hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Microsoft Storage Account Network ACL Validation #21603

Open marciobarbato opened 1 year ago

marciobarbato commented 1 year ago

Is there an existing issue for this?

Community Note

Terraform Version

1.4.5

AzureRM Provider Version

3.54.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.54.0"
    }
  }
}

resource "azurerm_storage_account" "storageAccount" {
  # ...
  network_rules {
    # ...
    # Subnet ID from a different region: tested with SA in westeurope and subnet in eastus
    virtual_network_subnet_ids = ["<subnet id from a different region>"]
  }
}

Debug Output/Panic Output

2023-04-28T10:47:17.085+0100 [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: AzureRM Response for https://management.azure.com/subscriptions/<subscription>/resourceGroups/CI-EUWE01-NPAS-DUMMYPROJECT-01/providers/Microsoft.Storage/storageAccounts/euwe01prddumac01?api-version=2021-09-01: 
HTTP/2.0 202 Accepted
Content-Length: 0
Cache-Control: no-cache
Content-Type: text/plain; charset=utf-8
Date: Fri, 28 Apr 2023 09:47:16 GMT
Expires: -1
Location: https://management.azure.com/subscriptions/<subscription>/providers/Microsoft.Storage/locations/westeurope/asyncoperations/ccdc960c-4004-428a-b7ef-fcdcf36ce612?monitor=true&api-version=2021-09-01
Pragma: no-cache
Retry-After: 17
Server: Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 46b6cd19-4273-4bb3-ded1-99c920ee06fa
X-Ms-Ratelimit-Remaining-Subscription-Writes: 1199
X-Ms-Request-Id: ccdc960c-4004-428a-b7ef-fcdcf36ce612
X-Ms-Routing-Request-Id: FRANCECENTRAL:20230428T094717Z:fcdd1cbf-2fb4-4494-abf2-ff0956ce868a: timestamp=2023-04-28T10:47:17.085+0100
2023-04-28T10:47:18.552+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare" is waiting for "module.EUWE01PRDQIGMISLA01.data.azurerm_storage_account.storageAccount"
2023-04-28T10:47:18.552+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.blobDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:18.552+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.diagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:18.553+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.fileDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:18.553+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.tableDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:18.554+0100 [TRACE] dag/walk: vertex "root" is waiting for "module.EUWE01PRDQIGMISLA01 (close)"
2023-04-28T10:47:18.557+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.data.azurerm_storage_account.storageAccount" is waiting for "module.EUWE01PRDQIGMISLA01.var.storageAccountID (expand)"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"] (close)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.diagnosticSettings"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_monitor_diagnostic_setting.diagnosticSettings" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01 (close)" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_key_vault_access_policy.systemKeyVaultPolicy"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.queueDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.var.storageAccountID (expand)" is waiting for "module.EUWE01PRDDUMAC01.output.id (expand)"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01 (close)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.fileDiagnosticSettings"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.output.id (expand)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:21.170+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_key_vault_access_policy.systemKeyVaultPolicy" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard"
2023-04-28T10:47:23.556+0100 [TRACE] dag/walk: vertex "root" is waiting for "module.EUWE01PRDQIGMISLA01 (close)"
2023-04-28T10:47:23.556+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.diagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:23.556+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.fileDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:23.557+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.blobDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:23.557+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare" is waiting for "module.EUWE01PRDQIGMISLA01.data.azurerm_storage_account.storageAccount"
2023-04-28T10:47:23.557+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.tableDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:23.557+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"] (close)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.diagnosticSettings"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_monitor_diagnostic_setting.diagnosticSettings" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01 (close)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.fileDiagnosticSettings"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_key_vault_access_policy.systemKeyVaultPolicy" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.output.id (expand)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.queueDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.data.azurerm_storage_account.storageAccount" is waiting for "module.EUWE01PRDQIGMISLA01.var.storageAccountID (expand)"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.var.storageAccountID (expand)" is waiting for "module.EUWE01PRDDUMAC01.output.id (expand)"
2023-04-28T10:47:26.172+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01 (close)" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_key_vault_access_policy.systemKeyVaultPolicy"
2023-04-28T10:47:28.568+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.tableDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:28.568+0100 [TRACE] dag/walk: vertex "root" is waiting for "module.EUWE01PRDQIGMISLA01 (close)"
2023-04-28T10:47:28.568+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.blobDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:28.568+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare"
2023-04-28T10:47:28.569+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.fileDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:28.569+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare" is waiting for "module.EUWE01PRDQIGMISLA01.data.azurerm_storage_account.storageAccount"
2023-04-28T10:47:28.569+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.diagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:31.173+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_key_vault_access_policy.systemKeyVaultPolicy" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard"
2023-04-28T10:47:31.173+0100 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/azurerm\"] (close)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.diagnosticSettings"
2023-04-28T10:47:31.173+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_monitor_diagnostic_setting.diagnosticSettings" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard"
2023-04-28T10:47:31.173+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.var.storageAccountID (expand)" is waiting for "module.EUWE01PRDDUMAC01.output.id (expand)"
2023-04-28T10:47:31.173+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.output.id (expand)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:31.173+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.data.azurerm_storage_account.storageAccount" is waiting for "module.EUWE01PRDQIGMISLA01.var.storageAccountID (expand)"
2023-04-28T10:47:31.173+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01 (close)" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_key_vault_access_policy.systemKeyVaultPolicy"
2023-04-28T10:47:31.174+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.queueDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:31.174+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01 (close)" is waiting for "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.fileDiagnosticSettings"
2023-04-28T10:47:33.580+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.blobDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:33.580+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.tableDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:33.580+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.fileDiagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:33.580+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare" is waiting for "module.EUWE01PRDQIGMISLA01.data.azurerm_storage_account.storageAccount"
2023-04-28T10:47:33.580+0100 [TRACE] dag/walk: vertex "root" is waiting for "module.EUWE01PRDQIGMISLA01 (close)"
2023-04-28T10:47:33.580+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.diagnosticSettings" is waiting for "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount"
2023-04-28T10:47:33.580+0100 [TRACE] dag/walk: vertex "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard" is waiting for "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare"
2023-04-28T10:47:34.168+0100 [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: AzureRM Request: 
GET /subscriptions/<subscription>/providers/Microsoft.Storage/locations/westeurope/asyncoperations/ccdc960c-4004-428a-b7ef-fcdcf36ce612?monitor=true&api-version=2021-09-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.19.3 (amd64-linux) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 storage/2021-09-01 HashiCorp Terraform/1.4.5 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Correlation-Request-Id: 46b6cd19-4273-4bb3-ded1-99c920ee06fa
Accept-Encoding: gzip: timestamp=2023-04-28T10:47:34.168+0100
2023-04-28T10:47:34.359+0100 [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: AzureRM Response for https://management.azure.com/subscriptions/<subscription>/providers/Microsoft.Storage/locations/westeurope/asyncoperations/ccdc960c-4004-428a-b7ef-fcdcf36ce612?monitor=true&api-version=2021-09-01: 
HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Fri, 28 Apr 2023 09:47:33 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 46b6cd19-4273-4bb3-ded1-99c920ee06fa
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11988
X-Ms-Request-Id: a9dfb19f-bbd1-4fa7-8624-983e104ecf99
X-Ms-Routing-Request-Id: FRANCECENTRAL:20230428T094734Z:7bffb845-fb1c-48d9-8850-6994be67f39a

{"status":"Failed","error":{"code":"NetworkAclsValidationFailure","message":"Validation of network acls failure: ResourceBeingAcledHasWrongLocation:Microsoft.Storage resources in westeurope cannot be ACL-ed to virtual network /subscriptions/<subscription>/resourceGroups/CI-USEA01-NPAS-VNET-10.68.80.0_21/providers/Microsoft.Network/virtualNetworks/USEA01CINPAS01VNET01 in eastus. Only resources in eastus, westus, westus3 can be ACL-ed to virtual networks in eastus.."}}: timestamp=2023-04-28T10:47:34.359+0100
2023-04-28T10:47:34.359+0100 [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: AzureRM Request: 
GET /subscriptions/<subscription>/resourceGroups/CI-EUWE01-NPAS-DUMMYPROJECT-01/providers/Microsoft.Storage/storageAccounts/euwe01prddumac01?api-version=2021-09-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.19.3 (amd64-linux) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 storage/2021-09-01 HashiCorp Terraform/1.4.5 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Correlation-Request-Id: 46b6cd19-4273-4bb3-ded1-99c920ee06fa
Accept-Encoding: gzip: timestamp=2023-04-28T10:47:34.359+0100
2023-04-28T10:47:34.564+0100 [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: AzureRM Response for https://management.azure.com/subscriptions/<subscription>/resourceGroups/CI-EUWE01-NPAS-DUMMYPROJECT-01/providers/Microsoft.Storage/storageAccounts/euwe01prddumac01?api-version=2021-09-01: 
HTTP/2.0 404 Not Found
Content-Length: 107
Cache-Control: no-cache
Content-Type: application/json
Date: Fri, 28 Apr 2023 09:47:33 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: 46b6cd19-4273-4bb3-ded1-99c920ee06fa
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11987
X-Ms-Request-Id: 79d0eab0-9eaa-40c8-84e3-eb0a62499486
X-Ms-Routing-Request-Id: FRANCECENTRAL:20230428T094734Z:eaf63767-81ac-4079-882b-f60a1cb7ec32

{"error":{"code":"StorageAccountNotFound","message":"The storage account euwe01prddumac01 was not found."}}: timestamp=2023-04-28T10:47:34.564+0100
2023-04-28T10:47:34.564+0100 [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: Unlocking "azurerm_storage_account.euwe01prddumac01": timestamp=2023-04-28T10:47:34.564+0100
2023-04-28T10:47:34.564+0100 [DEBUG] provider.terraform-provider-azurerm_v3.54.0_x5: Unlocked "azurerm_storage_account.euwe01prddumac01": timestamp=2023-04-28T10:47:34.564+0100
2023-04-28T10:47:34.564+0100 [TRACE] provider.terraform-provider-azurerm_v3.54.0_x5: Called downstream: tf_rpc=ApplyResourceChange @module=sdk.helper_schema tf_provider_addr=provider tf_resource_type=azurerm_storage_account @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.1/helper/schema/resource.go:838 tf_req_id=a7fe1014-6719-2bba-4e86-269d91c73653 timestamp=2023-04-28T10:47:34.564+0100
2023-04-28T10:47:34.566+0100 [TRACE] provider.terraform-provider-azurerm_v3.54.0_x5: Received downstream response: diagnostic_error_count=1 diagnostic_warning_count=0 tf_req_duration_ms=20993 tf_req_id=a7fe1014-6719-2bba-4e86-269d91c73653 tf_resource_type=azurerm_storage_account @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 @module=sdk.proto tf_proto_version=5.3 tf_provider_addr=provider tf_rpc=ApplyResourceChange timestamp=2023-04-28T10:47:34.565+0100
2023-04-28T10:47:34.566+0100 [ERROR] provider.terraform-provider-azurerm_v3.54.0_x5: Response contains error diagnostic: @module=sdk.proto diagnostic_severity=ERROR diagnostic_summary="retrieving Storage Account: (Name "euwe01prddumac01" / Resource Group "CI-EUWE01-NPAS-DUMMYPROJECT-01"): storage.AccountsClient#GetProperties: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account euwe01prddumac01 was not found."" tf_proto_version=5.3 tf_provider_addr=provider tf_rpc=ApplyResourceChange tf_req_id=a7fe1014-6719-2bba-4e86-269d91c73653 tf_resource_type=azurerm_storage_account @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_detail= timestamp=2023-04-28T10:47:34.566+0100
2023-04-28T10:47:34.566+0100 [TRACE] provider.terraform-provider-azurerm_v3.54.0_x5: Served request: tf_proto_version=5.3 tf_provider_addr=provider tf_req_id=a7fe1014-6719-2bba-4e86-269d91c73653 tf_resource_type=azurerm_storage_account tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:831 @module=sdk.proto timestamp=2023-04-28T10:47:34.566+0100
2023-04-28T10:47:34.568+0100 [TRACE] maybeTainted: module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount encountered an error during creation, so it is now marked as tainted
2023-04-28T10:47:34.568+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount
2023-04-28T10:47:34.568+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount
2023-04-28T10:47:34.569+0100 [TRACE] evalApplyProvisioners: module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount is tainted, so skipping provisioning
2023-04-28T10:47:34.569+0100 [TRACE] maybeTainted: module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount was already tainted, so nothing to do
2023-04-28T10:47:34.569+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount
2023-04-28T10:47:34.569+0100 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount
2023-04-28T10:47:34.570+0100 [ERROR] vertex "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount" error: retrieving Storage Account: (Name "euwe01prddumac01" / Resource Group "CI-EUWE01-NPAS-DUMMYPROJECT-01"): storage.AccountsClient#GetProperties: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account euwe01prddumac01 was not found."
2023-04-28T10:47:34.570+0100 [TRACE] vertex "module.EUWE01PRDDUMAC01.azurerm_storage_account.storageAccount": visit complete, with errors
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDDUMAC01.output.id (expand)" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.tableDiagnosticSettings" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDQIGMISLA01.var.storageAccountID (expand)" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.queueDiagnosticSettings" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDQIGMISLA01.data.azurerm_storage_account.storageAccount" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.blobDiagnosticSettings" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDQIGMISLA01.azurerm_storage_share.lakeShare" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.diagnosticSettings" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDQIGMISLA01.azurerm_logic_app_standard.logicAppStandard" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDDUMAC01.azurerm_monitor_diagnostic_setting.fileDiagnosticSettings" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDQIGMISLA01.azurerm_key_vault_access_policy.systemKeyVaultPolicy" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDDUMAC01 (close)" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDQIGMISLA01.azurerm_monitor_diagnostic_setting.diagnosticSettings" errored, so skipping
2023-04-28T10:47:34.570+0100 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/hashicorp/azurerm\"] (close)" errored, so skipping
2023-04-28T10:47:34.571+0100 [TRACE] dag/walk: upstream of "module.EUWE01PRDQIGMISLA01 (close)" errored, so skipping
2023-04-28T10:47:34.571+0100 [TRACE] dag/walk: upstream of "root" errored, so skipping

Expected Behaviour

Microsoft has launched a new feature that allows adding cross-region subnets to the storage account firewall; this is already in GA and is described below. The expected behavior is that azurerm validation won't block adding a subnet from a different region to the storage account.

Actual Behaviour

Apply fails with the debug output provided above.

Steps to Reproduce

Create a storage account in West Europe and add an allowed subnet from US East to its firewall; that will fail on the ACL validation.

Important Factoids

No response

References

Cross region service endpoints are now available: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=%2Fazure%2Fvirtual-network%2Ftoc.json&tabs=azure-portal#azure-storage-cross-region-service-endpoints

marciobarbato commented 1 year ago

Guys, any news on that?

Mohid-A commented 7 months ago

Hello, is there any update on this?

lgp1985 commented 3 weeks ago

Validation of network acls failure: ResourceBeingAcledHasWrongLocation:Microsoft.Storage resources in eastus2 cannot be ACL-ed to virtual network /subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/virtualNetworks/REDACTED in eastus. Only resources in eastus, westus, westus3 can be ACL-ed to virtual networks in eastus.. (Code: NetworkAclsValidationFailure)

I've stumbled on the above error, which is misleading. Why would I be able to ACL from a region on the other side of the country but not the region right next to it?

waza-ari commented 6 days ago

This is not a bug in the Terraform provider but rather a limitation of Azure. You need to make sure that the service endpoint Microsoft.Storage.Global is enabled on the subnet that you want to apply the ACL to.

The regular Microsoft.Storage endpoint only works for the local region and the paired region, not for any other region (even though they might be neighbouring regions such as eastus and eastus2, they're not paired).

More information can be found here: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#azure-storage-cross-region-service-endpoints
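
The configuration described in the last comment, written out as an added example (not code from this thread or from the provider project): a subnet in eastus carrying the Microsoft.Storage.Global service endpoint, referenced from the firewall of a storage account in westeurope. All resource names, address ranges and the storage account name are hypothetical placeholders, and it assumes a provider version whose azurerm_subnet accepts "Microsoft.Storage.Global" in service_endpoints.

```hcl
provider "azurerm" {
  features {}
}

# Network side lives in eastus (hypothetical names and address space).
resource "azurerm_resource_group" "network" {
  name     = "example-network-rg"
  location = "eastus"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  location            = azurerm_resource_group.network.location
  resource_group_name = azurerm_resource_group.network.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "workload" {
  name                 = "workload"
  resource_group_name  = azurerm_resource_group.network.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  # Weak for this scenario: the regional endpoint is only honoured by storage
  # accounts in the subnet's own region and its paired region, which is what
  # produces ResourceBeingAcledHasWrongLocation for a westeurope account.
  # service_endpoints = ["Microsoft.Storage"]

  # Corrected: the cross-region endpoint. Azure does not allow the regional
  # and the global storage endpoint on the same subnet, so this replaces
  # "Microsoft.Storage" rather than being appended to it.
  service_endpoints = ["Microsoft.Storage.Global"]
}

# Storage side lives in westeurope, a region that is not paired with eastus.
resource "azurerm_resource_group" "storage" {
  name     = "example-storage-rg"
  location = "westeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "examplestorageacct001" # placeholder, must be globally unique
  resource_group_name      = azurerm_resource_group.storage.name
  location                 = azurerm_resource_group.storage.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    # Deny by default so the subnet rule is an allow-list entry rather than
    # a no-op on an account that is open to all networks.
    default_action = "Deny"

    # List of subnet IDs; the reference also makes Terraform create the
    # subnet (with its endpoint) before the storage account ACL is applied.
    virtual_network_subnet_ids = [azurerm_subnet.workload.id]
  }
}
```

With default_action set to "Deny", the host running Terraform also needs a path through the firewall (an ip_rules entry or a private endpoint) if the same configuration manages containers or shares inside the account.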