Feature request - azurerm_storage_account - VNet Endpoint Support

[JasonNguyenTX]

Request that azurerm_storage_account to support VNet Endpoint so that when storage account is created, VNet Endpoint/firewall can be configured to control access to storage account

[JasonNguyenTX]

Based on MS doc: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-configure, the service endpoints for storage and sql can be enabled when creating virtual network, would it make more sense to enable it from there?

[mattpound808]

Hi,

Any news on when this might get implemented now the feature has gone GA please ?

https://azure.microsoft.com/en-gb/blog/virtual-network-service-endpoints-and-firewalls-for-azure-storage-now-generally-available/

Thank you

[murraypete]

+1 - would be great to see this implemented

[HighwayofLife]

Copied from #1110

Feature Request: Add support for Storage Account Firewall and Network Rules.

Affected Resource(s)

• azurerm_storage_account
• azurerm_subnet

Subnets need to be able to create service endpoints. (see below ARM snippet)

References

• Announcement: Virtual Network Integration for Azure Storage and Azure SQL
• Configure Storage Network Security
• Virtual Network Service Endpoints

ARM Template snippet - Storage

"kind": "Storage",
"name": "[parameters('storageAccounts_devworkdiag410_name')]",
"apiVersion": "2017-10-01",
"location": "eastus2",
"tags": {},
"scale": null,
"properties": {
    "networkAcls": {
        "bypass": "AzureServices",
        "virtualNetworkRules": [
            {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworks_DevWork_vnet_name'), parameters('subnets_default_name'))]",
                "action": "Allow",
                "state": "Succeeded"
            }
        ],
        "ipRules": [],
        "defaultAction": "Deny"
    },

ARM Template snippet - Subnet

"type": "Microsoft.Network/virtualNetworks/subnets",
"name": "[concat(parameters('virtualNetworks_DevWork_vnet_name'), '/', parameters('subnets_default_name'))]",
"apiVersion": "2018-01-01",
"scale": null,
"properties": {
    "provisioningState": "Succeeded",
    "addressPrefix": "10.0.0.0/24",
    "serviceEndpoints": [
        {
            "provisioningState": "Succeeded",
            "service": "Microsoft.Storage",
            "locations": [
                "eastus2",
                "centralus"
            ]
        }
    ]
}

[steffencircle]

Hi,

are there any news update this feature ?
It's kind of critical for us in order to be able to secure some services.

[tombuildsstuff]

@lw81 this is something we plan to do soon (I believe @mbfrahry may be taking a look into this, actually?) - but we can't give a more specific timeframe at the moment unfortunately. In the interim you should be able to achieve the same thing using the azurerm_template_deployment resource to provision this functionality.

[mbfrahry]

@lw81, I've got a PR open addressing this issue.

[jondkent]

Hi,

Another vote for this. We really need this to restrict access to storage accounts.

Cheers,
Jon

[mbfrahry]

Hey all! This feature has been merged in #1334 so I'm closing this issue and we'll have it in the next release

[katbyte]

@JasonNguyenTX, @jondkent, @lw81, @HighwayofLife, @murraypete, @mattpound808,

Just a friendly heads up that this was included in 1.7 that was released today. I hope it resolves all the issues everyone was having!

[steffencircle]

Awesome. Implemting this in our code right now. Many thanks

[murraypete]

Nice - thanks all!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!