Feature Request: Add support for Azure Container SAS tokens

[jrauschenbusch]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently there is no native support for Azure Service SAS tokens.

As already mentioned #59 there are different types of SAS tokens.

To allow a more fine-grained access control it would be nice to have native support inside terraform without the need to use local-exec.

As the configuration options (especially the permission semantic) for Service SAS tokens depends on the service type i would suggest to create different SAS data sources for each of the following types: blob, container, share, file, queue, table

New or Affected Resource(s)

• azurerm_storage_container_sas
• azurerm_storage_<type>_sas

Potential Terraform Configuration

data "azurerm_storage_container_sas" "foo" {
  connection_string = "DefaultEndpointsProtocol=https;..."
  https_only = true
  ip = "127.0.0.1" // optional

  container_name = "bar"

   // Response header settings
  cache-control = ""
  content-disposition = ""
  content-encoding =  ""
  content-language = ""
  content-type = ""

  start  = "2019-03-18" // optional
  expiry = "2020-01-01"

  permissions {
    read    = true
    write   = true
    delete  = true
    list    = true
    add     = true
    create  = true
  }

  // access policy as alternative for permissions and  validity period
  policy-name = ""
}

References

• https://docs.microsoft.com/en-us/rest/api/storageservices/constructing-a-service-sas
• https://docs.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-generate-sas
• Feature Request: support for Shared Access Signatures on Storage Objects [AzureRM] #59 (comment)

[dominik-lekse]

I agree with @jrauschenbusch that there is a need for more extensive support for SAS tokens of different types.

In my opinion, it would be helpful to have resources instead of data sources for SAS tokens. The advantage of resources in this case is, that the generated SAS tokens stay persistent across multiple Terraform runs. An example use case is passing an Azure Storage Blob URL in the virtual machine custom script extension with a SAS token.

[r0bnet]

I'll implement it as soon as this PR is through: hashicorp/go-azure-helpers#34

// edit: PR is through; waiting for release of 0.6.0 of the go-azure-helpers

[r0bnet]

PR: #4195

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!