- Azure Storage uses private IP space when the client is in the same region even when Private Endpoints are not used. The client IP address as seen by the Storage Firewall is a private IP address that cannot be predicted. Hence Storage Firewall can't be used to allow/block access over the public endpoint
- Terraform will need storage data plane read access during plan stage, hence any dependency tricks during apply stage will not work
- Run deploy.ps1 without the
-OpenStorageFirewallparameter. This script will detect the Azure region it is run from using the Azure Instance Metadata and deploy to the same region by setting theTF_VAR_locationenvironment variable. - Run terraform-ci-with-template.yml with the
modeparameter set to 'ReproduceConstraint'. This relies on deploy.ps1 and therefore works the same way.
There are 2 strategies:
- A workaround is to open up the Storage Firewall prior to Terraform plan stage. This is done using a default allow rule as the client IP address as seen by the Storage Firewall cannot be predicted. Run terraform-ci-with-template.yml with the
modeparameter set to 'MitigateWithJITFWUpdate'.
This approach is deterministic, but compromises on security. - Another workaround is try and find a pipeline agent in a region other than the target region. An agent can run in multiple regions in the same geography (e.g. northeurope & westeurope in the EU). The pipeline will submit jobs in sequence until either an alternate region (from the deployment target) has been found or the maxmum number of attempts has been reached. Run terraform-ci-with-template.yml with the
modeparameter set to 'TryMitigateWithRegion'.
This approach is more secure, but non-deterministic.