Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failed to create containers when provisioned azure storage account has configured PE and network acl #27607

Closed
1 task done
RyanChen22 opened this issue Oct 10, 2024 · 15 comments · Fixed by #27733
Closed
1 task done

Comments

@RyanChen22
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.7

AzureRM Provider Version

4.0.1

Affected Resource(s)/Data Source(s)

Containers of Azure Storage account

Terraform Configuration Files

required_providers{
 azurerm = {
  source = "hasicorp/azurerm"
  version = "4.0.1"

}

}

Debug Output/Panic Output

024-10-10T06:40:54.883Z [ERROR] provider.terraform-provider-azurerm_v4.0.1_x5: Response contains error diagnostic: diagnostic_severity=ERROR
  diagnostic_summary=
  | retrieving static website properties for Storage Account (Subscription: "xxx"
  | Resource Group Name: "xx"
  | Storage Account Name: "xx"): executing request: Get "https://xx.blob.core.windows.net/?comp=properties&restype=service": context deadline exceeded

Expected Behaviour

the containers should be created successfully after provisioning the storage account

Actual Behaviour

storage account was provisioned successfully but containers were failed to be created with the error in the debug log above. It keeps retrieving static website properties which was not used at all in the client terraform.

We have also tested successfully with similar terraform whereby if the provisioned storage account has public access enabled without PE + network acl, both account and containers are successfully provisioned without issues.

Steps to Reproduce

  1. use azurerm version "4.0.1" in the provider file
  2. have 2 modules - one to provisioning storage account with PE + network acl
  3. the other module to provisioning containers after account was created successfully.

Important Factoids

N.A.

References

Found similar Github issue but failed to succeed it by using azapi:
#2977

@github-actions github-actions bot added the v/4.x label Oct 10, 2024
@RyanChen22 RyanChen22 changed the title Failedto create containers when provisioned azure storage account has configured PE and network acl Failed to create containers when provisioned azure storage account has configured PE and network acl Oct 10, 2024
@mybayern1974
Copy link
Collaborator

mybayern1974 commented Oct 11, 2024

@RyanChen22 thank you for filing this issue. Till now I'm aware there are two main types of Storage resource provisioning issues in TF:

  1. Storage Account (SA) could be provisioned successfully but its sub resources failed say SA Container, as reported by Cannot create azurerm_storage_container in azurerm_storage_account that uses network_rules #2977
  2. SA could NOT be provisioned successfully due to failure in provisioning its sub resources, say static website., as reported by Terraform wants to reach storage account static website endpoint even when none will be created #20257, Error: reading static website for AzureRM Storage Account #27310, Error: reading static website for AzureRM Storage Account -facing issue with azurerm version > 3.39.0 #24982.

Firstly. I suggest do not regard the above two types as the same problem. Treat them separately.
I speculate your issue belong to #[2]. You may not agree by providing justification "but my SA gets provisioned successfully", given there is no full log provided here, I just speculate that success was only from observation from say Azure portal but TF shows SA provisioned failed? Please correct me if my speculation is wrong.
#[2] is well aware by Hashicorp and Microsoft and we are actively looking into it. Meanwhile I'd like to suggest you can subscribe to #27310 and close this one as a duplicate, if you are fine with doing that.
Cc @WodansSon , @jackofallops , @magodo

@RyanChen22
Copy link
Author

@mybayern1974 - thanks for your response. The situation is not falling under point 2. Cos even with PE+network ACL, storage account could be provisioning successfully without issues. The concern is on the creation of container after account was created. If you look at the shared debug error, it seems always retrieving static website properties before attempting to create the container. However, static website was not used at all in the terraform file.

Also, please do not close the thread as the this has been affecting users and required an immediate solution asap.

@mybayern1974
Copy link
Collaborator

@RyanChen22 sure no problem to keep this issue open. Could you please provide a minimum reproducible TF config describing your SA, SA Container, and PE?

@RyanChen22
Copy link
Author

sa&blob_storage_modules.zip
@mybayern1974 - I am attaching the used files for your review.

@mybayern1974
Copy link
Collaborator

@RyanChen22, in the current AzureRM implementation, it's SA that calls static website rather than the Storage Container, ending up in case any issues happen during accessing the static website in SA, the following provisioning to Storage Container would be impacted. Based on that, I think I can understand your saying that SA has already been fully successfully provisioned, then one possibility could be when executing terraform plan / apply to your terraform solution, accessing SA would always happen, which has no direct relationship with managing Storage Container, and accessing SA would trigger the access to static website.

