diff --git a/azurerm/internal/services/storage/resource_arm_storage_account.go b/azurerm/internal/services/storage/resource_arm_storage_account.go
index 7af3277ec026..2fbb319d386a 100644
--- a/azurerm/internal/services/storage/resource_arm_storage_account.go
+++ b/azurerm/internal/services/storage/resource_arm_storage_account.go
@@ -10,6 +10,7 @@ import (
 "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-04-01/storage"
 azautorest "github.com/Azure/go-autorest/autorest"
+ autorestAzure "github.com/Azure/go-autorest/autorest/azure"
 "github.com/hashicorp/go-azure-helpers/response"
 "github.com/hashicorp/go-getter/helper/url"
 "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
@@ -604,6 +605,7 @@ func validateAzureRMStorageAccountTags(v interface{}, _ string) (warnings []stri
 }
 func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) error {
+ envName := meta.(*clients.Client).Account.Environment.Name
 client := meta.(*clients.Client).Storage.AccountsClient
 ctx, cancel := timeouts.ForCreate(meta.(*clients.Client).StopContext, d)
 defer cancel()
@@ -648,13 +650,23 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e Kind: storage.Kind(accountKind), AccountPropertiesCreateParameters: &storage.AccountPropertiesCreateParameters{ EnableHTTPSTrafficOnly: &enableHTTPSTrafficOnly, - MinimumTLSVersion: storage.MinimumTLSVersion(minimumTLSVersion), NetworkRuleSet: expandStorageAccountNetworkRules(d), IsHnsEnabled: &isHnsEnabled, - AllowBlobPublicAccess: &allowBlobPublicAccess, }, } + // For US Government Cloud, don't specify "allow_blob_public_access" and "min_tls_version" in request body. + // https://github.com/terraform-providers/terraform-provider-azurerm/issues/7812 + // https://github.com/terraform-providers/terraform-provider-azurerm/issues/8083 + if envName == autorestAzure.USGovernmentCloud.Name { + if allowBlobPublicAccess || minimumTLSVersion != string(storage.TLS10) { + return fmt.Errorf(`"allow_blob_public_access" and "min_tls_version" are not supported for a Storage Account located in %q`, envName) + } + } else { + parameters.AccountPropertiesCreateParameters.AllowBlobPublicAccess = &allowBlobPublicAccess + parameters.AccountPropertiesCreateParameters.MinimumTLSVersion = storage.MinimumTLSVersion(minimumTLSVersion) + } + if _, ok := d.GetOk("identity"); ok { storageAccountIdentity := expandAzureRmStorageAccountIdentity(d) parameters.Identity = storageAccountIdentity @@ -784,6 +796,7 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e } func resourceArmStorageAccountUpdate(d *schema.ResourceData, meta interface{}) error { + envName := meta.(*clients.Client).Account.Environment.Name client := meta.(*clients.Client).Storage.AccountsClient ctx, cancel := timeouts.ForUpdate(meta.(*clients.Client).StopContext, d) defer cancel() 
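Review bot: The US Government guard in the new `if envName == autorestAzure.USGovernmentCloud.Name` block folds both attributes into one condition and one error, so a user who only set `min_tls_version = "TLS1_2"` is told that `allow_blob_public_access` is unsupported as well; two separate checks, `if allowBlobPublicAccess { return fmt.Errorf(...) }` and `if minimumTLSVersion != string(storage.TLS10) { return fmt.Errorf(...) }` each with its own message, give an actionable error and mirror what the Update path in this same commit already does. The rejection also only fires at apply time, after `terraform plan` has reported success; if the resource defines a `CustomizeDiff` (not visible here) the same check would be better raised during planning. `allowBlobPublicAccess`, `minimumTLSVersion` and `parameters` are declared above this hunk, and resourceArmStorageAccountCreate continues past it.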
@@ -888,28 +901,44 @@ func resourceArmStorageAccountUpdate(d *schema.ResourceData, meta interface{}) e if d.HasChange("min_tls_version") { minimumTLSVersion := d.Get("min_tls_version").(string) - opts := storage.AccountUpdateParameters{ - AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ - MinimumTLSVersion: storage.MinimumTLSVersion(minimumTLSVersion), - }, - } + // For US Government Cloud, don't specify "min_tls_version" in request body. + // https://github.com/terraform-providers/terraform-provider-azurerm/issues/8083 + if envName == autorestAzure.USGovernmentCloud.Name { + if minimumTLSVersion != string(storage.TLS10) { + return fmt.Errorf(`"min_tls_version" is not supported for a Storage Account located in %q`, envName) + } + } else { + opts := storage.AccountUpdateParameters{ + AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ + MinimumTLSVersion: storage.MinimumTLSVersion(minimumTLSVersion), + }, + } - if _, err := client.Update(ctx, resourceGroupName, storageAccountName, opts); err != nil { - return fmt.Errorf("Error updating Azure Storage Account min_tls_version %q: %+v", storageAccountName, err) + if _, err := client.Update(ctx, resourceGroupName, storageAccountName, opts); err != nil { + return fmt.Errorf("Error updating Azure Storage Account min_tls_version %q: %+v", storageAccountName, err) + } } } if d.HasChange("allow_blob_public_access") { allowBlobPublicAccess := d.Get("allow_blob_public_access").(bool) - opts := storage.AccountUpdateParameters{ - AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ - AllowBlobPublicAccess: &allowBlobPublicAccess, - }, - } + // For US Government Cloud, don't specify "allow_blob_public_access" in request body. 
+ // https://github.com/terraform-providers/terraform-provider-azurerm/issues/7812 + if envName == autorestAzure.USGovernmentCloud.Name { + if allowBlobPublicAccess { + return fmt.Errorf(`"allow_blob_public_access" is not supported for a Storage Account located in %q`, envName) + } + } else { + opts := storage.AccountUpdateParameters{ + AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ + AllowBlobPublicAccess: &allowBlobPublicAccess, + }, + } - if _, err := client.Update(ctx, resourceGroupName, storageAccountName, opts); err != nil { - return fmt.Errorf("Error updating Azure Storage Account allow_blob_public_access %q: %+v", storageAccountName, err) + if _, err := client.Update(ctx, resourceGroupName, storageAccountName, opts); err != nil { + return fmt.Errorf("Error updating Azure Storage Account allow_blob_public_access %q: %+v", storageAccountName, err) + } } } 
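Review bot: Both US Government rejections in the `HasChange("min_tls_version")` and `HasChange("allow_blob_public_access")` branches are raised part-way through resourceArmStorageAccountUpdate, after any `client.Update` calls earlier in the function (outside this hunk, if present) have already gone through, so an apply that the plan accepted can fail having partially modified the account. Hoisting the two `envName == autorestAzure.USGovernmentCloud.Name` checks to the top of the function, before the first `client.Update`, avoids the partial update; a `CustomizeDiff` that fails the plan would be better still. The comparison is now repeated three times across Create and Update and could live in one helper, e.g. `isUSGov := envName == autorestAzure.USGovernmentCloud.Name`, computed once next to `envName`. The enclosing function starts and ends outside the hunk.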
@@ -1066,9 +1095,16 @@ func resourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) err
 if props := resp.AccountProperties; props != nil {
 d.Set("access_tier", props.AccessTier)
 d.Set("enable_https_traffic_only", props.EnableHTTPSTrafficOnly)
- d.Set("min_tls_version", string(props.MinimumTLSVersion))
 d.Set("is_hns_enabled", props.IsHnsEnabled)
 d.Set("allow_blob_public_access", props.AllowBlobPublicAccess)
+ // For US Government Cloud, "min_tls_version" is not returned from Azure so always persist the default values for "min_tls_version".
+ // https://github.com/terraform-providers/terraform-provider-azurerm/issues/7812
+ // https://github.com/terraform-providers/terraform-provider-azurerm/issues/8083
+ if meta.(*clients.Client).Account.Environment.Name == autorestAzure.USGovernmentCloud.Name {
+ d.Set("min_tls_version", string(storage.TLS10))
+ } else {
+ d.Set("min_tls_version", string(props.MinimumTLSVersion))
+ }
 if customDomain := props.CustomDomain; customDomain != nil {
 if err := d.Set("custom_domain", flattenStorageAccountCustomDomain(customDomain)); err != nil {
diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown
index 8995d98e6d14..ffc0b3f03e3c 100644
--- a/website/docs/r/storage_account.html.markdown
+++ b/website/docs/r/storage_account.html.markdown
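Review bot: The new US Government branch writes `TLS1_0` into state regardless of what `props.MinimumTLSVersion` holds, so once the Gov API does start returning the field — or if the minimum was raised out of band — state keeps reporting TLS 1.0 and the account's real TLS posture is hidden from plans and from anything auditing the state file. Keying the fallback on the response actually lacking the value, rather than on the cloud name, preserves the documented Gov behaviour while reporting the true value whenever one is present, and drops the `meta` lookup from the read path. resourceArmStorageAccountRead starts and ends outside the hunk.
```go
		d.Set("allow_blob_public_access", props.AllowBlobPublicAccess)
		// Some environments (US Government at the time of writing) omit MinimumTLSVersion
		// from the response; fall back to the schema default only when it is absent.
		// https://github.com/terraform-providers/terraform-provider-azurerm/issues/8083
		if v := string(props.MinimumTLSVersion); v != "" {
			d.Set("min_tls_version", v)
		} else {
			d.Set("min_tls_version", string(storage.TLS10))
		}
		// … unchanged: custom_domain flattening …
```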
@@ -99,8 +99,12 @@ The following arguments are supported: * `min_tls_version` - (Optional) The minimum supported TLS version for the storage account. Possible values are `TLS1_0`, `TLS1_1`, and `TLS1_2`. Defaults to `TLS1_0` for new storage accounts. +-> **NOTE:** At this time `min_tls_version` is not supported in US Government. + * `allow_blob_public_access` - Allow or disallow public access to all blobs or containers in the storage account. Defaults to `false`. +-> **NOTE:** At this time `allow_blob_public_access` is not supported in US Government. + * `is_hns_enabled` - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 ([see here for more information](https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account/)). Changing this forces a new resource to be created. -> **NOTE:** When this is set to `true` the `account_tier` argument must be set to `Standard`