Azure/terraform-azurerm-avm-res-storage-storageaccount

Error Creating Storage Account Due to Guardrails

Dipak-Mistry-WTW opened this issue · 4 comments

Is there an existing issue for this?

  • I have searched the existing issues

Greenfield/Brownfield provisioning

greenfield

Terraform Version

1.7.3

Module Version

0.1.0

AzureRM Provider Version

3.91.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account.this

Terraform Configuration Files

data "http" "myip" {
  url = "http://ipinfo.io/ip"
}

module "storage_account" {
  source = "git::https://github.com/Azure/terraform-azurerm-avm-res-storage-storageaccount.git"

  name                = "xxxxxxxx"
  resource_group_name = azurerm_resource_group.default.name
  is_hns_enabled      = true
  network_rules = {
    default_action = "Deny"
    bypass         = ["None"]
    ip_rules       = [data.http.myip.response_body]
  }
  enable_telemetry = local.enable_telemetry
}

tfvars variables values


Debug Output/Panic Output

StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'xxxxxxxxxxxxx' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"P1-DENY-236-Unrestricted network access to storage accounts\",\"id\":\"/providers/Microsoft.Management/managementgroups/xxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/236\"},\"policyDefinition\":{\"name\":\"236-Unrestricted network access to storage accounts\"

Expected Behaviour

The resource should have been created, as the network rules should have satisfied the guardrail requirements.

Actual Behaviour

Error creating, as Azure Policy prevents creation. Using the network rules block on the azurerm_storage_account would have worked; however, it seems using the network rules block on azurerm_storage_account_network_rules doesn't allow creation when Azure Policy (236-Unrestricted network access to storage accounts) is in effect.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

@Dipak-Mistry-WTW Thank you for reaching out. Let me reproduce this issue and revert back to you

@chinthakaru - Is there any update or timeline as to when this might be resolved?

@Dipak-Mistry-WTW updated the main branch with the required PR. Please set the following toggle true and test the configuration.

use_nested_nacl = true

@chinthakaru That works. Thank you
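The two shapes this thread contrasts, written out as an added HCL example (not the module's own code; the `example` resource group, location, tier and replication values are assumptions): a standalone azurerm_storage_account_network_rules resource can only restrict the account after it already exists, so the create request itself carries no restriction and a deny-at-create policy such as "Unrestricted network access to storage accounts" rejects it, whereas the nested network_rules block is part of the create request. The module switch `use_nested_nacl = true` selects the second shape.

```hcl
# Shape 1 (rejected by the deny policy): the account is created first with
# default_action effectively "Allow", and the rules resource only tightens it
# on a later API call. Policy evaluation happens on the first call.
resource "azurerm_storage_account" "separate" {
  name                     = "exampleseparate" # assumed placeholder
  resource_group_name      = "example"         # assumed resource group
  location                 = "westeurope"      # assumed location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true
}

resource "azurerm_storage_account_network_rules" "separate" {
  storage_account_id = azurerm_storage_account.separate.id
  default_action     = "Deny"
  bypass             = ["None"]
  ip_rules           = [data.http.myip.response_body]
}

# Shape 2 (accepted): the restriction is inside the create request, so the
# account never exists in an unrestricted state for the policy to observe.
resource "azurerm_storage_account" "nested" {
  name                     = "examplenested" # assumed placeholder
  resource_group_name      = "example"       # assumed resource group
  location                 = "westeurope"    # assumed location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true

  network_rules {
    default_action = "Deny"
    bypass         = ["None"]
    ip_rules       = [data.http.myip.response_body]
  }
}

# The same outcome through the module, using the toggle named in the thread.
module "storage_account_nested" {
  source = "git::https://github.com/Azure/terraform-azurerm-avm-res-storage-storageaccount.git"

  name                = "examplemodule" # assumed placeholder
  resource_group_name = "example"       # assumed resource group
  is_hns_enabled      = true
  use_nested_nacl     = true
  network_rules = {
    default_action = "Deny"
    bypass         = ["None"]
    ip_rules       = [data.http.myip.response_body]
  }
}
```

A quick check before `terraform apply` under such a guardrail is to run `terraform plan` and confirm the planned azurerm_storage_account resource shows a `network_rules` block with `default_action = "Deny"`, rather than a separate azurerm_storage_account_network_rules resource scheduled after it.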