Skip to content
This repository has been archived by the owner on Feb 16, 2024. It is now read-only.

avoid azapi #4

Closed
davidkarlsen opened this issue Nov 19, 2023 · 4 comments
Closed

avoid azapi #4

davidkarlsen opened this issue Nov 19, 2023 · 4 comments

Comments

@davidkarlsen
Copy link

Isn't the data-plane roles tied to the ARM api anyways? So that instead of using azapi to create container, one could use https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container ?
@kewalaka
Copy link
Owner

the create container acts as a control plane operation in the REST API, but the Terraform azurerm equivalent appears to make use of the shared keys (if they are enabled), or otherwise requires a data plane RBAC applied.

it is an odd behavioural difference between the two, which probably should be raised as a bug, if it isn't already.

Happy to be shown an example where this isn't the case (noting the point regarding the shared keys), but this is my experience, and I believe I did try without azapi first this time around as well (but, happy if you wanted to take that example and confirm...)

@davidkarlsen
Copy link
Author

It would be nice to see an example - also note that it takes some time from a RBAC assignment until the role takes effect due to eventual consistency. AFAIR we've been able to do this in the past, but I can double check.

@kewalaka
Copy link
Owner

hi @davidkarlsen - here is a related bug that illustrates the difference between azurerm & azapi.

hashicorp/terraform-provider-azurerm#2977

The key thing that many miss is this setting in their provider block:

provider "azurerm" {
  features {}
  # this setting switches Terraform from using Shared Key Authentication to using Entra ID
  storage_use_azuread        = true
}

Missing this step is a common oversight I see, especially with storage containers used for terraform state - I see "least privileges" on the data plane (e.g. Storage Blob Data Contributor), not realising that under the hood Terraform is just using the shared keys :).

Shared Key authorisation is disabled by default in this resource (as per AVM specs which require aligning to WAF principles), this behaviour can be overridden by setting the shared_access_key_enabled variable.

It's worth noting there are some limitations when disabling Shared Key authorisation, e.g. when using the table & files API as per the AzureRM provider documentation, however this approach works well for things like Terraform state (or any blob workload).

If you wanted to try it our yourself, you could simply take the default example and try create a storage container using the azurerm resource, i.e. something like this:

resource "azurerm_storage_container" "this" {
  name                 = module.naming.storage_container.name_unique
  storage_account_name = module.storage_account.resource.name
}

Hope that's useful & answers this question.

@kewalaka
Copy link
Owner

@davidkarlsen, so, curiosity got the better of me:

https://github.com/kewalaka/terraform-storagecontainer-sharedkeys

closing on the basis of this output, which shows the behaviour conclusively.

@kewalaka kewalaka mentioned this issue Nov 29, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davidkarlsen @kewalaka