Mixing network ACLs and publicNetworkAccess with a storage account Bicep module?

Thread starter: Filip Drzewiecki (Guest)
So I have a Bicep module for a storage account that is quite simple tbh:

Code:
// Module inputs (types inferred from how the values are used below)
param name string
param location string
param sku string
param tags object
param identity object
param is_hns_enabled bool
param vnet_rules array
param network_acls_default_action string   // 'Allow' or 'Deny'
param allow_shared_key_access bool

resource storage_account 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  sku: {
    name: sku
  }
  kind: 'StorageV2'
  name: name
  location: location
  tags: tags
  identity: identity
  properties: {
    allowBlobPublicAccess: false
    isHnsEnabled: is_hns_enabled == false ? null : is_hns_enabled
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: vnet_rules
      defaultAction: network_acls_default_action
    }
    allowSharedKeyAccess: allow_shared_key_access
    accessTier: 'Hot'
  }
}

So this sets the storage account with Public Network Access set to: Enabled from selected virtual networks and IP addresses, and later some private endpoints are added to the mix.

The thing is, now I need to create just one storage account with Public Network Access set to: Enabled for all networks, as I need to store linked templates there and, per Microsoft, this is the only way to get them from a storage account (so no firewall settings etc.).

The problem is, if I set publicNetworkAccess: Enabled, all the ACLs and private endpoints don't make much sense, but what I think is the bigger problem is that I can't set publicNetworkAccess to Disabled, as this will also brick all network ACLs for that storage account and only private endpoints will be working, right?

I thought that if I set publicNetworkAccess to "Null" I could still use the ACLs, but it looks like this is not possible, as the only valid values are Enabled or Disabled...

Code:
// Module inputs (types inferred from how the values are used below)
param name string
param location string
param sku string
param tags object
param identity object
param is_hns_enabled bool
param vnet_rules array
param network_acls_default_action string   // 'Allow' or 'Deny'
param allow_shared_key_access bool
param enablePublicNetworkAccess bool

resource storage_account 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  sku: {
    name: sku
  }
  kind: 'StorageV2'
  name: name
  location: location
  tags: tags
  identity: identity
  properties: {
    allowBlobPublicAccess: false
    isHnsEnabled: is_hns_enabled == false ? null : is_hns_enabled
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowSharedKeyAccess: allow_shared_key_access
    accessTier: 'Hot'
    // 'Null' here is a string literal, not the Bicep null value, which is
    // why the deployment rejects it (see the text above)
    publicNetworkAccess: enablePublicNetworkAccess ? 'Enabled' : 'Null'

    networkAcls: enablePublicNetworkAccess ? null : {
      bypass: 'AzureServices'
      virtualNetworkRules: vnet_rules
      defaultAction: network_acls_default_action
    }
  }
}

Of course, the simplest workaround here would be to either use a different module or just create the resource and not use the module for this single storage account. Any idea if this is possible to achieve?
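As an added example (editor's code, not the poster's module), the following Bicep module folds the three networking modes the post juggles into one parameter. It relies on how the portal labels map onto the resource properties: "Enabled from all networks" is publicNetworkAccess Enabled with networkAcls.defaultAction Allow, "Enabled from selected virtual networks and IP addresses" is publicNetworkAccess Enabled with defaultAction Deny plus rules, and "Disabled" is publicNetworkAccess Disabled (private endpoints only). The parameter names, the SystemAssigned identity and the API version 2023-01-01 (chosen because it carries publicNetworkAccess) are assumptions, not anything from the post.

```bicep
// Added example: one storage account module, one networkMode parameter.
// Assumptions: API version 2023-01-01, parameter names, SystemAssigned identity.

@description('Storage account name (3-24 lowercase letters and digits).')
param name string

param location string = resourceGroup().location

@allowed([
  'Standard_LRS'
  'Standard_ZRS'
  'Standard_GRS'
  'Premium_LRS'
])
param sku string = 'Standard_LRS'

// Portal label            -> publicNetworkAccess / networkAcls.defaultAction
//   AllNetworks           -> Enabled  / Allow   (rules present but irrelevant)
//   SelectedNetworks      -> Enabled  / Deny    (rules decide who gets in)
//   Disabled              -> Disabled / Deny    (ACLs inert, private endpoints only)
@allowed([
  'AllNetworks'
  'SelectedNetworks'
  'Disabled'
])
param networkMode string = 'SelectedNetworks'

@description('Subnet resource IDs allowed through the firewall (SelectedNetworks only).')
param allowedSubnetIds array = []

@description('Public IPv4 addresses or CIDR ranges allowed through the firewall (SelectedNetworks only).')
param allowedIpRanges array = []

// Left as an input: a SAS-based linked-template fetch depends on this setting.
param allowSharedKeyAccess bool = true

param isHnsEnabled bool = false

param tags object = {}

// Only Disabled turns the public endpoint off; AllNetworks is the only mode
// whose firewall default is Allow. networkAcls is always emitted, so the
// module never has to drop the ACL block the way the original attempt did.
var publicNetworkAccess = networkMode == 'Disabled' ? 'Disabled' : 'Enabled'
var defaultAction = networkMode == 'AllNetworks' ? 'Allow' : 'Deny'

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  tags: tags
  kind: 'StorageV2'
  sku: {
    name: sku
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    publicNetworkAccess: publicNetworkAccess
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: defaultAction
      virtualNetworkRules: [for subnetId in allowedSubnetIds: {
        id: subnetId
        action: 'Allow'
      }]
      ipRules: [for ipRange in allowedIpRanges: {
        value: ipRange
        action: 'Allow'
      }]
    }
    // Opening the network path does not mean opening the data: anonymous blob
    // access stays off, so a caller on the public internet still needs an
    // Entra ID token or a SAS to read the linked templates.
    allowBlobPublicAccess: false
    allowSharedKeyAccess: allowSharedKeyAccess
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    isHnsEnabled: isHnsEnabled
  }
}

output id string = storageAccount.id
output effectivePublicNetworkAccess string = publicNetworkAccess
output effectiveDefaultAction string = defaultAction
```

The single-account case from the post is then `networkMode: 'AllNetworks'` with everything else left at defaults, while the existing accounts keep `SelectedNetworks` with their subnet list; after deployment `az storage account show` (querying `publicNetworkAccess` and `networkRuleSet.defaultAction`) confirms which of the three combinations is actually in effect.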