Bug: Terraform Init Fails Due to Azure Storage Account Network Configuration in Landing Zone Deployment

[ifeanyindukwe]

The deployment of the Azure Landing Zone consistently fails during the Terraform initialization (terraform init) stage. The deployment only succeeds when I manually alter the Azure Storage Account’s network configuration. Specifically, I need to change the network access setting from its default (restricted access) to "Enabled from all networks" in the Azure Portal.

Steps to Reproduce:

• Deploy the Azure Landing Zone.
• During the Terraform initialization stage, the deployment fails.
• Manually adjust the Storage Account settings:
  • Go to Azure Portal ->
  • Storage Accounts ->
  • Select the relevant account ->
  • Networking ->
  • Set network access to "Enabled from all networks."
• Retry the deployment, which then succeeds

Encountered a 403 Authorization Failure when attempting to initialize Terraform with Azure.
Error: Failed to get existing workspaces: containers.Client#ListBlobs: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:XXXX\nTime:2024-08-26T01:37:53.6259929Z"

Please investigate why the default network configuration is causing the deployment to fail and recommend a solution that doesn't require manual intervention.

[jaredfholgate]

@ifeanyindukwe We would need to understand your inputs to investigate this. Are you using the local option?

[ifeanyindukwe]

I am using Azure Pipeline Agent Pools in Azure DevOps, and I've set my azure_devops_personal_access_token to token-1 in my inputs.yaml file. However, I'm not quite sure I understand what you mean by the 'local option.' Could you please provide more details or clarify if my response is not addressing your question?

[ifeanyindukwe]

@ifeanyindukwe We would need to understand your inputs to investigate this. Are you using the local option?

Please find attached my input.yaml file. Identifiable information such as subscription IDs, emails, and generated tokens have been masked with "XXXX" for privacy reasons.

[jaredfholgate]

Thanks for this info. I see you are using Microsoft-hosted agents use_self_hosted_agents: "false" and have use_private_networking: "true". This combination is not possible and should be handled by the code, it should be ignoring the use_private_networking option. So it looks like you may have uncovered a bug here, that we'll investigate. In the meantime, setting use_private_networking: "false" should hopefully fix it for you.