Error: reading static website for AzureRM Storage Account

[Tbohunek]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.2

AzureRM Provider Version

3.116.0 / 4.0.1

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "friday" {
  name                            = "friday25a"
  resource_group_name             = "friday"
  location                        = "westeurope"
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  allow_nested_items_to_be_public = false
}

Debug Output/Panic Output

Error: retrieving static website properties for Storage Account (Subscription: "sss" Resource Group Name: "friday" Storage Account Name: "friday25a"): executing request: Get "https://friday25a.blob.core.windows.net/?comp=properties&restype=service": context deadline exceeded

Expected Behaviour

I understand the challenge - I have seen the other closed issues.
What would help is a bool flag that will instruct the provider to not refresh the Static Website properties because I don't want it to. I can remove this flag after I deploy the PE, but I cannot deploy the PE if the prerequisite - SA creation - blocks its creation.

Actual Behaviour

Terraform is properly trying to honor DSC in this case, but causes an impossible scenario in regulated environment. A deadlock.

Steps to Reproduce

No response

Important Factoids

The Storage Account doesn't have Private Endpoint yet.
It will work just fine after it has a Private Endpoint...
... but I cannot create the Private Endpoint, because the Storage Account itself will not finish creating.

My TFE doesn't and will not have connectivity to internet.

References

#24982
#20257

[Tbohunek]

Alternatively the required PE deployment option could be embedded into the azurerm_storage_account resource for these scenarios? Then the provider would just be retrying to read the website until the PE kicks in, and succeed.

[Tbohunek]

Actually, why does terraform even check the website property on create? Assuming you didn't have it in the config, it's not there. The next time I care whether it's been added through other means and drifted is on next refresh, by when the PE would be in place, and all would be fine. :)

[magodo]

@Tbohunek Sorry for running into this. In fact, not only the website property will be accessed, the others will also be accessed during creation, e.g. queue, file, etc., as long as the current SA supports them.

The issue you saw here is due to your environment can't resolve the blob endpoint domain name, see this for an example. I'd like to understand more about the setup of your environment, especially about the DNS configuration and why it failed to resolve the blob domain name.

In fact, there is a PR to resolve this issue. The main concern is that we are not able to reproduce this issue locally. If you can help us on the reproduction, it would be most helpful!

[Tbohunek]

Hey @magodo, happy to help! What do I need to do to reproduce?
My email is in my profile so you can hit me up (on Teams also).

The TFE runner can resolve the DNS name...to the public IP... But then can't connect to it (timeout).

[petr-stupka]

Hi, @magodo i ran in the same issue.

Steps i performed:

1. tf apply > no issue
2. tf plan > issue
3. tf plan > no issue

It is worth mentioned i run the step nr.2 around 10 sec straight after tf create (the account has been created) so i guess the static website endpoint wasn't available yet.
The step nr.3 ran without issues, so i guess the endpoint was already available so this may help with reproducing it

Issue:

Config:

resource "azurerm_storage_account" "backend" {
  name                = aztools_resource_name.storage_account_backend.result
  resource_group_name = azurerm_resource_group.backend.name
  location            = var.backend_resources.location

  account_tier                     = "Standard"
  account_replication_type         = "GRS"
  shared_access_key_enabled        = false
  cross_tenant_replication_enabled = false

  lifecycle {
    ignore_changes = [
      tags,
    ]
  }
}