Bicep Module Documentation
← Back to Overview
Module storage-account
storageAccount
| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| privateLinkBlob | privateLink | Settings for the private endpoint and private link for this resource |
| privateLinkTable | privateLink | Settings for the private endpoint and private link for this resource |
| privateLinkQueue | privateLink | Settings for the private endpoint and private link for this resource |
| privateLinkFile | privateLink | Settings for the private endpoint and private link for this resource |
| privateLinkWeb | privateLink | Settings for the private endpoint and private link for this resource |
| sku (required) | 'Premium_LRS' 'Premium_ZRS' 'Standard_GRS' 'Standard_GZRS' 'Standard_LRS' 'Standard_RAGRS' 'Standard_RAGZRS' 'Standard_ZRS' |
The SKU name. Required for account creation |
| kind (required) | 'BlobStorage' 'BlockBlobStorage' 'FileStorage' 'Storage' 'StorageV2' |
Azure storage account kind classifies storage accounts based on feature set and replication options. |
| managedIdentityType | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' |
Type of managed identity associated with this resource (default: SystemAssigned) |
| managedIdentityId | string | User assigned managed identity id to access other resources |
| accessTier (required) | 'Cold' 'Cool' 'Hot' 'Premium' |
Azure storage account access tier determines the cost and performance of storing and accessing data in Azure. |
| allowBlobPublicAccess | bool | is a boolean property that determines whether public access to blobs in the Azure Storage Account is allowed or not. |
| allowCrossTenantReplication | bool | is a boolean property that controls whether replication of data across tenants is permitted in the Azure Storage Account. |
| allowedCopyScope | string | specifies the set of Azure Resource Manager (ARM) templates that are allowed for copying resources in the Azure Storage Account. |
| allowSharedKeyAccess | bool | boolean property that indicates whether shared key access authentication is allowed for the Azure Storage Account, enabling access via account key or SAS (Shared Access Signature). |
| activeDirectoryProperties | activeDirectoryProperties | Provides the identity based authentication settings for Azure Files. |
| defaultSharePermission | 'None' 'StorageFileDataSmbShareContributor' 'StorageFileDataSmbShareElevatedContributor' 'StorageFileDataSmbShareReader' |
Default share permission for users using Kerberos authentication if RBAC role is not assigned. |
| directoryServiceOptions | 'AADDS' 'AADKERB' 'AD' 'None' |
Indicates the directory service used. Note that this enum may be extended in the future. |
| customDomain | customDomain | configure a custom domain name for your Azure Storage Account, enabling you to access your storage resources using a custom URL instead of the default Azure-generated URL. |
| defaultToOAuthAuthentication | bool | A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property. |
| dnsEndpointType | 'AzureDnsZone' 'Standard' |
Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription |
| encryption | object | the security feature in an Azure Storage Account that ensures data at rest is protected by encrypting it, providing an additional layer of data security. |
| requireInfrastructureEncryption | bool | boolean property that enforces the use of infrastructure encryption mechanisms to safeguard data in your Azure Storage Account, enhancing overall data security by ensuring encryption at the underlying infrastructure level. |
| services | services | List of services which support encryption. |
| immutableStorageWithVersioning | immutableStorageWithVersioning | When set to true, it enables object level immutability for all the new containers in the account by default. |
| isHnsEnabled | bool | Set Account HierarchicalNamespace? HierarchicalNamespace organizes the objects or files into a hierarchy of directories for efficient data access. |
| isLocalUserEnabled | bool | Enables local users feature, if set to true |
| isNfsV3Enabled | bool | Enables or disables support for NFSv3 protocol, allowing remote access to files stored in Azure. |
| isSftpEnabled | bool | Enables Secure File Transfer Protocol, if set to true |
| largeFileSharesState | 'Disabled' 'Enabled' |
Allow large file shares if sets to Enabled. It cannot be disabled once it is enabled. |
| minimumTlsVersion | 'TLS1_0' 'TLS1_1' 'TLS1_2' |
Set the minimum TLS version to be permitted on requests to storage. |
| networkAcls | networkAcls | Set firewall rules |
| publicNetworkAccess | 'Disabled' 'Enabled' |
Allow or disallow public network access to Storage Account. Value is optional. |
| routingPreference | routingPreference | Maintains information about the network routing choice opted by the user for data transfer |
| sasPolicy | sasPolicy | SasPolicy assigned to the storage account. |
| supportsHttpsTrafficOnly | bool | Allows https traffic only to storage service if sets to true. |
| fileServices | storageAccountFileServices | |
| blobServices | storageAccountBlobServices | |
| fileShare | storageAccountShare[] | |
| storageAccountContainer | storageAccountContainer[] | |
| queueServices | storageAccountQueue[] | |
| tableServices | storageAccountTable[] |
activeDirectoryProperties
| Property | Value | Description |
|---|---|---|
| accountType (required) | 'Computer' 'User' |
Specifies the Active Directory account type for Azure Storage. |
| azureStorageSid | string | Specifies the security identifier (SID) for Azure Storage. |
| domainGuid | string | Specifies the domain GUID. |
| domainName | string | Specifies the primary domain that the AD DNS server is authoritative for. |
| domainSid | string | Specifies the security identifier (SID). |
| forestName | string | Specifies the Active Directory forest to get. |
| netBiosDomainName | string | Specifies the NetBIOS domain name. |
| samAccountName | string | Specifies the Active Directory SAMAccountName for Azure Storage. |
customDomain
| Property | Value | Description |
|---|---|---|
| name (required) | string | Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. |
| useSubDomainName | bool | Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. |
blob
| Property | Value | Description |
|---|---|---|
| enabled | bool | A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. |
| keyType (required) | 'Account' 'Service' |
Encryption key type to be used for the encryption service. Account key type implies that an account-scoped encryption key will be used. Service key type implies that a default service key is used. |
file
| Property | Value | Description |
|---|---|---|
| enabled | bool | A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. |
| keyType (required) | 'Account' 'Service' |
Encryption key type to be used for the encryption service. Account key type implies that an account-scoped encryption key will be used. Service key type implies that a default service key is used. |
queue
| Property | Value | Description |
|---|---|---|
| enabled | bool | A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. |
| keyType (required) | 'Account' 'Service' |
Encryption key type to be used for the encryption service. Account key type implies that an account-scoped encryption key will be used. Service key type implies that a default service key is used. |
table
| Property | Value | Description |
|---|---|---|
| enabled | bool | A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. |
| keyType (required) | 'Account' 'Service' |
Encryption key type to be used for the encryption service. Account key type implies that an account-scoped encryption key will be used. Service key type implies that a default service key is used. |
services
| Property | Value | Description |
|---|---|---|
| blob (required) | blob | The encryption function of the blob storage service. |
| file (required) | file | The encryption function of the file storage service. |
| queue (required) | queue | The encryption function of the queue storage service. |
| table (required) | table | The encryption function of the table storage service. |
immutabilityPolicy
| Property | Value | Description |
|---|---|---|
| allowProtectedAppendWrites | bool | When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. |
| immutabilityPeriodSinceCreationInDays (required) | int | The immutability period for the blobs in the container since the policy creation, in days. |
| state (required) | 'Disabled' 'Locked' 'Unlocked' |
The ImmutabilityPolicy state defines the mode of the policy |
immutableStorageWithVersioning
| Property | Value | Description |
|---|---|---|
| enabled | bool | This is an immutable property, when set to true it enables object level immutability at the container level. |
networkAcls
| Property | Value | Description |
|---|---|---|
| bypass | 'AzureServices' 'None' |
(default: None) |
| defaultAction | 'Allow' 'Deny' |
(default: deny) |
| ipRules | storageAccountIpRule[] | Add allowed rules to keyvault [Array of IP rules] |
| virtualNetworkRules | storageAccountVirtualNetworkRule[] | Add allowed virtual networks to keyvault [ResourceIds] |
routingPreference
| Property | Value | Description |
|---|---|---|
| publishInternetEndpoints | bool | A boolean flag which indicates whether internet routing storage endpoints are to be published |
| publishMicrosoftEndpoints | bool | A boolean flag which indicates whether microsoft routing storage endpoints are to be published |
| routingChoice | 'InternetRouting' 'MicrosoftRouting' |
Routing Choice defines the kind of network routing opted by the user. |
sasPolicy
| Property | Value | Description |
|---|---|---|
| expirationAction | 'Log' | The SAS expiration action. Can only be Log. |
| sasExpirationPeriod | string | The SAS expiration period, DD.HH:MM:SS. |
storageAccountIpRule
| Property | Value | Description |
|---|---|---|
| action (required) | 'Allow' | |
| value (required) | string | [[CIDR notation or IP address only IPv4] |
storageAccountVirtualNetworkRule
| Property | Value | Description |
|---|---|---|
| id (required) | string | The virtual network Id which should be allowed |
storageAccountFileServices
| Property | Value | Description |
|---|---|---|
| protocolSettings | protocolSettings | Protocol settings for file service |
| shareDeleteRetentionPolicy | shareDeleteRetentionPolicy |
multichannel
| Property | Value | Description |
|---|---|---|
| enabled | bool | Indicates whether multichannel is enabled |
smb
| Property | Value | Description |
|---|---|---|
| authenticationMethods | 'Kerberos' 'NTLMv2' |
SMB authentication methods supported by server. Valid values are NTLMv2, Kerberos. |
| channelEncryption | 'AES-128-CCM' 'AES-128-GCM' 'AES-256-GCM' |
SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM. |
| kerberosTicketEncryption | 'AES-256' 'RC4-HMAC' |
Kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256. |
| multichannel | multichannel | |
| versions | 'SMB2.1' 'SMB3.0' 'SMB3.1.1' |
SMB protocol versions supported by server |
protocolSettings
| Property | Value | Description |
|---|---|---|
| smb | smb | Setting for SMB protocol |
shareDeleteRetentionPolicy
| Property | Value | Description |
|---|---|---|
| allowPermanentDelete | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. |
| days | int | Indicates the number of days that the deleted item should be retained. The minimum specified value can be 1 and the maximum value can be 365. |
| enabled | bool | Indicates whether DeleteRetentionPolicy is enabled. |
storageAccountBlobServices
| Property | Value | Description |
|---|---|---|
| changeFeed | changeFeed | The blob service properties for change feed events. |
| containerDeleteRetentionPolicy | containerDeleteRetentionPolicy | |
| defaultServiceVersion | string | DefaultServiceVersion indicates the default version to use for requests to the Blob service if an incoming request’s version is not specified. Possible values include version 2008-10-27 and all more recent versions. |
| deleteRetentionPolicy | deleteRetentionPolicy | The blob service properties for blob soft delete. |
| isVersioningEnabled (required) | bool | Versioning is enabled if set to true. |
| lastAccessTimeTrackingPolicy | lastAccessTimeTrackingPolicy | When set to true last access time based tracking is enabled. |
| restorePolicy | restorePolicy |
changeFeed
| Property | Value | Description |
|---|---|---|
| enabled (required) | bool | Indicates whether change feed event logging is enabled for the Blob service. |
| retentionInDays (required) | int | Indicates the duration of changeFeed retention in days. Minimum value is 1 day and maximum value is 146000 days (400 years). A null value indicates an infinite retention of the change feed. |
containerDeleteRetentionPolicy
| Property | Value | Description |
|---|---|---|
| allowPermanentDelete (required) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots, This property only applies to blob service and does not apply to containers or file share. |
| days (required) | int | Indicates the number of days that the deleted item should be retained |
| enabled (required) | bool | Indicates whether DeleteRetentionPolicy is enabled. |
deleteRetentionPolicy
| Property | Value | Description |
|---|---|---|
| allowPermanentDelete (required) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used blob restore policy. This property only applies to blob service and does not apply to containers or file share. |
| days (required) | int | Indicates the number of days that the deleted item should be retained |
| enabled (required) | bool | Indicates whether DeleteRetentionPolicy is enabled. |
lastAccessTimeTrackingPolicy
| Property | Value | Description |
|---|---|---|
| enable (required) | bool | When set to true last access time based tracking is enabled. |
restorePolicy
| Property | Value | Description |
|---|---|---|
| days (required) | int | how long this blob can be restored. It should be great than zero and less than DeleteRetentionPolicy.days. |
| enabled (required) | bool | Blob restore is enabled if set to true. |
storageAccountShare
| Property | Value | Description |
|---|---|---|
| name (required) | string | share name:Lowercase letters, numbers, and hyphens. Cant start or end with hyphen. Cant use consecutive hyphens. |
| accessTier | 'Cool' 'Hot' 'Premium' 'TransactionOptimized' |
Access tier for specific share. |
| enabledProtocols | 'NFS' 'SMB' |
The authentication protocol that is used for the file share. |
| metadata | object | A name-value pair to associate with the share as metadata. |
| rootSquash | 'AllSquash' 'NoRootSquash' 'RootSquash' |
The property is for NFS share only |
| shareQuota (required) | int | The maximum size of the share, in gigabytes. |
| signedIdentifiers | storageAccountSignedIdentifiers[] | List of stored access policies specified on the share. |
storageAccountSignedIdentifiers
| Property | Value | Description |
|---|---|---|
| accessPolicy (required) | accessPolicy | |
| id (required) | string | An unique identifier of the stored access policy. |
accessPolicy
| Property | Value | Description |
|---|---|---|
| expiryTime (required) | string | Expiry time of the access policy |
| permission (required) | string | List of abbreviated permissions. |
| startTime (required) | string | Start time of the access policy |
storageAccountQueue
| Property | Value | Description |
|---|---|---|
| name (required) | string | |
| properties | properties |
properties
| Property | Value | Description |
|---|---|---|
| id | string | A name-value pair to associate with the share as metadata. |
storageAccountTable
| Property | Value | Description |
|---|---|---|
| name (required) | string | |
| properties | properties |
storageAccountContainer
| Property | Value | Description |
|---|---|---|
| name (required) | string | Start with lowercase letter or number. Cant use consecutive hyphens. |
| defaultEncryptionScope | string | Default the container to use specified encryption scope for all writes. |
| denyEncryptionScopeOverride | bool | Block override of encryption scope from the container default. |
| enableNfsV3AllSquash | bool | Enable NFSv3 all squash on blob container. |
| enableNfsV3RootSquash | bool | Enable NFSv3 root squash on blob container. |
| immutableStorageWithVersioning | immutableStorageWithVersioning | |
| metadata | object | A name-value pair to associate with the container as metadata. |
| publicAccess | 'Blob' 'Container' 'None' |
Specifies whether data in the container may be accessed publicly and the level of access. (default: None) |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Cant end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they cant modify or delete it. Read-Only locks must be commented to be able to deploy again |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
| principalType (required) | 'Device' 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' |
The principal type of the assigned principal ID |
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource, if empty non will be appended, otherwise will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
Changelog
9.2.0 (2025-10-28)
Features
- add DFS private endpoint
9.1.0 (2025-10-07)
Features
- update resource api versions
9.0.2 (2025-09-26)
Bug Fixes
- make parameter accessTier optional
9.0.1 (2025-09-24)
Bug Fixes
- remove deployment name + cleanup
9.0.0 (2025-09-24)
⚠ BREAKING CHANGES
- remove deprecated outputs
Bug Fixes
- remove deprecated outputs
8.3.0 (2025-09-16)
Features
- add secure output storageAccountKey
8.2.1 (2025-06-30)
Bug Fixes
- resolve issue with immutablilty policy when empty
8.2.0 (2025-05-14)
Features
- add blob CORS rules
8.1.0 (2025-05-14)
Features
- add resource access rules
8.0.0 (2025-05-12)
⚠ BREAKING CHANGES
- allowBlobPublicAccess default false
Bug Fixes
- allowBlobPublicAccess default false
7.2.1 (2025-04-11)
Bug Fixes
- naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true
7.2.0 (2025-03-26)
Features
- add resourceName output
7.1.0 (2025-03-20)
Features
- add expirationActions to sasPolicy
7.0.1 (2025-03-19)
Bug Fixes
- add defaultSharePermission default to 'None'
7.0.0 (2025-03-19)
⚠ BREAKING CHANGES
- update the azureFilesIdentityBaseAuthentication configuration
Bug Fixes
- update the azureFilesIdentityBaseAuthentication configuration
6.0.0 (2025-03-17)
⚠ BREAKING CHANGES
- remove role-assignment principalType parameter
Features
- remove role-assignment principalType parameter
5.2.0 (2025-03-10)
Features
- add AD authentication
5.1.3 (2025-02-28)
Bug Fixes
- revise descriptions
5.1.2 (2025-02-17)
Bug Fixes
- make immutability policy optional
5.1.1 (2025-02-14)
Bug Fixes
- upgrade API versions + fix container creation
5.1.0 (2025-02-11)
Features
- add immutability
5.0.2 (2025-02-11)
Bug Fixes
- add missing access tier
5.0.1 (2024-12-04)
Bug Fixes
- rework routing preference for azure files