When enabling extended_auditing_policy towards a firewalled (but not with private endpoint) storage account, the SQL Server fails to create successfully, saying there are "Insufficient read or write permissions on storage account". However, I made sure I fulfilled all these requirements.
I also noticed the SQL Server Service Principal is not automatically granted the "Storage Blob Data Contributor" role on the Storage Account like it happens when the setting is enabled from the Azure Portal. But even adding an azurerm_role_assignment does not help.
I could work around the issue by disabling the firewall on the storage account.
Given this seems to be a duplicate of #6906 - rather than having multiple issues open tracking the same thing I'm going to close this issue in favour of that one; would you mind subscribing to #6906 for updates? Or feel free to reopen if you believe these two issues are not talking about the same thing.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
Community Note
Terraform (and AzureRM Provider) Version
Affected Resource(s)
azurerm_mssql_server
Terraform Configuration Files
Debug Output
https://gist.github.com/mikemowgli/b0ece0be08ba5d29509d031e7f458943
Expected Behavior
Auditing setting applied and SQL server created successfully.
Actual Behavior
Failure to enable extended auditing setting
Steps to Reproduce
terraform apply
References
https://docs.microsoft.com/en-us/azure/azure-sql/database/audit-write-storage-account-behind-vnet-firewall#prerequisites
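As an added example (not from this issue, the provider's own code or the linked article), the configuration shape the linked prerequisites describe for auditing into a storage account whose firewall stays on: the server gets a system-assigned identity, that identity is granted Storage Blob Data Contributor, the storage firewall stays on Deny with trusted Microsoft services allowed to bypass it, and the auditing policy is ordered after the role assignment. All resource names are placeholders, `var.sql_admin_password` is assumed to be declared elsewhere, and it assumes a provider version that offers the separate azurerm_mssql_server_extended_auditing_policy resource and falls back to the server identity when no storage access key is given.

```hcl
# Added example with placeholder names; assumes an azurerm version that
# provides the azurerm_mssql_server_extended_auditing_policy resource.
resource "azurerm_resource_group" "example" {
  name     = "rg-sql-audit-example"
  location = "westeurope"
}

resource "azurerm_storage_account" "audit" {
  name                     = "stsqlauditexample" # placeholder, globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Firewall stays on (default Deny); trusted Microsoft services, which the
  # linked article lists as a prerequisite, are allowed to bypass it.
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

resource "azurerm_mssql_server" "example" {
  name                         = "sql-audit-example" # placeholder
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = var.sql_admin_password # keep secrets out of code

  # Auditing authenticates as this identity rather than with a storage key.
  identity {
    type = "SystemAssigned"
  }
}

# The issue notes the provider does not grant this role for you (the portal does).
resource "azurerm_role_assignment" "sql_audit_writer" {
  scope                = azurerm_storage_account.audit.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_mssql_server.example.identity[0].principal_id
}

resource "azurerm_mssql_server_extended_auditing_policy" "example" {
  server_id         = azurerm_mssql_server.example.id
  storage_endpoint  = azurerm_storage_account.audit.primary_blob_endpoint
  retention_in_days = 90 # no storage_account_access_key: identity is used (assumption)
  # Role assignments propagate asynchronously; order the policy after it.
  depends_on = [azurerm_role_assignment.sql_audit_writer]
}
```

If the permission error still appears after apply, a second apply once the role assignment has propagated is the first thing to check before loosening the storage firewall.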