Error adding files shares to a storage account with a private endpoint

Time:09-17

I have created a storage account which has a private endpoint. I am trying to create file shares on the storage account; however, when I try to create them using the azurerm_storage_share resource, I get the following error, and I am not sure why. Please may someone help?

Error

│   Error: checking for existence of existing Storage Share "profiles" (Account "stfslogixuks01" / Resource Group "rg-avd-shared-uks-001"): shares.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:e010828e-b01a-003c-7dbd-c9065f000000\nTime:2022-09-16T11:12:03.0199276Z"
│
│   with module.storage.azurerm_storage_share.st_shares["profiles"],
│   on modules\storage_accounts\main.tf line 22, in resource "azurerm_storage_share" "st_shares":
│   22: resource "azurerm_storage_share" "st_shares" {

Storage Account Creation

The code below is to create the storage account.

resource "azurerm_storage_account" "st" {
  name                     = var.st.name
  resource_group_name      = var.rg_shared_name
  location                 = var.rg_shared_location
  account_tier             = var.st.tier
  account_replication_type = var.st.replication

  # Turns the public endpoint off completely. Data-plane calls from outside
  # the VNet, including the share lookups Terraform makes from the deploying
  # machine, are then rejected with 403 AuthorizationFailure.
  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false

  azure_files_authentication {
    directory_type = "AD"
    active_directory {
      storage_sid         = "storage_sid"
      domain_name         = "domain_name"
      domain_sid          = "domain_sid"
      domain_guid         = "domain_guid"
      forest_name         = "forest_name"
      netbios_domain_name = "netbios_domain_name"
    }
  }
}

File Share Creation

The code below is to create the file shares.

resource "azurerm_storage_share" "st_shares" {
  for_each = var.st_shares

  name                 = each.value.name
  storage_account_name = azurerm_storage_account.st.name
  quota                = 5120 # GiB; a number, not a string

  # The reference to azurerm_storage_account.st.name already orders this
  # resource after the account; the explicit depends_on is redundant but harmless.
  depends_on = [azurerm_storage_account.st]
}

CodePudding user response:

I managed to resolve my own issue. Basically, because I am deploying the storage account from my local machine, using Visual Studio Code and connecting to Azure via the Azure CLI, when I blocked public access (in the original code) it prevented me from accessing the storage account once it had been deployed and configured.

To resolve this I had to add a network rule to allow my public IP address.

Updated Code

resource "azurerm_storage_account" "st" {
  name                     = var.st.name
  resource_group_name      = var.rg_shared_name
  location                 = var.rg_shared_location
  account_tier             = var.st.tier
  account_replication_type = var.st.replication

  # The public endpoint is reachable again, but the firewall below denies
  # every source except the listed address, so only the deploying machine
  # can reach the account over it.
  public_network_access_enabled   = true
  allow_nested_items_to_be_public = false

  azure_files_authentication {
    directory_type = "AD"
    active_directory {
      storage_sid         = "STORAGE_SID"
      domain_name         = "DOMAIN_NAME"
      domain_sid          = "DOMAIN_SID"
      domain_guid         = "DOMAIN_GUID"
      forest_name         = "FOREST_NAME"
      netbios_domain_name = "NETBIOS_DOMAIN_NAME"
    }
  }

  network_rules {
    default_action = "Deny"
    # Public IPv4 address of the deploying machine. The storage firewall does
    # not accept private (RFC 1918) ranges or IPv6 addresses.
    ip_rules = ["PUBLIC IP ADDRESS"]
  }
}

CodePudding user response:

We are using the workaround you see below. It gets your IP address and whitelists it in the firewall of the storage account. The full module can be found here.

# FIXME: https://github.com/hashicorp/terraform-provider-azurerm/issues/6659
# Looks up the public IP of the machine running terraform. The storage
# firewall only accepts public IPv4 addresses, so this breaks if the host
# egresses over IPv6. In http provider 3.x the attribute `body` is
# deprecated in favour of `response_body`.
data "http" "ip" {
  url = "https://ifconfig.me"
}

# Manage the rules only here: the azurerm provider documents that a
# network_rules block inside azurerm_storage_account and this resource
# conflict when both are used for the same account.
resource "azurerm_storage_account_network_rules" "storage_account_network_rules" {
  storage_account_id         = azurerm_storage_account.storage_account.id
  default_action             = var.network_default_action
  # chomp() strips any trailing newline from the HTTP response body.
  ip_rules                   = concat(var.network_ip_rules, [chomp(data.http.ip.body)])
  virtual_network_subnet_ids = var.network_subnet_ids
  bypass                     = ["Logging", "Metrics", "AzureServices"]
}
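A hardened variant of the two answers above, as an added example that is not part of the original thread and not the asker's or the second answerer's module. It keeps the public endpoint open only to the deployer's IPv4 address, which is supplied as a validated variable rather than fetched from ifconfig.me, adds a private endpoint for the file subresource plus the privatelink DNS zone so that hosts inside the VNet never touch the public endpoint, and creates the share after the account. The variables deployer_ip, pe_subnet_id, vnet_id, rg_name and location, the resource names, and the tier/replication values are assumptions; the azure_files_authentication block from the question is omitted here and would go back into the account resource unchanged.

```hcl
# Added example, not code from the original thread. Inputs below are assumed.
variable "deployer_ip" {
  description = "Public IPv4 address of the host running terraform apply (assumed input)."
  type        = string

  # The storage firewall accepts only public IPv4 addresses. Catch an IPv6
  # or malformed value at plan time instead of failing halfway through apply.
  validation {
    condition     = can(regex("^(\\d{1,3}\\.){3}\\d{1,3}$", var.deployer_ip))
    error_message = "deployer_ip must be a single public IPv4 address."
  }
}

variable "pe_subnet_id" { type = string } # subnet that hosts the private endpoint (assumed)
variable "vnet_id"      { type = string } # VNet whose clients resolve the privatelink zone (assumed)
variable "rg_name"      { type = string } # resource group for everything below (assumed)
variable "location"     { type = string } # Azure region (assumed)

resource "azurerm_storage_account" "st" {
  name                     = "stfslogixuks01" # placeholder account name from the question
  resource_group_name      = var.rg_name
  location                 = var.location
  account_tier             = "Standard" # assumed; FSLogix profiles often use Premium/FileStorage
  account_replication_type = "LRS"

  # The public endpoint stays enabled so the deployer's data-plane calls
  # succeed, but default_action = "Deny" closes it to every other source.
  public_network_access_enabled   = true
  allow_nested_items_to_be_public = false

  network_rules {
    default_action = "Deny"
    ip_rules       = [var.deployer_ip]
    bypass         = ["AzureServices"]
  }
}

# Private DNS so that privatelink names resolve to the endpoint's private IP
# from inside the VNet; clients there never cross the public firewall.
resource "azurerm_private_dns_zone" "file" {
  name                = "privatelink.file.core.windows.net"
  resource_group_name = var.rg_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "file" {
  name                  = "link-file"
  resource_group_name   = var.rg_name
  private_dns_zone_name = azurerm_private_dns_zone.file.name
  virtual_network_id    = var.vnet_id
}

# Private endpoint for the Azure Files ("file") subresource of the account.
resource "azurerm_private_endpoint" "file" {
  name                = "pe-${azurerm_storage_account.st.name}-file"
  resource_group_name = var.rg_name
  location            = var.location
  subnet_id           = var.pe_subnet_id

  private_service_connection {
    name                           = "psc-file"
    private_connection_resource_id = azurerm_storage_account.st.id
    subresource_names              = ["file"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.file.id]
  }
}

# Share creation is a data-plane call from the deployer host. Because the
# firewall is set in the inline network_rules block, it is applied together
# with the account, so the call is authorized as soon as the account exists.
resource "azurerm_storage_share" "profiles" {
  name                 = "profiles"
  storage_account_name = azurerm_storage_account.st.name
  quota                = 5120 # GiB
}
```

A quick check after apply: running the same share listing from a machine whose address is not in ip_rules should fail with the same 403 AuthorizationFailure seen in the question, which confirms the deny default is doing its job. If terraform runs from a CI runner whose egress address changes, this pattern becomes brittle; a self-hosted agent inside the VNet that reaches the account through the private endpoint lets public_network_access_enabled stay false and ip_rules stay empty.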