You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.
Terraform Version
1.5.4
AzureRM Provider Version
4.0.1
Affected Resource(s)/Data Source(s)
azurerm_storage_account
Terraform Configuration Files
main.tf--------------------------------------------------------------------resource"azurerm_storage_account""storeacc" {
lifecycle {
ignore_changes=[azure_files_authentication, blob_properties[0].restore_policy["days"]]
}
name=substr(format("sta%s%s", lower(replace(var.storage_account_name, "/[[:^alnum:]]/", "")), random_string.unique.result), 0, 24)
resource_group_name=local.resource_group_namelocation=var.locationaccount_kind=var.account_kindaccount_tier=var.account_tieraccess_tier=var.access_tieraccount_replication_type=var.account_replication_typecross_tenant_replication_enabled=falsepublic_network_access_enabled=trueallow_nested_items_to_be_public=falsehttps_traffic_only_enabled=trueallowed_copy_scope=var.allowed_copy_scopemin_tls_version="TLS1_2"tags=merge({ "ResourceName" = substr(format("sta%s%s", lower(replace(var.storage_account_name, "/[[:^alnum:]]/", "")), random_string.unique.result), 0, 24) }, var.tags, )
# https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overviewdynamic"azure_files_authentication" {
for_each=var.files_authentication_directory_type!=""? [1] : []
content {
directory_type=var.files_authentication_directory_type
}
}
customer_managed_key {
key_vault_key_id=var.cmk_settings.key_vault_key_iduser_assigned_identity_id=var.cmk_settings.key_vault_identity_id
}
dynamic"identity" {
for_each=var.managed_identity_type!=null? [1] : []
content {
type=var.managed_identity_type# limitation of customer managed key can use only userassigned identities# identity_ids = var.managed_identity_type == "UserAssigned" || var.managed_identity_type == "SystemAssigned, UserAssigned" ? var.managed_identity_ids : nullidentity_ids=var.managed_identity_type=="UserAssigned"? var.managed_identity_ids:null
}
}
# Account only valid if account_kind = StorageV2queue_encryption_key_type=var.account_kind!="StorageV2"?"Service":"Account"table_encryption_key_type=var.account_kind!="StorageV2"?"Service":"Account"dynamic"blob_properties" {
for_each=var.account_kind!="FileStorage"? [1] : []
content {
delete_retention_policy {
days=var.blob_soft_delete_retention_days
}
container_delete_retention_policy {
days=var.container_soft_delete_retention_days
}
versioning_enabled=var.enable_versioninglast_access_time_enabled=var.last_access_time_enabledchange_feed_enabled=var.change_feed_enabled
}
}
network_rules {
default_action=local.tag_foundation_baseline=="Palladium"?"Deny":length(var.network_rules.basic_ip_restriction) ==0?"Allow":"Deny"#tfsec:ignore:azure-storage-default-action-denybypass=["AzureServices"]
ip_rules=local.tag_foundation_baseline=="Palladium"? ["IP", "IP"] :length(var.network_rules.basic_ip_restriction) ==0? [] :distinct(flatten([var.network_rules.basic_ip_restriction, ["1IP", "IP"]]))
virtual_network_subnet_ids=local.tag_foundation_baseline=="Palladium"? var.network_rules.subnet_ids:nulldynamic"private_link_access" {
for_each=var.manage_defender_storage.defender_storage_enabled&& var.manage_defender_storage.malware_scanning_on_upload_enabled&& var.account_kind!="FileStorage"? [1] : []
content {
endpoint_resource_id="/subscriptions/${data.azurerm_subscription.current.subscription_id}/providers/Microsoft.Security/datascanners/StorageDataScanner"endpoint_tenant_id=data.azurerm_subscription.current.tenant_id
}
}
}
dynamic"static_website" {
for_each=var.enable_static_website==true? [1] : []
content {
index_document=var.static_website_index_documenterror_404_document=var.static_website_error_404_document
}
}
}
--------------------------------------------------------------------
var.tf--------------------------------------------------------------------variable"create_resource_group" {
description="Whether to create resource group and use it for all storage resources."default=falsetype=bool
}
variable"resource_group_name" {
description="The container for the storage resources."type=string
}
variable"location" {
description="The region for the storage resources."default="switzerlandnorth"type=string
}
variable"storage_account_name" {
description="The name of the storage account."type=string
}
variable"account_tier" {
description="The tier of storage account. Valid options are Premium or Standard."default="Standard"type=string
}
# Blobs with a tier of Premium are of account kind StorageV2.variable"account_kind" {
description="The type of storage account. Valid options are BlobStorage (Premium), BlockBlobStorage (Premium), FileStorage (Premium), StorageV2 (Standard General Purpose)."default="StorageV2"type=string
}
variable"account_replication_type" {
description="The Replication Types supported by Microsoft Azure Storage. Valid options are LRS (Premium and Standard), ZRS (Premium and Standard), GRS (Standard), GZRS (Standard), RAGRS (Standard), RAGZRS (Standard)."default="LRS"type=string
}
variable"access_tier" {
