Open ssrahul96 opened 2 years ago
From the debug logs, I could see the below issue:
{"status":"Failed","error":{"code":"NetworkAclsValidationFailure","message":"Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured:Subnets cnatest-subnet of virtual network /subscriptions/6000915e-6d07-4eb2-9b61-5e03f46fb8fb/resourceGroups/devopsnow-poc-rg/providers/Microsoft.Network/virtualNetworks/CnaDev3-VNET do not have ServiceEndpoints for Microsoft.Storage resources configured. Add Microsoft.Storage to subnet's ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets.."}}
The Subnet I am associating does not have the storage service endpoint enabled.
Can we add ignore_missing_virtual_network_service_endpoint config under network_rules? Similar to EventHub? https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace#ignore_missing_virtual_network_service_endpoint
@ssrahul96 It appears you didn't specify the service_endpoints = ["Microsoft.Storage"] in your subnet config.
Yeah, I've noticed that and I've fixed it at my end! I am raising this issue to throw that error message (or) provide an option to validate it.
@ssrahul96 Unfortunately, the API definition of the network rule set for storage account doesn't have the same option ignore_missing_virtual_network_service_endpoint as the azurerm_eventhub_namespace: https://github.com/Azure/azure-rest-api-specs/blob/62631144da413d71bf332bd0104bbcbffe55d642/specification/storage/resource-manager/Microsoft.Storage/stable/2021-04-01/storage.json#L2376-L2383.
You are right, the error message is misleading. This is derived from the incorrect status code returned from the creation request of the storage account when the subnet is not correctly configured, where it returns 200, but it shouldn't:
2022-04-26T13:30:56.592+0530 [DEBUG] provider.terraform-provider-azurerm_v3.3.0_x5.exe: AzureRM Request:
GET /subscriptions/6000915e-6d07-4eb2-9b61-5e03f46fb8fb/providers/Microsoft.Storage/locations/eastus/asyncoperations/4ca4f381-0f93-4b0c-a69e-5a8ec147f49c?monitor=true&api-version=2021-04-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.18.1 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v63.0.0 storage/2021-04-01 HashiCorp Terraform/1.1.9 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Correlation-Request-Id: b166e97f-7701-74d4-869c-c9f1eb7bec43
Accept-Encoding: gzip: timestamp=2022-04-26T13:30:56.592+0530
2022-04-26T13:30:56.858+0530 [DEBUG] provider.terraform-provider-azurerm_v3.3.0_x5.exe: AzureRM Response for https://management.azure.com/subscriptions/6000915e-6d07-4eb2-9b61-5e03f46fb8fb/providers/Microsoft.Storage/locations/eastus/asyncoperations/4ca4f381-0f93-4b0c-a69e-5a8ec147f49c?monitor=true&api-version=2021-04-01:
HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Tue, 26 Apr 2022 08:00:55 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: b166e97f-7701-74d4-869c-c9f1eb7bec43
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11998
X-Ms-Request-Id: f9180172-069c-4af3-bda7-c8c848b7a0eb
X-Ms-Routing-Request-Id: SOUTHINDIA:20220426T080056Z:03e36e7b-18f0-4573-ac4d-2c0c298fb31e
{"status":"Failed","error":{"code":"NetworkAclsValidationFailure","message":"Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured:Subnets cnatest-subnet of virtual network /subscriptions/6000915e-6d07-4eb2-9b61-5e03f46fb8fb/resourceGroups/devopsnow-poc-rg/providers/Microsoft.Network/virtualNetworks/CnaDev3-VNET do not have ServiceEndpoints for Microsoft.Storage resources configured. Add Microsoft.Storage to subnet's ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets.."}}: timestamp=2022-04-26T13:30:56.858+0530
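The behaviour described in the comment above (HTTP 200 on the polled operation while the body reports "Failed"), as an added Go example that is not the provider's or the SDK's code: a poll-result check that takes the terminal state from the body instead of the status code. The type and function names are hypothetical, and the sample body is constructed from the logged response with the message shortened.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// asyncOperation holds only the fields visible in the logged response body.
type asyncOperation struct {
	Status string `json:"status"`
	Error  *struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// evalAsyncOperation reports whether polling is finished (first result) and
// whether the operation failed (second result). A 2xx status code alone is
// never treated as success; the body's "status" field decides.
func evalAsyncOperation(httpStatus int, body []byte) (bool, error) {
	if httpStatus < 200 || httpStatus > 299 {
		return true, fmt.Errorf("polling request failed: HTTP %d", httpStatus)
	}
	var op asyncOperation
	if uerr := json.Unmarshal(body, &op); uerr != nil {
		return true, fmt.Errorf("unreadable operation body: %w", uerr)
	}
	switch strings.ToLower(op.Status) {
	case "succeeded":
		return true, nil
	case "failed", "canceled":
		if op.Error != nil {
			return true, fmt.Errorf("operation %s: %s: %s", op.Status, op.Error.Code, op.Error.Message)
		}
		return true, fmt.Errorf("operation %s with no error detail", op.Status)
	default:
		// Assumption: any other value (e.g. "InProgress") is not terminal.
		return false, nil
	}
}

// Constructed sample: same shape as the logged body, message shortened.
const sampleBody = `{"status":"Failed","error":{"code":"NetworkAclsValidationFailure","message":"Validation of network acls failure (shortened)"}}`

func main() {
	done, err := evalAsyncOperation(200, []byte(sampleBody))
	fmt.Println(done, err)
}
```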
Exactly. When I am running without DEBUG enabled, I am getting the below error, which is misleading:
azurerm_storage_account.stg: Creating...
azurerm_storage_account.stg: Still creating... [10s elapsed]
azurerm_storage_account.stg: Still creating... [20s elapsed]
╷
│ Error: retrieving Storage Account: (Name "stgissue1" / Resource Group "my-poc-rg"): storage.AccountsClient#GetProperties: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account stgissue1 was not found."
│
│ with azurerm_storage_account.stg,
│ on main.tf line 26, in resource "azurerm_storage_account" "stg":
│ 26: resource "azurerm_storage_account" "stg" {
│
╵
Is this because of the incorrect state code that is returned from the previous API?
@ssrahul96 Yes, the error you see above is from a later point after creating the storage account. But the provider should have errored out during creation.
Should an issue be created in https://github.com/Azure/azure-rest-api-specs ?
@ssrahul96 Exactly, I'm working on that! Also trying to provide a workaround in the provider 👍
Sure Thanks
The upstream issue is filed here: https://github.com/Azure/azure-rest-api-specs/issues/18844
Did the work around work for anyone by having service_endpoints = ["Microsoft.Storage"] specified?
@dc232 yes, it should work after adding the service_endpoint
Thanks @ssrahul96
Ran into this issue today, thanks @dc232 for your comment. That fixed it for me :) The error message could've been a little bit clearer though.
Same here, thanks @dc232
Is there anyone else running into this issue who has not had @dc232's workaround work for them?!?
The org I work for we have an infrastructure team who deploys the vnets, subnets etc., and that has the Microsoft.Storage enabled for those, and have been enabled for a good couple of years now, but yet I'm trying to recreate one of our deployments (destroyed the old SA and redeployed due to changes in the replication type, which can't be amended when using premium) and now getting this same error, but the vnet/subnet are all configured correctly...
Terraform Version
1.1.9
AzureRM Provider Version
3.3.0
Affected Resource(s)/Data Source(s)
azurerm_storage_account
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
The Storage account should be created
Actual Behaviour
The Storage account creation exits with issue
Steps to Reproduce
terraform apply