
Error: reading static website for AzureRM Storage Account - facing issue with azurerm version > 3.39.0 #24982

Closed
1 task done
kavinkvb opened this issue Feb 22, 2024 · 8 comments

Comments

@kavinkvb

kavinkvb commented Feb 22, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

0.13.4

AzureRM Provider Version

3.68.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "main" {
  name                            = var.storage_account_name
  location                        = var.location
  resource_group_name             = var.resource_group_name
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  allow_nested_items_to_be_public = false
  tags                            = var.tags_primary
  network_rules {
    default_action = "Deny"
  }

  blob_properties {
    delete_retention_policy {
      days = 14
    }

    container_delete_retention_policy {
      days = 14
    }
    versioning_enabled = true
  }
}
resource "azurerm_private_endpoint" "private_endpoint" {
  name                = var.privatelink_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.privateendpoint_subnet_id

  private_service_connection {
    name                           = var.privatelink_name
    private_connection_resource_id = var.resource_account_id
    is_manual_connection           = false
    subresource_names              = var.subresource_names
  }

  private_dns_zone_group {
    name                 = "${var.dns_zone_name}-link"
    private_dns_zone_ids = var.dns_link_id
  }
}

Debug Output/Panic Output

Error: reading static website for AzureRM Storage Account "test": accounts.Client#GetServiceProperties: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded

Expected Behaviour

Should get the plan with azurerm version > 3.40.0

Actual Behaviour

While trying to get plan with azurerm version 3.68.0 for storage account with private endpoint enabled, I am facing the above mentioned error.

But after deleting the private endpoint I'm able to get the plan with azurerm version 3.68.0 without any issue.

With private endpoint enabled I'm getting the expected plan with azurerm version < 3.39.0

Steps to Reproduce

Create a storage account and private endpoint.
Try to get terraform plan with azurerm version < 3.39.0 and azurerm version > 3.40.0

Important Factoids

No response

References

No response

@manicminer (Contributor)

Duplicate of #2977

@manicminer manicminer marked this as a duplicate of #2977 Mar 1, 2024
@manicminer (Contributor)

Hi @kavinkvb, thanks for reporting this issue. The error you're seeing is because in order to set the static site properties for the storage account, it's necessary to use the Storage data plane API which is located at the endpoint of the storage account itself. This means that this API is subject to the same access restrictions as the storage account, and since you have configured a private endpoint, you will need to run Terraform from a location where this endpoint is accessible.

This is a known issue that affects all resources that make use of the Storage data plane API, as such I'm going to close this issue out in favor of #2977 and I recommend subscribing to that issue for further updates. In order for us to resolve this however, it's necessary for this functionality to be added to the Resource Manager API which is out of our control.

@manicminer manicminer closed this as not planned (won't fix, can't repro, duplicate, stale) Mar 1, 2024
@rmcolbert

@manicminer Why was this closed? Something clearly changed between 3.39 and 3.40 that caused this issue. Is there a new private endpoint needed now that wasn't needed before (i.e. web)?

@rmcolbert

@manicminer, I don't think this is exactly a dupe of #2977 because it was working properly in 3.39.0 and started failing in 3.40.0. I looked at the changelog for 3.40.0 and saw that in that release, the provider was changed to no longer silently ignore 404 responses from the storage account. I wonder if that is what caused the issue.

@manwithaplandy

This comment should help answer why this was closed - specifically the first sentence in regards to the change after version 3.39.0.

@rmcolbert

That does help though I have a follow up ... we have storage accounts with private link to services like Data Factory (not private endpoints, so no nic assigned) and they suffer from the same failure even though the storage account itself has the ACLs set to public.

It would be nice if the documentation for storage account said that if you enable private endpoint, you need to create all the endpoint types (blob, web, file, dfs, queue) for proper operation.

github-actions bot commented May 4, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 4, 2024
@magodo (Collaborator) commented Sep 4, 2024

I've tried to reproduce this issue with the following config, whilst all works well for me:

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

resource "azurerm_resource_group" "test" {
  name     = "mgd24982"
  location = "swedencentral"
  lifecycle {
    ignore_changes = [tags]
  }
}

resource "azurerm_storage_account" "main" {
  name                            = "mgd24982"
  location                        = azurerm_resource_group.test.location
  resource_group_name             = azurerm_resource_group.test.name
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  allow_nested_items_to_be_public = false
}

resource "azurerm_storage_account" "main2" {
  name                            = "mgd24982disablepn"
  location                        = azurerm_resource_group.test.location
  resource_group_name             = azurerm_resource_group.test.name
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  allow_nested_items_to_be_public = false
  public_network_access_enabled = false
}


resource "azurerm_virtual_network" "example" {
  name                = "virtnetname"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_subnet" "example" {
  name                 = "subnetname"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  subnet_id           = azurerm_subnet.example.id

  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = azurerm_storage_account.main.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "example-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
  }
}

resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "example-link"
  resource_group_name   = azurerm_resource_group.test.name
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

Note that I'm running terraform from my laptop, which is not within Azure network (or vnet). Both azurerm_storage_account.main (the same config as the author's config, with PE setup) and azurerm_storage_account.main2 (similar account, without PE setup, with public network disabled) work, for both the latest v4.0.1 provider and the v3.68.0 (by terraform plan).

BTW, the error in this issue indicates a DNS resolving failure (which unfortunately is hidden by the provider). The behavior of DNS resolving for storage account with PE setup, is that:

  • If you are resolving within the PE enabled vnet (or linked vnet), it resolves to a private ip
  • Otherwise, it resolves to a public ip
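A small pre-flight check, added here as an illustration and not part of the provider or of any comment above: it resolves the storage account's data-plane hostname from wherever Terraform is about to run and reports which side of the split-horizon DNS it landed on, so the failure the provider hides behind "context deadline exceeded" is visible before a plan. The function names, the default "blob" subresource and the sample addresses are assumptions made for this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# Hypothetical helper names for this example; not provider code.

def storage_host(account: str, subresource: str = "blob") -> str:
    """Data-plane hostname Terraform must reach, e.g. <acct>.blob.core.windows.net.
    Pass "web", "file", "dfs" or "queue" to check the other endpoint types."""
    return f"{account}.{subresource}.core.windows.net"

def classify_resolution(addrs: Iterable[str]) -> str:
    """'private': every address is RFC1918/ULA (resolved inside the PE vnet).
    'public': every address is public (resolved outside the vnet).
    'none': nothing resolved, the case the provider reports as a deadline."""
    addrs = list(addrs)
    if not addrs:
        return "none"
    flags = {ipaddress.ip_address(a).is_private for a in addrs}
    if flags == {True}:
        return "private"
    if flags == {False}:
        return "public"
    return "mixed"

def _system_resolver(host: str) -> List[str]:
    """Real lookup via the OS resolver; empty list on NXDOMAIN or timeout."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({ai[4][0] for ai in infos})

_ADVICE = {
    "private": "private IP; this host is inside the PE vnet, data-plane calls will work",
    "public": "public IP; this host is outside the PE vnet, data-plane calls are blocked "
              "if public network access is denied on the account",
    "none": "no address; the provider would surface this as 'context deadline exceeded'",
    "mixed": "mixed private/public answers; check the privatelink DNS zone links",
}

def diagnose(account: str, subresource: str = "blob",
             resolver: Optional[Callable[[str], List[str]]] = None) -> str:
    """Return '<host> -> <verdict>: <advice>'. A resolver can be injected for
    offline use (constructed addresses); by default the OS resolver is used."""
    host = storage_host(account, subresource)
    verdict = classify_resolution((resolver or _system_resolver)(host))
    return f"{host} -> {verdict}: {_ADVICE[verdict]}"

if __name__ == "__main__":
    # Constructed sample: what a resolver inside the vnet from magodo's config returns.
    print(diagnose("mgd24982", resolver=lambda h: ["10.0.2.5"]))
```

Run it from the same machine or agent where `terraform plan` will execute; a "public" verdict on an account with public network access disabled explains the error without digging through provider debug logs.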
