azure_rm_storageaccount allow_blob_public_access won't update when used on new storage account #325

Closed
jgainey opened this issue Nov 18, 2020 · 14 comments · Fixed by #458
Labels
has_pr PR fixes have been made medium_priority Medium priority

Comments

@jgainey

jgainey commented Nov 18, 2020

SUMMARY

On new storage accounts, allow_blob_public_access is null and cannot be updated to yes or no using this module.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

azure.azcollection.azure_rm_storageaccount won't perform an update if the allow_blob_public_access is None:

    if self.allow_blob_public_access is not None:
        if bool(self.allow_blob_public_access) != bool(self.account_dict.get('allow_blob_public_access')):
            self.results['changed'] = True
            self.account_dict['allow_blob_public_access'] = self.allow_blob_public_access
            if not self.check_mode:
                try:
                    parameters = self.storage_models.StorageAccountUpdateParameters(allow_blob_public_access=self.allow_blob_public_access)
                    self.storage_client.storage_accounts.update(self.resource_group,
                                                              self.name,
                                                              parameters)
                except Exception as exc:
                    self.fail("Failed to update account type: {0}".format(str(exc)))

ANSIBLE VERSION

    ansible 2.10.3
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /var/lib/ansible/venv/dco-venv.py3/lib64/python3.6/site-packages/ansible
      executable location = /var/lib/ansible/venv/dco-venv.py3/bin/ansible
      python version = 3.6.8 (default, May  6 2020, 12:04:35) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

CONFIGURATION

OS / ENVIRONMENT

Linux css-ansapp1-d1 3.10.0-1160.2.2.el7.x86_64 #1 SMP Sat Oct 17 05:06:47 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Red Hat Enterprise Linux Server release 7.9 (Maipo)

STEPS TO REPRODUCE

    - name: Azure | disable blob public access on everything in {{ rg_name }}
      azure.azcollection.azure_rm_storageaccount:
        resource_group: "{{ rg_name }}"
        name: "{{ item.name }}"
        allow_blob_public_access: False
        client_id: "{{ azure.client_id }}"
        secret: "{{ azure.secret }}"
        tenant: "{{ azure.tenant }}"
        subscription_id: "{{ azure.subscription_id }}"
      when: item.allow_blob_public_access != false

EXPECTED RESULTS

    {
      "changed": true,
      "state": {
        "id": "xxxxx",
        "name": "xxx",
        "location": "northcentralus",
        "resource_group": "xxxx",
        "type": "Microsoft.Storage/storageAccounts",
        "access_tier": null,
        "sku_tier": "Standard",
        "sku_name": "Standard_LRS",
        "provisioning_state": "Succeeded",
        "secondary_location": null,
        "status_of_primary": "available",
        "status_of_secondary": null,
        "primary_location": "northcentralus",
        "https_only": false,
        "minimum_tls_version": null,
        "allow_blob_public_access": null,
        "network_acls": {
          "bypass": "AzureServices",
          "default_action": "Allow",
          "virtual_network_rules": [],
          "ip_rules": []
        },
        "custom_domain": null,
        "primary_endpoints": {
          "blob": "https://xxx.blob.core.windows.net/",
          "queue": "https://xxx.queue.core.windows.net/",
          "table": "https://xxx.table.core.windows.net/"
        },
        "secondary_endpoints": null,
        "tags": {}
      },
      "invocation": {
        "module_args": {
          "resource_group": "xxxxx",
          "name": "xxxx",
          "allow_blob_public_access": false,
          "client_id": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
          "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
          "tenant": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
          "subscription_id": "aaaaaaaa-bbbb-xxxx-yyyy-13e62483bb6d",
          "auth_source": "auto",
          "cloud_environment": "AzureCloud",
          "api_profile": "latest",
          "append_tags": true,
          "state": "present",
          "force_delete_nonempty": false,
          "kind": "Storage",
          "profile": null,
          "ad_user": null,
          "password": null,
          "cert_validation_mode": null,
          "adfs_authority_url": null,
          "tags": null,
          "account_type": null,
          "custom_domain": null,
          "location": null,
          "access_tier": null,
          "https_only": null,
          "minimum_tls_version": null,
          "network_acls": null,
          "blob_cors": null
        }
      },
      "_ansible_no_log": false
    }

ACTUAL RESULTS

    {
      "changed": false,
      "state": {
        "id": "xxxxxx",
        "name": "xxxx",
        "location": "northcentralus",
        "resource_group": "xxxxx",
        "type": "Microsoft.Storage/storageAccounts",
        "access_tier": null,
        "sku_tier": "Standard",
        "sku_name": "Standard_LRS",
        "provisioning_state": "Succeeded",
        "secondary_location": null,
        "status_of_primary": "available",
        "status_of_secondary": null,
        "primary_location": "northcentralus",
        "https_only": false,
        "minimum_tls_version": null,
        "allow_blob_public_access": null,
        "network_acls": {
          "bypass": "AzureServices",
          "default_action": "Allow",
          "virtual_network_rules": [],
          "ip_rules": []
        },
        "custom_domain": null,
        "primary_endpoints": {
          "blob": "https://xxxxx.blob.core.windows.net/",
          "queue": "https://xxxx.queue.core.windows.net/",
          "table": "https://xxxx.table.core.windows.net/"
        },
        "secondary_endpoints": null,
        "tags": {}
      },
      "invocation": {
        "module_args": {
          "resource_group": "xxxxxxx",
          "name": "csstestvm3d16800",
          "allow_blob_public_access": false,
          "client_id": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
          "secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
          "tenant": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
          "subscription_id": "aaaaaaaa-bbbb-xxxx-yyyy-13e62483bb6d",
          "auth_source": "auto",
          "cloud_environment": "AzureCloud",
          "api_profile": "latest",
          "append_tags": true,
          "state": "present",
          "force_delete_nonempty": false,
          "kind": "Storage",
          "profile": null,
          "ad_user": null,
          "password": null,
          "cert_validation_mode": null,
          "adfs_authority_url": null,
          "tags": null,
          "account_type": null,
          "custom_domain": null,
          "location": null,
          "access_tier": null,
          "https_only": null,
          "minimum_tls_version": null,
          "network_acls": null,
          "blob_cors": null
        }
      },
      "_ansible_no_log": false
    }

ok: [localhost] => {"changed": false, "state": {"access_tier": null, "allow_blob_public_access": null, "custom_domain": null, "https_only": false, "id": "/subscriptions/aaaaaaaa-bbbb-xxxx-yyyy-13e62483bb6d/resourceGroups/rg_nam_ss_ncus_workshopdemo2/providers/Microsoft.Storage/storageAccounts/xxxxx", "location": "northcentralus", "minimum_tls_version": null, "name": "xxxxx", "network_acls": {"bypass": "AzureServices", "default_action": "Allow", "ip_rules": [], "virtual_network_rules": []}, "primary_endpoints": {"blob": "https://xxxxx.blob.core.windows.net/", "queue": "https://xxxx.queue.core.windows.net/", "table": "https://cxxxx.table.core.windows.net/"}, "primary_location": "northcentralus", "provisioning_state": "Succeeded", "resource_group": "xxxxx", "secondary_endpoints": null, "secondary_location": null, "sku_name": "Standard_LRS", "sku_tier": "Standard", "status_of_primary": "available", "status_of_secondary": null, "tags": {}, "type": "Microsoft.Storage/storageAccounts"}}
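
The comparison quoted in the issue body, reduced to a stand-alone function and run over every combination of requested and reported value (an added example, not part of the original issue or the collection's code; the function names, the raw-value comparison and the sample accounts are assumptions made for illustration). It shows that the only skipped case is a request for False against an account still reporting null, which is the case this report describes:

```python
from itertools import product

# Constructed sample: the three values an account can report for the setting.
STATES = (None, False, True)  # null (never set), disabled, enabled

# Constructed inventory; account names are placeholders.
SAMPLE_ACCOUNTS = [
    {"name": "new-account", "allow_blob_public_access": None},
    {"name": "locked-down", "allow_blob_public_access": False},
    {"name": "public-site", "allow_blob_public_access": True},
]


def needs_update_as_posted(desired, reported):
    """The check quoted in the issue: both sides go through bool()."""
    if desired is not None:
        return bool(desired) != bool(reported)
    return False


def needs_update_tristate(desired, reported):
    """Hypothetical alternative: compare the raw values, so a null reported
    by the account is never read as an explicit False."""
    return desired is not None and desired != reported


def missed_drift():
    """(desired, reported) pairs the posted check skips but the raw check flags."""
    return [(d, r) for d, r in product(STATES, STATES)
            if needs_update_tristate(d, r) and not needs_update_as_posted(d, r)]


def audit(accounts, desired=False, check=needs_update_tristate):
    """Names of accounts that `check` says still need `desired` applied."""
    return [a["name"] for a in accounts
            if check(desired, a.get("allow_blob_public_access"))]


if __name__ == "__main__":
    print("missed by posted check:", missed_drift())
    print("posted check flags:   ", audit(SAMPLE_ACCOUNTS, check=needs_update_as_posted))
    print("raw comparison flags: ", audit(SAMPLE_ACCOUNTS))
```

An audit built on the raw comparison lists the null account as still needing the setting applied, where the bool()-based check reports it as unchanged.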
@jgainey
Author

jgainey commented Nov 18, 2020

Once the storage account is flipped in the UI to enabled, this code works to disable it.

@jgainey
Author

jgainey commented Nov 18, 2020

This change seems to fix it.
azure/azcollection/plugins/modules/azure_rm_storageaccount.py:

589 allow_blob_public_access=account_obj.allow_blob_public_access,
< 589 allow_blob_public_access=account_obj.allow_blob_public_access or True,
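
Review bot: On the changed line 589, "account_obj.allow_blob_public_access or True" rewrites a stored False to True as well as a null, so an account that already has public access disabled is read back as enabled. With the bool() comparison quoted in the issue body, a task requesting False would then report a change on every run, and a task requesting True against a disabled account would be skipped. Consider substituting only the null case, for example "True if account_obj.allow_blob_public_access is None else account_obj.allow_blob_public_access", or handling None explicitly in the update check instead of in the returned dict.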

@paultaiton
Contributor

@jgainey I've got this one. I'm already working on updating this module. The blob public access was some code I added a while back when I was first learning the Azure python SDK and how this collection does things, so I'm cleaning up the Storage account modules and making it work consistently between create and update.

@Fred-sun
Collaborator

@jgainey Thank you for reporting this issue, we will review it as soon as possible, thank you!

@Fred-sun Fred-sun added medium_priority Medium priority work in In trying to solve, or in working with contributors labels Dec 21, 2020
@Fred-sun
Collaborator

@jgainey It should have been fixed, and if the account's allow_blob_public_access=null, it can be updated to allow_blob_public=true or false. Thank you very much!

@Tailzip

Tailzip commented Jan 12, 2021

Hi! I'm still experiencing this issue (running version 1.3.1).
When you say it has been fixed, I don't see any comment about a bug fix in the CHANGELOG.md file 🤔

@paultaiton
Contributor

@Tailzip
I'm still working on fixing the storageaccount module as there are a number of different bugs and bad inefficiencies. I got delayed with the holiday season as well as dealing with / recovering from covid, but it's still on my radar and in progress.

@Fred-sun
Collaborator

> Hi! I'm still experiencing this issue (running version 1.3.1).
> When you say it has been fixed, I don't see any comment about a bug fix in the CHANGELOG.md file 🤔

@Tailzip Thank you for your reply, but I tested this module and when (allow_blob_public_access=null) we can update the storage account to update allow_blob_public_access to True or False. I'll check again. Thank you very much!

@arsenicks

@paultaiton Hi, we are experiencing a very similar issue with a new storage account creation but with https_only, I will add detail to this issue soon but I was wondering if you've made progress on this problem as it could be the exact same logic causing the problem.

Thanks!

@Tailzip

Tailzip commented Mar 14, 2021

Well, it fixed it by itself... Haven't updated collection version, but now it works as expected. My guess is that Azure API was updated (or fixed). 🤷‍♂️

@arsenicks

@Tailzip You tried with a new storage account?

I insist on "new" because the logic in the update_account is working correctly, the problem is within the create_account, so for us https_only failed when creating the first time but the storage account IS created but without the https_only option, if we run a second time the collection updates the storage account with the options that haven't worked the first time. Thanks

@Fred-sun
Collaborator

Fixed by #458

@Fred-sun Fred-sun added has_pr PR fixes have been made and removed work in In trying to solve, or in working with contributors labels Mar 18, 2021
@Tailzip

Tailzip commented Mar 18, 2021

> @Tailzip You tried with a new storage account?
>
> I insist on "new" because the logic in the update_account is working correctly, the problem is within the create_account, so for us https_only failed when creating the first time but the storage account IS created but without the https_only option, if we run a second time the collection updates the storage account with the options that haven't worked the first time. Thanks

@arsenicks
Yes, it works with new and already existing storage accounts.

@paultaiton
Contributor

@Tailzip @jgainey @arsenicks
I apologize for how long it took me to get this update together and pushed. I believe I fixed everything reported in this issue. Please let me know if you see any problems after updating to the new module update.
