clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License
4.64k stars 987 forks

failed to create azurerm_storage_account because of using insecure tls #774

Closed gfctam closed 2 years ago

gfctam commented 2 years ago

Since the default TLS version is 1.0 (ref: link) when creating azurerm_storage_account, the script will produce an error as below:

```
azurerm_storage_account.detectionlab-storageaccount: Creating...
╷
│ Error: creating Azure Storage Account "diag68b2870546ba9caf": storage.AccountsClient#Create: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'diag68b2870546ba9caf' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"MG-01-0006-cs-069-cs-deny-Storage-sa-require-minimum-tls1.2\",\"id\":\"/providers/Microsoft.Management/managementGroups/MG-01-0006/providers/Microsoft.Authorization/policyAssignments/MG-01-0006-cs-069-deny\"},\"policyDefinition\":{\"name\":\"cs-secure-Storage-sa-require-minimum-tls1.2-cs-069\",\"id\":\"/providers/Microsoft.Management/managementGroups/MG-01-0006/providers/Microsoft.Authorization/policyDefinitions/cs-secure-Storage-sa-require-minimum-tls1.2\"}}]'." Target="diag68b2870546ba9caf" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Storage/storageAccounts","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Storage/storageAccounts"},{"expression":"Microsoft.Storage/storageAccounts/minimumTlsVersion","expressionKind":"Field","expressionValue":"TLS1_0","operator":"Equals","path":"properties.minimumTlsVersion","result":"False","targetValue":"TLS1_2"},{"expression":"id","expressionKind":"Field","expressionValue":"/subscriptions/<subscriptions-id>/resourceGroups/DetectionLab-terraform/providers/Microsoft.Storage/storageAccounts/diag68b2870546ba9caf","operator":"NotContains","path":"id","result":"True","targetValue":"/resourceGroups/MC_"},{"expression":"tags.enforcementId","expressionKind":"Field","operator":"Exists","path":"tags.enforcementId","result":"False","targetValue":"true"}]},"policyAssignmentDisplayName":"MG-01-0006-cs-069-cs-deny-Storage-sa-require-minimum-tls1.2","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/MG-01-0006/providers/Microsoft.Authorization/policyAssignments/MG-01-0006-cs-069-deny","policyAssignmentName":"MG-01-0006-cs-069-deny","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/MG-01-0006","policyDefinitionDisplayName":"cs-secure-Storage-sa-require-minimum-tls1.2-cs-069","policyDefinitionEffect":"deny","policyDefinitionId":"/providers/Microsoft.Management/managementGroups/MG-01-0006/providers/Microsoft.Authorization/policyDefinitions/cs-secure-Storage-sa-require-minimum-tls1.2","policyDefinitionName":"cs-secure-Storage-sa-require-minimum-tls1.2"},"type":"PolicyViolation"}]
│
│   with azurerm_storage_account.detectionlab-storageaccount,
│   on main.tf line 206, in resource "azurerm_storage_account" "detectionlab-storageaccount":
│  206: resource "azurerm_storage_account" "detectionlab-storageaccount" {
```

Therefore, the script should make this update to force using a secure TLS version to create the Azure storage account.
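As an added illustration (not DetectionLab's own main.tf), the storage account resource with the provider default left in place beside the version that pins the minimum TLS version explicitly; the resource name and resource group come from the error above, while the `random_id` reference, region and replication settings are assumptions:

```hcl
# Added example, not the DetectionLab repo's code. Only the resource name and
# resource group appear on the issue page; the other argument values are assumed.
# The two blocks are shown side by side; keep only the AFTER block in main.tf.

# BEFORE: min_tls_version is not set. On azurerm provider 2.x the default is
# TLS1_0, which is exactly what the policy evaluation in the error rejects
# (properties.minimumTlsVersion = TLS1_0, targetValue = TLS1_2, effect = deny).
resource "azurerm_storage_account" "detectionlab-storageaccount" {
  name                     = "diag${random_id.diag.hex}" # assumed name derivation
  resource_group_name      = "DetectionLab-terraform"
  location                 = "eastus"                    # assumed region
  account_tier             = "Standard"                  # assumed
  account_replication_type = "LRS"                       # assumed
}

# AFTER: pin the minimum TLS version in HCL. This keeps the account compliant
# with a "require minimum TLS 1.2" policy regardless of which provider version
# (and therefore which default) is installed.
resource "azurerm_storage_account" "detectionlab-storageaccount" {
  name                     = "diag${random_id.diag.hex}" # assumed name derivation
  resource_group_name      = "DetectionLab-terraform"
  location                 = "eastus"                    # assumed region
  account_tier             = "Standard"                  # assumed
  account_replication_type = "LRS"                       # assumed
  min_tls_version          = "TLS1_2"
}
```

After `terraform apply`, `az storage account show --name <account> --resource-group DetectionLab-terraform --query minimumTlsVersion` should return `TLS1_2`, confirming the setting took effect on the deployed account.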

clong commented 2 years ago

Thank you!