Getting storage account authorization error while running terraform scripts from virtual machine
here is my provider file
terraform {
  required_version = "1.2.4"

  # The provider pin has to sit inside required_providers, and the provider
  # block itself belongs outside the terraform block; the original file had
  # both misplaced.
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.57.0"
    }
  }

  backend "azurerm" {
    resource_group_name  = "tstate"
    storage_account_name = "tstate6073"
    container_name       = "tstate"
    key                  = "terraform.tfstate"
  }
}

provider "azurerm" {
  features {}
}
sample main.tf as
resource "azurerm_resource_group" "mydemo" {
  name     = "mydemo-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "acctvn"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.mydemo.location
  resource_group_name = azurerm_resource_group.mydemo.name
}

resource "azurerm_subnet" "example" {
  name                 = "acctsub"
  resource_group_name  = azurerm_resource_group.mydemo.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_public_ip" "example" {
  name                = "test"
  location            = azurerm_resource_group.mydemo.location
  resource_group_name = azurerm_resource_group.mydemo.name
  allocation_method   = "Static"
  domain_name_label   = azurerm_resource_group.mydemo.name

  tags = {
    environment = "staging"
  }
}

resource "azurerm_lb" "example" {
  name                = "test"
  location            = azurerm_resource_group.mydemo.location
  resource_group_name = azurerm_resource_group.mydemo.name

  frontend_ip_configuration {
    name                 = "PublicIPAddress"
    public_ip_address_id = azurerm_public_ip.example.id
  }
}

resource "azurerm_lb_backend_address_pool" "bpepool" {
  resource_group_name = azurerm_resource_group.mydemo.name
  loadbalancer_id     = azurerm_lb.example.id
  name                = "BackEndAddressPool"
}

resource "azurerm_lb_nat_pool" "lbnatpool" {
  resource_group_name            = azurerm_resource_group.mydemo.name
  name                           = "ssh"
  loadbalancer_id                = azurerm_lb.example.id
  protocol                       = "Tcp"
  frontend_port_start            = 50000
  frontend_port_end              = 50119
  backend_port                   = 22
  frontend_ip_configuration_name = "PublicIPAddress"
}

resource "azurerm_lb_probe" "example" {
  resource_group_name = azurerm_resource_group.mydemo.name
  loadbalancer_id     = azurerm_lb.example.id
  name                = "http-probe"
  protocol            = "Http"
  request_path        = "/health"
  port                = 8080
}

resource "azurerm_virtual_machine_scale_set" "example" {
  name                = "mytestscaleset-1"
  location            = azurerm_resource_group.mydemo.location
  resource_group_name = azurerm_resource_group.mydemo.name

  # automatic rolling upgrade
  automatic_os_upgrade = true
  upgrade_policy_mode  = "Rolling"

  rolling_upgrade_policy {
    max_batch_instance_percent              = 20
    max_unhealthy_instance_percent          = 20
    max_unhealthy_upgraded_instance_percent = 5
    pause_time_between_batches              = "PT0S"
  }

  # required when using rolling upgrade policy
  health_probe_id = azurerm_lb_probe.example.id

  sku {
    name     = "Standard_F2"
    tier     = "Standard"
    capacity = 2
  }

  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  storage_profile_data_disk {
    lun           = 0
    caching       = "ReadWrite"
    create_option = "Empty"
    disk_size_gb  = 10
  }

  os_profile {
    computer_name_prefix = "testvm"
    admin_username       = "myadmin"
  }

  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/myadmin/.ssh/authorized_keys"
      key_data = file("~/.ssh/demo_key.pub")
    }
  }

  network_profile {
    name    = "terraformnetworkprofile"
    primary = true

    ip_configuration {
      name                                   = "TestIPConfiguration"
      primary                                = true
      subnet_id                              = azurerm_subnet.example.id
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.bpepool.id]
      load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool.id]
    }
  }

  tags = {
    environment = "staging"
  }
}
When I run terraform plan I am getting this error.
I have verified storage account access; it's on Blob only. Can anyone suggest what's wrong here? Something wrong with access?
Error while accessing Azure storage container using terraform.
CodePudding user response:
The issue was caused by firewall blocking at the storage account. Replicate the same with the code below.
NOTE: The SSH key used here was fetched from a local variable. While running the code base, please use your own key. The reference code base is from the HashiCorp site.
Step 1: Provider tf file as follows
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }

  backend "azurerm" {
    resource_group_name  = "v-swarnarg-demo"
    storage_account_name = "tstate60766"
    container_name       = "tstate"
    key                  = "terraform.tfstate"
  }
}

provider "azurerm" {
  features {}
}
main.tf code as follows
resource "azurerm_resource_group" "example" {
  name     = "v-swarnarg-demo"
  location = "East US"
}

locals {
  first_public_key = "ssh-rsa ********** [email protected]"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "internal" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_linux_virtual_machine_scale_set" "example" {
  name                = "example-vmss"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"

  admin_ssh_key {
    username   = "adminuser"
    public_key = local.first_public_key
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  network_interface {
    name    = "example"
    primary = true

    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = azurerm_subnet.internal.id
    }
  }
}
Output obtained after disabling the network on the firewall
Error:
Solution: There are 2 ways to allow network traffic.
The recommended way is to allow the respective VM IP range in the firewall so that it is not public.
We can allow public access and be able to access the storage accounts.
Upon running the command below
terraform plan
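The two options in the answer (admit only the VM's network, or open the storage account to all networks) expressed as Terraform for the state storage account itself. This is an added example, not the answer's code: the resource group, network, subnet, storage account name and the public IP in ip_rules are constructed placeholders, and the provider pin matches the answer's 3.0.0.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "state" {
  name     = "tfstate-demo-rg" # constructed name
  location = "East US"
}

resource "azurerm_virtual_network" "runner" {
  name                = "runner-network"
  resource_group_name = azurerm_resource_group.state.name
  location            = azurerm_resource_group.state.location
  address_space       = ["10.0.0.0/16"]
}

# The subnet the VM that runs terraform lives in. A Storage service endpoint
# is required before the subnet can be listed in the storage account's
# network_rules; without it the subnet rule is rejected at apply time.
resource "azurerm_subnet" "runner" {
  name                 = "runner"
  resource_group_name  = azurerm_resource_group.state.name
  virtual_network_name = azurerm_virtual_network.runner.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "tfstate" {
  name                     = "tstatedemo12345" # constructed; must be globally unique
  resource_group_name      = azurerm_resource_group.state.name
  location                 = azurerm_resource_group.state.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"

  # Option 1 (the answer's recommended way): deny by default, then admit only
  # the VM subnet and, if terraform is also run from outside the VNet, one
  # known public IP. A request from any other network is refused with the
  # authorization error the question reports, regardless of credentials.
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    virtual_network_subnet_ids = [azurerm_subnet.runner.id]
    ip_rules                   = ["203.0.113.10"] # constructed example public IP
  }

  # Option 2 (what "disable the network on the firewall" amounts to): accept
  # traffic from every network, so access rests on credentials alone.
  #   network_rules {
  #     default_action = "Allow"
  #   }
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "tstate"
  storage_account_name  = azurerm_storage_account.tfstate.name
  container_access_type = "private"
}
```

Because the backend storage account must exist before terraform init can read the state, this configuration is normally applied from a separate bootstrap state (or the same rules set once through the portal or CLI) rather than from the configuration that uses the backend. Once the Deny rule is in place, a plan that still fails with the same authorization error is a sign that the machine running it is neither in the listed subnet nor egressing from the listed IP.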