hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_storage_account is failing when azure policy is enabled on storage account #25792

Open krupakar1329 opened 2 months ago

krupakar1329 commented 2 months ago

Terraform Version

1.6.5

AzureRM Provider Version

3.101.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "storage_account" {
  name                     = var.storage_account_name
  location                 = var.resource_group_location
  resource_group_name      = var.resource_group_name
  account_kind             = var.account_kind
  account_tier             = var.account_tier
  account_replication_type = var.replication_type
  min_tls_version          = var.min_tls_version
  nfsv3_enabled            = var.nfsv3_enabled == true ? var.nfsv3_enabled : null
  is_hns_enabled           = var.nfsv3_enabled || var.sftp_enabled ? true : var.is_hns_enabled
  sftp_enabled             = var.sftp_enabled == true ? var.sftp_enabled : null

  blob_properties {
    container_delete_retention_policy {

      days = var.storage_blob_data_protection.container_delete_retention_policy_in_days
    }
    delete_retention_policy {
      days = var.storage_blob_data_protection.delete_retention_policy_in_days
    }

    # change_feed_enabled      = var.nfsv3_enabled || var.sftp_enabled ? false : var.storage_blob_data_protection.change_feed_enabled
    versioning_enabled       = var.nfsv3_enabled || var.sftp_enabled || var.is_hns_enabled ? false : var.storage_blob_data_protection.versioning_enabled
    last_access_time_enabled = var.nfsv3_enabled || var.sftp_enabled ? false : var.storage_blob_data_protection.last_access_time_enabled
  }
  tags = var.tags
}

Debug Output/Panic Output

I have enabled the "Storage accounts should restrict network access" policy on my Azure subscription, and
terraform apply for azurerm_storage_account is failing to create the storage account.
: Failure sending request: StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'sredl001' was disallowed by policy. Reasons: 'Storage accounts may not be open to the internet.  Exceptions are granted by architect and VP approval only.'. See error details for policy resource IDs." Target="xxxxxx000011" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Storage/storageAccounts","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Storage/storageAccounts"},{"expression":"Microsoft.Storage/storageAccounts/networkAcls.defaultAction","expressionKind":"Field","expressionValue":"Allow","operator":"NotEquals","path":"properties.networkAcls.defaultAction","result":"True","targetValue":"Deny"}],"reason":"Storage accounts may not be open to the internet.  Exceptions are granted by architect and VP approval only."},

Expected Behaviour

No response

Actual Behaviour

No response

Steps to Reproduce

No response

Important Factoids

No response

References

No response

krupakar1329 commented 2 months ago

After enabling the "Storage accounts should restrict network access" policy on my Azure subscription, Terraform is not able to create the storage account. I am creating network rules through azurerm_storage_account_network_rules after storage account creation, but it is failing at the azurerm_storage_account level itself.

phil-bevan commented 2 months ago

Have you tried setting public_network_access_enabled to false?

krupakar1329 commented 2 months ago

@phil-bevan yes, it still fails, because the policy checks the networkAcls.defaultAction field:

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
        "notEquals": "Deny"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
},

eparisca commented 2 months ago

@krupakar1329 In theory, the following may allow you to create the resource and then manage the rules separately under azurerm_storage_account_network_rules

resource "azurerm_storage_account" "storage_account" {
  # ...

  # Add a dummy rule that puts the storage account within compliance, and only used upon creation
  network_rules {
    default_action             = "Deny"
    virtual_network_subnet_ids = []
  }
  # We will manage rules using azurerm_storage_account_network_rules below
  lifecycle {
    ignore_changes = [
      network_rules,
    ]
  }
}

resource "azurerm_storage_account_network_rules" "example_1" { 
  # ...
}
krupakar1329 commented 2 months ago

For azurerm_storage_account_network_rules it throws a "resource already exists" error if we have a network_rules section in azurerm_storage_account.

don4of4 commented 2 months ago

> @krupakar1329 In theory, the following may allow you to create the resource and then manage the rules separately under azurerm_storage_account_network_rules
>
> resource "azurerm_storage_account" "storage_account" {
>   # ...
>
>   # Add a dummy rule that puts the storage account within compliance, and only used upon creation
>   network_rules {
>     default_action             = "Deny"
>     virtual_network_subnet_ids = []
>   }
>   # We will manage rules using azurerm_storage_account_network_rules below
>   lifecycle {
>     ignore_changes = [
>       network_rules,
>     ]
>   }
> }
>
> resource "azurerm_storage_account_network_rules" "example_1" {
>   # ...
> }

The documentation at the top of the page says you can’t have two network rules blocks, unfortunately.

eparisca commented 2 months ago

> > @krupakar1329 In theory, the following may allow you to create the resource and then manage the rules separately under azurerm_storage_account_network_rules
> >
> > resource "azurerm_storage_account" "storage_account" {
> >   # ...
> >
> >   # Add a dummy rule that puts the storage account within compliance, and only used upon creation
> >   network_rules {
> >     default_action             = "Deny"
> >     virtual_network_subnet_ids = []
> >   }
> >   # We will manage rules using azurerm_storage_account_network_rules below
> >   lifecycle {
> >     ignore_changes = [
> >       network_rules,
> >     ]
> >   }
> > }
> >
> > resource "azurerm_storage_account_network_rules" "example_1" {
> >   # ...
> > }
>
> The documentation at the top of the page says you can't have two network rules blocks, unfortunately.

Correct. I'm not discussing having two network_rules blocks, only one.
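As an added example (not from this thread or the provider's code), the following evaluates the policyRule quoted above against a storage account request body the way Azure Policy's `allOf`/`field` conditions work, showing why a create without an inline `default_action = "Deny"` is rejected and one with it passes. It assumes the alias-to-path mapping reported in the 403's evaluationDetails and that a missing field satisfies `notEquals`; the request bodies are constructed samples.

```python
# Minimal evaluator for the "restrict network access" policyRule quoted in
# this issue. Constructed example; the effect parameter is resolved to Deny.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
         "notEquals": "Deny"},
    ]},
    "then": {"effect": "Deny"},
}

# Alias -> JSON path, as shown in the evaluationDetails of the 403 above
# (assumed mapping for this example).
ALIASES = {
    "type": "type",
    "Microsoft.Storage/storageAccounts/networkAcls.defaultAction":
        "properties.networkAcls.defaultAction",
}

def lookup(resource, path):
    """Walk a dotted path; return None when any segment is absent."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def evaluate_condition(cond, resource):
    """Return (result, details) for an allOf group or a single field test."""
    if "allOf" in cond:
        parts = [evaluate_condition(c, resource) for c in cond["allOf"]]
        return all(r for r, _ in parts), [d for _, d in parts]
    path = ALIASES[cond["field"]]
    value = lookup(resource, path)
    if "equals" in cond:
        op, target, result = "Equals", cond["equals"], value == cond["equals"]
    else:
        # notEquals also matches when the field is absent, so an account
        # created with no network_rules block at all trips the policy.
        op, target, result = "NotEquals", cond["notEquals"], value != cond["notEquals"]
    return result, {"path": path, "expressionValue": value,
                    "operator": op, "targetValue": target, "result": result}

def evaluate(resource):
    """Return ('Deny' | 'Allow', per-expression details) for a request body."""
    matched, details = evaluate_condition(POLICY_RULE["if"], resource)
    return (POLICY_RULE["then"]["effect"] if matched else "Allow"), details

# Constructed request bodies: without and with an inline Deny default action.
OPEN_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "example",
                "properties": {"networkAcls": {"defaultAction": "Allow"}}}
LOCKED_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "example",
                  "properties": {"networkAcls": {"defaultAction": "Deny"}}}
```

Running `evaluate` over a plan's rendered request bodies before `terraform apply` surfaces the failing expression the same way the 403 does, without a round trip to ARM.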