---
constants:
  __name: "{{ name }}_{{ __guid }}"
variables:
  name:
    desc: "Name of the storage account. Must be globally unique."
    required: true
    group: Storage Account Details
  resource_group_name:
    desc: "Name of the resource group."
    required: true
    group: Storage Account Details
    links_to: resource.azurerm_resource_group.name
  location:
    desc: "Azure region where the storage account will be created."
    required: true
    group: Storage Account Details
    default: "eastus"
  account_tier:
    desc: "Performance tier of the storage account."
    required: false
    group: Storage Account Details
    default: "Standard"
    suggested: "Standard"
  account_replication_type:
    desc: "Replication type for the storage account."
    required: false
    group: Storage Account Details
    default: "LRS"
    suggested: "LRS"
  account_kind:
    desc: "Kind of storage account."
    required: false
    group: Storage Account Details
    default: "StorageV2"
    suggested: "StorageV2"
  access_tier:
    desc: "Access tier for BlobStorage and StorageV2 accounts."
    required: false
    group: Storage Account Details
    default: "Hot"
    suggested: "Hot"
  enable_https_traffic_only:
    desc: "Enforce HTTPS traffic only."
    required: false
    group: Security
    default: true
  min_tls_version:
    desc: "Minimum TLS version to be permitted on requests."
    required: false
    group: Security
    default: "TLS1_2"
  network_rules:
    group: Network Rules
    required: false
    advanced: true
  tags:
    group: Tags
    required: false
groups:
  Storage Account Details:
    order: 1
    desc: "Basic settings for the storage account."
  Security:
    order: 2
    desc: "Security settings for the storage account."
  Network Rules:
    order: 3
    desc: "Network access rules for the storage account."
  Tags:
    order: 4
    desc: "Tags to assign to the storage account."
---

resource "azurerm_storage_account" "__name" {
  name                     = {{ name }}
  resource_group_name      = {{ resource_group_name }}
  location                 = {{ location }}
  account_tier             = {{ account_tier }}
  account_replication_type = {{ account_replication_type }}
  account_kind             = {{ account_kind }}
  access_tier              = {{ access_tier }}
  enable_https_traffic_only = {{ enable_https_traffic_only }}
  min_tls_version          = {{ min_tls_version }}

  {{# network_rules }}
  network_rules {
    default_action = {{ network_rules.default_action | desc: "Allow or Deny access when no network rules match." | required: true | default: "Deny" }}

    ip_rules = [
      {{# network_rules.ip_rules }}
        "{{ network_rules.ip_rules }}",
      {{/ network_rules.ip_rules }}
    ]

    virtual_network_subnet_ids = [
      {{# network_rules.virtual_network_subnet_ids }}
        {{ network_rules.virtual_network_subnet_ids }},
      {{/ network_rules.virtual_network_subnet_ids }}
    ]

    bypass = [
      {{# network_rules.bypass }}
        "{{ network_rules.bypass }}",
      {{/ network_rules.bypass }}
    ]
  }
  {{/ network_rules }}

  tags = {
    Name = {{ name }}
    {{# tags }}
      {{ tags.key | required: false }} = {{ tags.value | required: false }}
    {{/ tags }}
  }
}

// Enforces HTTPS traffic only and sets minimum TLS version to TLS 1.2 for enhanced security.
// Defaults to StorageV2 account kind and LRS replication for best compatibility and cost-effectiveness.
// Allows configuration of network rules to restrict access.
// Encourages tagging for resource identification and management.
//