description="Defines the access tier for BlobStorage, FileStorage and StorageV2 accounts. Valid options are Hot and Cool, defaults to Hot."default="Hot"type=string
}
variable"blob_soft_delete_retention_days" {
description="Specifies the number of days that the blob should be retained, between `1` and `365` days. Defaults to `7`."default=7type=number
}
variable"container_soft_delete_retention_days" {
description="Specifies the number of days that the blob should be retained, between `1` and `365` days. Defaults to `7`."default=7type=number
}
variable"enable_versioning" {
description="Is Blob versioning enabled? Default to `false`."default=falsetype=bool
}
variable"last_access_time_enabled" {
description="Is the last access time based tracking enabled? Default to `false`."default=falsetype=bool
}
variable"change_feed_enabled" {
description="Is the blob service properties for change feed events enabled?"default=falsetype=bool
}
variable"manage_defender_storage" {
description="Manage Defender for Storage."type=object({ defender_storage_enabled =bool, sensitive_data_discovery_enabled =optional(bool), malware_scanning_on_upload_enabled =optional(bool, false) })
default={
defender_storage_enabled =false
}
}
variable"enable_static_website" {
description="Boolean flag which controls if blob static website is enabled. For account_kind FileStorage/BlobStorage must be set to false."default=falsetype=bool
}
variable"static_website_index_document" {
description="The webpage that Azure Storage serves for requests to the root of a website or any subfolder. For example, index.html. The value is case-sensitive."default=""type=string
}
variable"static_website_error_404_document" {
description="The absolute path to a custom webpage that should be used when a request is made which does not correspond to an existing file."default=""type=string
}
variable"network_rules" {
description=""type=object({
subnet_ids =optional(list(string), [])
basic_ip_restriction =optional(list(string), [])
})
}
variable"lifecycles" {
description="Configure lifecycle for Append and Block Blobs."type=list(object({ prefix_match =set(string), tier_to_cool_after_days =number, tier_to_archive_after_days =number, delete_after_days =number, snapshot_delete_after_days =number }))
default=[]
}
variable"managed_identity_type" {
description="The type of Managed Identity which should be assigned to the Storage Account. Due to CMK limitation, the only possible values is `UserAssigned`."default=nulltype=string
}
variable"managed_identity_ids" {
description="A list of User Managed Identity ID's which should be assigned to the Storage Account."default=nulltype=list(string)
}
variable"tags" {
description="A map of tags to add to all resources."type=map(string)
default={}
}
variable"private_endpoint_spoke_subnet_id" {
description="Palladium only. The Spoke Subnet id where to create the Private Endpoint."type=stringdefault=""
}
variable"subresource_names" {
description="Palladium only. The name of the subresources to create Private Endpoint for. Can be one or more of ['file','blob','queue','table','web']."type=list(string)
default=null
}
variable"cmk_settings" {
type=object({ key_vault_key_id =string, key_vault_identity_id =string })
description="Customer managed keys settings for storage account encryption."validation {
condition=var.cmk_settings.key_vault_key_id!=""&& var.cmk_settings.key_vault_identity_id!=""error_message="The cmk_settings are mandatory, please provide a valid key_vault_key_id and key_vault_identity_id."
}
}
variable"files_authentication_directory_type" {
type=stringdescription="Specifies the directory service used for azure file share authentication. refer to: https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access"default=""validation {
condition=contains(["AADKERB", ""], var.files_authentication_directory_type)
error_message="The directory Type can only be 'AADKERB'."
}
}
variable"allowed_copy_scope" {
type=stringdescription="Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are AAD, PrivateLink or null."default="AAD"
}
Is there an existing issue for this?
Community Note
Terraform Version
1.5.4
AzureRM Provider Version
4.0.1
Affected Resource(s)/Data Source(s)
azurerm_storage_account
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
Terraform should write network config to state. You can reproduce this problem with all providers > 3.112.0.
Actual Behaviour
Existing network config in azure is not written into state. Terraform wants to create network config on every run but doesn't write to state.
Steps to Reproduce
Important Factoids
Resource is created by module but you can reproduce with plain resource
References
This seems to be bug as the azurerm Provider just updated the storage account resource multiple times in the last few releases.
Provider Versions: 3.113.0; 3.114.0; 3.115.0
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG-v3.md
The text was updated successfully, but these errors were encountered: