hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for Resource Instances in the Firewall for Storage Accounts #13544

Open kevinmatthews-kpmg opened 3 years ago

kevinmatthews-kpmg commented 3 years ago

Community Note

Description

There is an option for resource instances in the firewall for storage accounts; this allows you to choose a resource type and resource instance that should be allowed through the firewall. An example of this might be to allow an Azure Synapse workspace to connect to the storage account.

New or Affected Resource(s)

Potential Terraform Configuration

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action             = "Deny"
    ip_rules                   = ["100.0.0.1"]
    virtual_network_subnet_ids = [azurerm_subnet.example.id]

    # Proposed block: identify the allowed instance either by type and name ...
    resource_instance {
      resource_type = "Microsoft.Synapse/workspaces"
      instance_name = "<resource name>"
      # or
      # ... by its full resource ID
      resource_id = azurerm_synapse_workspace.example.id
    }
  }
}

References

aslatter commented 2 years ago

This feature is now GA: https://azure.microsoft.com/en-us/updates/storage-resource-instance-rules-ga/

It appears that the REST APIs for creating Storage Accounts support this feature: https://docs.microsoft.com/en-us/rest/api/storagerp/storage-accounts/create?tabs=HTTP#networkruleset

jeraldkphilip-ust commented 2 months ago

Is there a workaround to add resource instances via Terraform?

aslatter commented 2 months ago

It's supported today - it's just called private_link_access:

A private_link_access block supports the following:
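
The configuration proposed in the issue, rewritten with the `private_link_access` block named in the last comment. This is an added example, not part of the thread or the provider's documentation; the variables `synapse_workspace_id` and `synapse_principal_id` are hypothetical inputs, and the subnet rule from the proposal is left out to keep the example self-contained.

```hcl
provider "azurerm" {
  features {}
}

# Hypothetical inputs: the workspace that should pass the firewall, and the
# object ID of its system-assigned managed identity.
variable "synapse_workspace_id" {
  type        = string
  description = "Full ARM resource ID of the Synapse workspace"
}

variable "synapse_principal_id" {
  type        = string
  description = "Object ID of the workspace's managed identity"
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    # Deny by default; only the listed IP and the one resource instance pass.
    default_action = "Deny"
    ip_rules       = ["100.0.0.1"]

    # Resource instance rule: scoped to a single workspace, not a whole service.
    private_link_access {
      endpoint_resource_id = var.synapse_workspace_id
    }
  }
}

# The firewall rule only lets the workspace reach the account. What it may do
# with the data is still decided by role assignments on its identity.
resource "azurerm_role_assignment" "synapse_blob" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.synapse_principal_id
}
```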