already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_storage_account_network_rule" for more information.

[ronarieke]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.36.0

AzureRM Provider Version

3.36.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account_network_rules

Terraform Configuration Files

provider "azurerm" {
        version = "3.36.0"
        features {
                key_vault {
                        recover_soft_deleted_key_vaults = false
                        purge_soft_deleted_keys_on_destroy = false
                        purge_soft_delete_on_destroy = false
                }
                resource_group {
                        prevent_deletion_if_contains_resources = false
                }
        }
}
# Create storage account and a container
resource "azurerm_storage_account" "this" {
  name                            = "xxxx"
  resource_group_name             = "xxxx-xxxx"
  location                        = "eastus"
  account_kind                    = "StorageV2"
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  enable_https_traffic_only       = true
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_storage_account_network_rules" "network_rules" {
  storage_account_id = azurerm_storage_account.this.id
  default_action             = "Deny"
  virtual_network_subnet_ids = ["/subscriptions/51c8377c-xxxx-xxxx-xxxx-ef677da93113/resourceGroups/xxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxx/subnets/xxxx-xxxx"]
}

Debug Output/Panic Output

azurerm_storage_account_network_rules.network_rules: Creating...



Error: A resource with the ID "/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/resourceGroups/xxxxxxxxxxxxxx/providers/Microsoft.Storage/storageAccounts/xxxxx" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_storage_account_network_rule" for more information.

  on main.tf line 34, in resource "azurerm_storage_account_network_rules" "network_rules":

  34: resource "azurerm_storage_account_network_rules" "network_rules" {

Expected Behaviour

Should be able to deploy a storage account network rule without updating the state to include the state.
This is a breaking change on an existing workflow.

Need to understand if there are any backward compatibility issues, or recent changes that require the storage account to be added to the state before the network rule can be created.

Actual Behaviour

network rule cannot be created at the same time as the storage account and the storage account needs to be added to the state before the network rule can be created. This is a breaking change of existing workflows.

The azurerm and terraform API versions did not change, but we tried updating the versions to the most recent version and that did not resolve the issue

Steps to Reproduce

add storage account and network rule to the terraform spec, apply the terraform spec.

Storage account successfully gets created, network rule fails with the validation saying the storage account should be added to the state because it already exists.

This is a problem because we need to create the storage account and network rule in the same operation, but that functionality is different from a few days ago.

Important Factoids

Public Azure

References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules
https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-terraform#networkruleset-2

[ffforest]

I would like to add more details to this.
I started seeing this from Dec.15th around noon eastern time. This appears to be related to a change in the default value for the storage account properties AccountProperties.NetworkRuleSet.ByPass.
Prior to yesterday, the default value for ByPass is set to AzureServices. Now the value of Bypass is set to None when the storage account is created via azurerm_storage_account, which causes this line in azurerm provider and checkForNonDefaultStorageAccountNetworkRule() to evaluate to true, resulting in the error message via the logic here.

The request including payload that was sent to the management API - as captured by terraform trace log:

PUT /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx/resourceGroups/xxxxxxxxxxxxxx/providers/Microsoft.Storage/storageAccounts/xxxxx?api-version=2021-09-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.19.3 (amd64-linux) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 storage/2021-09-01 HashiCorp Terraform/0.14.11 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Content-Length: 600
Content-Type: application/json; charset=utf-8
X-Ms-Authorization-Auxiliary: 
X-Ms-Correlation-Request-Id: e89411c4-0003-1a4a-7c94-1a31a76be60f
Accept-Encoding: gzip

{"identity":{"type":"SystemAssigned"},"kind":"StorageV2","location":"eastus","properties":{"publicNetworkAccess":"Enabled","encryption":{"services":{"table":{"keyType":"Service"},"queue":{"keyType":"Service"}},"keySource":"Microsoft.Storage"},"networkAcls":{"defaultAction":"Allow"},"accessTier":"Hot","supportsHttpsTrafficOnly":true,"isSftpEnabled":false,"isHnsEnabled":false,"allowBlobPublicAccess":false,"minimumTlsVersion":"TLS1_2","allowSharedKeyAccess":true,"isNfsV3Enabled":false,"allowCrossTenantReplication":true,"defaultToOAuthAuthentication":false},"sku":{"name":"Standard_LRS"},"tags":{}}

Notice there is no field for ByPass in the payload. In the GET operation after the account is created:

...
"networkAcls":{**"bypass":"None"**,"defaultAction":"Allow"},
...

If I set value of ByPass from None to AzureServices - which must have been the old default, after the account creation and rerun terraform apply, the error do not appear.

[ffforest]

Update - thanks for the suggestion from Azure Support:
This appear to be region-specific. I have tried the same terraform spec in both eastus and westus regions, only eastus is reporting this error.

[srjennings]

Can confirm also affected by this issue version 3.10.0

[srjennings]

@ronarieke @ffforest See #19719 for possible fix

[tju-that1guy]

We are also seeing this issue.

[srjennings]

Workaround is to enable the network_rules block inside the resource azurerm_storage_account rather than using resource azurerm_storage_account_network_rules

[srjennings]

#19719 (comment) reports issue resolved
@ronarieke @ffforest

[ffforest]

@srjennings Yes it seems like Microsoft have reverted some changes on their end with the storage resource provider.
I can confirm the issue is now resolved in eastus region since about 4pm ET yesterday.

[github-actions]

This functionality has been released in v3.38.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.