hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_storage_account - Missing validation error when nfsv3_enabled = true and replication not in (LRS, ZRS) #13933

Open dvasdekis opened 2 years ago

dvasdekis commented 2 years ago

Terraform (and AzureRM Provider) Version

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = ">= 2.82"
    }
  }
  required_version = ">= 1.0.1"
}

provider "azurerm" {
  subscription_id =  ##########
  tenant_id =##############
  storage_use_azuread = true
}

resource "azurerm_resource_group" "rg-fs" {
  name     = "my_rg"  # Name of the resource group we're creating
  location = "australiaeast"  # Happens globally
  provider = azurerm
}

resource "azurerm_storage_account" "lake-fs" {
  name                     = "failedlake" # Storage Account names can't have hyphens
  resource_group_name      = azurerm_resource_group.rg-fs.name
  location                 = azurerm_resource_group.rg-fs.location
  account_tier             = "Standard"
  allow_blob_public_access = false
  account_replication_type = "GRS"  # Fails with anything that isn't LRS or ZRS
  account_kind             = "StorageV2"
  is_hns_enabled           = "true"

  # Define options for network file shares (NFSv3 protocol)  # Fails when we enable for any replication setting other than LRS or ZRS
  nfsv3_enabled            = "true"
  network_rules {  
    default_action         = "Deny" # Required for NFS access. Need to explicitly grant access to IPs later
  }
}

Description / Feedback

A validation error - Microsoft have confirmed that NFSv3 is only available for LRS or ZRS shares

Instead we get:

azurerm_storage_account.lake-fs: Creating...

│ Error: creating Azure Storage Account "failedlake": storage.AccountsClient#Create: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidRequestPropertyValue" Message="The value 'True' is not allowed for property isNfsv3Enabled."
│
│   with azurerm_storage_account.lake-fs,
│   on fail.tf line 42, in resource "azurerm_storage_account" "lake-fs":
│   42: resource "azurerm_storage_account" "lake-fs" {
│
navba-MSFT commented 2 years ago

Regarding the line account_replication_type = "GRS" ---> Could you change this to either LRS or ZRS?

Refer to the documentation: https://docs.microsoft.com/en-us/azure/storage/blobs/network-file-system-protocol-support-how-to

As of now, it should be either LRS or ZRS as explained in the above article.

Setting | Premium performance | Standard performance
-- | -- | --
Replication | Locally-redundant storage (LRS), Zone-redundant storage (ZRS) | Locally-redundant storage (LRS), Zone-redundant storage (ZRS)

dvasdekis commented 2 years ago

> Regarding the line account_replication_type = "GRS" ---> Could you change this to either LRS or ZRS?
>
> Refer to the documentation: https://docs.microsoft.com/en-us/azure/storage/blobs/network-file-system-protocol-support-how-to
>
> As of now, it should be either LRS or ZRS as explained in the above article.
>
> Setting | Premium performance | Standard performance
> -- | -- | --
> Replication | Locally-redundant storage (LRS), Zone-redundant storage (ZRS) | Locally-redundant storage (LRS), Zone-redundant storage (ZRS)

This issue isn't for the fact that GRS or other types aren't supported - it is that Terraform is missing the standard validation error when these types are selected.

EmFl commented 9 months ago

Hello, I get a similar issue with hashicorp/azurerm v3.81.0, so I'm not sure if this should be tagged as legacy.

If you set GRS and nfsv3, which is unsupported on Azure, the error you get on apply is misleading:

Storage Account Name: "mystorageaccount"): storage.AccountsClient#Create: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidRequestPropertyValue" Message="The value 'True' is not allowed for property isNfsv3Enabled."

Also, the documentation states that nfsv3 requires: account_replication_type must be LRS or RAGRS, even though RAGRS is unsupported by MS (see https://learn.microsoft.com/en-us/azure/storage/blobs/network-file-system-protocol-known-issues)

I think a check for supported replication type should be added to the code and documentation should be updated to reflect the correct allowed types.

If someone can confirm that this is the way to go, I can try and submit a PR for this.

Thank you!
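
A pre-apply check for the gap described in this thread, as an added example that is not part of the issue or the provider's own code: it reads the JSON plan produced by `terraform show -json` and flags any `azurerm_storage_account` that sets `nfsv3_enabled = true` with a replication type other than LRS or ZRS. The helper name `checkNfsv3Replication` and the sample plan are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// plan is the subset of the `terraform show -json` plan representation used here.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			After map[string]interface{} `json:"after"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// samplePlan is constructed: one account reproduces the issue (GRS + NFSv3), one is valid.
const samplePlan = `{"resource_changes":[
 {"address":"azurerm_storage_account.lake-fs","type":"azurerm_storage_account",
  "change":{"after":{"account_replication_type":"GRS","nfsv3_enabled":true}}},
 {"address":"azurerm_storage_account.ok","type":"azurerm_storage_account",
  "change":{"after":{"account_replication_type":"ZRS","nfsv3_enabled":true}}}]}`

// checkNfsv3Replication (hypothetical helper) returns one finding per storage
// account that enables NFSv3 with a replication type other than LRS or ZRS.
func checkNfsv3Replication(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parsing plan JSON: %w", err)
	}
	var findings []string
	for _, rc := range p.ResourceChanges {
		// After is null for a planned destroy; values unknown until apply are absent.
		nfs, _ := rc.Change.After["nfsv3_enabled"].(bool)
		repl, known := rc.Change.After["account_replication_type"].(string)
		if rc.Type != "azurerm_storage_account" || !nfs || !known {
			continue
		}
		if repl != "LRS" && repl != "ZRS" {
			findings = append(findings, fmt.Sprintf("%s: nfsv3_enabled = true "+
				"requires account_replication_type LRS or ZRS, got %q", rc.Address, repl))
		}
	}
	return findings, nil
}

func main() { fmt.Println(checkNfsv3Replication([]byte(samplePlan))) }
```

Run against a real plan, this reports the misconfiguration before `apply`, instead of the `InvalidRequestPropertyValue` 400 returned by the Azure API.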