azurerm_storage_account_blob_container_sas token not the same format as token from Azure Portal (includes magic) #19828

Closed
1 task done
ajostergaard opened this issue Jan 3, 2023 · 9 comments

@ajostergaard

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.4

AzureRM Provider Version

3.35.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account_blob_container_sas

Terraform Configuration Files

resource "azurerm_resource_group" "rg" {
  name     = "resourceGroupName"
  location = "West Europe"
}

resource "azurerm_storage_account" "storage" {
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_container" "container" {
  name                  = "mycontainer"
  storage_account_name  = azurerm_storage_account.storage.name
  container_access_type = "private"
}

data "azurerm_storage_account_blob_container_sas" "default" {
  connection_string = azurerm_storage_account.storage.primary_connection_string
  container_name    = azurerm_storage_container.container.name
  https_only        = true

  start  = "2023-01-01"
  expiry = "2023-01-07"

  permissions {
    read   = true
    add    = false
    create = false
    write  = false
    delete = false
    list   = false
  }
}

output "sas_url_query_string" {
  value = nonsensitive(data.azurerm_storage_account_blob_container_sas.default.sas)
}

Debug Output/Panic Output

N/A

Expected Behaviour

The SAS token should be similar in format to the token provided from the Azure Portal. This is the obvious intuitive expectation of the module.

Actual Behaviour

The token is prefixed with a ? and has been urlencoded.

This feature is not documented and is not intuitive.

What's worse in some cases it is necessary to undo these magical changes in order to use the token. It is as easy as below but, at least in my case, it took several hours to suss out what was going on.

trimprefix(replace(data.azurerm_storage_account_blob_container_sas.default.sas, "%", "%%"), "?")

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

@github-actions github-actions bot removed the bug label Jan 3, 2023
@magodo
Collaborator

magodo commented Jan 4, 2023

@ajostergaard I find the only difference between the data source's output and the Portal's is the ? prefix. Both have url encoded the SAS token. The motivation of prefixing the ? is to allow users to simply append the sas to the id of the azurerm_storage_container. BTW, the SAS token of the storage account that is generated by Portal also has the ? prefix.

@ajostergaard
Author

ajostergaard commented Jan 4, 2023

@magodo the provider output also encodes the colons in the time which the portal does not.

Portal:
image
Provider:
image

I understand the motivation but to be blunt, the right way to make it easier is to make it explicit - and in this case, provide access to the Blob SAS URL for that use case.

In my case I need that string as is from the portal and have to undo the magic. Doesn't matter now that it's done but I wasted a good amount of time figuring out why this simple thing didn't work and would not wish that on others.

@ajostergaard
Author

@magodo this is, at the very least, a documentation bug but one way or another it's a bug - gone are the days of undocumented features. :)

@ajostergaard
Author

@magodo thanks for taking a look at this - can't we do the whole lot though? I mean either remove the question mark and provide the URL or document that unlike the portal (and I assume the CLI and the API) this provider adds a question mark.

@magodo
Collaborator

magodo commented Jan 5, 2023

@ajostergaard We can mention it in the document once the above PR gets merged. However, we can't simply remove the question mark, as it is a breaking change.

@ajostergaard
Author

@magodo fair enough, thanks. What about adding the full URL?

@magodo
Collaborator

magodo commented May 12, 2023

@ajostergaard The full URL should be easily constructed manually, so I'm not gonna do the change.

Since #21725, which upgrades go-azure-helpers to v0.56.0, is merged, I'm gonna close this issue as the fix is in. Please feel free to reopen it if the issue remains.
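
Added example, not part of the thread and not the provider's own code: a small Python helper that treats the two token shapes discussed above (leading `?` with `%3A` in the timestamps, versus a bare token with literal colons) as the same grant, re-emits the bare form, and builds the full container URL with exactly one `?`. The sample tokens, the placeholder signature, and the function names are constructed for illustration.

```python
from urllib.parse import quote, unquote

# Constructed sample tokens; the signature is a placeholder, not a real one.
PROVIDER_STYLE = ("?sv=2018-11-09&sr=c&st=2023-01-01T00%3A00%3A00Z"
                  "&se=2023-01-07T00%3A00%3A00Z&sp=r&spr=https&sig=PLACEHOLDER%2Bsig%3D")
PORTAL_STYLE = ("sp=r&st=2023-01-01T00:00:00Z&se=2023-01-07T00:00:00Z"
                "&spr=https&sv=2018-11-09&sr=c&sig=PLACEHOLDER%2Bsig%3D")


def parse_sas(token):
    """Decode a SAS query string into a dict, accepting an optional leading '?'."""
    query = token[1:] if token.startswith("?") else token
    params = {}
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if not sep or key in params:
            raise ValueError(f"malformed or duplicate SAS field: {pair!r}")
        # unquote (unlike parse_qs) keeps a literal '+' instead of making it a space
        params[key] = unquote(value)
    return params


def same_grant(a, b):
    """True when two tokens carry identical fields, whatever their surface encoding."""
    return parse_sas(a) == parse_sas(b)


def to_bare_token(token):
    """Re-emit the token without the '?', leaving ':' in timestamps unescaped."""
    return "&".join(f"{k}={quote(v, safe=':')}" for k, v in parse_sas(token).items())


def container_url(container_base_url, token):
    """Join a container URL and a token with exactly one '?' between them."""
    return f"{container_base_url.rstrip('?')}?{to_bare_token(token)}"


if __name__ == "__main__":
    print(same_grant(PROVIDER_STYLE, PORTAL_STYLE))
    print(to_bare_token(PROVIDER_STYLE))
    # Hypothetical container URL built from the names in the issue's configuration.
    print(container_url("https://storageaccountname.blob.core.windows.net/mycontainer",
                        PROVIDER_STYLE))
```

The signature stays percent-encoded in both shapes; only the `?` prefix and the timestamp colons differ, so string comparison of the raw tokens fails while the decoded fields match.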

@magodo magodo closed this as completed May 12, 2023
@magodo magodo added this to the v3.56.0 milestone May 12, 2023
@amcsi
Contributor

amcsi commented Feb 14, 2024

This resource is too problematic. I solved my issue by not using the "azurerm_storage_account_blob_container_sas" resource, but rather "azurerm_storage_account_sas" instead.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 23, 2024