hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for [signedversion in azurerm_storage_account_blob_container_sas] #6519

Open SadokLadhari opened 4 years ago

SadokLadhari commented 4 years ago

Description

The SAS output always uses storage service version 2018-11-09, like this:

{
"blob_container_sas":"?sv=2018-11-09&sr=c&st=2020-04-16T16%3A50%3A18Z&se=2220-04-16T16%3A50%3A18Z&sp=rwdl&spr=https&sig=oLnaF7fs1Ozzq%2bFy1tpCzReyqE%3D"
}

Because the sas_token.go file uses the constant blobContainerSignedVersion = "2018-11-09", I suggest adding a new variable (sas_service_version) that overrides blobContainerSignedVersion if we need to use a different version.

New or Affected Resource(s)

Potential Terraform Configuration

data "azurerm_storage_account_blob_container_sas" "example" {
  connection_string = azurerm_storage_account.example.primary_connection_string
  container_name    = "A"
  https_only        = true
  start             = "2020-04-16T16:50:18Z"
  expiry            = "2220-04-16T16:50:18Z"

  permissions {
    read   = true
    add    = false
    create = false
    write  = true
    delete = true
    list   = true
  }

  # Proposed new attribute: overrides the provider's hard-coded signed version.
  # (Azure writes service versions as YYYY-MM-DD, as in the sv=2018-11-09 output above.)
  sas_service_version = "02-02-2019"
}

output "blob_container_sas" {
  value = data.azurerm_storage_account_blob_container_sas.example.sas
}

References
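To show why the signed version has to be an input to signing rather than a value patched into the query string, here is an added Go example (not the provider's sas_token.go or go-azure-helpers code) that signs a container SAS with a caller-chosen version using the 2018-11-09 service SAS string-to-sign layout documented by Microsoft (later versions append further fields); the account name, container and key are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// ContainerSAS holds the signed fields (Start/Expiry RFC 3339 UTC, Permissions e.g. "rwdl").
type ContainerSAS struct {
	Account, Container, Permissions, Start, Expiry, Protocol, Version string
}

// stringToSign uses the 2018-11-09 service SAS layout. sv is one of the
// signed fields, so editing it in the query string afterwards breaks sig.
func stringToSign(p ContainerSAS) string {
	return strings.Join([]string{
		p.Permissions, p.Start, p.Expiry,
		"/blob/" + p.Account + "/" + p.Container, // canonicalized resource
		"", // signed identifier (stored access policy), unused here
		"", // signed IP range
		p.Protocol, p.Version,
		"c", // signed resource: container
		"", "", "", "", "", "", // snapshot time, rscc, rscd, rsce, rscl, rsct
	}, "\n")
}

// Sign returns the SAS query string, signed with the base64 account key.
func Sign(p ContainerSAS, accountKeyB64 string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(accountKeyB64)
	if err != nil {
		return "", fmt.Errorf("decoding account key: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(stringToSign(p)))
	q := url.Values{"sv": {p.Version}, "sr": {"c"}, "st": {p.Start},
		"se": {p.Expiry}, "sp": {p.Permissions}, "spr": {p.Protocol},
		"sig": {base64.StdEncoding.EncodeToString(mac.Sum(nil))}}
	return "?" + q.Encode(), nil
}

func main() { // constructed demo key; real keys come from the storage account
	key := base64.StdEncoding.EncodeToString([]byte("constructed-demo-key"))
	fmt.Println(Sign(ContainerSAS{Account: "examplestorage", Container: "A", Permissions: "rwdl",
		Start: "2020-04-16T16:50:18Z", Expiry: "2220-04-16T16:50:18Z", Protocol: "https", Version: "2019-02-02"}, key))
}
```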

SadokLadhari commented 4 years ago

It can also resolve this issue: https://github.com/hashicorp/go-azure-helpers/issues/44

sharbag commented 3 years ago

Do you have any plans for resolving this issue? I cannot activate logging on WebApps because of that... :(

promisepreston commented 2 years ago

Having the same issue here, but as a suggestion: if you're trying to set up application logs with Azure Blob Storage for languages/frameworks other than .NET Framework, it is not supported by Azure at the moment. This is only supported for .NET applications. You will have to use the filesystem for languages/frameworks other than .NET Framework.

Here's Microsoft's documentation for it: https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs


Divya1388 commented 2 years ago

The following app service configuration is working with azurerm version 2.84.0:

resource "azurerm_app_service" "app_service" {
  for_each                = local.apps
  name                    = each.value.app_service_name
  resource_group_name     = var.resource_group_name
  location                = var.location
  app_service_plan_id     = azurerm_app_service_plan.app_plan.id
  enabled                 = true
  client_affinity_enabled = each.value.client_affinity_enabled
  https_only              = each.value.https_only

  dynamic "identity" {
    for_each = each.value.identity
    content {
      type = identity.value.type
      # Coded this way because, with a system-assigned identity, this field is not required, so we pass a dummy id
      identity_ids = identity.value.type == "UserAssigned" ? (identity.value.user_assigned_identity_id == "" ? [azurerm_user_assigned_identity.user_assigned_identity[0].id] : [identity.value.user_assigned_identity_id]) : ["/subscriptions/855475ea-5513-423f-85fa-3e78dac457b8/resourceGroups/rg-cloud-ops-dev-uppers-dc-useast2-1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testing"]
    }
  }

  auth_settings {
    enabled = each.value.auth_enabled ? true : false
    active_directory {
      # client_id  = lookup(local.app_registration_application_ids, each.value.app_service_name, "da7da7a6-2a41-1186-9b6c-f1278ca08ad2")
      client_id         = each.value.create_app_registration ? (lookup(azuread_application.app_registration, each.value.app_service_name, "") != "" ? azuread_application.app_registration[each.value.app_service_name].application_id : "da7da7a6-2a41-1186-9b6c-f1278ca08ad2") : each.value.app_registration_id
      allowed_audiences = ["https://${each.value.auth_app_registration_name}.cloud.fiserv.net"]
    }

    default_provider              = "AzureActiveDirectory"
    unauthenticated_client_action = each.value.unauthenticated_client_action == "" ? "RedirectToLoginPage" : each.value.unauthenticated_client_action
    # "RedirectToLoginPage"
    issuer = "https://sts.windows.net/${data.azurerm_client_config.current.tenant_id}/"

    # The following still creates the legacy auth, and we always get "unauthenticated client" because config_version is missing.
    # To work around this we create the AAD provider here and upgrade it using the az CLI.
    # microsoft {
    #   client_id = lookup(local.app_registration_application_ids, each.value.app_service_name, "da7da7a6-2a41-1186-9b6c-f1278ca08ad2")
    #   client_secret = lookup(local.app_registration_application_secrets, each.value.app_service_name,"da7da7a6-2a41-1186-9b6c-f1278ca08ad2")
    # }
    # default_provider = "MicrosoftAccount"

    runtime_version = "v2"
  }

  site_config {
    always_on                = each.value.always_on
    dotnet_framework_version = each.value.dotnet_framework_version
    vnet_route_all_enabled   = true
    default_documents        = ["Default.htm", "Default.html", "Default.asp", "index.htm", "index.html", "iisstart.htm", "default.aspx", "index.php", "hostingstart.html"]
    min_tls_version          = each.value.min_tls_version == "" ? "1.2" : each.value.min_tls_version
  }

  dynamic "logs" {
    for_each = var.app_service_logs
    content {
      detailed_error_messages_enabled = logs.value["detailed_error_messages_enabled"]
      failed_request_tracing_enabled  = logs.value["failed_request_tracing_enabled"]
      application_logs {
        azure_blob_storage {
          level             = logs.value["application_logs_level"]
          # sas_url           = "${data.azurerm_storage_account.app_service_logs_storage[0].primary_blob_endpoint}${azurerm_storage_container.app_logs[0].name}${data.azurerm_storage_account_blob_container_sas.app_service_logs_blob_sas_token[0].sas}"
          sas_url = format("https://${var.app_service_logs_storage_account}.blob.core.windows.net/${var.app_plan_name}-logs%s", data.azurerm_storage_account_blob_container_sas.app_service_logs_blob_sas_token[0].sas)
          retention_in_days = logs.value["application_logs_retention_days"]
        }
      }
      http_logs {
        azure_blob_storage {
          # sas_url           = "${data.azurerm_storage_account.app_service_logs_storage[0].primary_blob_endpoint}${azurerm_storage_container.app_logs[0].name}${data.azurerm_storage_account_blob_container_sas.app_service_logs_blob_sas_token[0].sas}"
          sas_url = format("https://${var.app_service_logs_storage_account}.blob.core.windows.net/${var.app_plan_name}-logs%s", data.azurerm_storage_account_blob_container_sas.app_service_logs_blob_sas_token[0].sas)
          retention_in_days = logs.value["http_logs_retention_days"]
        }
      }
    }
  }

  lifecycle {
    ignore_changes = [
      # app_settings and connection_string keep changing outside Terraform, so ignore them.
      app_settings,
      connection_string,
      # identity[0].identity_ids
    ]
  }

  depends_on = [var.appservice_dependencies]
}

Earlier it was not working, but after upgrading to 2.84.0 it is working fine.

MHacker9404 commented 2 years ago

Something I just noticed: the storage_account_sas has a signed_version property, so this has been done in the past. Data Source: azurerm_storage_account_sas

sarbis commented 7 months ago

Any update on this? Still a problem in provider v3.88.0. The SAS token is generated with signed version 2018-11-09, which doesn't work in the web app logging configuration.