Firewall on azurerm_storage_account with Terraform


I would like to use this option on an Azure Storage Account.

With this code :

resource "azurerm_storage_account" "Terra-Sta" {
  count = length(local.StaNames)
  name  = element(local.StaNames, count.index)
  location = var.AzureRegion
  resource_group_name =
  account_tier             = local.StaTier
  account_replication_type = local.StaReplicaType
  allow_nested_items_to_be_public = element(local.StaNames, count.index) == local.StaNameExploit ? true : false

  tags = local.tags

This code let me an access to this storage account ‘local.StaNameExploit’. The others must be in deactivated.

For others storage accounts, I create a filter on subnets like this code :

resource "azurerm_storage_account_network_rules" "Terra-Sta02-VnetRule" {
  storage_account_id = azurerm_storage_account.Terra-Sta[1].id
  default_action             = local.StaVnetRuledDefaultAction
  virtual_network_subnet_ids = local.Sta02VnetRuleSubIds

resource "azurerm_storage_account_network_rules" "Terra-Sta03-VnetRule" {
  storage_account_id = azurerm_storage_account.Terra-Sta[2].id
  default_action             = local.StaVnetRuledDefaultAction
  virtual_network_subnet_ids = local.Sta03VnetRuleSubIds

resource "azurerm_storage_account_network_rules" "Terra-Sta04-VnetRule" {
  storage_account_id = azurerm_storage_account.Terra-Sta[3].id
  default_action             = local.StaVnetRuledDefaultAction
  virtual_network_subnet_ids = local.Sta04VnetRuleSubIds

The problem is that after aplying this code, all storage accounts are in 'Enabled from all networks
'. If I select manually 'Enabled from selected virtual networks and IP addresses
’ on the others storage accounts, I can see my network rules.

So is there a way to make Terraform understand, I want (and apply) the second option ?

Thank you so much.

1 Like

For me following worked:

on storage account set “public_network_access_enabled” to “true” and within the associated network rule the default action must be set to “Deny”.

1 Like

Hello @hitty5 ,

Sorry for the delay.
I need to use the second option on the storage account firewall : Enabled from selected virtual networks and IP addresses.

The problem is on : azurerm_storage_account
The option to do this is : public_network_access_enabled

The possible values are only True or False.
But I need an option like this : True with selected networks

Thanks, that worked for me.

@Brownie9 you can’t set “Enabled from selected virtual networks and IP addresses” with one setting in the definition of the Storage account. Leave it as default (public_network_access_enabled = true). Then set default action in network rules to “deny”

Example highlighted:

resource "azurerm_storage_account" "stacc1" {
  name                     = var.storage_account_name1
  resource_group_name      =
  location                 = azurerm_resource_group.rg1.location
  account_tier             = "Standard"
  account_replication_type = var.storage_account_replication
  **public_network_access_enabled = true /* doesn't need to be included as this is default setting  */ **


resource "azurerm_storage_account_network_rules" "stnetrules1" {
  storage_account_id    =
  **default_action        = "Deny"**
  bypass                = var.storage_account_bypass_settings
  ip_rules              = var.storage_account_public_ip_allow

variable "storage_account_bypass_settings" {
  type = list
  description = "any combination of Logging, Metrics, AzureServices, or None."
  default = ["Metrics", "Logging", "AzureServices"]

variable "storage_account_public_ip_allow" {
  type = list
  description = "Public IPs allowed to view / access storage account contents"
  default = ["x.x.x.x"]