Terraform Azure provider - Azure Public access level for containers
I’m trying to change the container_access_type value from “private”, but I keep getting an error.
I'm able to do this action from the Azure UI. Something is probably missing in the Terraform code.
Please assist, thanks.
```hcl
provider "azurerm" {
  version  = "=2.25.0"
  features {}
}

resource "azurerm_resource_group" "storage" {
  name     = "tfstorageresourcegroup"
  location = "North Europe"
}

resource "azurerm_storage_account" "account" {
  # Plain references instead of "${...}" wrapping, which Terraform 0.12+ flags as deprecated
  name                      = azurerm_resource_group.storage.name
  location                  = azurerm_resource_group.storage.location
  account_tier              = "Standard"
  resource_group_name       = azurerm_resource_group.storage.name
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  allow_blob_public_access  = true
}

resource "azurerm_storage_container" "container" {
  name                  = "tftestcontainer"
  storage_account_name  = azurerm_storage_account.account.name
  container_access_type = "container"
}

resource "azurerm_storage_blob" "blob" {
  name                   = "tftestblob"
  storage_account_name   = azurerm_storage_account.account.name
  storage_container_name = azurerm_storage_container.container.name
  type                   = "Page"
  size                   = 5120 # size is a number, not a string
}
```
```text
Error: Error updating the Access Control for Container "tftestcontainer" (Storage Account "tfstorageresourcegroup" / Resource Group "tfstorageresourcegroup"): containers.Client#SetAccessControl: Failure sending request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status= Code="PublicAccessNotPermitted" Message="Public access is not permitted on this storage account.\nRequestId:80d021ca-501e-009f-4aa6-86a404000000\nTime:2020-09-09T12:38:47.5769058Z"
```
Solution 1:[1]
This could be the open issue.
So if you have `network_rules` in the storage account, make the network rules depend on the container, meaning create the container first and then apply the network rules. Non-working sample code:
```hcl
resource "azurerm_storage_account" "terraform_storage" {
  name                     = var.storage_account_name
  resource_group_name      = var.rg_name
  location                 = var.region
  account_tier             = "Standard"
  account_replication_type = "GRS"
  account_kind             = "Storage"

  # Inline firewall rules: the account denies traffic before the container below exists
  network_rules {
    default_action             = "Deny"
    virtual_network_subnet_ids = [data.azurerm_subnet.publicsubnet.id]
  }
}

# Create container
resource "azurerm_storage_container" "filestore" {
  name                  = "filestore"
  storage_account_name  = azurerm_storage_account.terraform_storage.name # the account above is named terraform_storage, not sa
  container_access_type = "private"
}
```
Working Sample code:
```hcl
# Storage account
resource "azurerm_storage_account" "sa" {
  name                      = local.storage_account_name
  resource_group_name       = azurerm_resource_group.rg.name
  location                  = azurerm_resource_group.rg.location
  account_kind              = var.storage_account_kind
  account_tier              = var.storage_account_tier
  account_replication_type  = var.storage_account_replication_type
  enable_https_traffic_only = true # boolean, not the string "true"
  tags                      = local.tags
}

# Create container
resource "azurerm_storage_container" "filestore" {
  name                  = "filestore"
  storage_account_name  = azurerm_storage_account.sa.name
  container_access_type = "private"
}

# SA network rules, applied only after the container exists
resource "azurerm_storage_account_network_rules" "netrules" {
  resource_group_name  = azurerm_resource_group.rg.name
  storage_account_name = azurerm_storage_account.sa.name
  default_action       = "Deny"
  bypass = [
    "Metrics",
    "Logging",
    "AzureServices"
  ]
  depends_on = [
    azurerm_storage_container.filestore,
  ]
}
```
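A plan-time check that covers both the question's 409 and the ordering problem in Solution 1, written as an added example; it is not code from the original thread or from the azurerm provider. It parses the JSON that `terraform show -json plan.tfplan` emits (assumed to have been produced beforehand) and flags containers with anonymous access, containers whose account explicitly disables public access (the condition the PublicAccessNotPermitted error names), and accounts with inline `network_rules` denying by default while the same plan creates containers in them. Both sample plans are constructed; the first sets the account flag to false to model the state the error reports, which the question's own configuration does not show.

```python
"""Plan-time check for the two Azure storage failure modes discussed above.
Added example (not from the original thread). Input is the JSON printed by
`terraform show -json plan.tfplan`; output is a list of findings."""
import json

PUBLIC_LEVELS = {"container", "blob"}
# azurerm 2.x calls the flag allow_blob_public_access; 3.x renamed it to
# allow_nested_items_to_be_public. Whichever key is present is read.
PUBLIC_FLAG_KEYS = ("allow_blob_public_access", "allow_nested_items_to_be_public")

# Constructed sample plan (not real output) modelled on the question; the
# account flag is false here to reproduce the state the 409 error reports.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_storage_account.account",
         "type": "azurerm_storage_account", "name": "account",
         "values": {"name": "tfstorageresourcegroup",
                    "allow_blob_public_access": False,
                    "network_rules": [{"default_action": "Deny"}]}},
        {"address": "azurerm_storage_container.container",
         "type": "azurerm_storage_container", "name": "container",
         "values": {"name": "tftestcontainer",
                    "storage_account_name": "tfstorageresourcegroup",
                    "container_access_type": "container"}},
    ]}},
})

# Constructed hardened variant: private container, firewall rules moved to a
# separate azurerm_storage_account_network_rules resource (ignored by the check).
SAMPLE_PLAN_FIXED = json.dumps({
    "format_version": "0.1",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_storage_account.account",
         "type": "azurerm_storage_account", "name": "account",
         "values": {"name": "tfstorageresourcegroup", "network_rules": []}},
        {"address": "azurerm_storage_container.container",
         "type": "azurerm_storage_container", "name": "container",
         "values": {"name": "tftestcontainer",
                    "storage_account_name": "tfstorageresourcegroup",
                    "container_access_type": "private"}},
        {"address": "azurerm_storage_account_network_rules.netrules",
         "type": "azurerm_storage_account_network_rules", "name": "netrules",
         "values": {"storage_account_name": "tfstorageresourcegroup",
                    "default_action": "Deny"}},
    ]}},
})


def _walk(module):
    """Yield every resource in a planned_values module tree, child modules included."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def _public_flag(account_values):
    for key in PUBLIC_FLAG_KEYS:
        if key in account_values:
            return account_values[key]
    return None  # not set in config: provider/platform default applies


def check_plan(plan_json):
    """Return a list of (code, resource address, message) findings."""
    plan = json.loads(plan_json)
    resources = list(_walk(plan.get("planned_values", {}).get("root_module", {})))
    accounts = {r["values"].get("name"): r
                for r in resources if r["type"] == "azurerm_storage_account"}
    containers = [r for r in resources if r["type"] == "azurerm_storage_container"]
    findings = []
    accounts_with_containers = set()

    for c in containers:
        values = c["values"]
        level = values.get("container_access_type", "private")
        # storage_account_name is absent from planned_values when it is only
        # known after apply; the account cannot be matched in that case.
        account = accounts.get(values.get("storage_account_name"))
        if account is not None:
            accounts_with_containers.add(account["address"])
        if level in PUBLIC_LEVELS:
            findings.append(("PUBLIC_CONTAINER", c["address"],
                             f"container_access_type={level!r} allows anonymous reads"))
            if account is not None and _public_flag(account["values"]) is False:
                findings.append(("ACCOUNT_FORBIDS_PUBLIC", c["address"],
                                 f"{account['address']} disables public access; "
                                 "apply would fail with PublicAccessNotPermitted"))

    for account in accounts.values():
        if account["address"] not in accounts_with_containers:
            continue
        rules = account["values"].get("network_rules") or []
        if any(rule.get("default_action") == "Deny" for rule in rules):
            findings.append(("INLINE_DENY_RULES", account["address"],
                             "inline network_rules deny by default before containers "
                             "exist; use azurerm_storage_account_network_rules with "
                             "depends_on the containers"))
    return findings
```

Run it as `python check_plan.py < plan.json` after wrapping `check_plan(sys.stdin.read())` in a small main, or call `check_plan(SAMPLE_PLAN)` directly; on the constructed sample it returns the three findings in order, and the hardened variant returns none. The public-access finding is reported on its own even when the account permits it, because an anonymous-read container is worth a review regardless of whether the apply succeeds.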
Solution 2:[2]
I got the same error while creating azure infra with terraform.
I edited:

```hcl
container_access_type = "private"
```

inside:

```hcl
resource "azurerm_storage_container" "container" {
  ...
}
```

in the main.tf file.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | DharmanBot |
