
I have created a storage account using Terraform. I would like to disable the option found under the storage account Settings > Configuration in the Azure portal called Allow blob public access; however, under the azurerm_storage_account command, I cannot seem to find the option required to achieve this.

Below is my code so far to create the storage account, which works, but if anyone could point me in the right direction that would be great, thank you.

Storage Account

resource "azurerm_storage_account" "st" {
    name                          = var.st.name
    resource_group_name           = var.rg_shared_name
    location                      = var.rg_shared_location
    account_tier                  = var.st.tier
    account_replication_type      = var.st.replication
    # Blocks all traffic to the account's public endpoint; this is a separate
    # control from "Allow blob public access" (anonymous read access)
    public_network_access_enabled = false
}

3 Answers


  1. Chosen as BEST ANSWER

    As soon as I posted this question, I found the command, so I apologise for wasting your time.

    The command to use is allow_nested_items_to_be_public; if you set this to false, it will disable the feature found under Storage Account > Settings > Configuration, "Allow blob public access".

    Source https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#allow_nested_items_to_be_public

    Updated Code

    resource "azurerm_storage_account" "st" {
        name                            = var.st.name
        resource_group_name             = var.rg_shared_name
        location                        = var.rg_shared_location
        account_tier                    = var.st.tier
        account_replication_type        = var.st.replication
        # Blocks all traffic to the account's public endpoint
        public_network_access_enabled   = false
        # Portal: Settings > Configuration > "Allow blob public access" (anonymous reads)
        allow_nested_items_to_be_public = false
    }
    

  2. With the release of version 3.0 of the azurerm provider, the argument allow_blob_public_access changed to allow_nested_items_to_be_public. This can cause confusion if you read old documentation or examples. Furthermore, there are several ways in which you can disable public network access for a storage account.

    • You can set public_network_access_enabled to false.
    • You can use the network_rules block and set default_action to deny.
    • You can use the azurerm_storage_account_network_rules resource and set the default_action to deny.

    Explicitly stating that nobody should be able to access the storage account publicly is the cleanest/safest option. However, sometimes you want to open a storage account to a specific set of IP addresses and block all the others; then the other options are useful.

    If you disable public network access then you should make use of private endpoints or service endpoints to be able to connect to your storage account from a private network. Example based on this repository:

    resource "azurerm_storage_account" "storage_account" {
      name                            = var.name
      resource_group_name             = var.resource_group_name
      location                        = var.location
      account_kind                    = var.kind
      account_tier                    = var.tier
      account_replication_type        = var.replication_type
      is_hns_enabled                  = true
      enable_https_traffic_only       = true
      public_network_access_enabled   = false
      allow_nested_items_to_be_public = false
      min_tls_version                 = var.min_tls_version
    }
    
    resource "azurerm_private_endpoint" "private_endpoint_blob" {
      name                = "pe-blob-${var.name}"
      location            = var.location
      resource_group_name = var.resource_group_name
      subnet_id           = var.subnet_id
    
      private_service_connection {
        name                           = "psc-blob-${var.name}"
        is_manual_connection           = false
        private_connection_resource_id = azurerm_storage_account.storage_account.id
        subresource_names              = ["blob"]
      }
    
      # Should be deployed by Azure policy
      lifecycle {
        ignore_changes = [private_dns_zone_group]
      }
    }
    
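As an added example (not code from the question or from either answer above), the configuration below combines the first answer's `allow_nested_items_to_be_public = false` with the IP-restricted variant the second answer describes: the public endpoint stays reachable, but only from an allow-list of IP ranges and one service-endpoint subnet. It reuses the question's `var.st`, `var.rg_shared_name` and `var.rg_shared_location`; `var.allowed_ips` and `var.app_subnet_id` are assumed inputs declared here for illustration. The two controls are independent: `allow_nested_items_to_be_public` decides whether containers may ever be set to anonymous (Blob or Container) access level, while `public_network_access_enabled` and `network_rules` decide whether the public endpoint accepts connections at all.

```hcl
# Added example, not part of the original question or answers.
# Assumes var.st, var.rg_shared_name and var.rg_shared_location from the
# question; var.allowed_ips and var.app_subnet_id are hypothetical inputs.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # allow_nested_items_to_be_public replaced allow_blob_public_access in 3.0
    }
  }
}

provider "azurerm" {
  features {}
}

variable "allowed_ips" {
  description = "Public IPv4 ranges allowed through the storage firewall (hypothetical input)"
  type        = list(string)
  # Constructed placeholder from the TEST-NET-3 documentation range.
  # Azure rejects private (RFC 1918) ranges here, and /31 or /32 prefixes:
  # list a single address without a prefix length instead.
  default = ["203.0.113.0/24"]
}

variable "app_subnet_id" {
  description = "ID of a subnet that has the Microsoft.Storage service endpoint enabled (hypothetical input)"
  type        = string
}

resource "azurerm_storage_account" "st" {
  name                     = var.st.name
  resource_group_name      = var.rg_shared_name
  location                 = var.rg_shared_location
  account_tier             = var.st.tier
  account_replication_type = var.st.replication
  min_tls_version          = "TLS1_2"

  # Account-level switch behind "Allow blob public access" in the portal.
  # With this false, no container on the account can be given anonymous
  # Blob or Container access, whatever the network rules below permit.
  allow_nested_items_to_be_public = false

  # Keep the public endpoint on (this is the provider default) so that the
  # network rules apply; public_network_access_enabled = false would make
  # ip_rules and virtual_network_subnet_ids irrelevant because nothing
  # reaches the public endpoint at all.
  public_network_access_enabled = true

  # Firewall on the public endpoint: deny by default, then allow-list.
  # Equivalent to the standalone azurerm_storage_account_network_rules
  # resource; define one or the other for an account, never both.
  network_rules {
    default_action             = "Deny"
    ip_rules                   = var.allowed_ips
    virtual_network_subnet_ids = [var.app_subnet_id]
    # Trusted Azure services (e.g. backup, monitoring) bypass the firewall.
    # Set to ["None"] if those services do not need the account.
    bypass = ["AzureServices"]
  }
}

output "storage_account_id" {
  value = azurerm_storage_account.st.id
}
```

The inline `network_rules` block and the standalone `azurerm_storage_account_network_rules` resource manage the same setting, so use only one of them per account; the provider documentation warns that defining both causes a conflict. After `terraform apply`, `az storage account show -n <name> -g <rg> --query "{anon:allowBlobPublicAccess, net:publicNetworkAccess, default:networkRuleSet.defaultAction}"` should report false, Enabled and Deny respectively; if the first value is true, anonymous container access is still possible regardless of the firewall.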
    Here is what I found in the official Microsoft documentation;
    it seems the line allow_blob_public_access = false works:
    https://learn.microsoft.com/en-us/azure/developer/terraform/store-state-in-azure-storage?tabs=terraform
