azurerm_storage_account_network_rules doesn't accept CIDR notation

[bruceharrison1984]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Issue

• Terraform: 0.12.16
• AzureRM Provider: 1.38.0

Trying to use azurerm_storage_account_network_rules with a CIDR notation fails (X.X.X.X/XX) with an IP validation error.

resource "azurerm_storage_account_network_rules" "mdw" {
  resource_group_name  = azurerm_resource_group.mdw.name
  storage_account_name = azurerm_storage_account.mdw.name

  default_action = "Deny"
  ip_rules       = ["128.252.0.0/16"]
  bypass         = ["AzureServices"]
}

"ip_rules.0" is not a valid IPv4 address: "128.252.0.0/16"

The network_rules section of azurerm_storage_account accepts both IPs and CIDR notation. Looking at the code, it appears that the azurerm_storage_account_network_rules makes use of validation that azurerm_storage_account does not.

https://github.com/terraform-providers/terraform-provider-azurerm/blob/48d259b4894f91f7485644855a47e791264f4007/azurerm/resource_arm_storage_account_network_rules.go#L66-L76

https://github.com/terraform-providers/terraform-provider-azurerm/blob/48d259b4894f91f7485644855a47e791264f4007/azurerm/resource_arm_storage_account.go#L206-L212

I would expect the behavior between these two resources to be identical. Not being able to utilize azurerm_storage_account_network_rules prevents a bunch of different scenarios from being possible due to circular dependencies occuring between storage and other resources.

When configuring the firewall through the Azure Portal, both CIDR and IPs are valid.

[phires]

Seems to be fixed by PR #5201, although maybe we could create a combined validation for CIDR or single IP?

[tombuildsstuff]

@phires agreed this is fixed by #5201 - thanks for the heads up - I'll close this out

although maybe we could create a combined validation for CIDR or single IP?

Agreed, that'd be a great addition 👍

[ghost]

This has been released in version 1.40.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.40.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!