delete_after_days_since_modification_greater_than          = null
          }
        }
      }
      "delete_rule" = {
        name    = "DeleteOldRecords"
        enabled = true
        filters = {
          prefix_match = ["archive/"]
          blob_types   = ["blockBlob"]
        }
        actions = {
          base_blob = {
            delete_after_days_since_modification_greater_than = 1825
          }
        }
      }
    }
  }
}

storage_account_name    = "myuniquestorageacct"
resource_group_name     = "my-resource-group"

Here:

  • management_policy defines two rules:
    • tier_rule: Moves data from "Hot" to "Cool" after 90 days and archives it after 365 days.
    • delete_rule: Deletes data older than five years.
  • storage_account_name and resource_group_name are set with values specific to your Azure environment.

Step 3: Configure the Main Terraform File

The main.tf file contains the core Terraform resources that implement the lifecycle management policies. It references the variables defined earlier and applies the provided values dynamically.

main.tf

resource "azurerm_storage_account" "example" {
  name                     = var.storage_account_name
  resource_group_name      = var.resource_group_name
  location                 = "East US"
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  access_tier              = "Hot"
  enable_https_traffic_only = true
}

resource "azurerm_storage_management_policy" "mgmt_policy" {
  storage_account_id = azurerm_storage_account.example.id

  dynamic "rule" {
    for_each = var.management_policy["policy1"].rules

    content {
      name    = rule.value.name
      enabled = rule.value.enabled

      filters {
        prefix_match = try(rule.value.filters.prefix_match, null)
        blob_types   = try(rule.value.filters.blob_types, null)
      }

      actions {
        base_blob {
          tier_to_cool_after_days_since_modification_greater_than     = try(rule.value.actions.base_blob.tier_to_cool_after_days_since_modification_greater_than, null)
          tier_to_archive_after_days_since_modification_greater_than  = try(rule.value.actions.base_blob.tier_to_archive_after_days_since_modification_greater_than, null)
          delete_after_days_since_modification_greater_than           = try(rule.value.actions.base_blob.delete_after_days_since_modification_greater_than, null)
        }
      }
    }
  }
}

Key points:

  • Storage Account Creation: A azurerm_storage_account resource creates the storage account.
  • Management Policy Application: The azurerm_storage_management_policy resource applies rules dynamically using the for_each meta-argument, iterating over the rules provided in the management_policy variable.

Step 4: Add Outputs for Visibility

Define outputs to retrieve useful information about the created resources.

outputs.tf

output "storage_account_name" {
  value       = azurerm_storage_account.example.name
  description = "The name of the created storage account."
}

output "management_policy_rules" {
  value       = var.management_policy["policy1"].rules
  description = "The applied storage management policy rules."
}

Step 5: Deploy and Verify

  1. Initialize Terraform: 
    terraform init
  2. Review the Plan: 
    terraform plan
    • Verify the lifecycle rules and their values in the output.
  3. Apply the Configuration: 
    terraform apply
    • Confirm the changes to deploy the resources and policies.

By organizing the configuration into variables.tf, .tfvars, and main.tf, the setup becomes modular and maintainable, ensuring consistency across deployments while allowing customization for specific use cases.

Use Case: Data Retention for Healthcare Records

For example, a healthcare provider needs to manage patient data efficiently:

  • Retain data in the "Hot" tier for 90 days for active use.
  • Move data to the "Cool" tier after 90 days for reduced costs.
  • Archive data after one year for compliance.
  • Automatically delete data after five years to meet regulatory requirements.

The Terraform configuration enables these rules dynamically and ensures compliance with minimal manual intervention.

Conclusion

In this article, we extended the concepts from my previous blog post to build advanced Azure Blob Storage lifecycle policies with Terraform. By leveraging dynamic configurations and customizable rules, you can manage complex scenarios efficiently.

If you're looking to optimize your Azure storage costs and streamline data management, implementing these policies is a must.

Useful Links

These links provide in-depth guidance and context for creating and managing Azure Blob Storage lifecycle policies, using Terraform effectively, and optimizing cloud storage operations.

About me

Azure Cloud Solutions Engineer with a passion for cloud automation, DevOps, Kubernetes , monitoring, identity management (IAM), cloud security and O365. Working with Azure, Amazon AWS, System Center, OMS/Log Analytics and related cloud services and software.

My certifications
Recent articles
Should You Use a Separate Stage for Bicep Linting in Your CI/CD Pipeline?
Should You Use a Separate Stage for Bicep Linting in Your CI/CD Pipeline?
How To Share Bicep Templates and Modules
How To Share Bicep Templates and Modules
How to publish Bicep Modules to ACR
How to publish Bicep Modules to ACR
Azure Blob Storage Lifecycle Management Policies with Terraform
Azure Blob Storage Lifecycle Management Policies with Terraform
Topics
Tags