I have created a storage account which has a private endpoint. I am trying to create file shares on the storage account, however when I try to create them using the azurerm_storage_share I get the following error and I am not sure why, please may someone help?
Error
│ Error: checking for existence of existing Storage Share "profiles" (Account "stfslogixuks01" / Resource Group "rg-avd-shared-uks-001"): shares.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:e010828e-b01a-003c-7dbd-c9065f000000\nTime:2022-09-16T11:12:03.0199276Z"
│
│ with module.storage.azurerm_storage_share.st_shares["profiles"],
│ on modules\storage_accounts\main.tf line 22, in resource "azurerm_storage_share" "st_shares":
│ 22: resource "azurerm_storage_share" "st_shares" {
Storage Account Creation
The code below is to create the storage account.
resource "azurerm_storage_account" "st" {
  name                            = var.st.name
  resource_group_name             = var.rg_shared_name
  location                        = var.rg_shared_location
  account_tier                    = var.st.tier
  account_replication_type        = var.st.replication
  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false
  azure_files_authentication {
    directory_type = "AD"
    active_directory {
      storage_sid         = "storage_sid"
      domain_name         = "domain_name"
      domain_sid          = "domain_sid"
      domain_guid         = "domain_guid"
      forest_name         = "forest_name"
      netbios_domain_name = "netbios_domain_name"
    }
  }
}
File Share Creation
The code below is to create the file shares.
resource "azurerm_storage_share" "st_shares" {
  depends_on           = [azurerm_storage_account.st]
  for_each             = var.st_shares
  name                 = each.value.name
  storage_account_name = azurerm_storage_account.st.name
  quota                = "5120"
}
CodePudding user response:
I managed to resolve my own issue, basically because I am deploying the storage account from my local machine, using Visual Studio Code and connecting to Azure via Azure CLI, when I blocked public access (in the original code) it prevents me from accessing the storage account once it's been deployed and configured.
To resolve this I had to add a network rule to allow my public IP address.
Update Code
resource "azurerm_storage_account" "st" {
  name                            = var.st.name
  resource_group_name             = var.rg_shared_name
  location                        = var.rg_shared_location
  account_tier                    = var.st.tier
  account_replication_type        = var.st.replication
  public_network_access_enabled   = true
  allow_nested_items_to_be_public = false
  azure_files_authentication {
    directory_type = "AD"
    active_directory {
      storage_sid         = "STORAGE_SID"
      domain_name         = "DOMAIN_NAME"
      domain_sid          = "DOMAIN_SID"
      domain_guid         = "DOMAIN_GUID"
      forest_name         = "FOREST_NAME"
      netbios_domain_name = "NETBIOS_DOMAIN_NAME"
    }
  }
  network_rules {
    default_action = "Deny"
    ip_rules       = ["PUBLIC IP ADDRESS"]
  }
}
CodePudding user response:
We are using the workaround you see below. It gets your IP address and whitelists it in the firewall of the storage account. Full module can be found here.
# FIXME: https://github.com/hashicorp/terraform-provider-azurerm/issues/6659
data "http" "ip" {
  url = "https://ifconfig.me"
}

resource "azurerm_storage_account_network_rules" "storage_account_network_rules" {
  storage_account_id         = azurerm_storage_account.storage_account.id
  default_action             = var.network_default_action
  ip_rules                   = concat(var.network_ip_rules, [data.http.ip.body])
  virtual_network_subnet_ids = var.network_subnet_ids
  bypass                     = ["Logging", "Metrics", "AzureServices"]
}