terraform-provider-azurerm
Support for publicNetworkAccess in storage_account
Is there an existing issue for this?
- [X] I have searched the existing issues
Community Note
- Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
The underlying Storage Account object has an optional publicNetworkAccess parameter, with possible values Enabled or Disabled. This is not currently surfaced to azurerm_storage_account.
In an enterprise setting, if a policy is applied requiring publicNetworkAccess = Disabled for all storage accounts, then there is no good way to create storage accounts using Terraform. (There is a bad way to do it - by including ARM templates.)
New or Affected Resource(s)/Data Source(s)
azurerm_storage_account
Potential Terraform Configuration
```hcl
resource "azurerm_storage_account" "example" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  public_network_access_enabled = false

  tags = {
    environment = "staging"
  }
}
```
References
- https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters
- https://docs.microsoft.com/en-us/rest/api/storagerp/storage-accounts/create#publicnetworkaccess
hi @jrhunger
Thanks for opening this issue.
Support for this is available via the allow_nested_items_to_be_public field in the azurerm_storage_account resource - as such support for this is already available.
Thanks!
These are two different options available via Azure CLI:
- `--allow-blob-public-access` - true/false, this is what Terraform sets via its `allow_nested_items_to_be_public` option
- `--public-network-access` - Enabled/Disabled, this is what @jrhunger wants (and me too...)
Here is an example that uses both options to limit access to the account:
```json
{
  "kind": "Storage",
  "properties": {
    "allowBlobPublicAccess": false,
    "publicNetworkAccess": "Disabled"
  }
}
```
@tombuildsstuff is it possible to re-open this issue, or should i open a new one? Elaborating on the previous comment, there are two different uses of the word "public"
- allowBlobPublicAccess (allow_nested_items_to_be_public) - public here means anonymous, without authentication to the API
- publicNetworkAccess - public here means public networks aka the internet. disabling means that this storage account can only be accessed through private endpoints
Excerpt from this page:

> To block traffic from all networks, use the az storage account update command and set the --public-network-access parameter to Disabled. Traffic will be allowed only through a private endpoint. You'll have to create that private endpoint.
@jrhunger @kmehkeri thanks for the clarification, yeah this makes sense to reopen 👍
The workaround I found is to use the new AzAPI provider
It would be something like this
```hcl
resource "azapi_update_resource" "example" {
  type        = "Microsoft.Storage/storageAccounts@2021-09-01"
  resource_id = azurerm_storage_account.example.id
  body = jsonencode({
    properties = {
      publicNetworkAccess = "Disabled"
    }
  })
}
```
Would be nice to have native support though :) Hope this helps
cc @kmehkeri @jrhunger @tombuildsstuff
I tried to add the support. Throwing in an extra parameter is quite straightforward, however it seems that an Azure Storage API version upgrade would be required - the version currently used by azurerm is 2021-04-01, while the publicNetworkAccess attribute is supported from 2021-06-01. The latest version available as of now is 2021-09-01.
I don't feel confident doing this upgrade myself. I found an earlier upgrade here, which could be used as a guide, but honestly it's hard to extract diff from Azure docs about what exactly changed between versions, so I'm not sure what would break.
If it's reasonable I can raise a WIP PR with what I have already.
Looking towards #17099.
> The workaround I found is to use the new AzAPI provider
> It would be something like this
>
> ```hcl
> resource "azapi_update_resource" "example" {
>   type        = "Microsoft.Storage/storageAccounts@2021-09-01"
>   resource_id = azurerm_storage_account.example.id
>   body = jsonencode({
>     properties = {
>       publicNetworkAccess = "Disabled"
>     }
>   })
> }
> ```
Sorry for the newbie question, but is this workaround indeed supposed to enable the creation of the storage account via terraform, or is it just an illustration of how to update the storage account after it has already been created?
I have added this workaround to my .tf script (and updated the variables accordingly), and somehow I am still stopped by the rule requiring public access to be disallowed.
@kmehkeri @tombuildsstuff Any idea on when this functionality will be available? We have also been waiting on this for a few days.
Any update on this? Definitely important to have as this is a security configuration.
It looks like this has been now added by someone else in #18005, it is available since v3.21.0.
I tried this in 3.27.0 and it worked successfully
Cool! It seems the documentation has been updated as well: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#public_network_access_enabled
I tried with terraform 1.3.2 and azurerm 3.27.0 and it worked!!! Awesome, great job! I guess we can close this one now :) cc. @tombuildsstuff
Working for us as well.
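For reference, an added example (not from the thread or the provider's docs) that puts the two distinct "public" settings discussed above side by side on the native resource, using `public_network_access_enabled` as confirmed available since v3.21.0, and adds the private endpoint that the quoted docs say becomes the only way in once public network access is disabled. It assumes an existing resource group and subnet named `azurerm_resource_group.example` and `azurerm_subnet.example`; the account and endpoint names are placeholders.

```hcl
resource "azurerm_storage_account" "locked" {
  name                     = "stlockedexample" # placeholder; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # "public" as in anonymous: no container may allow unauthenticated reads
  # (maps to allowBlobPublicAccess = false on the ARM resource)
  allow_nested_items_to_be_public = false

  # "public" as in public networks: the account is not reachable from the
  # internet at all (maps to publicNetworkAccess = "Disabled")
  public_network_access_enabled = false
}

# With public network access disabled, traffic is only allowed through a
# private endpoint, so one is created for the blob service here.
resource "azurerm_private_endpoint" "blob" {
  name                = "pe-stlockedexample-blob" # placeholder
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  subnet_id           = azurerm_subnet.example.id # assumed existing subnet

  private_service_connection {
    name                           = "psc-stlockedexample-blob" # placeholder
    private_connection_resource_id = azurerm_storage_account.locked.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
}
```

Note that once `public_network_access_enabled = false` is in effect, any resources Terraform manages through the storage data plane (containers, blobs) can only be applied from a runner that itself reaches the account over the private endpoint.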
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.