Storage account IP-rules not accepting ARM expressions

[Thorium]

If I pass an arm-expression to restrict_to_ip then the build will fail saying it cannot recognize the IP address format.

I would like to do something like this:

storageAccount {
   //...
   restrict_to_ip (myVMconfig.PublicIpAddress.Value.Eval())
}

[Thorium]

Looking into this a bit, and it might be that it's not possible:

ARM template for StorageAccounts

• ARM supports only a string for ipRules, not ResourceIds.
• There is resourceAccessRules, so that could work. However the resource-types available for that are not clear: If you go to Azure portal, there is a dropdown that has some resources, but does not have virtual machines, ip-addresses, etc.

There are some possible workarounds (with other consequences), for example:

• Attach the VMs to same VNet than the Storage Accounts
• Return the VMs' IPs as output-parameters from a deployment and run another deployment to add those IPs to the Storage Account ipRules.
• Instead of IP firewall, use AD, managed identities or other access policies.

[isaacabraham]

Hmmmm. @Thorium it might be worth reaching out to someone on the Azure Storage team to find out how to do this - the docs are often not clear.

[ninjarobot]

@Thorium I see the issue after trying this. The ipRules field needs the address to be a CIDR block, so for a single IP, it will need to have "/32" appended to the end, so if you VM public IP is 100.72.65.55, you'll need to pass 100.72.64.55/32. This will require a "concat" in the ARM expression so you can reference the VM's IP in the deployment.

[martinbryant]

@Thorium are we ok to close this issue?