Firewall on azurerm_storage_account with Terraform


I would like to use this option on an Azure Storage Account.

With this code :

resource "azurerm_storage_account" "Terra-Sta" {
  count = length(local.StaNames)
  name  = element(local.StaNames, count.index)
  location = var.AzureRegion
  resource_group_name =
  account_tier             = local.StaTier
  account_replication_type = local.StaReplicaType
  allow_nested_items_to_be_public = element(local.StaNames, count.index) == local.StaNameExploit ? true : false

  tags = local.tags

This code let me an access to this storage account ‘local.StaNameExploit’. The others must be in deactivated.

For others storage accounts, I create a filter on subnets like this code :

resource "azurerm_storage_account_network_rules" "Terra-Sta02-VnetRule" {
  storage_account_id = azurerm_storage_account.Terra-Sta[1].id
  default_action             = local.StaVnetRuledDefaultAction
  virtual_network_subnet_ids = local.Sta02VnetRuleSubIds

resource "azurerm_storage_account_network_rules" "Terra-Sta03-VnetRule" {
  storage_account_id = azurerm_storage_account.Terra-Sta[2].id
  default_action             = local.StaVnetRuledDefaultAction
  virtual_network_subnet_ids = local.Sta03VnetRuleSubIds

resource "azurerm_storage_account_network_rules" "Terra-Sta04-VnetRule" {
  storage_account_id = azurerm_storage_account.Terra-Sta[3].id
  default_action             = local.StaVnetRuledDefaultAction
  virtual_network_subnet_ids = local.Sta04VnetRuleSubIds

The problem is that after aplying this code, all storage accounts are in 'Enabled from all networks
'. If I select manually 'Enabled from selected virtual networks and IP addresses
’ on the others storage accounts, I can see my network rules.

So is there a way to make Terraform understand, I want (and apply) the second option ?

Thank you so much.

1 Like

For me following worked:

on storage account set “public_network_access_enabled” to “true” and within the associated network rule the default action must be set to “Deny”.

Hello @hitty5 ,

Sorry for the delay.
I need to use the second option on the storage account firewall : Enabled from selected virtual networks and IP addresses.

The problem is on : azurerm_storage_account
The option to do this is : public_network_access_enabled

The possible values are only True or False.
But I need an option like this : True with selected networks