azurerm_storage_account: filter min_tls_version from Azure China

hashicorp · Aug 10, 2020 · 0c7e557 · 0c7e557
1 parent 133feda
commit 0c7e557
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 16 deletions.
diff --git a/azurerm/internal/services/storage/client/client.go b/azurerm/internal/services/storage/client/client.go
@@ -29,7 +29,7 @@ type Client struct {
 	StorageTargetsClient     *storagecache.StorageTargetsClient
 	SubscriptionId           string
 
-	environment   az.Environment
+	Environment   az.Environment
 	storageAdAuth *autorest.Authorizer
 }
 
@@ -62,7 +62,7 @@ func NewClient(options *common.ClientOptions) *Client {
 		CachesClient:             &cachesClient,
 		SubscriptionId:           options.SubscriptionId,
 		StorageTargetsClient:     &storageTargetsClient,
-		environment:              options.Environment,
+		Environment:              options.Environment,
 	}
 
 	if options.StorageUseAzureAD {
@@ -74,7 +74,7 @@ func NewClient(options *common.ClientOptions) *Client {
 
 func (client Client) AccountsDataPlaneClient(ctx context.Context, account accountDetails) (*accounts.Client, error) {
 	if client.storageAdAuth != nil {
-		accountsClient := accounts.NewWithEnvironment(client.environment)
+		accountsClient := accounts.NewWithEnvironment(client.Environment)
 		accountsClient.Client.Authorizer = *client.storageAdAuth
 		return &accountsClient, nil
 	}
@@ -89,14 +89,14 @@ func (client Client) AccountsDataPlaneClient(ctx context.Context, account accoun
 		return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 	}
 
-	accountsClient := accounts.NewWithEnvironment(client.environment)
+	accountsClient := accounts.NewWithEnvironment(client.Environment)
 	accountsClient.Client.Authorizer = storageAuth
 	return &accountsClient, nil
 }
 
 func (client Client) BlobsClient(ctx context.Context, account accountDetails) (*blobs.Client, error) {
 	if client.storageAdAuth != nil {
-		blobsClient := blobs.NewWithEnvironment(client.environment)
+		blobsClient := blobs.NewWithEnvironment(client.Environment)
 		blobsClient.Client.Authorizer = *client.storageAdAuth
 		return &blobsClient, nil
 	}
@@ -111,14 +111,14 @@ func (client Client) BlobsClient(ctx context.Context, account accountDetails) (*
 		return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 	}
 
-	blobsClient := blobs.NewWithEnvironment(client.environment)
+	blobsClient := blobs.NewWithEnvironment(client.Environment)
 	blobsClient.Client.Authorizer = storageAuth
 	return &blobsClient, nil
 }
 
 func (client Client) ContainersClient(ctx context.Context, account accountDetails) (*containers.Client, error) {
 	if client.storageAdAuth != nil {
-		containersClient := containers.NewWithEnvironment(client.environment)
+		containersClient := containers.NewWithEnvironment(client.Environment)
 		containersClient.Client.Authorizer = *client.storageAdAuth
 		return &containersClient, nil
 	}
@@ -133,7 +133,7 @@ func (client Client) ContainersClient(ctx context.Context, account accountDetail
 		return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 	}
 
-	containersClient := containers.NewWithEnvironment(client.environment)
+	containersClient := containers.NewWithEnvironment(client.Environment)
 	containersClient.Client.Authorizer = storageAuth
 	return &containersClient, nil
 }
@@ -151,7 +151,7 @@ func (client Client) FileShareDirectoriesClient(ctx context.Context, account acc
 		return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 	}
 
-	directoriesClient := directories.NewWithEnvironment(client.environment)
+	directoriesClient := directories.NewWithEnvironment(client.Environment)
 	directoriesClient.Client.Authorizer = storageAuth
 	return &directoriesClient, nil
 }
@@ -169,14 +169,14 @@ func (client Client) FileSharesClient(ctx context.Context, account accountDetail
 		return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 	}
 
-	sharesClient := shares.NewWithEnvironment(client.environment)
+	sharesClient := shares.NewWithEnvironment(client.Environment)
 	sharesClient.Client.Authorizer = storageAuth
 	return &sharesClient, nil
 }
 
 func (client Client) QueuesClient(ctx context.Context, account accountDetails) (*queues.Client, error) {
 	if client.storageAdAuth != nil {
-		queueAuth := queues.NewWithEnvironment(client.environment)
+		queueAuth := queues.NewWithEnvironment(client.Environment)
 		queueAuth.Client.Authorizer = *client.storageAdAuth
 		return &queueAuth, nil
 	}
@@ -191,7 +191,7 @@ func (client Client) QueuesClient(ctx context.Context, account accountDetails) (
 		return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 	}
 
