This repository has been archived by the owner on Aug 1, 2024. It is now read-only.

Policy: "Storage accounts should restrict network access" is triggered even when public access is completely disabled. #1096

Open
fabio-s-franco opened this issue Apr 3, 2024 · 0 comments


@fabio-s-franco

Which service(blob, file, queue, table) does this issue concern?

None in particular, but instead the storage account as a whole

Which version of the SDK was used?

This is from azurerm terraform provider, which seems to be using these:

```go
import (
	"fmt"

	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage" // nolint: staticcheck
	storage_v2023_01_01 "github.com/hashicorp/go-azure-sdk/resource-manager/storage/2023-01-01"
	"github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/cloudendpointresource"
	"github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/storagesyncservicesresource"
	"github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/syncgroupresource"
	"github.com/hashicorp/go-azure-sdk/sdk/auth"
	"github.com/hashicorp/go-azure-sdk/sdk/client/resourcemanager"
	"github.com/hashicorp/terraform-provider-azurerm/internal/common"
)
```

Which platform are you using? (ex: .NET Core 2.1)

Terraform AzureRM 3.97.1

What problem was encountered?

I am not able to create a storage account with public network access disabled due to the policy: "Storage accounts should restrict network access".

It requires DefaultAction = "Deny" to be set, even when it is not applicable. With public access disabled, this rule should not require the network rule, since the account only becomes accessible via private link services (which can only be exposed via a private endpoint).

How can we reproduce the problem in the simplest way?

Set up a private network and try to create a storage account with public network access disabled.
I am not quite sure how that translates to the API/SDK, but that's what it takes.

Have you found a mitigation/solution?

I set DefaultAction to "Deny", even though it is not applicable. The main problem here is finding the root cause effectively, since this is not an error to be expected in this setup.
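The workaround described above, written out as an added Terraform (azurerm) example that is not part of the issue or the provider's own code: public network access is disabled, the only path in is a private endpoint, and `network_rules.default_action` is still set to `Deny` so the policy's check on `networkAcls.defaultAction` is satisfied. Resource names, the region, and the `private_endpoint_subnet_id` variable are placeholders.

```hcl
# Added example (not from the issue). Names, region and the subnet
# reference are placeholders to be replaced for a real deployment.
variable "private_endpoint_subnet_id" {
  type        = string
  description = "Placeholder: ID of the subnet that hosts the private endpoint"
}

resource "azurerm_storage_account" "example" {
  name                     = "stexampleprivate" # placeholder, must be globally unique
  resource_group_name      = "rg-example"       # placeholder
  location                 = "westeurope"       # placeholder
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Turns the public endpoint off entirely; on its own this does NOT
  # satisfy the "restrict network access" policy.
  public_network_access_enabled = false

  # The policy only looks at networkAcls.defaultAction, so Deny has to be
  # set explicitly even though no public traffic can reach the account.
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

# Private endpoint that becomes the only way to reach the blob service.
resource "azurerm_private_endpoint" "blob" {
  name                = "pe-stexampleprivate-blob" # placeholder
  resource_group_name = "rg-example"               # placeholder
  location            = "westeurope"               # placeholder
  subnet_id           = var.private_endpoint_subnet_id

  private_service_connection {
    name                           = "psc-blob"
    private_connection_resource_id = azurerm_storage_account.example.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }
}
```

Keeping `default_action = "Deny"` is also a useful fallback: if `public_network_access_enabled` is ever flipped back to `true`, the account still rejects traffic that does not match an explicit IP or subnet rule.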
