@magodo
Created August 17, 2023 08:12
Azure storage data plane access TSG

Storage data plane access TSG

1. Create azurerm_storage_account: accounts.Client#GetServiceProperties: Failure sending request: StatusCode=0 -- Original Error: context deadline exceeded

Reason

  1. The private endpoint is not correctly set up. The reference config can be found at https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint

    Fix: Set up the PE correctly.

  2. The DNS cache has not been refreshed to point to the correct storage account endpoint. This can cause a 404 status code or make DNS resolution fail. The detailed explanation can be found at: hashicorp/terraform-provider-azurerm#13070 (comment)

    Fix: Create the storage account with another name

Related Issues

Troubleshooting

Run nslookup against the storage endpoint that failed, on the machine running terraform, to confirm that the error is indeed a DNS resolution issue.

Further context

The error above is unfortunately unclear. This should be improved by merging hashicorp/terraform-provider-azurerm#21464.
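As an added example (not the gist's own config, and not the registry page it links to), the private-endpoint path from reason 1 written out as azurerm resources, including the private DNS zone and zone group that the PE needs so the blob hostname resolves to the private IP. Resource names, CIDRs, the location and the account name are assumptions.

```hcl
# Added example: storage account reached through a private endpoint, plus the
# private DNS zone that makes <account>.blob.core.windows.net resolve to the
# endpoint's private IP. Names, address spaces and location are assumed values.
resource "azurerm_resource_group" "example" {
  name     = "rg-storage-pe-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "pe" {
  name                 = "snet-private-endpoints"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_storage_account" "example" {
  name                     = "stpeexample0001" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# The zone name must be exactly privatelink.blob.core.windows.net for the blob
# subresource. A misspelt or missing zone is a common way the PE exists but
# the hostname still resolves to the public IP, or does not resolve at all.
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.example.name
}

# Without this link the VNet's resolver never consults the private zone.
resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "link-vnet-example"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

resource "azurerm_private_endpoint" "blob" {
  name                = "pe-blob-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.pe.id

  private_service_connection {
    name                           = "psc-blob"
    private_connection_resource_id = azurerm_storage_account.example.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }

  # Registers the A record in the zone above. Without this group the PE is
  # created but nothing updates DNS, which is the symptom behind the timeout.
  private_dns_zone_group {
    name                 = "dzg-blob"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}
```

The machine running terraform must itself resolve the blob hostname through that zone, i.e. it sits in the linked VNet or forwards to a resolver that does. On that machine, an nslookup of the account's blob endpoint returning an address from the PE subnet (10.0.1.x here) rather than a public IP or NXDOMAIN is the check described under Troubleshooting.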

2. Creating azurerm_storage_account: Error: retrieving Storage Account: (Name "xxx" / Resource Group "xxx"): storage.AccountsClient#GetProperties: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account xxx was not found."

Reason

  1. The service_endpoints = ["Microsoft.Storage"] isn’t specified in the azurerm_subnet that is used in the network_rules of the azurerm_storage_account.

Related issue

Troubleshooting

Look at the provider log and you should see something like:

{"status":"Failed","error":{"code":"NetworkAclsValidationFailure","message":"Validation of network acls failure: SubnetsHaveNoServiceEndpointsConfigured:Subnets my-subnet of virtual network xxxx do not have ServiceEndpoints for Microsoft.Storage resources configured. Add Microsoft.Storage to subnet's ServiceEndpoints collection before trying to ACL Microsoft.Storage resources to these subnets.."}}

Further context

The provider's error message is confusing; either merging the PR hashicorp/terraform-provider-azurerm#16573 or migrating to the new SDK would make the error meaningful.

3. Creating azurerm_storage_container: containers.Client#Create: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ResourceNotFound"

Reason

  1. The DNS cache has not been refreshed to point to the correct storage account endpoint. This can cause a 404 status code or make DNS resolution fail. The detailed explanation can be found at: hashicorp/terraform-provider-azurerm#13070 (comment)

    Fix: Create the storage account with another name

Related Issues

4. Creating azurerm_storage_container: Error creating container "xxx" in storage account "xxx": storage: service returned error: StatusCode=403, ErrorCode=AuthorizationFailure, ErrorMessage=This request is not authorized to perform this operation.

Reason

  1. The provisioning agent’s IP is blocked by the network_rules

Related Issues

Further context

There may be cases where the user claims the agent's IP is indeed whitelisted in the network_rules but still hits the error. The reason may be that the agent resides in the same region as the target resource, see: hashicorp/terraform-provider-azurerm#2977 (comment)
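As an added example covering both section 2 (the subnet used in network_rules must carry the Microsoft.Storage service endpoint) and section 4 (the provisioning agent's IP must be allowed by network_rules), a storage account with network ACLs written out as azurerm resources. This is not the gist's own config; resource names, CIDRs, the location, the account name and the agent's public IP are assumptions.

```hcl
# Added example: a subnet with the Microsoft.Storage service endpoint enabled,
# and a storage account whose network_rules references that subnet and allows
# the provisioning agent's public IP. Names, CIDRs, location and the agent IP
# are assumed values.
resource "azurerm_resource_group" "example" {
  name     = "rg-storage-acl-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "app" {
  name                 = "my-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]

  # Without this line the account creation fails with
  # NetworkAclsValidationFailure / SubnetsHaveNoServiceEndpointsConfigured,
  # which the provider surfaces as the 404 StorageAccountNotFound in section 2.
  service_endpoints = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "example" {
  name                     = "staclexample0001" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]

    # Subnet rule: only accepted once the subnet has the service endpoint.
    virtual_network_subnet_ids = [azurerm_subnet.app.id]

    # Public source IP of the machine running terraform (assumed value).
    # The data-plane container create in section 4 is evaluated against these
    # rules, so an agent not matched here gets 403 AuthorizationFailure.
    ip_rules = ["203.0.113.10"]
  }
}
```

ip_rules matches the public source address of the request. An agent in the same region as the account (section 4's further context) may reach the service without presenting that public address, which is why whitelisting it can still end in the 403; for an agent running inside the VNet, the subnet rule above is the alternative that does not depend on the source IP.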