With that, as I mentioned above, investigation on either decoupling the static website from SA or be tolerant to issues happening during accessing the static website is actively ongoing by owners of this project.

@RyanChen22
Copy link
Author

@mybayern1974 - Thanks for the reply. Tolerating the issue is definitely not acceptable as the container is not being provisioned after running the TF files since the error of static website will be thrown. Is there any solution or workaround on this? Cos if PE and network ACL is not configured in the TF, the provisioning of both account and containers are working successfully, which conflicts with your saying that accessing SA will trigger the access to static website.

@mybayern1974
Copy link
Collaborator

@RyanChen22 I would suggest to stay tuned to the final solution that has not been finalized yet, so it's out of my current knowledge scope now to share insights what that solution would be like.
Re your two questions:

  1. Re "....the container is not being provisioned...since the error of static website will be thrown..." that is what I mean to internally tolerant the access-static-website error thus the follow up actions say provisioning the container could continue. Again this is only one solution option, which is still under evaluation.
  2. Re "conflict with saying that..." that accessing SA would trigger access static website is an independent operation from setting PE + ACL or just using public network. A relation between the two operations could be setting PE sometimes (again I skip explaining in detail what "sometimes" means here, instead, stay tuned to the final solution) would block accessing static website but using public network won't block that.

@RyanChen22
Copy link
Author

@mybayern1974 - Appreciate your response and information so far. I would check with customers to see if the error could be ignored /skipped when deploying those TF files through pipeline. Meanwhile, will be happy to know if there is any ETA on the final solution. Thanks.

@mybayern1974
Copy link
Collaborator

@mybayern1974 - Appreciate your response and information so far. I would check with customers to see if the error could be ignored /skipped when deploying those TF files through pipeline. Meanwhile, will be happy to know if there is any ETA on the final solution. Thanks.

Re "check with customers...error could be ignored...", I believe not. Customers are innocent and they are unable to swallow this error reported here at their layer (unless they use Terraform AzAPI to manage the SA), instead, the duty is at this provider.

@RyanChen22
Copy link
Author

In such case, when could we expect to have a solution on this?

@mybayern1974
Copy link
Collaborator

In such case, when could we expect to have a solution on this?

Sorry this is out of my current information scope, instead, what I can tell is Hashicorp and Microsoft is actively looking into this issue.

@RyanChen22
Copy link
Author

@mybayern1974 - Appreciate your response and information so far. I would check with customers to see if the error could be ignored /skipped when deploying those TF files through pipeline. Meanwhile, will be happy to know if there is any ETA on the final solution. Thanks.

Re "check with customers...error could be ignored...", I believe not. Customers are innocent and they are unable to swallow this error reported here at their layer (unless they use Terraform AzAPI to manage the SA), instead, the duty is at this provider.

To speed up the process, customer has also tried AzAPI as well but encountering the below exception. Would we have some guidance on how to address the issue?

Error: Failed to query available provider packages

│ Could not retrieve the list of available versions for provider hashicorp/azapi: provider registry
registry.terraform.io
does not have
│ a provider named
registry.terraform.io/hashicorp/azapi

│ Did you intend to use azure/azapi? If so, you must specify that source address in each module which requires that provider. To see
│ which modules are currently depending on hashicorp/azapi, run the following command:
│ terraform providers

@mybayern1974
Copy link
Collaborator

@mybayern1974 - Appreciate your response and information so far. I would check with customers to see if the error could be ignored /skipped when deploying those TF files through pipeline. Meanwhile, will be happy to know if there is any ETA on the final solution. Thanks.

Re "check with customers...error could be ignored...", I believe not. Customers are innocent and they are unable to swallow this error reported here at their layer (unless they use Terraform AzAPI to manage the SA), instead, the duty is at this provider.

To speed up the process, customer has also tried AzAPI as well but encountering the below exception. Would we have some guidance on how to address the issue?

Error: Failed to query available provider packages │ │ Could not retrieve the list of available versions for provider hashicorp/azapi: provider registry registry.terraform.io does not have │ a provider named registry.terraform.io/hashicorp/azapi │ │ Did you intend to use azure/azapi? If so, you must specify that source address in each module which requires that provider. To see │ which modules are currently depending on hashicorp/azapi, run the following command: │ terraform providers

This looks like an AzAPI usage question. To keep this thread focused, please file the AzAPI question here to have discussion there.

@RyanChen22
Copy link
Author

@mybayern1974 - I have helped my customers to raise another GH link for azapi workaround. Will appreciate if you could help to further advice the mitigation. Thanks

Copy link

github-actions bot commented Dec 6, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
3 participants