Add public_network_access to the Storage Account module #780

Closed
slagathor34 opened this issue Mar 12, 2022 · 1 comment · Fixed by #875
Labels
enhancement New feature or request has_pr PR fixes have been made medium_priority Medium priority

Comments

@slagathor34

slagathor34 commented Mar 12, 2022

SUMMARY

The Azure Storage Account module does not allow the option for "public_network_access" and will fail a CIS 1.3 Azure Policy assignment.

ISSUE TYPE

Missing value for storage account as identified in the Azure Python SDK for "public_network_access".

https://docs.microsoft.com/en-us/python/api/azure-mgmt-storage/azure.mgmt.storage.v2021_08_01.models.storageaccountcreateparameters?view=azure-python

COMPONENT NAME

Modify azure_rm_storageaccount.py to include the public_network_access option.

ADDITIONAL INFORMATION

This would allow the option to be set that enables or disables public access of the storage account. When securing access to storage accounts and setting Azure Policy to block public storage access, this option allows for the creation of a storage account that passes the CIS 1.3 public access for storage restriction.

Add "public_network_access" to the account_dict

```python
def account_obj_to_dict(self, account_obj, blob_service_props=None):
    # Map the SDK StorageAccount object onto the module's flat result dict,
    # including the new public_network_access field.
    account_dict = dict(
        id=account_obj.id,
        name=account_obj.name,
        location=account_obj.location,
        resource_group=self.resource_group,
        type=account_obj.type,
        access_tier=account_obj.access_tier,
        sku_tier=account_obj.sku.tier,
        sku_name=account_obj.sku.name,
        provisioning_state=account_obj.provisioning_state,
        secondary_location=account_obj.secondary_location,
        status_of_primary=account_obj.status_of_primary,
        status_of_secondary=account_obj.status_of_secondary,
        primary_location=account_obj.primary_location,
        https_only=account_obj.enable_https_traffic_only,
        minimum_tls_version=account_obj.minimum_tls_version,
        public_network_access=account_obj.public_network_access,
        allow_blob_public_access=account_obj.allow_blob_public_access,
        network_acls=account_obj.network_rule_set
    )
```

Add desired state check for value.

```python
# Only act when the parameter was given and differs from the current state,
# so an unchanged account reports changed=False (idempotent).
if self.public_network_access is not None and self.public_network_access != self.account_dict.get('public_network_access'):
    self.results['changed'] = True
    self.account_dict['public_network_access'] = self.public_network_access
    if not self.check_mode:
        try:
            parameters = self.storage_models.StorageAccountUpdateParameters(public_network_access=self.public_network_access)
            self.storage_client.storage_accounts.update(self.resource_group,
                                                        self.name,
                                                        parameters)
        except Exception as exc:
            self.fail("Failed to update public_network_access: {0}".format(str(exc)))
```
Workaround

By using the Azure CLI with the "--public-network-access" switch, the creation passes CIS 1.3 control.

```yaml
- name: "SHELL CMD: Create Storage Account"
  ansible.builtin.shell: |
    az storage account create -n 56d5638frj -g test_rg -l westus --sku Standard_LRS --public-network-access Disabled
  delegate_to: localhost
```
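The desired-state logic proposed above (only update when the parameter is set and differs, honour check mode, report `changed`) can be exercised without an Azure subscription. The following is an added example, not code from the ansible-collections/azure module: `FakeStorageAccount` and `FakeStorageClient` are constructed stand-ins for the SDK model and client, and `reconcile_public_network_access` reproduces the module's reconcile pattern as a plain function. It also adds an `audit_public_access` helper that lists accounts still reachable from public networks, which is the check a CIS 1.3 policy assignment is effectively making.

```python
"""Added example: idempotent reconciliation of an Azure storage account's
public_network_access setting, mirroring the Ansible module pattern from the
issue. The client and account types are constructed fakes, not the Azure SDK."""

from dataclasses import dataclass, field

# Values accepted by the real StorageAccountUpdateParameters.public_network_access.
VALID_VALUES = ("Enabled", "Disabled")


@dataclass
class FakeStorageAccount:
    """Constructed stand-in for the SDK's StorageAccount model (hypothetical)."""
    name: str
    public_network_access: str = "Enabled"


@dataclass
class FakeStorageClient:
    """Constructed stand-in for storage_client.storage_accounts; records update() calls."""
    accounts: dict
    update_calls: list = field(default_factory=list)

    def get(self, name):
        return self.accounts[name]

    def update(self, name, parameters):
        self.update_calls.append((name, dict(parameters)))
        self.accounts[name].public_network_access = parameters["public_network_access"]


def reconcile_public_network_access(client, name, desired, check_mode=False):
    """Return an Ansible-style result dict with 'changed' and the resulting value.

    desired=None leaves the setting alone (the module's `is not None` guard);
    check_mode=True reports the pending change but never calls update().
    """
    if desired is not None and desired not in VALID_VALUES:
        raise ValueError(
            f"public_network_access must be one of {VALID_VALUES}, got {desired!r}")

    current = client.get(name).public_network_access
    result = {"changed": False, "public_network_access": current}

    # No parameter given, or already in the desired state: nothing to do.
    if desired is None or desired == current:
        return result

    result["changed"] = True
    result["public_network_access"] = desired
    if not check_mode:
        client.update(name, {"public_network_access": desired})
    return result


def audit_public_access(client):
    """Names of accounts whose public_network_access is not 'Disabled' (drift check)."""
    return sorted(n for n, a in client.accounts.items()
                  if a.public_network_access != "Disabled")


def demo():
    """Run the reconcile through check mode, a real update, and a no-op rerun."""
    client = FakeStorageClient(accounts={
        "logs01": FakeStorageAccount("logs01", "Enabled"),        # constructed sample
        "backups01": FakeStorageAccount("backups01", "Disabled"),  # constructed sample
    })
    before = audit_public_access(client)
    r_check = reconcile_public_network_access(client, "logs01", "Disabled", check_mode=True)
    r_apply = reconcile_public_network_access(client, "logs01", "Disabled")
    r_again = reconcile_public_network_access(client, "logs01", "Disabled")
    return before, r_check, r_apply, r_again, client.update_calls, audit_public_access(client)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the three states a practitioner cares about: check mode reports `changed: True` without issuing an update, the real run issues exactly one update, and the rerun reports `changed: False`, which is what lets the task sit in a playbook that is applied repeatedly.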
@l3ender
Contributor

l3ender commented Jun 8, 2022

I have opened #875 to resolve this issue, and the PR is under review. Thanks!

@Fred-sun Fred-sun added enhancement New feature or request has_pr PR fixes have been made medium_priority Medium priority labels Jun 9, 2022