2.19.0 set azurerm_storage_account with allow_blob_public_access = true by default #7820

Closed
pierreyvesv opened this issue Jul 21, 2020 · 4 comments


pierreyvesv commented Jul 21, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

$ terraform -v
Terraform v0.12.28

  • provider.azurerm v2.19.0

Affected Resource(s)

  • azurerm_storage_account

Debug Output

Since 2.19.0, allow_blob_public_access is set to "true" by default, and an update to the resource shows the following plan:

  ~ resource "azurerm_storage_account" "mystorageaccount" {
        access_tier                    = "Hot"
        account_kind                   = "StorageV2"
        account_replication_type       = "LRS"
        account_tier                   = "Standard"
      ~ allow_blob_public_access       = false -> true
        enable_https_traffic_only      = true
}

Expected Behavior

allow_blob_public_access should be set to false by default.

If I understand it well, public access has to be explicitly enabled.

To configure public access for a container, you must perform two steps:
Allow public access for the storage account.
Configure the container's public access setting.
https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal

Actual Behavior

Since 2.19.0, allow_blob_public_access is set to true by default.

Steps to Reproduce

terraform plan with the following resource

resource "azurerm_storage_account" "mystorageaccount" {
  name                     = "onestorageaccount"
  resource_group_name      = var.resource_group
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}
@pierreyvesv pierreyvesv changed the title verion 2.19.0 version 2.19.0 has allow_blob_public_access = true by default Jul 21, 2020
@pierreyvesv pierreyvesv changed the title version 2.19.0 has allow_blob_public_access = true by default 2.19.0 set azurerm_storage_account with allow_blob_public_access = true by default Jul 21, 2020

haodeon commented Jul 23, 2020

The current behaviour in 2.19 is actually the expected behaviour.

If you run az resource show with --query properties.allowBlobPublicAccess against a default storage account you will get nothing. That is because the property is set to null.

In the link above, which explains anonymous read access, Azure treats null and true to be the same on the property:

The allowBlobPublicAccess property is not set by default and does not return a value until you explicitly set it. The storage account allows public access when the property value is null or when it is true.

In updating the provider to 2.19, it appears Terraform treats null as false, which is why the provider is updating the property to true as its default.

So what will happen is the allowBlobPublicAccess property will be set to true, which is the same as how null was previously being treated.
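
A plan-time check for the behaviour discussed in this thread, as an added example that is not part of the issue or the provider's code: it reads `terraform show -json` output and reports storage accounts whose planned `allow_blob_public_access` is true or unset, using the null-or-true rule quoted above. The sample plan and the names `audit_plan` and `allows_public_access` are constructed for illustration, and mapping an absent attribute to Azure's null is an assumption.

```python
import json

# Constructed sample shaped like `terraform show -json` output (not from the issue).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "azurerm_storage_account.mystorageaccount",
  "type": "azurerm_storage_account",
  "change": {"before": {"allow_blob_public_access": false},
             "after": {"allow_blob_public_access": true}}},
 {"address": "azurerm_storage_account.locked_down",
  "type": "azurerm_storage_account",
  "change": {"before": null, "after": {"allow_blob_public_access": false}}},
 {"address": "azurerm_storage_account.flag_unset",
  "type": "azurerm_storage_account",
  "change": {"before": null, "after": {"name": "example"}}}
]}
""")


def allows_public_access(value):
    """Azure semantics quoted above: null and true both allow public access."""
    return value is None or value is True


def audit_plan(plan):
    """Return (address, reason) for each storage account left permissive."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_storage_account":
            continue
        change = rc.get("change") or {}
        after = change.get("after")
        if after is None:  # resource is being destroyed, nothing to audit
            continue
        new = after.get("allow_blob_public_access")
        if not allows_public_access(new):
            continue
        old = (change.get("before") or {}).get("allow_blob_public_access")
        reason = "true"
        if old is False:
            reason = "false -> true"
        elif new is None:  # assumption: absent attribute maps to Azure null
            reason = "unset (treated as allowed)"
        findings.append((rc["address"], reason))
    return findings


if __name__ == "__main__":
    for address, reason in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

Only an explicit `false` passes the check, so a provider upgrade that flips the value shows up as a `false -> true` finding before apply.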

Contributor

lrxtom2 commented Jul 23, 2020

@pierreyvesv The default behavior was fixed at #7784. Could you please wait for the new feature release? Thanks for opening the issue!

@pierreyvesv
Author

You are right! Thanks.


ghost commented Aug 23, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 23, 2020