azurerm_storage_account_network_rules not clearing out ip_rules nor virtual_network_subnet_ids

[jorrite]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.26
+ provider.azurerm v2.14.0
+ provider.random v2.2.1

Affected Resource(s)

• azurerm_storage_account_network_rules

Terraform Configuration Files

provider "azurerm" {
  version         = "=2.14.0"
  features {}
}


resource "random_string" "resource_string_random" {
  length  = 10
  upper   = false
  number  = false
  special = false
}

resource "azurerm_resource_group" "example" {
  name     = format("example-resources-%s", random_string.resource_string_random.result)
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = format("example-vnet-%s", random_string.resource_string_random.result)
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = format("example-subnet-%s", random_string.resource_string_random.result)
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "example" {
  name                     = format("example0%s", random_string.resource_string_random.result)
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  tags = {
    environment = "staging"
  }
}

resource "azurerm_storage_account_network_rules" "example" {
  resource_group_name  = azurerm_resource_group.example.name
  storage_account_name = azurerm_storage_account.example.name

  default_action             = "Deny"
  ip_rules                   = ["127.0.0.1"]
  virtual_network_subnet_ids = [azurerm_subnet.example.id]
  bypass                     = ["Metrics"]
}

Debug Output

1st apply (gist).
2nd apply (gist).

• I included the apply of 1st and 2nd run (see steps to reproduce).
• Note that I have sanitized my debug output here and removed things like subscription and tenant ID's.

Panic Output

Not applicable.

Expected Behavior

Terraform should clear out both ip_range as well as virtual_network_subnet_ids whenever it is given empty array's.

Actual Behavior

Terraform does not clear out ip_range nor virtual_network_subnet_ids whenever it is given empty array's. Going from a list of 2 IP items or 2 subnet items to 1 works fine, the problem only occurs when either of the lists need to be cleared out entirely. You can see the erroneous updates (still including items) in the 2nd apply (gist).

Steps to Reproduce

1. terraform apply the configuration as above.
2. Change azurerm_storage_account_network_rules.example.ip_ranges and azurerm_storage_account_network_rules.example.virtual_network_subnet_ids to [].
3. terraform apply again, and observe that Terraform is planning to clear out both ip_range and virtual_network_subnet_ids.
4. Open up portal.azure.com and navigate to the Firewall section of the Storage Account. Both IP and Subnet are still present. You can also repeat step 3. and observe that Terraform is again detecting it needs to change both attributes.

Important Factoids

• I am using tfenv to manage TF versions on my machine.

References

Not applicable.

Context

To provide some context as to how I encountered this problem and why I need this to work properly. We're using a bunch of storage accounts in conjunction with an AKS cluster. We generally lock down every SA with Firewall so that only the AKS subnet can access these storage accounts. Occasionally it happens that Developers need direct access to a Storage Account (for debugging purposes), so we just manually add the IP's and go in. We usually relied on frequent TF applies (which run with CI/CD pipelines) to clear out these residual IPs that keep floating around even after the Developers are done debugging. This previously worked fine when we used to define the network rules directly inside the azurerm_storage_account block itself, but we recently moved to the newer resource azurerm_storage_account_network_rules (keeping in mind to only define rules here and not in the SA block anymore) , and thats when I started noticing this issue.

[njuCZ]

@jorrite thanks for pointing this issue, I have submit a PR to fix: #7385, Hope it will unblock you soon

[ghost]

This has been released in version 2.16.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.16.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!