Error: reading static website for AzureRM Storage Account -facing issue with azurerm version > 3.39.0 #24982
Comments
Duplicate of #2977
Hi @kavinkvb, thanks for reporting this issue. The error you're seeing is because in order to set the static site properties for the storage account, it's necessary to use the Storage data plane API which is located at the endpoint of the storage account itself. This means that this API is subject to the same access restrictions as the storage account, and since you have configured a private endpoint, you will need to run Terraform from a location where this endpoint is accessible. This is a known issue that affects all resources that make use of the Storage data plane API, as such I'm going to close this issue out in favor of #2977 and I recommend subscribing to that issue for further updates. In order for us to resolve this however, it's necessary for this functionality to be added to the Resource Manager API which is out of our control.
@manicminer Why was this closed? Something clearly changed between 3.39 and 3.40 that caused this issue. Is there a new private endpoint needed now that wasn't needed before (i.e. web)?
@manicminer, I don't think this is exactly a dupe of #2977 because it was working properly in 3.39.0 and started failing in 3.40.0. I looked at the changelog for 3.40.0 and saw that in that release, the provider was changed to no longer silently ignore 404 responses from the storage account. I wonder if that is what caused the issue.
This comment should help answer why this was closed - specifically the first sentence in regards to the change after version 3.39.0.
That does help though I have a follow up ... we have storage accounts with private link to services like Data Factory (not private endpoints, so no nic assigned) and they suffer from the same failure even though the storage account itself has the ACLs set to public. It would be nice if the documentation for storage account said that if you enable private endpoint, you need to create all the endpoint types (blob, web, file, dfs, queue) for proper operation.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
I've tried to reproduce this issue with the following config, whilst all works well for me:

```hcl
provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

resource "azurerm_resource_group" "test" {
  name     = "mgd24982"
  location = "swedencentral"
  lifecycle {
    ignore_changes = [tags]
  }
}

resource "azurerm_storage_account" "main" {
  name                            = "mgd24982"
  location                        = azurerm_resource_group.test.location
  resource_group_name             = azurerm_resource_group.test.name
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  allow_nested_items_to_be_public = false
}

resource "azurerm_storage_account" "main2" {
  name                            = "mgd24982disablepn"
  location                        = azurerm_resource_group.test.location
  resource_group_name             = azurerm_resource_group.test.name
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  allow_nested_items_to_be_public = false
  public_network_access_enabled   = false
}

resource "azurerm_virtual_network" "example" {
  name                = "virtnetname"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_subnet" "example" {
  name                 = "subnetname"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  subnet_id           = azurerm_subnet.example.id
  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = azurerm_storage_account.main.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "example-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
  }
}

resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "example-link"
  resource_group_name   = azurerm_resource_group.test.name
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
}
```

Note that I'm running BTW, the error in this issue indicates a DNS resolving failure (which unfortunately is hidden by the provider). The behavior of DNS resolving for storage account with PE setup, is that:
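Added example, not part of the original thread or the provider's code: a Python check, meant to be run from the machine that runs Terraform, that resolves a storage account's data-plane hostnames and reports whether each one is unresolved, public or private. It follows the points above that the data plane API must be reachable from where Terraform runs and that the reported error is a DNS resolution failure. The account name `examplesa`, the service list and the `core.windows.net` suffix (Azure public cloud) are assumptions.

```python
import ipaddress
import socket
import sys

# Endpoint types named in the thread. "web" is left out because its hostname
# carries a zone-specific label that cannot be derived from the account name.
SERVICES = ("blob", "file", "queue", "dfs")


def system_resolver(host):
    """Resolve host with the OS resolver; return a sorted list of IP strings."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # NXDOMAIN, no reachable DNS server, etc.
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify(addresses):
    """Label a resolution result as unresolved, private, public or mixed."""
    if not addresses:
        return "unresolved"
    flags = [ipaddress.ip_address(a).is_private for a in addresses]
    if all(flags):
        return "private"   # answer came from a private DNS zone
    if not any(flags):
        return "public"    # traffic would go to the public endpoint
    return "mixed"


def check_account(account, services=SERVICES, resolver=system_resolver,
                  suffix="core.windows.net"):
    """Return {hostname: (label, addresses)} for each data-plane service."""
    report = {}
    for service in services:
        host = f"{account}.{service}.{suffix}"
        addresses = resolver(host)
        report[host] = (classify(addresses), addresses)
    return report


if __name__ == "__main__":
    # "examplesa" is a constructed account name; pass the real one as argv[1].
    name = sys.argv[1] if len(sys.argv) > 1 else "examplesa"
    for host, (label, addresses) in check_account(name).items():
        print(f"{label:<10} {host} {', '.join(addresses)}")
```

An `unresolved` line corresponds to the DNS failure described above; a `public` line for an account with public network access disabled means the request leaves through the public endpoint rather than the private one.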
Is there an existing issue for this?
Community Note
Terraform Version
0.13.4
AzureRM Provider Version
3.68.0
Affected Resource(s)/Data Source(s)
azurerm_storage_account
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
Should get the plan with azurerm version > 3.40.0
Actual Behaviour
While trying to get plan with azurerm version 3.68.0 for storage account with private endpoint enabled, I am facing the above mentioned error.
But after deleting the private endpoint I'm able to get the plan with azurerm version 3.68.0 without any issue.
With private endpoint enabled I'm getting the expected plan with azurerm version < 3.39.0
Steps to Reproduce
Create a storage account and private endpoint.
Try to get terraform plan with azurerm version < 3.39.0 and azurerm version > 3.40.0
Important Factoids
No response
References
No response