Error Creating Storage Account Due to Guardrails
Dipak-Mistry-WTW opened this issue · 4 comments
Is there an existing issue for this?
- I have searched the existing issues
Greenfield/Brownfield provisioning
greenfield
Terraform Version
1.7.3
Module Version
0.1.0
AzureRM Provider Version
3.91.0
Affected Resource(s)/Data Source(s)
azurerm_storage_account.this
Terraform Configuration Files
# Look up the caller's public IP so it can be allow-listed on the account.
# Fetched over HTTPS: the value ends up in a firewall rule, so it should not
# be obtainable from a plaintext response that could be tampered with in transit.
data "http" "myip" {
  url = "https://ipinfo.io/ip"
}

module "storage_account" {
  # Module version 0.1.0 in use (see above); pinning with ?ref=<tag> keeps applies reproducible.
  source              = "git::https://github.com/Azure/terraform-azurerm-avm-res-storage-storageaccount.git"
  name                = "xxxxxxxx"
  resource_group_name = azurerm_resource_group.default.name
  is_hns_enabled      = true

  network_rules = {
    default_action = "Deny"
    bypass         = ["None"]
    # trimspace() guards against a trailing newline in the HTTP response body,
    # which would otherwise produce an invalid IP rule.
    ip_rules = [trimspace(data.http.myip.response_body)]
  }

  enable_telemetry = local.enable_telemetry
}
tfvars variables values
Debug Output/Panic Output
StatusCode=403 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'xxxxxxxxxxxxx' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"P1-DENY-236-Unrestricted network access to storage accounts\",\"id\":\"/providers/Microsoft.Management/managementgroups/xxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/236\"},\"policyDefinition\":{\"name\":\"236-Unrestricted network access to storage accounts\"
Expected Behaviour
The resource should have been created, as the network rules should have satisfied the guardrail requirements.
Actual Behaviour
Error creating, as Azure Policy prevents creation. Using the network_rules block on azurerm_storage_account would have worked; however, it seems that using the network rules block on azurerm_storage_account_network_rules doesn't allow creation when Azure Policy (236-Unrestricted network access to storage accounts) is in effect.
Steps to Reproduce
terraform apply
Important Factoids
No response
References
No response
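The distinction the report draws between the two ways of applying network rules is what a deny-effect policy keys on: Azure Policy evaluates the storage account's network ACLs on the create/update request itself, so rules that are only applied afterwards by a separate resource never reach the policy engine in time. The following is an added illustration, not code from the issue or from the AVM module, and the resource names, location and the IP value are placeholders:

```hcl
# Constructed example contrasting the two patterns under a policy that denies
# storage accounts whose network ACL default action is not "Deny".

resource "azurerm_resource_group" "example" {
  name     = "rg-example"       # placeholder
  location = "westeurope"       # placeholder
}

# Pattern A (fails under the guardrail): the account is created first with the
# provider default (networkAcls.defaultAction = Allow). The deny-effect policy
# rejects this initial PUT with RequestDisallowedByPolicy, so the dependent
# azurerm_storage_account_network_rules resource is never applied.
resource "azurerm_storage_account" "separate_rules" {
  name                     = "stexampleseparate"   # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true
}

resource "azurerm_storage_account_network_rules" "separate_rules" {
  storage_account_id = azurerm_storage_account.separate_rules.id
  default_action     = "Deny"
  bypass             = ["None"]
  ip_rules           = ["203.0.113.10"]   # placeholder (TEST-NET-3), never reached
}

# Pattern B (passes): the rules are part of the account's own definition, so
# the very first create request already carries defaultAction = Deny and the
# policy is satisfied. This is the "nested" placement the report says works.
resource "azurerm_storage_account" "nested_rules" {
  name                     = "stexamplenested"     # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  is_hns_enabled           = true

  network_rules {
    default_action = "Deny"
    bypass         = ["None"]
    ip_rules       = ["203.0.113.10"]   # placeholder (TEST-NET-3)
  }
}
```

A quick way to confirm which pattern a module generates is `terraform plan`: if the plan shows `azurerm_storage_account` being created without a `network_rules` block and a separate `azurerm_storage_account_network_rules` resource alongside it, the account will be submitted with the open default first, and any guardrail that denies `networkAcls.defaultAction != Deny` will block it exactly as in the error above.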
@Dipak-Mistry-WTW Thank you for reaching out. Let me reproduce this issue and get back to you.
@chinthakaru - Is there any update or timeline as to when this might be resolved?
@Dipak-Mistry-WTW updated the main branch with the required PR. Please set the following toggle to true and test the configuration.

use_nested_nacl = true
@chinthakaru That works. Thank you.