NHSDigital · mrlockstar · Jun 1, 2026 · May 20, 2026
diff --git a/infrastructure/modules/container-app/main.tf b/infrastructure/modules/container-app/main.tf
@@ -81,7 +81,6 @@ resource "azurerm_container_app" "main" {
     }
   }
 
-
   dynamic "secret" {
     for_each = var.secret_variables
     content {

diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf
@@ -10,6 +10,9 @@ resource "azurerm_storage_account" "storage_account" {
   access_tier                   = var.access_tier
   shared_access_key_enabled     = var.shared_access_key_enabled
 
+  # Public access controls
+  allow_nested_items_to_be_public = var.allow_nested_items_to_be_public
+
   tags = var.tags
 
   blob_properties {

diff --git a/infrastructure/modules/storage/tfdocs.md b/infrastructure/modules/storage/tfdocs.md
@@ -126,6 +126,14 @@ Type: `string`
 
 Default: `"PT5M"`
 
+### <a name="input_allow_nested_items_to_be_public"></a> [allow\_nested\_items\_to\_be\_public](#input\_allow\_nested\_items\_to\_be\_public)
+
+Description: Allows or disallows public access to nested items within a container, such as blobs, when the container itself is public. Defaults to false.
+
+Type: `bool`
+
+Default: `false`
+
 ### <a name="input_availability_low_threshold"></a> [availability\_low\_threshold](#input\_availability\_low\_threshold)
 
 Description: This will alert of storage queue transactions is higher that given value, default will be 99.
@@ -238,7 +246,7 @@ Default: `null`
 
 ### <a name="input_shared_access_key_enabled"></a> [shared\_access\_key\_enabled](#input\_shared\_access\_key\_enabled)
 
-Description: Enables or disables Shared Key authorization for the storage account, defaults will be true.
+Description: Enables or disables Shared Key authorization for the storage account. Defaults to true. If set to false, access must be authenticated using Microsoft Entra ID (Azure AD). Terraform deployments should configure the AzureRM provider with `storage_use_azuread = true` to allow storage data-plane operations without using storage account access keys.
 
 Type: `bool`
 

diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
@@ -220,10 +220,16 @@ variable "share_properties_retention_policy_days" {
 
 variable "shared_access_key_enabled" {
   type        = bool
-  description = "Enables or disables Shared Key authorization for the storage account, defaults will be true."
+  description = "Enables or disables Shared Key authorization for the storage account. Defaults to true. If set to false, access must be authenticated using Microsoft Entra ID (Azure AD). Terraform deployments should configure the AzureRM provider with `storage_use_azuread = true` to allow storage data-plane operations without using storage account access keys."
   default     = true
 }
 
+variable "allow_nested_items_to_be_public" {
+  type        = bool
+  description = "Allows or disallows public access to nested items within a container, such as blobs, when the container itself is public. Defaults to false."
+  default     = false
+}
+
 locals {
   alert_frequency_map = {
     PT5M  = "PT1M"
-Original file line number
+Diff line change
@@ Expand Up / @@ -81,7 +81,6 @@ resource "azurerm_container_app" "main" { @@
         }
       }
       dynamic "secret" {
         for_each = var.secret_variables
         content {
@@ Expand Down @@