Open krupakar1329 opened 2 months ago
After enabling the "Storage accounts should restrict network access" policy on my Azure subscription, Terraform is not able to create a storage account. I am creating the network rules through azurerm_storage_account_network_rules after the storage account is created, but it is failing at the azurerm_storage_account level itself.
Have you tried setting public_network_access_enabled to false?
@phil-bevan Yes, it still fails, because the policy checks the networkAcls.defaultAction field:

```json
"policyRule": {
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
},
```
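As an added illustration (not code from the thread or from the provider), a small Python evaluator for the policy rule quoted above, run against constructed storage-account create payloads. It assumes the policy's effect parameter is assigned "Deny" and uses a one-entry alias table; it shows that the rule is judged on the create request itself, so a payload with no networkAcls (rules added afterwards) or with defaultAction "Allow" is refused, and only "Deny" passes.

```python
import json

# Constructed copy of the policy rule quoted above; the effect parameter is
# assumed to resolve to "Deny" (the assignment value that blocks creation).
POLICY_RULE = json.loads("""{
  "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
    { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny" }
  ] },
  "then": { "effect": "Deny" }
}""")

# Assumed alias table: maps the policy alias to the ARM property path it reads.
ALIASES = {"Microsoft.Storage/storageAccounts/networkAcls.defaultAction":
           "properties.networkAcls.defaultAction"}

def get_field(resource, field):
    """Resolve a policy field (alias or plain path) against an ARM-style resource dict."""
    cur = resource
    for part in ALIASES.get(field, field).split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # property absent from the request payload
        cur = cur[part]
    return cur

def evaluate(cond, resource):
    """Evaluate the condition subset this rule uses: allOf, field equals / notEquals."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    norm = lambda v: v.lower() if isinstance(v, str) else v  # string compares are case-insensitive
    value = norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return value == norm(cond["equals"])
    if "notEquals" in cond:
        return value != norm(cond["notEquals"])  # an absent field is "not equal", so it matches
    raise ValueError(f"unsupported condition: {cond}")

def policy_effect(rule, resource):
    """Return the effect applied to the resource ("Deny"), or None when it is compliant."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else None

# Constructed create payloads: the account PUT body with no ACLs, Allow, and Deny.
ACCOUNT_NO_ACLS = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}
ACCOUNT_ALLOW = {"type": "Microsoft.Storage/storageAccounts",
                 "properties": {"networkAcls": {"defaultAction": "Allow"}}}
ACCOUNT_DENY = {"type": "Microsoft.Storage/storageAccounts",
                "properties": {"networkAcls": {"defaultAction": "Deny", "ipRules": []}}}

for name, acct in [("no ACLs", ACCOUNT_NO_ACLS), ("Allow", ACCOUNT_ALLOW), ("Deny", ACCOUNT_DENY)]:
    print(f"{name}: {policy_effect(POLICY_RULE, acct) or 'compliant'}")
```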
@krupakar1329 In theory, the following may allow you to create the resource and then manage the rules separately under azurerm_storage_account_network_rules:

```hcl
resource "azurerm_storage_account" "storage_account" {
  # ...

  # Add a dummy rule that puts the storage account within compliance, and only used upon creation
  network_rules {
    default_action             = "Deny"
    virtual_network_subnet_ids = []
  }

  # We will manage rules using azurerm_storage_account_network_rules below
  lifecycle {
    ignore_changes = [
      network_rules,
    ]
  }
}

resource "azurerm_storage_account_network_rules" "example_1" {
  # ...
}
```
For azurerm_storage_account_network_rules it throws a "resource already exists" error if we have a network_rules section in azurerm_storage_account.
> @krupakar1329 In theory, the following may allow you to create the resource and then manage the rules separately under azurerm_storage_account_network_rules
>
> ```hcl
> resource "azurerm_storage_account" "storage_account" {
>   # ...
>
>   # Add a dummy rule that puts the storage account within compliance, and only used upon creation
>   network_rules {
>     default_action             = "Deny"
>     virtual_network_subnet_ids = []
>   }
>
>   # We will manage rules using azurerm_storage_account_network_rules below
>   lifecycle {
>     ignore_changes = [
>       network_rules,
>     ]
>   }
> }
>
> resource "azurerm_storage_account_network_rules" "example_1" {
>   # ...
> }
> ```

The documentation at the top of the page says you can't have two network rules blocks, unfortunately.
Correct. I'm not discussing having two network_rules blocks, only one.
Terraform Version: 1.6.5

AzureRM Provider Version: 3.101.0

Affected Resource(s)/Data Source(s): azurerm_storage_account