From 69a898c0018d31e3835ca7ab32edb69cbd585182 Mon Sep 17 00:00:00 2001
From: Shahid Azim
Date: Fri, 27 Mar 2026 15:22:16 +0000
Subject: [PATCH] feat: [DTOSS-12154] provide a functionality to enable or disable shared access key
---
 infrastructure/modules/storage/main.tf | 3 +-
 infrastructure/modules/storage/tfdocs.md | 40 +++++++++++++++++++++
 infrastructure/modules/storage/variables.tf | 6 ++++
 3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf
index 8ba596c8..d2d9cde2 100644
--- a/infrastructure/modules/storage/main.tf
+++ b/infrastructure/modules/storage/main.tf
@@ -8,6 +8,7 @@ resource "azurerm_storage_account" "storage_account" {
 account_tier = var.account_tier
 public_network_access_enabled = var.public_network_access_enabled
 access_tier = var.access_tier
+ shared_access_key_enabled = var.shared_access_key_enabled
 tags = var.tags
@@ -177,7 +178,7 @@ module "diagnostic-settings-sa-resource" {
 source = "../diagnostic-settings"
 name = "${azurerm_storage_account.storage_account.name}-diagnotic-setting-storage-account"
- target_resource_id = "${azurerm_storage_account.storage_account.id}"
+ target_resource_id = azurerm_storage_account.storage_account.id
 log_analytics_workspace_id = var.log_analytics_workspace_id
 enabled_metric = var.monitor_diagnostic_setting_storage_account_resource_metrics
diff --git a/infrastructure/modules/storage/tfdocs.md b/infrastructure/modules/storage/tfdocs.md
index 9546da04..794cc8e2 100644
--- a/infrastructure/modules/storage/tfdocs.md
+++ b/infrastructure/modules/storage/tfdocs.md
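Review bot: Setting the new `shared_access_key_enabled` argument on `azurerm_storage_account.storage_account` to false also changes how Terraform itself must authenticate. The azurerm provider uses Shared Key for storage data-plane operations unless `storage_use_azuread = true` is set in the provider block, so any containers, queues or shares this module manages (not visible in this hunk) would likely fail to plan or apply once a caller opts out. The module should state that prerequisite, for example with a comment above the line such as `# false requires storage_use_azuread = true in the azurerm provider and data-plane RBAC roles for the deploying identity`. It is also worth checking whether the module exposes access keys or connection strings as outputs, since consumers can no longer use them when the flag is false. The resource body continues outside the hunk.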
@@ -129,6 +129,14 @@ Type: `number`
 Default: `99`
+### [blob\_properties\_change\_feed\_enabled](#input\_blob\_properties\_change\_feed\_enabled)
+
+Description: Is the blob service properties for change feed events enabled? Required for Point-in-Time Restore.
+
+Type: `bool`
+
+Default: `false`
+
 ### [blob\_properties\_delete\_retention\_policy](#input\_blob\_properties\_delete\_retention\_policy)
 Description: The value set for blob properties delete retention policy.
@@ -137,6 +145,14 @@ Type: `number`
 Default: `null`
+### [blob\_properties\_restore\_policy\_days](#input\_blob\_properties\_restore\_policy\_days)
+
+Description: Specifies the number of days that the blob can be restored. Set to null to disable by default. Note: Must be less than blob and container delete retention policy days.
+
+Type: `number`
+
+Default: `null`
+
 ### [blob\_properties\_versioning\_enabled](#input\_blob\_properties\_versioning\_enabled)
 Description: To enable versioning for blob.
@@ -145,6 +161,14 @@ Type: `bool`
 Default: `false`
+### [container\_delete\_retention\_policy\_days](#input\_container\_delete\_retention\_policy\_days)
+
+Description: Specifies the number of days that the container should be retained. Defaulting to 7 for baseline data protection.
+
+Type: `number`
+
+Default: `7`
+
 ### [enable\_alerting](#input\_enable\_alerting)
 Description: Whether monitoring and alerting is enabled for the PostgreSQL Flexible Server.
@@ -199,6 +223,22 @@ Type: `list(string)`
 Default: `[]`
+### [share\_properties\_retention\_policy\_days](#input\_share\_properties\_retention\_policy\_days)
+
+Description: Specifies the number of days that the file share should be retained. Set to null to disable by default, or provide a number to enable.
+
+Type: `number`
+
+Default: `null`
+
+### [shared\_access\_key\_enabled](#input\_shared\_access\_key\_enabled)
+
+Description: Enables or disables Shared Key authorization for the storage account, defaults will be true.
+
+Type: `bool`
+
+Default: `true`
+
 ### [storage\_account\_service](#input\_storage\_account\_service)
 Description: n/a
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
index 17687488..3e3318eb 100644
--- a/infrastructure/modules/storage/variables.tf
+++ b/infrastructure/modules/storage/variables.tf
@@ -213,6 +213,12 @@ variable "share_properties_retention_policy_days" {
 default = null
 }
+variable "shared_access_key_enabled" {
+ type = bool
+ description = "Enables or disables Shared Key authorization for the storage account, defaults will be true."
+ default = true
+}
+
 locals {
 alert_frequency_map = {
 PT5M = "PT1M"
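Review bot: The `default = true` on `shared_access_key_enabled` in variables.tf keeps Shared Key authorization on for every caller that does not set the variable, so account keys and SAS tokens signed with them stay valid and the hardening is opt-in only. If flipping the default is too disruptive for existing consumers, the description should at least state the security trade-off rather than "defaults will be true", for example `description = "Whether Shared Key authorization (account keys and SAS tokens signed with them) is permitted. Set to false to reject key-authorized requests, leaving Microsoft Entra ID as the authorization path."`. The matching entry in tfdocs.md repeats the description and would need the same update. The `locals` block after the variable continues outside the hunk.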