How to disable public access to an Azure storage account but keep it accessible from Cloudshell.
What I have that works:
- Az-storage account that contains "terraform.tfstate" with public access
- main.tf file in my "Azure Cloudshell" with "backend" config for remote statefile
terraform {
  required_version = ">= 1.2.4"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.98.0"
    }
  }
  
  # To store the state in a storage account
  # (Benefit: working with a team; if the local shell is destroyed, local state is lost)
  backend "azurerm" {
    resource_group_name  = "RG-Telco-tf-statefiles"
    storage_account_name = "telcostatefiles"
    container_name       = "tf-statefile-app-1"
    key                  = "terraform.tfstate"
  }
}
This works perfectly. But if I restrict public access in the storage account, my "Azure Cloudshell" no longer has permission to access the statefile.
How can I make it work, and what are the security best practices in this case?
 
                        
I think this is what you need.
After you set this, you can make a network restriction rule and you can allow the cloud shell virtual network.
Some other best practices: