Facing "Unauthorized error (403)" while creating a container in a storage account that is behind a firewall.
As per the solution described here, I confirm that the Terraform Cloud public IP is whitelisted under Networking --> Firewall of the storage account. The Service Principal of Terraform Cloud has Contributor as well as Storage Blob Data Owner permissions under Access Control (IAM). However, I am still facing the "Unauthorized error (403)" during the creation of the container. Am I missing something from a configuration perspective?
ERROR message: containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.
Any help would be appreciated.
I tried to reproduce the same issue in my environment and got the results below.
I have the script below to create the storage account and the storage container.
I have taken the example script from this URL.
When I ran the script, I got the same error, as shown below.
To resolve this error, I modified the settings in the Azure portal as shown below.
Go to Portal => storage account => Networking and add the client IP address under the firewall (see the steps in the screenshot below), then save the modifications.
I have the Contributor role and Data Owner permissions under Access Control.
I ran the Terraform script again, and now I am able to see the expected output.
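The firewall allow-list and data-plane role described in this thread, written as Terraform instead of portal steps. This is an added example, not the script from the answer above; it assumes the azurerm 3.x provider, and every resource name, the location and the `runner_public_ip` variable are placeholders.

```hcl
# Added example: names, location and the IP variable are placeholders.
# Assumes azurerm provider 3.x.
provider "azurerm" {
  features {}
}

variable "runner_public_ip" {
  description = "Public IP the Terraform run connects from (assumed single static address)"
  type        = string
}

# Identity Terraform is authenticated as (the service principal in the question).
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-example"
  location = "westeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "stexampleplaceholder" # must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Deny by default; allow only the address Terraform runs from.
  network_rules {
    default_action = "Deny"
    ip_rules       = [var.runner_public_ip]
    bypass         = ["AzureServices"]
  }
}

# Data-plane role on the account, in addition to Contributor.
resource "azurerm_role_assignment" "blob_owner" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_storage_container" "example" {
  name                  = "content"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
  depends_on            = [azurerm_role_assignment.blob_owner]
}
```

The container resource is the one that issues the `GetProperties` call seen in the error message, so the address in `ip_rules` has to be the one the run actually egresses from at apply time.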