Open marciobarbato opened 1 year ago
Guys, any news on that?
Hello, is there any update on this?
Validation of network acls failure: ResourceBeingAcledHasWrongLocation:Microsoft.Storage resources in eastus2 cannot be ACL-ed to virtual network /subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/virtualNetworks/REDACTED in eastus. Only resources in eastus, westus, westus3 can be ACL-ed to virtual networks in eastus.. (Code: NetworkAclsValidationFailure)
I've stumbled on the above error, which is misleading. Why would I be able to ACL from a region on the other side of the country but not the region right next to it?
This is not a bug in the Terraform provider but rather a limitation of Azure. You need to make sure that the service endpoint Microsoft.Storage.Global is enabled on the subnet that you want to apply the ACL to.
The regular Microsoft.Storage endpoint only works for the local region and the paired region, not for any other region (even though they might be neighbouring regions such as eastus and eastus2, they're not paired).
More information can be found here: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#azure-storage-cross-region-service-endpoints
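The fix described in the comment above, as an added Terraform example (not code from this issue thread or from the provider project): a subnet in eastus with the Microsoft.Storage.Global endpoint, allowed through the firewall of a storage account in eastus2. All resource names and address ranges are hypothetical placeholders.

```hcl
# Constructed example: names, address ranges and the storage account name
# are placeholders, not values from the issue.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-example"
  location = "eastus"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  location            = "eastus"
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "clients" {
  name                 = "snet-clients"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  # With "Microsoft.Storage" here, only storage accounts in the local and
  # paired regions can be ACL-ed to this subnet, and the network rule below
  # fails with NetworkAclsValidationFailure.
  # Azure does not allow "Microsoft.Storage" and "Microsoft.Storage.Global"
  # on the same subnet, so replace the endpoint rather than adding a second one.
  service_endpoints = ["Microsoft.Storage.Global"]
}

resource "azurerm_storage_account" "example" {
  name                     = "stexampleplaceholder"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = "eastus2" # neighbouring but not paired with eastus
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Deny by default; only the listed subnet reaches the account over its
  # service endpoint.
  network_rules {
    default_action             = "Deny"
    virtual_network_subnet_ids = [azurerm_subnet.clients.id]
  }
}
```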
Terraform Version
1.4.5
AzureRM Provider Version
3.54.0
Affected Resource(s)/Data Source(s)
azurerm_storage_account
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
Microsoft has launched a new feature that allows adding cross-region subnets to the storage account firewall; this is already in GA and is described below. The expected behavior is that azurerm validation won't block the addition of a different-region subnet to the storage account.
Actual Behaviour
Apply fails with the debug output provided above.
Steps to Reproduce
Create a storage account in West Europe and add an allowed subnet to its firewall coming from US East; that will fail on the ACL validation.
Important Factoids
No response
References
Cross region service endpoints are now available: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=azure-portal#azure-storage-cross-region-service-endpoints