Terraform v0.11.14
provider.azurerm v1.44.0
azurerm_storage_account
resource "azurerm_storage_account" "example" {
  name                              = "example"
  resource_group_name               = "${azurerm_resource_group.example.name}"
  location                          = "${azurerm_resource_group.example.location}"
  account_tier                      = "Standard"
  account_replication_type          = "LRS"
  enable_https_traffic_only         = "true"
  enable_advanced_threat_protection = "true"
}
After the Storage Account is deployed, when running terraform plan, Terraform should refresh the resources appropriately and present the plan.
When refreshing the Storage Account resources, the following error is produced, halting the workflow.
* azurerm_storage_account.example: Error reading the advanced threat protection settings of AzureRM Storage Account "example": security.AdvancedThreatProtectionClient#Get: Failure responding to request: StatusCode=502 -- Original Error: autorest/azure: Service returned an error. Status=502 Code="ClientNotAllowed" Message="Client authorization failed using [Certificate Validation]" Details=[]
terraform apply
terraform plan
This was not behaving this way this morning EST. It has recently begun happening, in the afternoon on Sept. 29, 2020.
hi @philbal611
Thanks for opening this issue.
Version 1.44 of the Azure Provider was released back in February and we've done 30 releases since then - as such can you try upgrading to version 2.0 or later (at the time of writing the latest version is 2.29) and see if this is still an issue?
Whilst we make every effort to design Terraform resources in a manner that they'll remain compatible as time goes on (for example, nil-checking fields in case they're omitted) - unfortunately Azure introduces breaking behavioural changes to APIs every now and then (which shouldn't happen, but I digress..) and this appears to be one of those cases.
At this point in time we have no plans to release any further 1.x releases of the Provider - instead if this bug also affects version 2.29 of the Provider we'd look to ship a fix in a 2.x version - so we'd recommend updating here if possible; can you try this and let us know how you get on?
Thanks!
I am seeing this same issue on version 2.25.0. It just started happening Sept. 30, 2020.
@tombuildsstuff I just upgraded to 2.29.0 and I am still seeing the same error.
Hello - Wanted to jump in here as my Google search is leading me to this GitHub issue. I don't think this is an issue with Terraform or the provider (yet). If you navigate to your storage account via the portal, and hit the "Advanced Security" tab, you're going to get an error screen.
I think this signals a possible API change that they weren't ready for but that's just speculation. If I find anything, I'll update this comment.
Can confirm @nhudacin's statement. Although after some time, when refreshing that page in the portal, the error was gone and the correct pane popped up.
Still, seems like an issue with the underlying API. When replicating @jmckenzie-midmark's version setup (TF 0.12.29, azurerm 2.29.0), the azurerm_storage_account issue seems resolved (as in azurerm 2.0 doesn't have any dependencies on the security sdk), but when attempting to enable Storage ATP via azurerm_advanced_threat_protection, the same error occurs. Here's my updated config for this setup:
terraform {
  required_version = ">0.12"
}

provider "azurerm" {
  features {}
  version = "2.29.0"
}

resource "azurerm_resource_group" "example" {
  name     = "example-rg-8293"
  location = "eastus2"
}

resource "azurerm_storage_account" "example" {
  name                      = "aldndfkjq342398"
  resource_group_name       = azurerm_resource_group.example.name
  location                  = azurerm_resource_group.example.location
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  enable_https_traffic_only = "true"
}

resource "azurerm_advanced_threat_protection" "example" {
  target_resource_id = azurerm_storage_account.example.id
  enabled            = true
}
Error:
Error: Error checking for presence of existing Advanced Threat Protection for resource "/subscriptions/<sub-id>/resourceGroups/example-rg-8293/providers/Microsoft.Storage/storageAccounts/aldndfkjq342398": security.AdvancedThreatProtectionClient#Get: Failure responding to request: StatusCode=502 -- Original Error: autorest/azure: Service returned an error. Status=502 Code="ClientNotAllowed" Message="Client authorization failed using [Certificate Validation]" Details=[]
on storage_account_issue.tf line 24, in resource "azurerm_advanced_threat_protection" "example":
24: resource "azurerm_advanced_threat_protection" "example" {
@tombuildsstuff any thoughts?
EDIT: redacting subscription ID in error
@philbal611 this looks to be an internal issue to the ARM APIs, so there's not a whole bunch we can do to work around this - I'd suggest opening a ticket with Microsoft Support to ensure the teams see it (we'll raise this on our side too)
Opened a support ticket; they are investigating and internally escalating to engineering
Having this issue on 1.41.0
This issue appears to be resolved on the Azure end.
Can confirm that MS support have verified that an "invalid thumbprint" has been updated. Will be closing this issue given that the Terraform is working as intended.
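A triage helper for the error format quoted in this thread, as an added example that is not part of the original issue or of the provider's code: it parses the autorest error line and classifies it by HTTP status, so a 502 is treated as a service-side fault even though Code="ClientNotAllowed" reads like a caller problem. The function name triage, the verdict labels and the third sample line are assumptions made for illustration.

```python
import re

# Shared tail of the autorest error as it appears in the thread.
TAIL = ('security.AdvancedThreatProtectionClient#Get: Failure responding to request: '
        'StatusCode={s} -- Original Error: autorest/azure: Service returned an error. '
        'Status={s} Code="{c}" Message="{m}" Details=[]')
THREAD_502 = TAIL.format(s=502, c="ClientNotAllowed",
                         m="Client authorization failed using [Certificate Validation]")

SAMPLES = [
    # Quoted from the thread (provider 1.44.0, storage account refresh).
    '* azurerm_storage_account.example: Error reading the advanced threat protection '
    'settings of AzureRM Storage Account "example": ' + THREAD_502,
    # Quoted from the thread (provider 2.29.0, azurerm_advanced_threat_protection).
    'Error: Error checking for presence of existing Advanced Threat Protection for '
    'resource "/subscriptions/<sub-id>/resourceGroups/example-rg-8293/providers/'
    'Microsoft.Storage/storageAccounts/aldndfkjq342398": ' + THREAD_502,
    # Constructed for contrast, not from the thread: a genuine caller-side denial.
    'Error: ' + TAIL.format(s=403, c="AuthorizationFailed", m="constructed sample"),
]

AUTOREST = re.compile(
    r'(?P<client>[\w.]+)#(?P<method>\w+): .*?StatusCode=(?P<status>\d{3})'
    r'.*?Code="(?P<code>[^"]*)" Message="(?P<message>[^"]*)"'
)


def triage(line):
    """Parse one autorest error line; return its fields plus a verdict, or None."""
    m = AUTOREST.search(line)
    if m is None:
        return None
    status = int(m["status"])
    # The HTTP status class decides the verdict; the Code string is kept for the
    # ticket only, because a 5xx means the failure happened behind the API.
    if status >= 500:
        verdict = "service-side"    # not fixable in config: retry later, escalate
    elif status in (401, 403):
        verdict = "authorization"   # check the credentials and role assignments
    elif status == 429:
        verdict = "throttled"
    else:
        verdict = "request"         # other 4xx: look at the configuration sent
    return {"client": m["client"], "method": m["method"], "status": status,
            "code": m["code"], "message": m["message"], "verdict": verdict}


if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(result["status"], result["code"], "->", result["verdict"])
```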