From 0c7e55798d92af458edd2f740ef27a16f7a8e7b3 Mon Sep 17 00:00:00 2001
From: magodo
Date: Mon, 10 Aug 2020 10:48:21 +0800
Subject: [PATCH] azurerm_storage_account: filter `min_tls_version` from Azure China
---
 .../services/storage/client/client.go | 28 +++++++++----------
 .../storage/resource_arm_storage_account.go | 16 +++++++++--
 website/docs/r/storage_account.html.markdown | 2 ++
 3 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/azurerm/internal/services/storage/client/client.go b/azurerm/internal/services/storage/client/client.go
index 25a2e40f2e709..94b3f377caff4 100644
--- a/azurerm/internal/services/storage/client/client.go
+++ b/azurerm/internal/services/storage/client/client.go
@@ -29,7 +29,7 @@ type Client struct {
 StorageTargetsClient *storagecache.StorageTargetsClient
 SubscriptionId string
- environment az.Environment
+ Environment az.Environment
 storageAdAuth *autorest.Authorizer
 }
@@ -62,7 +62,7 @@ func NewClient(options *common.ClientOptions) *Client {
 CachesClient: &cachesClient,
 SubscriptionId: options.SubscriptionId,
 StorageTargetsClient: &storageTargetsClient,
- environment: options.Environment,
+ Environment: options.Environment,
 }
 if options.StorageUseAzureAD {
@@ -74,7 +74,7 @@ func NewClient(options *common.ClientOptions) *Client {
 func (client Client) AccountsDataPlaneClient(ctx context.Context, account accountDetails) (*accounts.Client, error) {
 if client.storageAdAuth != nil {
- accountsClient := accounts.NewWithEnvironment(client.environment)
+ accountsClient := accounts.NewWithEnvironment(client.Environment)
 accountsClient.Client.Authorizer = *client.storageAdAuth
 return &accountsClient, nil
 }
@@ -89,14 +89,14 @@ func (client Client) AccountsDataPlaneClient(ctx context.Context, account accoun
 return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 }
- accountsClient := accounts.NewWithEnvironment(client.environment)
+ accountsClient := accounts.NewWithEnvironment(client.Environment)
 accountsClient.Client.Authorizer = storageAuth
 return &accountsClient, nil
 }
 func (client Client) BlobsClient(ctx context.Context, account accountDetails) (*blobs.Client, error) {
 if client.storageAdAuth != nil {
- blobsClient := blobs.NewWithEnvironment(client.environment)
+ blobsClient := blobs.NewWithEnvironment(client.Environment)
 blobsClient.Client.Authorizer = *client.storageAdAuth
 return &blobsClient, nil
 }
@@ -111,14 +111,14 @@ func (client Client) BlobsClient(ctx context.Context, account accountDetails) (*
 return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 }
- blobsClient := blobs.NewWithEnvironment(client.environment)
+ blobsClient := blobs.NewWithEnvironment(client.Environment)
 blobsClient.Client.Authorizer = storageAuth
 return &blobsClient, nil
 }
 func (client Client) ContainersClient(ctx context.Context, account accountDetails) (*containers.Client, error) {
 if client.storageAdAuth != nil {
- containersClient := containers.NewWithEnvironment(client.environment)
+ containersClient := containers.NewWithEnvironment(client.Environment)
 containersClient.Client.Authorizer = *client.storageAdAuth
 return &containersClient, nil
 }
@@ -133,7 +133,7 @@ func (client Client) ContainersClient(ctx context.Context, account accountDetail
 return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 }
- containersClient := containers.NewWithEnvironment(client.environment)
+ containersClient := containers.NewWithEnvironment(client.Environment)
 containersClient.Client.Authorizer = storageAuth
 return &containersClient, nil
 }
@@ -151,7 +151,7 @@ func (client Client) FileShareDirectoriesClient(ctx context.Context, account acc
 return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 }
- directoriesClient := directories.NewWithEnvironment(client.environment)
+ directoriesClient := directories.NewWithEnvironment(client.Environment)
 directoriesClient.Client.Authorizer = storageAuth
 return &directoriesClient, nil
 }
@@ -169,14 +169,14 @@ func (client Client) FileSharesClient(ctx context.Context, account accountDetail
 return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 }
- sharesClient := shares.NewWithEnvironment(client.environment)
+ sharesClient := shares.NewWithEnvironment(client.Environment)
 sharesClient.Client.Authorizer = storageAuth
 return &sharesClient, nil
 }
 func (client Client) QueuesClient(ctx context.Context, account accountDetails) (*queues.Client, error) {
 if client.storageAdAuth != nil {
- queueAuth := queues.NewWithEnvironment(client.environment)
+ queueAuth := queues.NewWithEnvironment(client.Environment)
 queueAuth.Client.Authorizer = *client.storageAdAuth
 return &queueAuth, nil
 }
@@ -191,7 +191,7 @@ func (client Client) QueuesClient(ctx context.Context, account accountDetails) (
 return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 }
- queuesClient := queues.NewWithEnvironment(client.environment)
+ queuesClient := queues.NewWithEnvironment(client.Environment)
 queuesClient.Client.Authorizer = storageAuth
 return &queuesClient, nil
 }
@@ -209,7 +209,7 @@ func (client Client) TableEntityClient(ctx context.Context, account accountDetai
 return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 }
- entitiesClient := entities.NewWithEnvironment(client.environment)
+ entitiesClient := entities.NewWithEnvironment(client.Environment)
 entitiesClient.Client.Authorizer = storageAuth
 return &entitiesClient, nil
 }
@@ -227,7 +227,7 @@ func (client Client) TablesClient(ctx context.Context, account accountDetails) (
 return nil, fmt.Errorf("Error building Authorizer: %+v", err)
 }
- tablesClient := tables.NewWithEnvironment(client.environment)
+ tablesClient := tables.NewWithEnvironment(client.Environment)
 tablesClient.Client.Authorizer = storageAuth
 return &tablesClient, nil
 }
diff --git a/azurerm/internal/services/storage/resource_arm_storage_account.go b/azurerm/internal/services/storage/resource_arm_storage_account.go
index 7af3277ec026b..af529058d27cd 100644
--- a/azurerm/internal/services/storage/resource_arm_storage_account.go
+++ b/azurerm/internal/services/storage/resource_arm_storage_account.go
@@ -10,6 +10,7 @@ import (
 "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-04-01/storage"
 azautorest "github.com/Azure/go-autorest/autorest"
+ autorestAzure "github.com/Azure/go-autorest/autorest/azure"
 "github.com/hashicorp/go-azure-helpers/response"
 "github.com/hashicorp/go-getter/helper/url"
 "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
@@ -142,7 +143,9 @@ func resourceArmStorageAccount() *schema.Resource {
 "min_tls_version": {
 Type: schema.TypeString,
 Optional: true,
- Default: string(storage.TLS10),
+ // We are setting the default in the code below, instead in the schema here.
+ // Since we should avoid users specifying this field in unsupported environment (e.g. Azure China).
+ // Default: string(storage.TLS10),
 ValidateFunc: validation.StringInSlice([]string{
 string(storage.TLS10),
 string(storage.TLS11),
@@ -605,6 +608,7 @@ func validateAzureRMStorageAccountTags(v interface{}, _ string) (warnings []stri
 func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) error {
 client := meta.(*clients.Client).Storage.AccountsClient
+ env := meta.(*clients.Client).Storage.Environment
 ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
 defer cancel()
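Review bot: Dropping `Default` from the `min_tls_version` schema without adding `Computed: true` next to `Optional: true` will produce a perpetual plan diff for any configuration that omits the attribute, once the Read function writes the account's actual minimum TLS version (TLS1_0 as assigned by the create path) back into state — Terraform then compares a null config value against a non-empty state value on every plan, and existing accounts created under the old `Default` hit the same diff after upgrading. If Read does set this attribute (it is outside the hunk), add `Computed: true,` after `Optional: true,` so the service-reported value is accepted when the user leaves it unset. The replacement comment also reads awkwardly; `// The default is applied in resourceArmStorageAccountCreate rather than in the schema so that the property is never sent to environments that do not support it (e.g. Azure China).` states the intent more precisely.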
@@ -631,7 +635,6 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e
 location := azure.NormalizeLocation(d.Get("location").(string))
 t := d.Get("tags").(map[string]interface{})
 enableHTTPSTrafficOnly := d.Get("enable_https_traffic_only").(bool)
- minimumTLSVersion := d.Get("min_tls_version").(string)
 isHnsEnabled := d.Get("is_hns_enabled").(bool)
 allowBlobPublicAccess := d.Get("allow_blob_public_access").(bool)
@@ -639,6 +642,15 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e
 replicationType := d.Get("account_replication_type").(string)
 storageType := fmt.Sprintf("%s_%s", accountTier, replicationType)
+ minimumTLSVersion := d.Get("min_tls_version").(string)
+ // https://github.com/terraform-providers/terraform-provider-azurerm/issues/8057
+ if env.Name == autorestAzure.ChinaCloud.Name && minimumTLSVersion != "" {
+ return fmt.Errorf(`"min_tls_version" is not supported for a Storage Account located in %q`, env.Name)
+ }
+ if env.Name != autorestAzure.ChinaCloud.Name && minimumTLSVersion == "" {
+ minimumTLSVersion = string(storage.TLS10)
+ }
+
 parameters := storage.AccountCreateParameters{
 Location: &location,
 Sku: &storage.Sku{
diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown
index 8995d98e6d148..6d616586423ba 100644
--- a/website/docs/r/storage_account.html.markdown
+++ b/website/docs/r/storage_account.html.markdown
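Review bot: The Azure China rejection at `if env.Name == autorestAzure.ChinaCloud.Name && minimumTLSVersion != ""` lives in the create function, so a user of that cloud only discovers the attribute is unsupported at apply time, after the plan has been accepted; the same test in a `CustomizeDiff` on the resource would report it during plan. The guard also covers creation only — if `resourceArmStorageAccountUpdate` (outside the hunk) still sends `min_tls_version` on `d.HasChange`, adding the attribute to an existing China account bypasses this check and fails at the API instead, so the environment test deserves a single helper shared by both paths, e.g. `isAzureChina := env.Name == autorestAzure.ChinaCloud.Name`, which also lets the second condition become `if !isAzureChina && minimumTLSVersion == ""`. The fallback `minimumTLSVersion = string(storage.TLS10)` silently selects the weakest accepted floor; a one-line comment recording why TLS1_0 rather than TLS1_2 is the provider default (presumably compatibility with accounts already in state) would help the next reviewer. The body of resourceArmStorageAccountCreate continues outside the hunk.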
@@ -99,6 +99,8 @@ The following arguments are supported:
 * `min_tls_version` - (Optional) The minimum supported TLS version for the storage account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_0` for new storage accounts.
+-> **NOTE:** At this time `min_tls_version` is not supported in Azure China.
+
 * `allow_blob_public_access` - Allow or disallow public access to all blobs or containers in the storage account. Defaults to `false`.
 * `is_hns_enabled` - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 ([see here for more information](https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account/)). Changing this forces a new resource to be created.