azurerm_storage_account - Add sanity check for dns_endpoint_type …

…and `blob_properties.restore_policy` (#25450) * `azurerm_storage_account` - Add sanity check for `dns_endpoint_type` and `blob_properties.restore_policy` * add comment to clarify the short-term limitation
hashicorp · Apr 15, 2024 · 1fc8177 · 1fc8177
1 parent d987ebb
commit 1fc8177
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/internal/services/storage/storage_account_resource.go b/internal/services/storage/storage_account_resource.go
@@ -1586,6 +1586,17 @@ func resourceStorageAccountCreate(d *pluginsdk.ResourceData, meta interface{}) e
 			}
 		}
 
+		// TODO: This is a temporary limitation on Storage service. Remove this check once the API supports this scenario.
+		// See https://github.com/hashicorp/terraform-provider-azurerm/pull/25450#discussion_r1542471667 for the context.
+		if dnsEndpointType == string(storage.DNSEndpointTypeAzureDNSZone) {
+			if blobProperties.RestorePolicy != nil && blobProperties.RestorePolicy.Enabled != nil && *blobProperties.RestorePolicy.Enabled {
+				// Otherwise, API returns: "Required feature Global Dns is disabled"
+				// This is confirmed with the SRP team, where they said:
+				// > restorePolicy feature is incompatible with partitioned DNS
+				return fmt.Errorf("`blob_properties.restore_policy` can't be set when `dns_endpoint_type` is set to `%s`", storage.DNSEndpointTypeAzureDNSZone)
+			}
+		}
+
 		if _, err = blobClient.SetServiceProperties(ctx, id.ResourceGroupName, id.StorageAccountName, *blobProperties); err != nil {
 			return fmt.Errorf("updating `blob_properties`: %+v", err)
 		}
@@ -1921,6 +1932,15 @@ func resourceStorageAccountUpdate(d *pluginsdk.ResourceData, meta interface{}) e
 			return fmt.Errorf("`versioning_enabled` can't be true when `is_hns_enabled` is true")
 		}
 
+		if d.Get("dns_endpoint_type").(string) == string(storage.DNSEndpointTypeAzureDNSZone) {
+			if blobProperties.RestorePolicy != nil && blobProperties.RestorePolicy.Enabled != nil && *blobProperties.RestorePolicy.Enabled {
+				// Otherwise, API returns: "Required feature Global Dns is disabled"
+				// This is confirmed with the SRP team, where they said:
+				// > restorePolicy feature is incompatible with partitioned DNS
+				return fmt.Errorf("`blob_properties.restore_policy` can't be set when `dns_endpoint_type` is set to `%s`", storage.DNSEndpointTypeAzureDNSZone)
+			}
+		}
+
 		if _, err = blobClient.SetServiceProperties(ctx, id.ResourceGroupName, id.StorageAccountName, *blobProperties); err != nil {
 			return fmt.Errorf("updating `blob_properties` for %s: %+v", *id, err)
 		}

diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown
@@ -193,6 +193,8 @@ A `blob_properties` block supports the following:
 
 -> **NOTE:** This field cannot be configured when `kind` is set to `Storage` (V1).
 
+-> **NOTE:** `restore_policy` can not be configured when `dns_endpoint_type` is `AzureDnsZone`.
+
 * `versioning_enabled` - (Optional) Is versioning enabled? Default to `false`.
 
 -> **NOTE:** This field cannot be configured when `kind` is set to `Storage` (V1).