Configures storage buckets to be optionally exposed via service endpoints

terraform/providers/dev/buckets.tf

@@ -5,6 +5,8 @@ module "task_order_bucket" {
   name         = var.name
   environment  = var.environment
   region       = var.region
+  policy       = "Deny"
+  subnet_ids   = [module.vpc.subnets]
 }
 
 module "tf_state" {
@@ -14,4 +16,6 @@ module "tf_state" {
   name         = var.name
   environment  = var.environment
   region       = var.region
+  policy       = "Allow"
+  subnet_ids   = []
 }

terraform/providers/dev/variables.tf

@@ -36,6 +36,14 @@ variable "networks" {
   }
 }
 
+variable "service_endpoints" {
+  type = map
+  default = {
+    public  = ""
+    private = "Microsoft.Storage,Microsoft.KeyVault"
+  }
+}
+
 variable "gateway_subnet" {
   type    = string
   default = "10.1.20.0/24"

terraform/providers/dev/vpc.tf

@@ -1,13 +1,14 @@
 module "vpc" {
-  source          = "../../modules/vpc/"
-  environment     = var.environment
-  region          = var.region
-  virtual_network = var.virtual_network
-  networks        = var.networks
-  gateway_subnet  = var.gateway_subnet
-  route_tables    = var.route_tables
-  owner           = var.owner
-  name            = var.name
-  dns_servers     = var.dns_servers
+  source            = "../../modules/vpc/"
+  environment       = var.environment
+  region            = var.region
+  virtual_network   = var.virtual_network
+  networks          = var.networks
+  gateway_subnet    = var.gateway_subnet
+  route_tables      = var.route_tables
+  owner             = var.owner
+  name              = var.name
+  dns_servers       = var.dns_servers
+  service_endpoints = var.service_endpoints
 }