How do you update the virtual network rules for a storage account?


We have a storage account that was manually created in the Azure portal - the virtual network rule was also created manually. Part of our Terraform script creates a vnet with a subnet and adds the subnet to the virtual network rules of this storage account; however, instead of updating the virtual network rules, it wipes the current configuration and just adds the new subnet.

Here is the script I am using:

> resource "azurerm_storage_account_network_rules" "network-rule" {
>   resource_group_name        = "${var.azure_region}-DEFAULT-STOR"
>   storage_account_name       = lower("${var.azure_region}packages")
>   default_action             = "Deny"
>   virtual_network_subnet_ids = [module.build_vnet_with_subnet.linux-snet-id]
> }

Terraform version: 0.12.20
azurerm provider: 1.43.0

Is it possible to add a new subnet to the existing virtual network rules of a storage account without losing the current configuration?

To Replicate

  1. Create a storage account that has at least 1 virtual network firewall rule
  2. Run terraform apply to add the new virtual network

Check the firewall rules and you will just see the new virtual network added

If you wish to use Terraform to modify something which already exists, then you need to write the resource definition and then import the existing resource into the statefile, using Terraform import.

Plan will then show the difference between what is and what you’ve written in the configuration. So, you can adjust until the plan looks right.

But then you’re just duplicating the Terraform configuration which created the storage.

IIUC that will also mean that terraform destroy will nuke the storage account when all you want it to do is remove the additional network rule!

Am I missing something? Is there really no way to update a resource which is externally managed?
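
The import approach suggested in the answer above, sketched against the configuration from the question (an added example, not code from anyone in this thread). The variable `existing_subnet_ids` and the `<storage-account-resource-id>` placeholder are assumptions, as is the import ID being the storage account's resource ID; check the provider documentation for your version. The point it shows is that `virtual_network_subnet_ids` is the full desired list, so the manually created rules have to appear in it next to the new subnet.

```hcl
# Assumption: IDs of the subnets already allowed on the storage account
# (the rules that were created manually in the portal).
variable "existing_subnet_ids" {
  type    = list(string)
  default = []
}

resource "azurerm_storage_account_network_rules" "network-rule" {
  resource_group_name  = "${var.azure_region}-DEFAULT-STOR"
  storage_account_name = lower("${var.azure_region}packages")
  default_action       = "Deny"

  # Full desired state: the existing rules plus the new subnet.
  # Anything not listed here is removed on apply.
  virtual_network_subnet_ids = concat(
    var.existing_subnet_ids,
    [module.build_vnet_with_subnet.linux-snet-id]
  )
}

# Bring the existing rule set under this resource, then review the plan
# before applying. The plan should show only the new subnet being added:
#
#   terraform import azurerm_storage_account_network_rules.network-rule <storage-account-resource-id>
#   terraform plan
```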