-	queuesClient := queues.NewWithEnvironment(client.environment)
+	queuesClient := queues.NewWithEnvironment(client.Environment)
 	queuesClient.Client.Authorizer = storageAuth
 	return &queuesClient, nil
 }
@@ -209,7 +209,7 @@ func (client Client) TableEntityClient(ctx context.Context, account accountDetai
 		return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 	}
 
-	entitiesClient := entities.NewWithEnvironment(client.environment)
+	entitiesClient := entities.NewWithEnvironment(client.Environment)
 	entitiesClient.Client.Authorizer = storageAuth
 	return &entitiesClient, nil
 }
@@ -227,7 +227,7 @@ func (client Client) TablesClient(ctx context.Context, account accountDetails) (
 		return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 	}
 
-	tablesClient := tables.NewWithEnvironment(client.environment)
+	tablesClient := tables.NewWithEnvironment(client.Environment)
 	tablesClient.Client.Authorizer = storageAuth
 	return &tablesClient, nil
 }
diff --git a/azurerm/internal/services/storage/resource_arm_storage_account.go b/azurerm/internal/services/storage/resource_arm_storage_account.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-04-01/storage"
 	azautorest "github.com/Azure/go-autorest/autorest"
+	autorestAzure "github.com/Azure/go-autorest/autorest/azure"
 	"github.com/hashicorp/go-azure-helpers/response"
 	"github.com/hashicorp/go-getter/helper/url"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
@@ -142,7 +143,9 @@ func resourceArmStorageAccount() *schema.Resource {
 			"min_tls_version": {
 				Type:     schema.TypeString,
 				Optional: true,
-				Default:  string(storage.TLS10),
+				// We are setting the default in the code below, instead in the schema here.
+				// Since we should avoid users specifying this field in unsupported environment (e.g. Azure China).
+				// Default:  string(storage.TLS10),
 				ValidateFunc: validation.StringInSlice([]string{
 					string(storage.TLS10),
 					string(storage.TLS11),
@@ -605,6 +608,7 @@ func validateAzureRMStorageAccountTags(v interface{}, _ string) (warnings []stri
 
 func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*clients.Client).Storage.AccountsClient
+	env := meta.(*clients.Client).Storage.Environment
 	ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
@@ -631,14 +635,22 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e
 	location := azure.NormalizeLocation(d.Get("location").(string))
 	t := d.Get("tags").(map[string]interface{})
 	enableHTTPSTrafficOnly := d.Get("enable_https_traffic_only").(bool)
-	minimumTLSVersion := d.Get("min_tls_version").(string)
 	isHnsEnabled := d.Get("is_hns_enabled").(bool)
 	allowBlobPublicAccess := d.Get("allow_blob_public_access").(bool)
 
 	accountTier := d.Get("account_tier").(string)
 	replicationType := d.Get("account_replication_type").(string)
 	storageType := fmt.Sprintf("%s_%s", accountTier, replicationType)
 
+	minimumTLSVersion := d.Get("min_tls_version").(string)
+	// https://github.com/terraform-providers/terraform-provider-azurerm/issues/8057
+	if env.Name == autorestAzure.ChinaCloud.Name && minimumTLSVersion != "" {
+		return fmt.Errorf(`"min_tls_version" is not supported for a Storage Account located in %q`, env.Name)
+	}
+	if env.Name != autorestAzure.ChinaCloud.Name && minimumTLSVersion == "" {
+		minimumTLSVersion = string(storage.TLS10)
+	}
+
 	parameters := storage.AccountCreateParameters{
 		Location: &location,
 		Sku: &storage.Sku{

diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown
@@ -99,6 +99,8 @@ The following arguments are supported:
 
 * `min_tls_version` - (Optional) The minimum supported TLS version for the storage account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_0` for new storage accounts.
 
+-> **NOTE:** At this time `min_tls_version` is not supported in Azure China.
+
 * `allow_blob_public_access` - Allow or disallow public access to all blobs or containers in the storage account. Defaults to `false`.
 
 * `is_hns_enabled` - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 ([see here for more information](https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account/)). Changing this forces a new resource to be created.