issue in azurerm_storage_container creation #24677

Closed
manishingole-coder opened this issue Apr 15, 2020 · 4 comments

Comments

@manishingole-coder

Hi there,

Terraform Version

0.12.20

Azure provider version 2.5.0

Terraform Configuration Files

Create storage account

resource "azurerm_storage_account" "terraform_storage" {
  name                     = var.storage_account_name
  resource_group_name      = var.rg_name
  location                 = var.region
  account_tier             = "Standard"
  account_replication_type = "GRS"
  account_kind             = "Storage"

  network_rules {
    default_action             = "Deny"
    virtual_network_subnet_ids = [data.azurerm_subnet.publicsubnet.id]
  }
}

Create container

resource "azurerm_storage_container" "mycontainer" {
  name                  = "walfiles"
  storage_account_name  = azurerm_storage_account.terraform_storage.name
  container_access_type = "private"
}

Debug Output

Error: Error checking for existence of existing Container "walfiles" (Account "storagename" / Resource Group "rgname"): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:d0b6a7c2-b01e-00f6-0516-13e510000000\nTime:2020-04-15T11:11:58.4707719Z"

Crash Output

Error: Error checking for existence of existing Container "walfiles" (Account "storagename" / Resource Group "rgname"): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:d0b6a7c2-b01e-00f6-0516-13e510000000\nTime:2020-04-15T11:11:58.4707719Z"

Expected Behavior

It should create a container.

Actual Behavior

Error: Error checking for existence of existing Container "walfiles" (Account "storagename" / Resource Group "rgname"): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:d0b6a7c2-b01e-00f6-0516-13e510000000\nTime:2020-04-15T11:11:58.4707719Z"

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

  1. terraform init
  2. terraform apply

Additional Context

No

References

@danieldreier
Contributor

Hi @manishingole-coder! The output you're showing is actually from the AzureRM provider, not terraform core. Based on the information you've provided, I don't immediately see evidence of a bug in Terraform core or in the AzureRM provider.

I do see the text output "This request is not authorized to perform this operation", which makes me think you may have some kind of authorization or configuration issue in your Azure settings that's preventing the AzureRM provider from making these changes.

There are two possible next steps for you:

  1. I think your best bet is to seek support on the community forum.

  2. Alternatively, you can open an issue with the AzureRM provider, if you're confident that there is a defect rather than a configuration issue.

I'm going to close this for now, because I think the community forum is the right approach. My recommendation is that you first take this to the community forum, ask for troubleshooting help, and then file an issue with the AzureRM provider if you're able to demonstrate that this is a bug in the provider.

@chris-kolik-8451

chris-kolik-8451 commented Apr 26, 2020

@manishingole-coder (and anyone encountering this), I had a similar problem (TF 12.23, azurerm provider 2.7) and it had to do with the 'default_action = "Deny"' clause in the azurerm_storage_account resource definition. I was able to get this to work by removing the network_rules block from that resource and then adding a separate azurerm_storage_account_network_rules resource with a dependency on my container resource. Not sure if this dependency works this way but I wanted to try to introduce ordering where the container was hopefully created before the network rule was put in place.

Here is my example:

# Storage account
resource "azurerm_storage_account" "sa" {
  name                = local.storage_account_name
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  account_kind             = var.storage_account_kind
  account_tier             = var.storage_account_tier
  account_replication_type = var.storage_account_replication_type

  enable_https_traffic_only = "true"

  tags = local.tags
}

# Create container
resource "azurerm_storage_container" "filestore" {
  name                  = "filestore"
  storage_account_name  = azurerm_storage_account.sa.name
  container_access_type = "private"
}

# SA Network rules
resource "azurerm_storage_account_network_rules" "netrules" {
  resource_group_name  = azurerm_resource_group.rg.name
  storage_account_name = azurerm_storage_account.sa.name

  default_action = "Deny"
  bypass = [
    "Metrics",
    "Logging",
    "AzureServices"
  ]

  depends_on = [
    azurerm_storage_container.filestore,
  ]
}

@chris-kolik-8451

FYI, this allowed me to create the container, but subsequent TF plans failed with the same error. Seems this is related to open issue hashicorp/terraform-provider-azurerm#2977.
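
A configuration that keeps the firewall at "Deny" while still admitting the machine that runs Terraform, as an added example (not from any commenter and not the provider's own code). It assumes the 403 comes from the storage firewall rejecting that machine, as the comment above suggests; `var.terraform_runner_ip`, `var.subnet_id` and the `example_` resource names are hypothetical.

```hcl
provider "azurerm" {
  features {}
}

variable "storage_account_name" { type = string }
variable "rg_name" { type = string }
variable "region" { type = string }

# Hypothetical: ID of the subnet that is allowed to reach the account.
variable "subnet_id" { type = string }

# Hypothetical: public IPv4 address or CIDR range that Terraform runs from.
# Azure IP rules take public addresses only, not private (RFC 1918) ranges.
variable "terraform_runner_ip" { type = string }

resource "azurerm_storage_account" "example_sa" {
  name                     = var.storage_account_name
  resource_group_name      = var.rg_name
  location                 = var.region
  account_tier             = "Standard"
  account_replication_type = "GRS"

  network_rules {
    # The firewall stays closed by default, as in the original report.
    default_action             = "Deny"
    virtual_network_subnet_ids = [var.subnet_id]

    # Without an entry covering the Terraform runner, the container
    # existence check (GetProperties) is answered with
    # 403 AuthorizationFailure, as in the error above.
    ip_rules = [var.terraform_runner_ip]
  }
}

resource "azurerm_storage_container" "example_container" {
  name                  = "walfiles"
  storage_account_name  = azurerm_storage_account.example_sa.name
  container_access_type = "private"
}
```

Because the allow-list is in place on every run, later plans that re-read the container are admitted as well, provided Terraform still runs from that address or from the allowed subnet.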

@ghost

ghost commented May 16, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators May 16, 2020