pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0

Error when create Storage with network property #1138

Open baoduy opened 3 years ago

baoduy commented 3 years ago

Hi, I got the error below when creating the storage with the networkRuleSet property. It seems it tries to read something from the storage, since the storage is not really created.

The storage had been created successfully after removing this property.

However, it was fine when I set the property back on the second run, after the storage was created.

azure-native:storage:StorageAccount (storagename):
    error: resource partially created but read failed autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account sandboxappsstg was not found.": autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account sandboxappsstg was not found."

mikhailshilkov commented 3 years ago

Hi @baoduy, would it be possible to share a code snippet to reproduce this problem?

baoduy commented 3 years ago

Here is the code that has the error:

const stg = new storage.StorageAccount(name, {
    accountName: name,
    ...group,

    kind: storage.Kind.StorageV2,
    sku: {
      name:
        !enableStaticWebsite && isPrd
          ? storage.SkuName.Standard_ZRS
          : storage.SkuName.Standard_LRS,
    },
    accessTier: "Hot",

    isHnsEnabled: true,
    enableHttpsTrafficOnly: true,
    allowBlobPublicAccess: false,
    allowSharedKeyAccess: allowSharedKeyAccess,

    identity: { type: "SystemAssigned" },
    minimumTlsVersion: "TLS1_2",

    //1 Year Months
    keyPolicy: { keyExpirationPeriodInDays: 365 },

    customDomain:
      customDomain && !enableStaticWebsite
        ? { name: customDomain, useSubDomainName: true }
        : undefined,

    networkRuleSet: {
      bypass: "Logging, Metrics",
      defaultAction: "Allow",

      virtualNetworkRules: subnetId
        ? [{ virtualNetworkResourceId: subnetId }]
        : undefined,

      ipRules: ipAddresses
        ? ipAddresses.map((i) => ({
            iPAddressOrRange: i,
            action: "Allow",
          }))
        : undefined,
    },

    tags: defaultTags,
  });

And here is the code that works fine:

const stg = new storage.StorageAccount(name, {
    accountName: name,
    ...group,

    kind: storage.Kind.StorageV2,
    sku: {
      name:
        !enableStaticWebsite && isPrd
          ? storage.SkuName.Standard_ZRS
          : storage.SkuName.Standard_LRS,
    },
    accessTier: "Hot",

    isHnsEnabled: true,
    enableHttpsTrafficOnly: true,
    allowBlobPublicAccess: false,
    allowSharedKeyAccess: allowSharedKeyAccess,

    identity: { type: "SystemAssigned" },
    minimumTlsVersion: "TLS1_2",

    //1 Year Months
    keyPolicy: { keyExpirationPeriodInDays: 365 },

    customDomain:
      customDomain && !enableStaticWebsite
        ? { name: customDomain, useSubDomainName: true }
        : undefined,

    networkRuleSet: { defaultAction: "Allow" },

    tags: defaultTags,
  });

mikhailshilkov commented 2 years ago

I logged the debug messages and got the following actual error (while getting the same message as you do):

Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured:Subnets default of virtual network /subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/server-networkf do not have ServiceEndpoints for Microsoft.Storage resources configured. Add Microsoft.Storage to subnet's ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets.."

I'll take a look at why we hinder the error message.
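
Added example, not part of the original thread or of pulumi-azure-native: a pre-flight check that catches the condition behind the SubnetsHaveNoServiceEndpointsConfigured message before deployment, and also flags that rules listed under defaultAction "Allow" do not restrict access. The interfaces, the function name and the sample IDs are hypothetical simplifications of the provider's types.

```typescript
// Simplified stand-ins for the provider's input shapes (assumption, not the real types).
interface SubnetInfo { id: string; serviceEndpoints: string[]; }
interface NetworkRuleSet {
  defaultAction: "Allow" | "Deny";
  virtualNetworkRules?: { virtualNetworkResourceId: string }[];
  ipRules?: { iPAddressOrRange: string }[];
}

// Returns a list of findings; an empty list means the rule set passed both checks.
function checkNetworkRuleSet(rules: NetworkRuleSet, subnets: SubnetInfo[]): string[] {
  const findings: string[] = [];
  // Azure resource IDs are case-insensitive, so index them lowercased.
  const byId = new Map<string, SubnetInfo>();
  for (const s of subnets) byId.set(s.id.toLowerCase(), s);

  for (const r of rules.virtualNetworkRules ?? []) {
    const subnet = byId.get(r.virtualNetworkResourceId.toLowerCase());
    if (!subnet) {
      findings.push(`unknown subnet: ${r.virtualNetworkResourceId}`);
    } else if (!subnet.serviceEndpoints.some((e) => e.toLowerCase() === "microsoft.storage")) {
      // The condition the service rejects as SubnetsHaveNoServiceEndpointsConfigured.
      findings.push(`missing Microsoft.Storage service endpoint: ${subnet.id}`);
    }
  }
  // With defaultAction "Allow", traffic from any network is accepted,
  // so the listed subnet and IP rules narrow nothing.
  const ruleCount = (rules.virtualNetworkRules?.length ?? 0) + (rules.ipRules?.length ?? 0);
  if (rules.defaultAction === "Allow" && ruleCount > 0) {
    findings.push("defaultAction is Allow: the listed rules do not restrict access");
  }
  return findings;
}

// Constructed sample data; the subscription, group and network names are placeholders.
const SUBNET_ID =
  "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/default";
const sampleRules: NetworkRuleSet = {
  defaultAction: "Allow",
  virtualNetworkRules: [{ virtualNetworkResourceId: SUBNET_ID }],
  ipRules: [{ iPAddressOrRange: "203.0.113.10" }],
};
// Subnet without the endpoint: two findings (missing endpoint, ineffective rules).
const withoutEndpoint = checkNetworkRuleSet(sampleRules, [{ id: SUBNET_ID, serviceEndpoints: [] }]);
// Endpoint present and defaultAction "Deny": no findings, even with different ID casing.
const withEndpoint = checkNetworkRuleSet(
  { ...sampleRules, defaultAction: "Deny" },
  [{ id: SUBNET_ID.toUpperCase(), serviceEndpoints: ["Microsoft.Storage"] }],
);
console.log(withoutEndpoint, withEndpoint);
```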