diff --git a/modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep b/modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep
index 4fe2601520..eed64ba071 100644
--- a/modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Storage/storageAccounts/.test/common/deploy.test.bicep
@@ -213,6 +213,7 @@ module testDeployment '../../deploy.bicep' = {
 }
 ]
 }
+ sasExpirationPeriod: '180.00:00:00'
 systemAssignedIdentity: true
 userAssignedIdentities: {
 '${nestedDependencies.outputs.managedIdentityResourceId}': {}
diff --git a/modules/Microsoft.Storage/storageAccounts/deploy.bicep b/modules/Microsoft.Storage/storageAccounts/deploy.bicep
index 62cde7ed43..6c997aed2f 100644
--- a/modules/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/modules/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -201,6 +201,9 @@ param cMKKeyVersion string = ''
 @description('Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to "-diagnosticSettings".')
 param diagnosticSettingsName string = ''
+@description('Optional. The SAS expiration period. DD.HH:MM:SS.')
+param sasExpirationPeriod string = ''
+
 var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 category: metric
 timeGrain: null
@@ -286,6 +289,10 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
 } : null
 }
 accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null
+ sasPolicy: !empty(sasExpirationPeriod) ? {
+ expirationAction: 'Log'
+ sasExpirationPeriod: sasExpirationPeriod
+ } : null
 supportsHttpsTrafficOnly: supportsHttpsTrafficOnly
 isHnsEnabled: enableHierarchicalNamespace ? enableHierarchicalNamespace : null
 isSftpEnabled: enableSftp
diff --git a/modules/Microsoft.Storage/storageAccounts/readme.md b/modules/Microsoft.Storage/storageAccounts/readme.md
index d15abd1980..2a82bc0207 100644
--- a/modules/Microsoft.Storage/storageAccounts/readme.md
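Review bot: The `@description` on the new `sasExpirationPeriod` parameter gives only the format and does not say what the empty default means or what the module does with the value, so a consumer cannot tell from the parameter alone whether leaving it empty results in a policy with no expiration or in no policy at all. The resource hunk below shows that an empty value skips `sasPolicy` entirely and that a non-empty value creates a policy whose action is `Log`; the description should state both. Suggested wording: `@description('Optional. The SAS expiration period in DD.HH:MM:SS format (e.g. 180.00:00:00). If set, a SAS policy with expirationAction "Log" is applied; if left empty, no SAS policy is configured.')`. The same sentence should replace the row text added in the readme.md parameter table, which currently repeats the bare "DD.HH:MM:SS" description.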
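Review bot: `expirationAction` is hard-coded to `'Log'` in the new `sasPolicy` object, which means a SAS token whose validity exceeds `sasExpirationPeriod` is only recorded in the account's logs, not rejected; a reader who sees a parameter named "expiration period" may assume the period is enforced. If the pinned `2022-09-01` API version offers no other action this is fine to keep as a constant (I have not confirmed the allowed values for that version), but the intent should be visible at the point of use, e.g. `expirationAction: 'Log' // only logs SAS tokens exceeding the period; it does not block them`. If a stricter action becomes available with a newer API version, exposing `expirationAction` as a parameter with an `@allowed` decorator would let consumers opt into enforcement without a module change. The `storageAccount` resource body starts and ends outside this hunk.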
+++ b/modules/Microsoft.Storage/storageAccounts/readme.md
@@ -90,6 +90,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | `queueServices` | _[queueServices](queueServices/readme.md)_ object | `{object}` | | Queue service and queues to create. |
 | `requireInfrastructureEncryption` | bool | `True` | | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| `sasExpirationPeriod` | string | `''` | | The SAS expiration period. DD.HH:MM:SS. |
 | `storageAccountKind` | string | `'StorageV2'` | `[BlobStorage, BlockBlobStorage, FileStorage, Storage, StorageV2]` | Type of Storage Account to create. |
 | `storageAccountSku` | string | `'Standard_GRS'` | `[Premium_LRS, Premium_ZRS, Standard_GRS, Standard_GZRS, Standard_LRS, Standard_RAGRS, Standard_RAGZRS, Standard_ZRS]` | Storage Account Sku Name. |
 | `supportsHttpsTrafficOnly` | bool | `True` | | Allows HTTPS traffic only to storage service if sets to true. |
@@ -585,6 +586,7 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = {
 roleDefinitionIdOrName: 'Reader'
 }
 ]
+ sasExpirationPeriod: '180.00:00:00'
 storageAccountSku: 'Standard_LRS'
 systemAssignedIdentity: true
 tableServices: {
@@ -820,6 +822,9 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = {
 }
 ]
 },
+ "sasExpirationPeriod": {
+ "value": "180.00:00:00"
+ },
 "storageAccountSku": {
 "value": "Standard_LRS"
 },