Creating Azure Storage Containers in a storage account with network rules, with Terraform
I am trying to write Terraform that will create an Azure Storage account and then a bunch of storage containers inside it. An important detail is that the storage account has network rules that restrict access to a specific address space. This was causing the container creation to fail.
I managed to get around this by using azurerm_storage_account_network_rules, depending on the containers so not to block their creation. Something like this:
resource "azurerm_storage_account" "this" {
name = local.storage_name
resource_group_name = azurerm_resource_group.this.name
location = var.location
account_tier = "Standard"
account_kind = "StorageV2"
is_hns_enabled = true
account_replication_type = "LRS"
}
resource "azurerm_storage_container" "data" {
for_each = toset(var.storage_containers)
name = each.value
storage_account_name = azurerm_storage_account.this.name
container_access_type = "private"
}
# FIXME This order prevents destruction of infrastructure :(
resource "azurerm_storage_account_network_rules" "this" {
storage_account_id = azurerm_storage_account.this.id
default_action = "Deny"
bypass = ["AzureServices"]
virtual_network_subnet_ids = [
# Some address space here...
]
# NOTE The order here matters: We cannot create storage
# containers once the network rules are locked down
depends_on = [
azurerm_storage_container.data
]
}
This works for creating the infrastructure, but when I try to terraform destroy, I get a 403 authentication error:
Error: retrieving Container "data" (Account "XXX" / Resource Group "XXX"): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:XXX\nTime:XXX"
This is with my Service Principal, which has Contributor and User Access Administrator roles on the same subscription. Interestingly, when I'm logged in to the Azure Portal as myself (with the Owner role), I can add and remove storage containers regardless of the network rules being present.
So, is there a way of setting the Terraform dependencies such that they can both be built and destroyed without hitting any authentication conflicts? Alternatively, would upgrading my SP's role to Owner (or adding another, more targeted role) solve the problem?
This is an expected behavior as you are setting up the network rules for the storage account to deny and only bypassing the Azure Services.
When you deny and bypass Azure Services the Azure Services like Azure Portal's IP gets the access to the storage account and you are able to delete it . But at the same time , when you use terraform to perform a destroy , then it denies because your IP which is being used by your machine to send terraform requests to Azure is not bypassed.
I tested your code like below with the same permissions:
As a Solution you will have to add ip rules while creating the storage account to the add the client_ip like below :
provider "azurerm" {
features{}
client_id="f6a2f33d-xxxx-xxxx-xxxx-xxxx"
client_secret= "GZ67Q~xxxx~3N-qLT"
tenant_id = "72f988bf-xxxx-xxxx-xxxx-2d7cd011db47"
subscription_id="948d4068-xxxx-xxxx-xxxx-xxxx"
}
locals {
storage_name = "ansumantestsacc12"
subnet_id_list = [
"/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/virtualNetworks/xxxx/subnets/xxxx"
]
my_ip = ["xx.xx.xx.xxx"] # IP used by me
}
variable "storage_containers" {
default = [
"test",
"terraform"
]
}
data "azurerm_resource_group" "this" {
name = "ansumantest"
}
resource "azurerm_storage_account" "this" {
name = local.storage_name
resource_group_name = data.azurerm_resource_group.this.name
location = data.azurerm_resource_group.this.location
account_tier = "Standard"
account_kind = "StorageV2"
is_hns_enabled = true
account_replication_type = "LRS"
}
resource "azurerm_storage_container" "data" {
for_each = toset(var.storage_containers)
name = each.value
storage_account_name = azurerm_storage_account.this.name
container_access_type = "private"
}
# FIXED
resource "azurerm_storage_account_network_rules" "this" {
storage_account_id = azurerm_storage_account.this.id
default_action = "Deny"
bypass = ["AzureServices"]
ip_rules = local.my_ip # need to set this to use terraform in our machine
virtual_network_subnet_ids = local.subnet_id_list
# NOTE The order here matters: We cannot create storage
# containers once the network rules are locked down
depends_on = [
azurerm_storage_container.data
]
}
Output:
- How to take max value and replace it in drived column in data factory
- Synapse/ ADF - How to Truncate table if dynamic config column is True in pre-copy script
- Azure Cost Management - track costs associated with Databricks job
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions