azurerm_storage_account share_properties smb block not updating. sas policy not disabled #28343

Open
1 task done
fgarcia-cnb opened this issue Dec 19, 2024 · 1 comment
Labels
service/storage upstream/microsoft/blocking-api-issue This label is applicable when there is a bug on the Azure API that is blocking. v/3.x

Comments


fgarcia-cnb commented Dec 19, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.8.5

AzureRM Provider Version

3.111.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "storage_account" {
  count               = var.resource_count
  name                = "${replace(var.group_prefix, "-", "")}${format("%02d", count.index)}sa"
  resource_group_name = var.resource_group_name

  location = local.region[var.location]
  tags     = local.tags
...

  dynamic "sas_policy" {
    for_each = var.enable_sas_policy && var.shared_access_key_enabled ? [1] : []
    content {
      expiration_period = "90.00:00:00"
      expiration_action = "Log"
    }
  }

  dynamic "share_properties" {
    for_each = var.secure_smb ? [1] : []
    content {
      smb {
        versions                        = ["SMB3.1.1"]
        authentication_types            = ["Kerberos"]
        kerberos_ticket_encryption_type = ["AES-256"]
        channel_encryption_type         = ["AES-256-GCM"]
      }
    }
  }

  lifecycle {
    ignore_changes = [
      azure_files_authentication,
      blob_properties[0].restore_policy,
      customer_managed_key,
      network_rules[0].private_link_access,
      share_properties[0].retention_policy,
      static_website,
    ]
  }
}

Debug Output/Panic Output

none

Expected Behaviour

When secure_smb = false, the TF plan should show the dynamic share_properties.smb block as being removed, ideally resetting the share properties to Maximum Compatibility, which is the default setting.

When enable_sas_policy = false, the TF plan should show the sas_policy block being removed, and the SAS policy should be disabled in the portal.

Actual Behaviour

Terraform does not remove the share_properties.smb block, and leaves SMB settings unchanged.

Terraform does correctly remove the sas_policy block, but the sas_policy is not updated, and subsequent TF runs keep showing the same change.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

@fgarcia-cnb fgarcia-cnb changed the title azurerm_storage_account share_properties smb block not updating azurerm_storage_account share_properties smb block not updating. sas policy not disabled Dec 19, 2024
Collaborator

magodo commented Dec 23, 2024

sas_policy not being updated is due to an Azure API bug: Azure/azure-rest-api-specs#31949.

For share_properties, it was defined to be Optional & Computed, as a storage account can have default settings of share_properties, which will then be populated if users haven't explicitly specified them. We can't remove the "Computed" above now as it is a breaking change - otherwise those default settings will show as a change in the next plan. What you can do to mitigate this is to define dynamic blocks for the inner smb. Example: https://github.com/Azure/terraform-azurerm-avm-res-storage-storageaccount/blob/61bd7be913e9ad3bca6d852ed792999c9abd31af/main.tf#L231

@magodo magodo added the upstream/microsoft/blocking-api-issue This label is applicable when there is a bug on the Azure API that is blocking. label Dec 23, 2024
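A sketch of the mitigation described in the comment above, added here as an illustration; it is not code from the issue, the provider, or the linked AVM module. It reuses the issue's `secure_smb` variable and SMB values; the resource label, account name, and tier/replication values are placeholders, and the behaviour on toggle is as the comment describes rather than something verified on this page.

```hcl
# Added example. Placeholders (assumptions): resource label "example",
# account name, account_tier and account_replication_type.
variable "secure_smb" {
  type    = bool
  default = true
}

variable "resource_group_name" {
  type = string
}

variable "location" {
  type = string
}

resource "azurerm_storage_account" "example" {
  name                     = "examplesmbsa01" # placeholder
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # share_properties is Optional + Computed (per the maintainer's comment):
  # if the whole block is omitted, the values read back from Azure are kept
  # and no change is planned. Declare the block unconditionally instead.
  share_properties {
    # Toggle only the inner smb block, so that secure_smb = false is a
    # change inside a block that is present in the configuration.
    dynamic "smb" {
      for_each = var.secure_smb ? [1] : []
      content {
        versions                        = ["SMB3.1.1"]
        authentication_types            = ["Kerberos"]
        kerberos_ticket_encryption_type = ["AES-256"]
        channel_encryption_type         = ["AES-256-GCM"]
      }
    }
  }

  lifecycle {
    # Carried over from the issue's configuration.
    ignore_changes = [
      share_properties[0].retention_policy,
    ]
  }
}
```

After applying with `secure_smb` toggled, compare the file service protocol settings shown for the account in the portal against the intended values, since a clean plan alone does not show what the account is actually enforcing.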