Terraform-provider-azurerm: `allow_blob_public_access` is not reflecting while upgrading provider version 1.44 to 2.23

Created on 20 Aug 2020 · 4 Comments · Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.28
+ provider.azurerm v2.23.0

Affected Resource(s)

  • azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "example" {
  name                     = "teststoragexxx"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  enable_https_traffic_only = true
  ## ADDED
  allow_blob_public_access  = false

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

Debug Output


Nothing.

Panic Output


Nothing.

Expected Behavior

The property allow_blob_public_access should disable the configuration property Allow Blob public access of the storage account.

Actual Behavior

Provision a storage account using AzureRm provider version 1.44 and property allow_blob_public_access is not available in that version. Then change the provider version to above 2.20 and set false for allow_blob_public_access explicitly.

The plan is generated with allow_blob_public_access as false and no change, even though the portal shows Enabled.

This is the generated plan for updating the storage account with the new provider in Step Number 4:
[Image: allow_blob_public_access-update_plan]

After applying the plan (Step Number 5), it did not make any change to the configuration property Allow Blob public access, but Account Kind was changed as per the plan.
[Image: allow_blob_public_access-azure_portal]

Steps to Reproduce

  1. Create storage account using AzureRm provider version 1.44

    terraform {
      required_version = ">= 0.11"
      required_providers {
        azurerm = "~> 1.44"
      }
    }

    provider "azurerm" {
      features {}
    }

    data "azurerm_resource_group" "example" {
      name = "test-rg"
    }

    resource "azurerm_storage_account" "example" {
      name                     = "teststoragexxx"
      resource_group_name      = data.azurerm_resource_group.example.name
      location                 = data.azurerm_resource_group.example.location
      account_tier             = "Standard"
      account_replication_type = "LRS"

      enable_https_traffic_only = true

      network_rules {
        default_action = "Deny"
        bypass         = ["AzureServices"]
      }
    }
    
  2. terraform apply
  3. Change AzureRm provider version to ~> 2.20 and set false for allow_blob_public_access.

    terraform {
      required_version = ">= 0.11"
      required_providers {
        azurerm = "~> 2.20"
      }
    }

    provider "azurerm" {
      features {}
    }

    data "azurerm_resource_group" "example" {
      name = "test-rg"
    }

    resource "azurerm_storage_account" "example" {
      name                     = "teststoragexxx"
      resource_group_name      = data.azurerm_resource_group.example.name
      location                 = data.azurerm_resource_group.example.location
      account_tier             = "Standard"
      account_replication_type = "LRS"

      enable_https_traffic_only = true
      ## ADDED
      allow_blob_public_access  = false

      network_rules {
        default_action = "Deny"
        bypass         = ["AzureServices"]
      }
    }
    
  4. terraform plan
  5. terraform apply

Important Factoids


Nothing.

References


All 4 comments

Thanks for opening this issue. After investigating, it seems the API returns nil when the value of allow_blob_public_access is not specified. So Terraform should return the default status. So I submitted a PR to fix the issue.

Thank you so much @neil-yechenwei, will use PowerShell as an interim fix.

Having the exact same issue on:
Terraform v0.12.24
+ provider.azurerm v2.23.0

@jibinpb - could you share a PowerShell example of your interim fix?

Here is the script, applied manually.

# Prerequisites (run once):
# Install-Module -Name Az.ResourceGraph
# Install-Module -Name Az.Storage

$Subscription = "YOUR-SUBSCRIPTION-ID"

# Find storage accounts whose allowBlobPublicAccess property is unset.
# Note: Search-AzGraph returns at most 100 rows by default; raise -First for larger subscriptions.
$StorageAccounts = Search-AzGraph -Query "
Resources
    | where type =~ 'Microsoft.Storage/storageAccounts'
        and isempty(properties.allowBlobPublicAccess)" -Subscription $Subscription

# Explicitly disable blob public access on each account found.
foreach ($StorageAccount in $StorageAccounts) {
    Write-Host "$($StorageAccount.resourceGroup) / $($StorageAccount.name)"
    Set-AzStorageAccount -ResourceGroupName $StorageAccount.resourceGroup -AccountName $StorageAccount.name -AllowBlobPublicAccess $false
}
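
The failure mode described in the maintainer's comment above, as an added Go sketch (not the provider's code and not from the PR): when a nil API value is read back as `false`, a configuration of `allow_blob_public_access = false` produces no diff even though the account still allows public access. The type `storageProps`, the function names and the `serviceDefault` constant are hypothetical; the assumption that nil means "enabled" comes from the portal state reported in this issue.

```go
package main

import "fmt"

// storageProps is a hypothetical stand-in for the API response body;
// the optional field is nil when the account was created without it.
type storageProps struct {
	AllowBlobPublicAccess *bool
}

// serviceDefault is the assumed effective setting when the API returns nil,
// matching the issue's observation that the portal shows "Enabled".
const serviceDefault = true

// readNaive collapses nil to Go's zero value, so "unset" looks like false.
func readNaive(p storageProps) bool {
	if p.AllowBlobPublicAccess == nil {
		return false
	}
	return *p.AllowBlobPublicAccess
}

// readWithDefault maps nil to the service-side default instead.
func readWithDefault(p storageProps) bool {
	if p.AllowBlobPublicAccess == nil {
		return serviceDefault
	}
	return *p.AllowBlobPublicAccess
}

// planChange reports whether a plan would contain an update for the attribute.
func planChange(desired bool, read func(storageProps) bool, p storageProps) bool {
	return read(p) != desired
}

func main() {
	enabled := true
	cases := map[string]storageProps{
		"unset (nil)":   {},
		"explicit true": {AllowBlobPublicAccess: &enabled},
	}
	for name, p := range cases {
		fmt.Printf("%-14s naive=%v withDefault=%v\n", name,
			planChange(false, readNaive, p), planChange(false, readWithDefault, p))
	}
}
```

With the desired value `false`, the naive read yields no planned change for the unset account, which is the silent drift reported here; the default-aware read plans the update.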