Not able to deploy azurerm_storage_account with public access disabled

[Annesars90]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.8.3

AzureRM Provider Version

3.103.1

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "test" {
  name                     = var.name
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  access_tier                      = "Hot"
  enable_https_traffic_only        = true
  min_tls_version                  = "TLS1_2"
  allow_nested_items_to_be_public  = false
  shared_access_key_enabled        = false
  default_to_oauth_authentication  = true
  public_network_access_enabled    = false
  cross_tenant_replication_enabled = false
}

Debug Output/Panic Output

╷
│ Error: updating Queue Properties: executing request: Put "https://finopsautomations.queue.core.windows.net/?comp=properties&restype=service": HTTP response was nil; connection may have been reset
│ 
│   with module.storageaccount.azurerm_storage_account.this,
│   on .terraform/modules/storageaccount/main.tf line 1, in resource "azurerm_storage_account" "this":
│    1: resource "azurerm_storage_account" "this" {
│ 
╵

Expected Behaviour

During the creation of the storage account, don't call queue properties before private endpoints are created.

Actual Behaviour

Halfway through provisioning the resource and its settings, the queue properties are being called, but this is done before a private endpoint is in place. This means the call is going outside of Azure, thereby over our firewall, which is blocking the traffic. So we would have to put a rule *.queue.core.windows.net in our firewall to allow the creation of new storage accounts (as we don't know all the storage account names that will be created in the future, but of course this is not desired).

Steps to Reproduce

No response

Important Factoids

No response

References

No response

[Annesars90]

Hello all, no updates on this?

[tombuildsstuff]

hi @Annesars90

Thanks for opening this issue.

Taking a look through this appears to be a duplicate of #2977, where when public network access is disabled on the storgae account the data plane endpoint isn't available - as such rather than having multiple issues open tracking the same thing I'm going to close this issue in favour of that one; would you mind subscribing to #2977 for updates?

Thanks!

[Annesars90]

Hi Tom, not sure if this is actually related./duplicate My issue here is that the queue properties are called during the creation of the storage account. This is routed to the public endpoint, because there is no private endpoint yet. My question is: why are queue properties being called at all when creating the resource storage account, without even a queue resource in there.