diff --git a/azurerm/internal/services/storage/client/client.go b/azurerm/internal/services/storage/client/client.go index 25a2e40f2e70..94b3f377caff 100644 --- a/azurerm/internal/services/storage/client/client.go +++ b/azurerm/internal/services/storage/client/client.go @@ -29,7 +29,7 @@ type Client struct { StorageTargetsClient *storagecache.StorageTargetsClient SubscriptionId string - environment az.Environment + Environment az.Environment storageAdAuth *autorest.Authorizer } @@ -62,7 +62,7 @@ func NewClient(options *common.ClientOptions) *Client { CachesClient: &cachesClient, SubscriptionId: options.SubscriptionId, StorageTargetsClient: &storageTargetsClient, - environment: options.Environment, + Environment: options.Environment, } if options.StorageUseAzureAD { @@ -74,7 +74,7 @@ func NewClient(options *common.ClientOptions) *Client { func (client Client) AccountsDataPlaneClient(ctx context.Context, account accountDetails) (*accounts.Client, error) { if client.storageAdAuth != nil { - accountsClient := accounts.NewWithEnvironment(client.environment) + accountsClient := accounts.NewWithEnvironment(client.Environment) accountsClient.Client.Authorizer = *client.storageAdAuth return &accountsClient, nil } @@ -89,14 +89,14 @@ func (client Client) AccountsDataPlaneClient(ctx context.Context, account accoun return nil, fmt.Errorf("Error building Authorizer: %+v", err) } - accountsClient := accounts.NewWithEnvironment(client.environment) + accountsClient := accounts.NewWithEnvironment(client.Environment) accountsClient.Client.Authorizer = storageAuth return &accountsClient, nil } func (client Client) BlobsClient(ctx context.Context, account accountDetails) (*blobs.Client, error) { if client.storageAdAuth != nil { - blobsClient := blobs.NewWithEnvironment(client.environment) + blobsClient := blobs.NewWithEnvironment(client.Environment) blobsClient.Client.Authorizer = *client.storageAdAuth return &blobsClient, nil } 
@@ -111,14 +111,14 @@ func (client Client) BlobsClient(ctx context.Context, account accountDetails) (* return nil, fmt.Errorf("Error building Authorizer: %+v", err) } - blobsClient := blobs.NewWithEnvironment(client.environment) + blobsClient := blobs.NewWithEnvironment(client.Environment) blobsClient.Client.Authorizer = storageAuth return &blobsClient, nil } func (client Client) ContainersClient(ctx context.Context, account accountDetails) (*containers.Client, error) { if client.storageAdAuth != nil { - containersClient := containers.NewWithEnvironment(client.environment) + containersClient := containers.NewWithEnvironment(client.Environment) containersClient.Client.Authorizer = *client.storageAdAuth return &containersClient, nil } @@ -133,7 +133,7 @@ func (client Client) ContainersClient(ctx context.Context, account accountDetail return nil, fmt.Errorf("Error building Authorizer: %+v", err) } - containersClient := containers.NewWithEnvironment(client.environment) + containersClient := containers.NewWithEnvironment(client.Environment) containersClient.Client.Authorizer = storageAuth return &containersClient, nil } @@ -151,7 +151,7 @@ func (client Client) FileShareDirectoriesClient(ctx context.Context, account acc return nil, fmt.Errorf("Error building Authorizer: %+v", err) } - directoriesClient := directories.NewWithEnvironment(client.environment) + directoriesClient := directories.NewWithEnvironment(client.Environment) directoriesClient.Client.Authorizer = storageAuth return &directoriesClient, nil } 
@@ -169,14 +169,14 @@ func (client Client) FileSharesClient(ctx context.Context, account accountDetail return nil, fmt.Errorf("Error building Authorizer: %+v", err) } - sharesClient := shares.NewWithEnvironment(client.environment) + sharesClient := shares.NewWithEnvironment(client.Environment) sharesClient.Client.Authorizer = storageAuth return &sharesClient, nil } func (client Client) QueuesClient(ctx context.Context, account accountDetails) (*queues.Client, error) { if client.storageAdAuth != nil { - queueAuth := queues.NewWithEnvironment(client.environment) + queueAuth := queues.NewWithEnvironment(client.Environment) queueAuth.Client.Authorizer = *client.storageAdAuth return &queueAuth, nil } @@ -191,7 +191,7 @@ func (client Client) QueuesClient(ctx context.Context, account accountDetails) ( return nil, fmt.Errorf("Error building Authorizer: %+v", err) } - queuesClient := queues.NewWithEnvironment(client.environment) + queuesClient := queues.NewWithEnvironment(client.Environment) queuesClient.Client.Authorizer = storageAuth return &queuesClient, nil } @@ -209,7 +209,7 @@ func (client Client) TableEntityClient(ctx context.Context, account accountDetai return nil, fmt.Errorf("Error building Authorizer: %+v", err) } - entitiesClient := entities.NewWithEnvironment(client.environment) + entitiesClient := entities.NewWithEnvironment(client.Environment) entitiesClient.Client.Authorizer = storageAuth return &entitiesClient, nil } @@ -227,7 +227,7 @@ func (client Client) TablesClient(ctx context.Context, account accountDetails) ( return nil, fmt.Errorf("Error building Authorizer: %+v", err) } - tablesClient := tables.NewWithEnvironment(client.environment) + tablesClient := tables.NewWithEnvironment(client.Environment) tablesClient.Client.Authorizer = storageAuth return &tablesClient, nil } 
diff --git a/azurerm/internal/services/storage/resource_arm_storage_account.go b/azurerm/internal/services/storage/resource_arm_storage_account.go index 7af3277ec026..c9f83a3f674e 100644 --- a/azurerm/internal/services/storage/resource_arm_storage_account.go +++ b/azurerm/internal/services/storage/resource_arm_storage_account.go @@ -10,6 +10,7 @@ import ( "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-04-01/storage" azautorest "github.com/Azure/go-autorest/autorest" + autorestAzure "github.com/Azure/go-autorest/autorest/azure" "github.com/hashicorp/go-azure-helpers/response" "github.com/hashicorp/go-getter/helper/url" "github.com/hashicorp/terraform-plugin-sdk/helper/schema" @@ -604,6 +605,7 @@ func validateAzureRMStorageAccountTags(v interface{}, _ string) (warnings []stri } func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) error { + env := meta.(*clients.Client).Storage.Environment client := meta.(*clients.Client).Storage.AccountsClient ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d) defer cancel() @@ -631,7 +633,6 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e location := azure.NormalizeLocation(d.Get("location").(string)) t := d.Get("tags").(map[string]interface{}) enableHTTPSTrafficOnly := d.Get("enable_https_traffic_only").(bool) - minimumTLSVersion := d.Get("min_tls_version").(string) isHnsEnabled := d.Get("is_hns_enabled").(bool) allowBlobPublicAccess := d.Get("allow_blob_public_access").(bool) 
@@ -639,6 +640,17 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e replicationType := d.Get("account_replication_type").(string) storageType := fmt.Sprintf("%s_%s", accountTier, replicationType) + minimumTLSVersion := d.Get("min_tls_version").(string) + // For Azure China, don't specify "min_tls_version" in request body. + // https://github.com/terraform-providers/terraform-provider-azurerm/issues/8057 + if env.Name == autorestAzure.ChinaCloud.Name { + if minimumTLSVersion == string(storage.TLS10) { + minimumTLSVersion = "" + } else { + return fmt.Errorf(`"min_tls_version" is not supported for a Storage Account located in %q`, env.Name) + } + } + parameters := storage.AccountCreateParameters{ Location: &location, Sku: &storage.Sku{ @@ -784,6 +796,7 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e } func resourceArmStorageAccountUpdate(d *schema.ResourceData, meta interface{}) error { + env := meta.(*clients.Client).Storage.Environment client := meta.(*clients.Client).Storage.AccountsClient ctx, cancel := timeouts.ForUpdate(meta.(*clients.Client).StopContext, d) defer cancel() @@ -888,6 +901,16 @@ func resourceArmStorageAccountUpdate(d *schema.ResourceData, meta interface{}) e if d.HasChange("min_tls_version") { minimumTLSVersion := d.Get("min_tls_version").(string) + // For Azure China, don't specify "min_tls_version" in request body. + // https://github.com/terraform-providers/terraform-provider-azurerm/issues/8057 + if env.Name == autorestAzure.ChinaCloud.Name { + if minimumTLSVersion == string(storage.TLS10) { + minimumTLSVersion = "" + } else { + return fmt.Errorf(`"min_tls_version" is not supported for a Storage Account located in %q`, env.Name) + } + } + opts := storage.AccountUpdateParameters{ AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ MinimumTLSVersion: storage.MinimumTLSVersion(minimumTLSVersion), 
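Review bot: The Azure China branch added after `minimumTLSVersion := d.Get("min_tls_version").(string)` is repeated verbatim in the `d.HasChange("min_tls_version")` block of resourceArmStorageAccountUpdate, so the two copies can drift apart on what is rejected. Pulling it into one helper keeps the fail-closed behaviour (anything other than `TLS1_0` is refused instead of being silently dropped) in a single place, and its doc comment is the right spot to say that an account in this cloud stays on the service's default TLS policy. The comparison also relies on `env.Name` matching `autorestAzure.ChinaCloud.Name` exactly; if the environment can be loaded from somewhere other than the built-in table, that match may not hold and is worth confirming. Both functions start and end outside these hunks.

```go
// minTLSVersionForRequest returns the value to send as MinimumTLSVersion.
// "min_tls_version" is not supported in Azure China, so there only the
// default is accepted and it is sent as an empty value; any stricter
// setting is refused rather than silently dropped.
func minTLSVersionForRequest(envName, requested string) (string, error) {
	if envName != autorestAzure.ChinaCloud.Name {
		return requested, nil
	}
	if requested != string(storage.TLS10) {
		return "", fmt.Errorf(`"min_tls_version" is not supported for a Storage Account located in %q`, envName)
	}
	return "", nil
}

// in resourceArmStorageAccountCreate (and the HasChange block of Update):
minimumTLSVersion, err := minTLSVersionForRequest(env.Name, d.Get("min_tls_version").(string))
if err != nil {
	return err
}
// … unchanged: parameters := storage.AccountCreateParameters{ … } …
```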
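Review bot: In resourceArmStorageAccountUpdate the new rejection sits inside `if d.HasChange("min_tls_version")`, so an unsupported value is only reported during apply, and by then earlier update steps of this function (outside the hunk, so this is inferred) may already have been sent. Validating once near the top of the function, next to the new `env :=` line, or in the resource's `CustomizeDiff`, would surface the error before anything is changed. When the value is `TLS1_0` the block still builds `storage.AccountUpdateParameters` with an empty `MinimumTLSVersion`; if nothing else is set on that request, it could be skipped for this cloud.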
@@ -1005,6 +1028,7 @@ func resourceArmStorageAccountUpdate(d *schema.ResourceData, meta interface{}) e } func resourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) error { + env := meta.(*clients.Client).Storage.Environment client := meta.(*clients.Client).Storage.AccountsClient endpointSuffix := meta.(*clients.Client).Account.Environment.StorageEndpointSuffix ctx, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d) @@ -1066,7 +1090,13 @@ func resourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) err if props := resp.AccountProperties; props != nil { d.Set("access_tier", props.AccessTier) d.Set("enable_https_traffic_only", props.EnableHTTPSTrafficOnly) - d.Set("min_tls_version", string(props.MinimumTLSVersion)) + + // https://github.com/terraform-providers/terraform-provider-azurerm/issues/8057 + if env.Name == autorestAzure.ChinaCloud.Name { + d.Set("min_tls_version", string(storage.TLS10)) + } else { + d.Set("min_tls_version", string(props.MinimumTLSVersion)) + } d.Set("is_hns_enabled", props.IsHnsEnabled) d.Set("allow_blob_public_access", props.AllowBlobPublicAccess) diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown index 8995d98e6d14..6d616586423b 100644 --- a/website/docs/r/storage_account.html.markdown +++ b/website/docs/r/storage_account.html.markdown 
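Review bot: The added `env := meta.(*clients.Client).Storage.Environment` sits directly above `meta.(*clients.Client).Account.Environment.StorageEndpointSuffix`, so resourceArmStorageAccountRead now reads the environment from two places. If both are populated from the same provider options (not visible here), `env := meta.(*clients.Client).Account.Environment` would do, and the `environment` field in storage/client/client.go could stay unexported instead of becoming a field any package can overwrite. The same line is added in resourceArmStorageAccountCreate and resourceArmStorageAccountUpdate.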
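Review bot: In the Azure China branch `d.Set("min_tls_version", string(storage.TLS10))` discards `props.MinimumTLSVersion` unconditionally, so state will report `TLS1_0` even if the service returns a different value for the account. Anyone auditing TLS floors from Terraform state would then see a value the provider made up, not what is enforced. Substituting the default only when the API returns nothing keeps the workaround and still reflects real data: `if env.Name == autorestAzure.ChinaCloud.Name && props.MinimumTLSVersion == "" {`. The bare issue link should also get a sentence saying why the value is hard-coded.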
@@ -99,6 +99,8 @@ The following arguments are supported: * `min_tls_version` - (Optional) The minimum supported TLS version for the storage account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_0` for new storage accounts. +-> **NOTE:** At this time `min_tls_version` is not supported in Azure China. + * `allow_blob_public_access` - Allow or disallow public access to all blobs or containers in the storage account. Defaults to `false`. * `is_hns_enabled` - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 ([see here for more information](https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account/)). Changing this forces a new resource to be created.