What is New with CBS Terraform Provider 0.9.0

Added support to new CBS SKU Model, security enhancement, and more ...

Posted by Adam Mazouz on Friday, July 7, 2023
Reading Time: 4 minutes

Header Photo by Juli Kosolapova on Unsplash


If you are a public cloud user, you must have used or plan on using automation to deploy infrastructure resources and service. In Pure Storage, we have built a Terraform Provider that can be used to deploy Pure Cloud Block Store (CBS). I have been using this Provider for internal testing and also delivering demos and proof of concepts.

In this blog post, I will cover what is new with CBS Terraform Provider latest versions. If you haven’t used it before, no worries, I got you covered in the previous Blog.

Supporting New CBS Model

CBS Terraform Provider version is released in parallel to Purity//FA version 6.4.7. This is an important release to Pure CBS, as new SKU model added to the original two model V10MUR1, V20MUR1. The new V20MP2R2 is based on newly Azure infrastructure, replacing Dsv3 Azure VMs by EbdsV5, this pumps the performance to 30% higher than V20MUR1 for IOPS and Bandwidth. Also replacing the Ultra SSD used as a backend storage in the old SKU to the relatively new PremiumV2 Managed Disk, which drives down the total price of running CBS Azure infrastructure up to 70%.

CBS’s latest release is a significant milestone, it is not only enhances cost savings for Pure customers but also amplifies their ability to achieve even greater savings through its enterprise-grade data reduction capabilities. I will cover the cost optimization in details in a future blog. For now, lets stick to the changes in the Terraform Provider.

    resource "cbs_array_azure" "azure_instance" {
        array_model = "V20MP2R2"    #<--  CBS Models available are (V10MUR1, V20MUR1, V20MP2R2)

Before going forward to deploying CBS with the new SKU make sure to check the regions supported here. If the region you want to deploy to is not available you can request it by contacting your Pure Storage account team.

Adding support for User Managed Identity

Previously, CBS arrays are deployed with open access to CosmosDB and Key Vault resources that are deployed within the managed application. This doesn’t particularly mean the open access is a security vulnerability, since both resources are using key based authentication. Unless you get those keys, you can not authenticate. The motive for this enhancement is to restrict access and to cover any security flags during auditing.

In order to reconfigure those resources and restrict access to only from incoming traffic from array VNet/ System Subnet. Therefore, User Managed Identity is required and has to be assigned with joinViaServiceEndpoint/action permission over the CBS VNet, this is done with Azure least privilege access rule.

cbs_array_azure has new required argument user_assigned_identity where to pass the User Managed Identity Id.

resource "cbs_array_azure" "azure_instance" {
    user_assigned_identity = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/resourcegroups/mock_resource_group_name/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xxxxxxx"

If you would like to create and configure User Managed Identity with Terraform, check the module I have built here. or here in the implementation guide.

Adding cbs_azure_plans

Another significant update pushed in 0.8.0 I though I have to mention here. Previously, we have to fetch the CBS marketplace plan for each version and hard code it or pass it as variable to cbs_array_azure.plan block.

This release has new data cbs_azure_plans block, where it programmatically fetches and provides a list of all CBS Azure plans available in the Marketplace. It is sorted by the version, the latest being on top [0]. See example below.

data "cbs_azure_plans" "azure_plans" {}

resource "cbs_array_azure" "azure_instance" {

    plan {
        name = data.cbs_azure_plans.azure_plans.plans[0].name
        product = data.cbs_azure_plans.azure_plans.plans[0].product
        publisher = data.cbs_azure_plans.azure_plans.plans[0].publisher
        version = data.cbs_azure_plans.azure_plans.plans[0].version

    lifecycle {
        ignore_changes = [

# This will list all the available plans on the Marketplace, if you would like to output the deployed "latest" plan. add [0] at the end of the value. 
output "cbs_azure_available_plans" {
    value = data.cbs_azure_plans.azure_plans.plans

Useful Links

A couple of useful links if you would like to read more or give it a spin yourself.

If you have a feature request or you hit an issue, I recommend raising an issue on the GitHub page.


Terraform remains the go-to tool for deploying cloud infrastructure, continuously proving its worth. The modifications introduced in this release not only align with the latest CBS updates but also focus on provider maintenance, incorporating new features, and resolving any issues.

Should you have any inquiries or feedback, kindly leave them in the comments section below. Thank you for your readership, and happy coding with Terraform!

comments powered by Disqus