hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Cannot terraform destroy without first removing storage firewall #11071

Open lazarillo opened 3 years ago

lazarillo commented 3 years ago

Community Note

Terraform (and AzureRM Provider) Version

Affected Resource(s)

Azure Storage Gen 2, associated with Azure Machine Learning Workspace, with a firewall enabled.

I do not know that it only affects storage on AML workspaces, but we do have other storage accounts and they do not have any trouble.

Terraform Configuration Files

We have a large set of configurations, but below is the code relevant to this issue.

resource "azurerm_machine_learning_workspace" "amlws" {
  name                    = var.resource_name
  resource_group_name     = data.azurerm_resource_group.rg.name
  location                = data.azurerm_resource_group.rg.location
  application_insights_id = var.application_insights_id
  key_vault_id            = var.key_vault_id
  storage_account_id      = var.storage_account_id

  identity {
    type = var.identity_type
  }

  container_registry_id = var.container_registry_id
  description           = var.description
  sku_name              = var.sku_name
  tags                  = var.tags
}

Debug Output

Error: Error retrieving Container "defaultdatacontainer" (Account "" / Resource Group ""): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation."

Panic Output

Expected Behaviour

Terraform destroy should work, even with a firewall established. At least, that is what I understood from the resolution of issue3925.

Actual Behaviour

Before turning off the firewall, I receive the error above. After turning it off, I am able to destroy.

Steps to Reproduce

  1. terraform destroy

Important Factoids

References

issue3925.

favoretti commented 3 years ago

Hi, thank you for reporting this. I think the 403 in this case is more related to where and with which credentials you're running terraform, alongside the permissions the terraform SPN has on that storage account/container. It's not uncommon to create a resource with terraform and then lock it down to an extent that the SPN terraform uses can not do anything with it anymore. The provider can not go around access constraints you put on created objects, so you gotta take those into account. :)

nadworny commented 3 years ago

I'm getting the same error. This happens as soon as I enable firewall rules. I can create the storage without a problem, but destroying doesn't work unless I whitelist my IP. This behaviour is different, for example, for CosmosDB or PostgreSQL resources: there, after enabling the firewall, I'm still able to destroy, even without whitelisting my IP.

Not sure if I should open a ticket in azure portal for that? In case it's a Microsoft issue, what would be the best way to go forward? Thanks!
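The two comments above describe the same mechanism: the provider's destroy path makes a data-plane call (containers GetProperties in the error) from wherever Terraform runs, and the storage account's network_rules decide whether that caller is allowed. The pre-flight check below is an added example, not code from the provider or from anyone in this thread. It models a storage account's network rule set (default_action, ip_rules, virtual_network_subnet_ids) and reports whether a runner at a given public IP or in a given subnet would be reached by the firewall's default Deny before a destroy is attempted. The rule-set JSON, IP addresses and subnet id are constructed placeholders; the field names mirror the ARM networkRuleSet shape but the evaluation is a simplified model (no private-range or bypass handling beyond a note).

```python
"""Pre-flight check for Terraform runs against a locked-down storage account.

Added example: predicts whether a data-plane request from the Terraform runner
would be rejected by the storage firewall (the 403 AuthorizationFailure seen in
this issue) by evaluating default_action, ip_rules and virtual network rules
the way the azurerm_storage_account network_rules block expresses them.
All sample values below are constructed placeholders.
"""
import ipaddress
import json

# Constructed sample of a locked-down rule set (hypothetical values).
SAMPLE_RULESET = json.dumps({
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.0/24"}, {"value": "198.51.100.7"}],
    "virtualNetworkRules": [
        {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
               "Microsoft.Network/virtualNetworks/<vnet>/subnets/build-agents"}
    ],
})


def parse_ruleset(raw):
    """Parse a networkRuleSet-style JSON document into a normalised dict."""
    doc = json.loads(raw)
    return {
        "default_action": doc.get("defaultAction", "Allow").lower(),
        # ip_rules accept single addresses or CIDR ranges; normalise both to networks
        "ip_rules": [ipaddress.ip_network(r["value"], strict=False)
                     for r in doc.get("ipRules", [])],
        "subnet_ids": {r["id"].lower() for r in doc.get("virtualNetworkRules", [])},
        "bypass": {b.strip().lower() for b in doc.get("bypass", "").split(",") if b},
    }


def runner_is_allowed(ruleset, runner_ip=None, runner_subnet_id=None):
    """Return (allowed, reason) for a Terraform runner at runner_ip and/or
    inside runner_subnet_id.

    Note: bypass=AzureServices only admits trusted Microsoft services; a VM,
    container or pipeline agent running terraform is not one of them, so it is
    deliberately not treated as an allow here.
    """
    if ruleset["default_action"] == "allow":
        return True, "default_action is Allow; firewall does not restrict the runner"

    if runner_subnet_id and runner_subnet_id.lower() in ruleset["subnet_ids"]:
        return True, "runner subnet matches a virtual_network_subnet_ids entry"

    if runner_ip:
        addr = ipaddress.ip_address(runner_ip)
        for net in ruleset["ip_rules"]:
            if addr in net:
                return True, f"runner IP {addr} matches ip_rules entry {net}"

    return (False,
            "no ip_rules or subnet rule matches the runner; data-plane calls made "
            "during terraform destroy will fail with 403 AuthorizationFailure")


if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULESET)
    for ip in ("203.0.113.42", "192.0.2.9"):
        ok, why = runner_is_allowed(rules, runner_ip=ip)
        print(f"{ip}: {'OK' if ok else 'BLOCKED'} - {why}")
```

Run it with the runner's actual egress IP (or the subnet id of a self-hosted agent) substituted for the constructed values; if it reports BLOCKED, the fix is to add that IP or subnet to the account's network_rules before running destroy, which is exactly the whitelisting step described above.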