I am guessing that the authorization is not added automatically.
The snippet below:
# Storage account, created only when no existing account name was supplied.
resource "azurerm_storage_account" "default" {
  count                    = var.storage_account_name == "" ? 1 : 0
  name                     = local.storage_account_name
  resource_group_name      = local.resource_group_name
  location                 = local.resource_group_location
  account_tier             = "Standard"
  account_replication_type = "ZRS"

  tags = {
    environment = var.environment
  }
}

# Private blob container in that account. Note that the account is referenced
# by its local name, not by the resource above, so Terraform sees no dependency
# between the two and must look the account up by name at plan/apply time.
resource "azurerm_storage_container" "default" {
  name                  = local.storage_container_name
  storage_account_name  = local.storage_account_name
  container_access_type = "private"
}
will yield the following error:
Error: Unable to locate Storage Account "myspiffystorage"!
on modules/storage_blob/main.tf line 21, in resource "azurerm_storage_container" "default":
21: resource "azurerm_storage_container" "default" {
This is likely because the identity running Terraform lacks permissions on the storage API, but you would not know that from the azurerm provider's output.
Hopefully this part won’t be painful and is idempotent:
# Look up the signed-in user's object id and grant it the data-plane blob role
# scoped to this one storage account (not the whole subscription).
# Newer Azure CLI releases (2.37 and later) return the field as "id" instead of
# "objectId"; adjust the --query accordingly.
az ad signed-in-user show --query objectId -o tsv | az role assignment create \
  --role "Storage Blob Data Contributor" \
  --assignee @- \
  --scope "/subscriptions/${MY_ACCOUNT_ID}/resourceGroups/${MY_RESOURCE_GROUP}/providers/Microsoft.Storage/storageAccounts/${MY_STORAGE_ACCT}"
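The same grant can be declared in Terraform instead of being applied by hand, which keeps it in state and lets the container wait for it. This is an added example, not code from the original post; it assumes the storage account is managed in this module (no count) and that the deploying identity is allowed to create role assignments.

```hcl
# Added example: grant the deploying identity "Storage Blob Data Contributor"
# on the account from Terraform, so the data-plane permission exists before the
# container is created and is tracked in state rather than applied ad hoc.

data "azurerm_client_config" "current" {}

resource "azurerm_storage_account" "default" {
  name                     = local.storage_account_name
  resource_group_name      = local.resource_group_name
  location                 = local.resource_group_location
  account_tier             = "Standard"
  account_replication_type = "ZRS"

  tags = {
    environment = var.environment
  }
}

# Scope the role to this one account only (least privilege), using the object
# id of whatever principal is running Terraform.
resource "azurerm_role_assignment" "blob_contributor" {
  scope                = azurerm_storage_account.default.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_storage_container" "default" {
  name                  = local.storage_container_name
  # Reference the resource, not the local, so Terraform orders the creation.
  storage_account_name  = azurerm_storage_account.default.name
  container_access_type = "private"

  # Do not attempt the container until the role assignment has been created.
  depends_on = [azurerm_role_assignment.blob_contributor]
}
```

Role assignments in Azure propagate asynchronously, so a first apply can still race the grant; a re-run after a short wait is the usual remedy.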