Azure Storage Lifecycle Management Policy Terraform Module

This Terraform module creates and assigns an Azure Policy that enforces lifecycle management on Azure Storage accounts. The policy can be applied at either management group, subscription level or storage account level.

Features

• Enforce consistent lifecycle management across all storage accounts
• Configure days for transition to cool tier, archive tier, and deletion
• Apply at management group, subscription, or individual storage account level
• Configurable policy effect (Deploy, Audit, or Disable)
• Custom prefix filters for targeted application

Prerequisites

• Terraform >= 1.0
• Azure CLI >= 2.20.0
• Azure subscription or management group with appropriate permissions

Usage

Example usage of the Azure Storage Lifecycle Management Policy Module

Example 1: Apply at subscription level

module "storage_lifecycle_subscription" {
source = "../" # Path to the module directory

scope_type = "subscription"
subscription_id = "00000000-0000-0000-0000-000000000000" # Replace with your subscription ID

days_to_cool_tier = 30
days_to_archive_tier = 90
days_to_delete = 365
days_to_delete_snapshots = 30

prefix_filters = ["container1/", "backups/"]

policy_effect = "DeployIfNotExists"
}

Example 2: Apply at management group level

module "storage_lifecycle_management_group" {
source = "../" # Path to the module directory

scope_type = "management_group"
management_group_id = "mg-production" # Use the ID of the management group

days_to_cool_tier = 45
days_to_archive_tier = 120
days_to_delete = 730
days_to_delete_snapshots = 45

prefix_filters = ["logs/", "metrics/"]

policy_effect = "AuditIfNotExists" # Start with audit before enforcing
}

Example 3: Apply to a specific storage account

module "storage_lifecycle_storage_account" {
source = "../" # Path to the module directory

scope_type = "storage_account"
subscription_id = "00000000-0000-0000-0000-000000000000" # Replace with your subscription ID
storage_account_name = "mystorageaccount" # Replace with your storage account name
resource_group_name = "myresourcegroup" # Replace with your resource group name

days_to_cool_tier = 60
days_to_archive_tier = 180
days_to_delete = 365
days_to_delete_snapshots = 30

prefix_filters = ["critical/", "important/"]

policy_effect = "DeployIfNotExists" # Start with audit before enforcing but here we showcase DINE approach in our example.
}

Terraform Documentation

Requirements

Name	Version
terraform	>= 1.0.0
azurerm	>=3.0.0
azurerm	>= 3.0.0

Providers

Name	Version
azurerm	>=3.0.0 >= 3.0.0

Modules

No modules.

Resources

Name	Type
azurerm_management_group_policy_assignment.mg_storage_lifecycle	resource
azurerm_policy_definition.storage_lifecycle	resource
azurerm_resource_policy_assignment.sa_storage_lifecycle	resource
azurerm_role_assignment.mg_storage_lifecycle	resource
azurerm_role_assignment.sa_storage_lifecycle	resource
azurerm_role_assignment.sub_storage_lifecycle	resource
azurerm_subscription_policy_assignment.sub_storage_lifecycle	resource
azurerm_subscription.current	data source

Inputs

Name	Description	Type	Default	Required
days_to_archive_tier	The number of days after which a blob should be moved to the archive tier	number	90	no
days_to_cool_tier	The number of days after which a blob should be moved to the cool tier	number	30	no
days_to_delete	The number of days after which a blob should be deleted	number	365	no
days_to_delete_snapshots	The number of days after which blob snapshots should be deleted	number	30	no
location	The Azure region to use for deployments	string	"westeurope"	no
management_group_id	The ID of the management group to assign the policy to. Required if scope_type is 'management_group'	string	null	no
policy_effect	The effect of the policy. Valid values are 'DeployIfNotExists', 'AuditIfNotExists', or 'Disabled'	string	"DeployIfNotExists"	no
prefix_filters	A list of blob prefix filters to apply the lifecycle policy to	list(string)	[]	no
resource_group_name	The name of the resource group containing the storage account. Required if scope_type is 'storage_account'	string	null	no
scope_type	The type of scope to assign the policy to. Valid values are 'management_group', 'subscription', or 'storage_account'	string	"subscription"	no
storage_account_name	The name of the storage account to assign the policy to. Required if scope_type is 'storage_account'	string	null	no
subscription_id	The ID of the subscription to assign the policy to. Required if scope_type is 'subscription'. If not provided and scope_type is 'subscription', the current subscription will be used.	string	null	no

Outputs

Name	Description
applied_scope	The scope where the policy was applied
policy_assignment_id	The ID of the policy assignment
policy_assignment_identity	The managed identity associated with the policy assignment
policy_id	The ID of the created policy definition