search

Azure / azure-storage-net

Microsoft Azure Storage Libraries for .NET
Apache License 2.0
445 stars 370 forks source link

Policy: "Storage accounts should restrict network access" is triggered even public access is completely disabled. #1096

Open fabio-s-franco opened 7 months ago

fabio-s-franco commented 7 months ago

Which service(blob, file, queue, table) does this issue concern?

None in particular, but instead the storage account as a whole

Which version of the SDK was used?

This is from azurerm terraform provider, which seems to be using these:

import (
    "fmt"

    "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage" // nolint: staticcheck
    storage_v2023_01_01 "github.com/hashicorp/go-azure-sdk/resource-manager/storage/2023-01-01"
    "github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/cloudendpointresource"
    "github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/storagesyncservicesresource"
    "github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/syncgroupresource"
    "github.com/hashicorp/go-azure-sdk/sdk/auth"
    "github.com/hashicorp/go-azure-sdk/sdk/client/resourcemanager"
    "github.com/hashicorp/terraform-provider-azurerm/internal/common"
)

Which platform are you using? (ex: .NET Core 2.1)

Terraform AzureRM 3.97.1

What problem was encountered?

I am not able to create a storage account with public network access disable due to the police: "Storage accounts should restrict network access".

It requires to have DefaultAction = "Deny", even when it is not applicable. With public access disabled, this rule should not require the network rule, since it only becomes accessible via private link services (that can only be exposed via private endpoint).

How can we reproduce the problem in the simplest way?

Setup a private network and try to create a storage account with public network access disabled. I am not quite sure how that translates to the API/SDK, but that's what it takes.

Have you found a mitigation/solution?

I set DefaultAction to "Deny", even though it is not applicable. The main problem here is finding the root cause effectively, since this is not an error to be expected in this setup.