Configures storage buckets to be optionally exposed via service endpoints

terraform/modules/bucket/main.tf

@@ -9,6 +9,12 @@ resource "azurerm_storage_account" "bucket" {
   location                 = azurerm_resource_group.bucket.location
   account_tier             = "Standard"
   account_replication_type = "LRS"
+
+  network_rules {
+    default_action             = var.policy
+    virtual_network_subnet_ids = var.subnet_ids
+    #ip_rules = ["66.220.238.246/30"]
+  }
 }
 
 resource "azurerm_storage_container" "bucket" {

terraform/modules/bucket/variables.tf

@@ -29,3 +29,14 @@ variable "service_name" {
   description = "Name of the service using this bucket"
   type        = string
 }
+
+variable "subnet_ids" {
+  description = "List of subnet_ids that will have access to this service"
+  type        = list
+}
+
+variable "policy" {
+  description = "The default policy for the network access rules (Allow/Deny)"
+  default     = "Deny"
+  type        = string
+}