The newly released #7739 sets the field allow_blob_public_access to true by default, which differs from the prior implementation of the resource, where it previously defaulted to false due to not being defined.
👍 Defaulting to open is a very poor security decision. Please get this reverted back asap.
We just tripped over this and it is causing a bit of churn on our side to secure things back again. When this gets changed would it be possible to go out as a hotfix to the 2.19 version (like v2.19.1)?
Does anyone have contacts at Azure? The fact that the API (and so all downstream consumers) was chosen to be default open seems like a terrible decision that should be reverted, regardless of it being overridden by default in TF provider etc.
What the heck, how did this make it through? All of a sudden our deployments want to open up our storage accounts to the world.
Folks, this is a really bad change. It needs to be addressed ASAP.
@marc-sensenich @katbyte after closer review, #7784 might need to be backed out.
I've been talking with Barry Dorrans at Microsoft.
The swagger API documentation of the property allowBlobPublicAccess is very poor and will be changed soon.
This documentation is much clearer:
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
The no-change behavior of the TF provider would be to have allowBlobPublicAccess unset. It doesn't control whether the containers/contents are publicly accessible, only if they are allowed to be set that way or not...
"The misunderstanding should come from the interpretation. allowBlobPublicAccess is an option to allow or disallow if public access CAN be configured or used. It doesn't make any blob or container accessible anonymously. It doesn't introduce a security risk but offers to enhance security.
By default, a user with appropriate permissions can configure public access to containers and blobs. You can prevent all public access at the level of the storage account. When you disallow public blob access for the storage account, then containers in the account cannot be configured for public access. Any containers that have already been configured for public access will no longer accept anonymous requests."
Thanks for pointing this to the docs @ericsampson, that reads a lot better than the Swagger spec. @katbyte I'll let the maintainers of the provider decide what to do regarding rolling back or keeping #7784. With either approach, I think referring to the page that @ericsampson provided and adding more detail around the feature in the changelog would be in order, as the current wording on the resource docs doesn't make that clear.
Some verbiage I came up with as a potential documentation for that setting in the Swagger spec, which I think makes it much clearer what it does:
Allow or disallow configuration of public access for containers in the storage account.
The default value for this property is null, which is equivalent to true.
When true, the container-specific public access configuration settings are respected.
When false, it overrides any public access settings for all containers in the storage account.
Note that setting this property to true does not enable anonymous access to any data in the account.
The additional step of configuring the public access setting for a container is required to enable anonymous access.
This has been released in version 2.20.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:
provider "azurerm" {
version = "~> 2.20.0"
}
# ... other configuration ...
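An added example, not from this thread or from the provider: a pre-apply check over `terraform show -json` plan output that flags every azurerm_storage_account whose allow_blob_public_access is not pinned to false, so that an upgrade across 2.20.0 cannot silently flip the account-level setting. The sample plan is constructed, and the plan layout (resource_changes / change.after) is assumed from Terraform's JSON plan format.

```python
import json
from typing import Any

# Constructed sample of `terraform show -json plan.out` output (layout assumed:
# top-level "resource_changes", each with "type", "address" and "change.after").
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account",
         "change": {"actions": ["create"],
                    "after": {"name": "stlogs01", "allow_blob_public_access": True}}},
        {"address": "azurerm_storage_account.data", "type": "azurerm_storage_account",
         "change": {"actions": ["create"],
                    "after": {"name": "stdata01", "allow_blob_public_access": False}}},
        {"address": "azurerm_storage_account.legacy", "type": "azurerm_storage_account",
         "change": {"actions": ["update"],
                    "after": {"name": "stlegacy01"}}},  # attribute absent: default applies
        {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
         "change": {"actions": ["no-op"], "after": {"name": "rg-prod"}}},
        {"address": "azurerm_storage_account.old", "type": "azurerm_storage_account",
         "change": {"actions": ["delete"], "after": None}},
    ]
})

STORAGE_TYPE = "azurerm_storage_account"
ATTR = "allow_blob_public_access"


def find_public_access_risk(plan_json: str) -> list[dict[str, Any]]:
    """Return one finding per storage account in the plan whose
    allow_blob_public_access is not explicitly false.

    reason "true":  the planned value is true (set in config or by provider default)
    reason "unset": the value is absent from the planned state, so whatever the
                    provider version defaults to will apply (false before 2.20.0,
                    true from 2.20.0 onwards)
    Resources being deleted are skipped.
    """
    plan = json.loads(plan_json)
    findings: list[dict[str, Any]] = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != STORAGE_TYPE:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue
        after = change.get("after") or {}
        if ATTR not in after:
            findings.append({"address": rc["address"], "reason": "unset"})
        elif after[ATTR] is not False:
            findings.append({"address": rc["address"], "reason": "true"})
    return findings


if __name__ == "__main__":
    for f in find_public_access_risk(SAMPLE_PLAN):
        print(f"{f['address']}: {ATTR} is {f['reason']}; pin it to false")
```

Wiring this into CI as a gate on the plan makes the setting an explicit decision per account rather than whatever the installed provider version happens to default to.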
Unfortunately this change regresses Azure Govcloud which does not support this API feature.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!