terraform-azurerm-disallow-ragrs-policy: A Terraform Module to Prevent or Audit the Creation of Standard_RAGRS Storage Accounts

As Azure engineers, we need to be prudent in managing our resources, and storage accounts are a place where the defaults work against us. When you create a storage account through the Azure portal or the CLI (az storage account create with no --sku), you get the Standard_RAGRS SKU, which is usually more redundancy than the workload needs and is billed accordingly. Here, we introduce the terraform-azurerm-disallow-ragrs-policy module, which helps enforce cost-effective use of storage by auditing or denying the creation of Standard_RAGRS storage accounts.

Understanding the Standard_RAGRS vs Standard_GRS Dilemma

Standard_RAGRS (read-access geo-redundant storage) replicates data to a paired secondary region and also exposes a read-only secondary endpoint, so the data can be read from the secondary region at any time. Standard_GRS (geo-redundant storage) performs the same replication to the secondary region, but the copy there is only reachable after a failover; there is no secondary read endpoint to manage or protect. In most cases Standard_GRS suffices, and it is less expensive than Standard_RAGRS. We might wonder why Microsoft defaults to the pricier option, but let’s focus on the solution for now.

Delving Into terraform-azurerm-disallow-ragrs-policy Module

This Terraform module creates an Azure Policy definition that targets storage accounts with the Standard_RAGRS SKU unless they carry the exemption tag “Exempt: Disallow Standard_RAGRS”. The policy can be assigned at a management group or subscription scope, so it applies to every storage account created beneath that scope.

Two Modes of Operation

This module can operate in two modes, selected by the policy_effect variable: ‘auditIfNotExists’ and ‘deny’. In ‘auditIfNotExists’ mode, any storage account that has the Standard_RAGRS SKU and lacks the exemption tag is reported as non-compliant but is otherwise left alone. In ‘deny’ mode, Azure Resource Manager rejects requests to create such an account unless the exemption tag is present.

Please Note:

Azure Policy never modifies or deletes an existing resource. When the policy is assigned in ‘deny’ mode, existing Standard_RAGRS accounts that lack the tag are marked non-compliant, and any subsequent write to them (an ARM PUT or PATCH, such as changing network rules or other properties) is rejected until the account is changed to Standard_GRS or carries the exemption tag “Exempt: Disallow Standard_RAGRS”. A safe rollout is to assign the policy in audit mode first, review the compliance results for the scope, tag or convert the accounts you find, and only then switch policy_effect to ‘deny’.

Usage Example

Here’s a Terraform code snippet showing how to deploy the definition in deny mode, scoped to a management group (management_group_id takes the full resource ID, not just the group name):

module "disallow_ragrs_policy" {
  source = "RCFromCLE/disallow-ragrs-policy/azurerm"
  # use v1.0.1 because I ran into issues with 1.0.0 in the tf public registry
  version = "1.0.1"

  policy_effect       = "deny"
  management_group_id = "/providers/Microsoft.Management/managementGroups/Your_Management_Group_ID"
}


The policy rule is defined in the module’s main.tf. It matches resources of type Microsoft.Storage/storageAccounts whose SKU is Standard_RAGRS and which lack the exemption tag, and applies whichever effect the policy_effect variable specifies.
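To make the rule concrete, here is a stand-alone Terraform configuration that expresses the same policy without the module. This is added example code, not the module’s main.tf: the tag is assumed to be key “Exempt” with value “Disallow Standard_RAGRS” (the module’s exact key/value split is not shown on this page), the resource and variable names are my own, and the audit side uses the plain audit effect, which evaluates the storage account itself and needs no details block, rather than the module’s auditIfNotExists.

```hcl
# Example only: a self-contained equivalent of the rule described above.
# Assumptions: tag key "Exempt" / value "Disallow Standard_RAGRS", names chosen here.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "management_group_id" {
  description = "Full resource ID of the management group to define and assign the policy at"
  type        = string
}

variable "policy_effect" {
  description = "audit reports non-compliant accounts; deny rejects create/update requests"
  type        = string
  default     = "audit"

  validation {
    condition     = contains(["audit", "deny"], var.policy_effect)
    error_message = "policy_effect must be \"audit\" or \"deny\"."
  }
}

# The definition: match storage accounts with SKU Standard_RAGRS whose
# exemption tag is missing or has a different value. notEquals on a tag
# alias is true when the tag is absent, so a missing tag is not exempt.
resource "azurerm_policy_definition" "disallow_ragrs" {
  name                = "disallow-standard-ragrs-example"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Disallow Standard_RAGRS storage accounts unless exempted by tag"
  management_group_id = var.management_group_id

  parameters = jsonencode({
    effect = {
      type          = "String"
      allowedValues = ["audit", "deny"]
      defaultValue  = "audit"
      metadata = {
        displayName = "Effect"
        description = "audit flags non-compliant accounts; deny blocks create/update"
      }
    }
  })

  policy_rule = jsonencode({
    if = {
      allOf = [
        {
          field  = "type"
          equals = "Microsoft.Storage/storageAccounts"
        },
        {
          field  = "Microsoft.Storage/storageAccounts/sku.name"
          equals = "Standard_RAGRS"
        },
        {
          field     = "tags['Exempt']"
          notEquals = "Disallow Standard_RAGRS"
        }
      ]
    }
    then = {
      effect = "[parameters('effect')]"
    }
  })
}

# The assignment at the same management group. enforce = false keeps a
# deny assignment in DoNotEnforce mode: compliance is still reported, but
# nothing is blocked, which is a useful dry run before enforcing.
resource "azurerm_management_group_policy_assignment" "disallow_ragrs" {
  name                 = "disallow-ragrs"
  display_name         = "Disallow Standard_RAGRS storage accounts"
  management_group_id  = var.management_group_id
  policy_definition_id = azurerm_policy_definition.disallow_ragrs.id
  enforce              = true

  parameters = jsonencode({
    effect = { value = var.policy_effect }
  })
}
```

Run it with terraform apply -var policy_effect=audit -var management_group_id=/providers/Microsoft.Management/managementGroups/<your-group>, inspect the compliance state in the portal or with az policy state list, and then re-apply with deny. Because the rule evaluates the resource as it would look after the request, a PATCH that only adds the Exempt tag to an existing Standard_RAGRS account is itself allowed under deny.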

For additional usage examples, see the README in the module’s GitHub repository or its page on the Terraform public registry. Links are below.

Conclusion

This module brings efficiency and cost-effectiveness to your Azure storage management. By steering new storage accounts towards Standard_GRS, and surfacing the Standard_RAGRS accounts you already have, it helps ensure we only pay for the redundancy we need.

That’s all for now. My plan for the near future is to create more of these types of posts, outlining how one can create and use Terraform modules to deploy custom policy definitions into Azure.

Thanks for reading my post!

Relevant Links:

https://registry.terraform.io/modules/RCFromCLE/disallow-ragrs-policy/azurerm/latest
https://github.com/RCFromCLE/terraform-azurerm-disallow-ragrs-policy
https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy
