I have created a storage account which has a private endpoint. I am trying to create file shares on the storage account, however when I try to create them using the azurerm_storage_share I get the following error and I am not sure why, please may someone help?
Error
│ Error: checking for existence of existing Storage Share "profiles" (Account "stfslogixuks01" / Resource Group "rg-avd-shared-uks-001"): shares.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:e010828e-b01a-003c-7dbd-c9065f000000\nTime:2022-09-16T11:12:03.0199276Z"
│
│   with module.storage.azurerm_storage_share.st_shares["profiles"],
│   on modules\storage_accounts\main.tf line 22, in resource "azurerm_storage_share" "st_shares":
│   22: resource "azurerm_storage_share" "st_shares" {
Storage Account Creation
The code below is to create the storage account.
resource "azurerm_storage_account" "st" {
  name                     = var.st.name
  resource_group_name      = var.rg_shared_name
  location                 = var.rg_shared_location
  account_tier             = var.st.tier
  account_replication_type = var.st.replication

  # Disables the public endpoint entirely; only the private endpoint can reach the account.
  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false

  azure_files_authentication {
    directory_type = "AD"

    active_directory {
      storage_sid         = "storage_sid"
      domain_name         = "domain_name"
      domain_sid          = "domain_sid"
      domain_guid         = "domain_guid"
      forest_name         = "forest_name"
      netbios_domain_name = "netbios_domain_name"
    }
  }
}
File Share Creation
The code below is to create the file shares.
resource "azurerm_storage_share" "st_shares" {
  # Redundant: the storage_account_name reference below already creates this dependency.
  depends_on = [azurerm_storage_account.st]
  for_each   = var.st_shares

  name                 = each.value.name
  storage_account_name = azurerm_storage_account.st.name
  # quota is a number (GiB), not a string.
  quota = 5120
}
2 Answers
I managed to resolve my own issue. Basically, because I am deploying the storage account from my local machine, using Visual Studio Code and connecting to Azure via Azure CLI, when I blocked public access (in the original code) it prevents me from accessing the storage account once it's been deployed and configured.
To resolve this I had to add a network rule to allow my public IP address.
Update Code
We are using the workaround you see below. It gets your IP address and whitelists it in the firewall of the storage account. Full module can be found here.
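The workaround both answers describe, written out as an added example (not the linked module's code and not the question author's): the account firewall is set to deny by default and the machine running Terraform is allowed through by its public IP. It assumes the hashicorp/http provider (v3 or later, for `response_body`) is configured, that https://api.ipify.org is reachable and returns the caller's IPv4 address as plain text, and a `var.allowed_subnet_ids` variable; the `azure_files_authentication` block from the question is unchanged and omitted here.

```hcl
# Look up the public IP of the machine running terraform apply.
# Assumption: https://api.ipify.org returns the bare IPv4 address.
data "http" "my_ip" {
  url = "https://api.ipify.org"
}

resource "azurerm_storage_account" "st" {
  name                     = var.st.name
  resource_group_name      = var.rg_shared_name
  location                 = var.rg_shared_location
  account_tier             = var.st.tier
  account_replication_type = var.st.replication

  # With this set to false (as in the question) the public endpoint is off
  # entirely, ip_rules below would have no effect, and the data-plane call
  # behind azurerm_storage_share keeps returning 403. The firewall's
  # default_action = "Deny" is what keeps the account closed instead.
  public_network_access_enabled   = true
  allow_nested_items_to_be_public = false

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]

    # chomp() strips the trailing newline the lookup may return.
    ip_rules = [chomp(data.http.my_ip.response_body)]

    # Subnets that should reach the account over the service endpoint
    # (assumed variable, e.g. the AVD session host subnet).
    virtual_network_subnet_ids = var.allowed_subnet_ids
  }
}

resource "azurerm_storage_share" "st_shares" {
  for_each             = var.st_shares
  name                 = each.value.name
  storage_account_name = azurerm_storage_account.st.name
  quota                = 5120
}
```

Traffic arriving over the existing private endpoint is not subject to these network rules, so the AVD hosts keep working; the allowed public IP is only needed by the machine running Terraform, and running Terraform from an agent inside the VNet would avoid opening the public endpoint at all.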