From 32751d4bdff616b42f9fa2ff6d0e37679fdbae82 Mon Sep 17 00:00:00 2001 From: Sam Debruyn Date: Tue, 14 Jul 2020 11:07:57 +0200 Subject: [PATCH 1/2] Add property allow_blob_public_access to azurerm_storage_account --- .../storage/data_source_storage_account.go | 6 ++ .../storage/resource_arm_storage_account.go | 23 +++++ .../resource_arm_storage_account_test.go | 85 +++++++++++++++++++ website/docs/d/storage_account.html.markdown | 2 + website/docs/r/storage_account.html.markdown | 2 + 5 files changed, 118 insertions(+) diff --git a/azurerm/internal/services/storage/data_source_storage_account.go b/azurerm/internal/services/storage/data_source_storage_account.go index 6be24f9baa03..bf361ed79136 100644 --- a/azurerm/internal/services/storage/data_source_storage_account.go +++ b/azurerm/internal/services/storage/data_source_storage_account.go @@ -72,6 +72,11 @@ func dataSourceArmStorageAccount() *schema.Resource { Computed: true, }, + "allow_public_blob_access": { + Type: schema.TypeBool, + Computed: true, + }, + "is_hns_enabled": { Type: schema.TypeBool, Computed: true, @@ -307,6 +312,7 @@ func dataSourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) e d.Set("access_tier", props.AccessTier) d.Set("enable_https_traffic_only", props.EnableHTTPSTrafficOnly) d.Set("is_hns_enabled", props.IsHnsEnabled) + d.Set("allow_public_blob_access", props.AllowBlobPublicAccess) if customDomain := props.CustomDomain; customDomain != nil { if err := d.Set("custom_domain", flattenStorageAccountCustomDomain(customDomain)); err != nil { diff --git a/azurerm/internal/services/storage/resource_arm_storage_account.go b/azurerm/internal/services/storage/resource_arm_storage_account.go index 9725b253aa92..45c5674a72c5 100644 --- a/azurerm/internal/services/storage/resource_arm_storage_account.go +++ b/azurerm/internal/services/storage/resource_arm_storage_account.go 
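Review bot: In the `dataSourceArmStorageAccountRead` hunk, `d.Set("allow_public_blob_access", props.AllowBlobPublicAccess)` passes the SDK field straight through, and that field appears to be a pointer (the create hunk assigns `&allowPublicBlobAccess` to the same-named field). If the service omits the property for an account, the attribute would presumably read as `false` in state, which may not match what the service actually enforces; for a setting that governs anonymous access, a misleading `false` is worse than an error. Consider handling the nil case explicitly, e.g. `if v := props.AllowBlobPublicAccess; v != nil { d.Set("allow_public_blob_access", *v) }`, with a comment stating what an absent value means once confirmed against the API documentation. The same applies to the `resourceArmStorageAccountRead` hunk (`@@ -1014,6 +1036,7 @@`), where an unset value combined with `Default: true` could also produce a persistent diff. Both functions continue outside their hunks.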
@@ -145,6 +145,12 @@ func resourceArmStorageAccount() *schema.Resource { ForceNew: true, }, + "allow_public_blob_access": { + Type: schema.TypeBool, + Optional: true, + Default: true, + }, + "network_rules": { Type: schema.TypeList, Optional: true, @@ -611,6 +617,7 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e t := d.Get("tags").(map[string]interface{}) enableHTTPSTrafficOnly := d.Get("enable_https_traffic_only").(bool) isHnsEnabled := d.Get("is_hns_enabled").(bool) + allowPublicBlobAccess := d.Get("allow_public_blob_access").(bool) accountTier := d.Get("account_tier").(string) replicationType := d.Get("account_replication_type").(string) @@ -627,6 +634,7 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e EnableHTTPSTrafficOnly: &enableHTTPSTrafficOnly, NetworkRuleSet: expandStorageAccountNetworkRules(d), IsHnsEnabled: &isHnsEnabled, + AllowBlobPublicAccess: &allowPublicBlobAccess, }, } @@ -860,6 +868,20 @@ func resourceArmStorageAccountUpdate(d *schema.ResourceData, meta interface{}) e } } + if d.HasChange("allow_public_blob_access") { + allowPublicBlobAccess := d.Get("allow_public_blob_access").(bool) + + opts := storage.AccountUpdateParameters{ + AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ + AllowBlobPublicAccess: &allowPublicBlobAccess, + }, + } + + if _, err := client.Update(ctx, resourceGroupName, storageAccountName, opts); err != nil { + return fmt.Errorf("Error updating Azure Storage Account allow_public_blob_access %q: %+v", storageAccountName, err) + } + } + if d.HasChange("identity") { opts := storage.AccountUpdateParameters{ Identity: expandAzureRmStorageAccountIdentity(d), 
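Review bot: `Default: true` on the new `allow_public_blob_access` schema entry means every configuration that omits the attribute has the provider send `AllowBlobPublicAccess = true` on create, so anonymous access remains permitted at account level unless the author opts out. If this is deliberate to mirror the service default and avoid changing existing deployments, say so in a comment above the entry, for example `// Defaults to true to match the service behaviour; set to false to forbid anonymous blob/container access account-wide.` Otherwise `Default: false,` is the safer default, at the cost of a behaviour change for existing configurations, which would need a changelog note. `resourceArmStorageAccount` starts and ends outside this hunk.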
@@ -1014,6 +1036,7 @@ func resourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) err d.Set("access_tier", props.AccessTier) d.Set("enable_https_traffic_only", props.EnableHTTPSTrafficOnly) d.Set("is_hns_enabled", props.IsHnsEnabled) + d.Set("allow_public_blob_access", props.AllowBlobPublicAccess) if customDomain := props.CustomDomain; customDomain != nil { if err := d.Set("custom_domain", flattenStorageAccountCustomDomain(customDomain)); err != nil { diff --git a/azurerm/internal/services/storage/tests/resource_arm_storage_account_test.go b/azurerm/internal/services/storage/tests/resource_arm_storage_account_test.go index 82c4feffb0f1..a696a48a6930 100644 --- a/azurerm/internal/services/storage/tests/resource_arm_storage_account_test.go +++ b/azurerm/internal/services/storage/tests/resource_arm_storage_account_test.go 
@@ -234,6 +234,33 @@ func TestAccAzureRMStorageAccount_enableHttpsTrafficOnly(t *testing.T) { }) } +func TestAccAzureRMStorageAccount_allowPublicBlobAccess(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_storage_account", "test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acceptance.PreCheck(t) }, + Providers: acceptance.SupportedProviders, + CheckDestroy: testCheckAzureRMStorageAccountDestroy, + Steps: []resource.TestStep{ + { + Config: TestAccAzureRMStorageAccount_allowPublicBlobAccess(data), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMStorageAccountExists(data.ResourceName), + resource.TestCheckResourceAttr(data.ResourceName, "allow_public_blob_access", "true"), + ), + }, + data.ImportStep(), + { + Config: TestAccAzureRMStorageAccount_disAllowPublicBlobAccess(data), + Check: resource.ComposeTestCheckFunc( + testCheckAzureRMStorageAccountExists(data.ResourceName), + resource.TestCheckResourceAttr(data.ResourceName, "allow_public_blob_access", "false"), + ), + }, + }, + }) +} + func TestAccAzureRMStorageAccount_isHnsEnabled(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_storage_account", "test") 
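Review bot: The first step of `TestAccAzureRMStorageAccount_allowPublicBlobAccess` asserts `"true"`, which is also the schema default, so it cannot tell "the attribute was honoured" apart from "the default was applied". No step covers a configuration that omits the attribute, and that case decides whether accounts end up permitting anonymous access without the author asking for it. Consider starting from the `false` configuration and then switching to `true`, plus a step (or an assertion in the existing basic test) such as `resource.TestCheckResourceAttr(data.ResourceName, "allow_public_blob_access", "true")` against a config without the attribute, so that a later change of default is caught. The second step is also not followed by `data.ImportStep()`, so import of the `false` value is not exercised.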
@@ -942,6 +969,64 @@ resource "azurerm_storage_account" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomString) } +func TestAccAzureRMStorageAccount_allowPublicBlobAccess(data acceptance.TestData) string { + return fmt.Sprintf(` + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-storage-%d" + location = "%s" +} + +resource "azurerm_storage_account" "test" { + name = "unlikely23exst2acct%s" + resource_group_name = azurerm_resource_group.test.name + + location = azurerm_resource_group.test.location + account_tier = "Standard" + account_replication_type = "LRS" + allow_public_blob_access = true + + tags = { + environment = "production" + } +} + + `, data.RandomInteger, data.Locations.Primary, data.RandomString) +} + +func TestAccAzureRMStorageAccount_disAllowPublicBlobAccess(data acceptance.TestData) string { + return fmt.Sprintf(` + +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-storage-%d" + location = "%s" +} + +resource "azurerm_storage_account" "test" { + name = "unlikely23exst2acct%s" + resource_group_name = azurerm_resource_group.test.name + + location = azurerm_resource_group.test.location + account_tier = "Standard" + account_replication_type = "LRS" + allow_public_blob_access = false + + tags = { + environment = "production" + } +} + + `, data.RandomInteger, data.Locations.Primary, data.RandomString) +} + func testAccAzureRMStorageAccount_isHnsEnabledTrue(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { diff --git a/website/docs/d/storage_account.html.markdown b/website/docs/d/storage_account.html.markdown index f20cdc38a725..138769cb0466 100644 --- a/website/docs/d/storage_account.html.markdown +++ b/website/docs/d/storage_account.html.markdown 
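Review bot: The two added config helpers are the same 25-line HCL template and differ only in the boolean on the `allow_public_blob_access` line. A single helper taking the value would remove the duplication and make the true/false pair harder to get out of sync: `func testAccAzureRMStorageAccount_allowPublicBlobAccess(data acceptance.TestData, allow bool) string` with `allow_public_blob_access = %t` in the template and `allow` appended to the `fmt.Sprintf` arguments. In this patch the helpers also carry the exported `Test…` prefix and one shares its name with the test function added in the previous hunk, so this commit would not build on its own; the follow-up patch renames them, but squashing the two would keep history bisectable.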
@@ -46,6 +46,8 @@ output "storage_account_tier" { * `enable_https_traffic_only` - Is traffic only allowed via HTTPS? See [here](https://docs.microsoft.com/en-us/azure/storage/storage-require-secure-transfer/) for more information. +* `allow_public_blob_access` - Is public access allowed to all blobs or containers in the storage account? + * `is_hns_enabled` - Is Hierarchical Namespace enabled? * `custom_domain` - A `custom_domain` block as documented below. diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown index 1ed439955a85..de51297cb1c9 100644 --- a/website/docs/r/storage_account.html.markdown +++ b/website/docs/r/storage_account.html.markdown @@ -97,6 +97,8 @@ The following arguments are supported: * `enable_https_traffic_only` - (Optional) Boolean flag which forces HTTPS if enabled, see [here](https://docs.microsoft.com/en-us/azure/storage/storage-require-secure-transfer/) for more information. Defaults to `true`. +* `allow_public_blob_access` - Allow or disallow public access to all blobs or containers in the storage account. Defaults to `true`. + * `is_hns_enabled` - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 ([see here for more information](https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account/)). Changing this forces a new resource to be created. -> **NOTE:** When this is set to `true` the `account_tier` argument must be set to `Standard` From 2c891b19dae4b43b488d97d95bc232fec7145964 Mon Sep 17 00:00:00 2001 
From: Sam Debruyn Date: Tue, 14 Jul 2020 11:18:25 +0200 Subject: [PATCH 2/2] fix consistent naming allow_blob_public_access --- .../storage/data_source_storage_account.go | 4 ++-- .../storage/resource_arm_storage_account.go | 16 ++++++++-------- .../tests/resource_arm_storage_account_test.go | 18 +++++++++--------- website/docs/d/storage_account.html.markdown | 2 +- website/docs/r/storage_account.html.markdown | 2 +- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/azurerm/internal/services/storage/data_source_storage_account.go b/azurerm/internal/services/storage/data_source_storage_account.go index bf361ed79136..07531d69f4ec 100644 --- a/azurerm/internal/services/storage/data_source_storage_account.go +++ b/azurerm/internal/services/storage/data_source_storage_account.go @@ -72,7 +72,7 @@ func dataSourceArmStorageAccount() *schema.Resource { Computed: true, }, - "allow_public_blob_access": { + "allow_blob_public_access": { Type: schema.TypeBool, Computed: true, }, @@ -312,7 +312,7 @@ func dataSourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) e d.Set("access_tier", props.AccessTier) d.Set("enable_https_traffic_only", props.EnableHTTPSTrafficOnly) d.Set("is_hns_enabled", props.IsHnsEnabled) - d.Set("allow_public_blob_access", props.AllowBlobPublicAccess) + d.Set("allow_blob_public_access", props.AllowBlobPublicAccess) if customDomain := props.CustomDomain; customDomain != nil { if err := d.Set("custom_domain", flattenStorageAccountCustomDomain(customDomain)); err != nil { diff --git a/azurerm/internal/services/storage/resource_arm_storage_account.go b/azurerm/internal/services/storage/resource_arm_storage_account.go index 45c5674a72c5..8e0d7ea0df5a 100644 --- a/azurerm/internal/services/storage/resource_arm_storage_account.go +++ b/azurerm/internal/services/storage/resource_arm_storage_account.go 
@@ -145,7 +145,7 @@ func resourceArmStorageAccount() *schema.Resource { ForceNew: true, }, - "allow_public_blob_access": { + "allow_blob_public_access": { Type: schema.TypeBool, Optional: true, Default: true, @@ -617,7 +617,7 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e t := d.Get("tags").(map[string]interface{}) enableHTTPSTrafficOnly := d.Get("enable_https_traffic_only").(bool) isHnsEnabled := d.Get("is_hns_enabled").(bool) - allowPublicBlobAccess := d.Get("allow_public_blob_access").(bool) + allowBlobPublicAccess := d.Get("allow_blob_public_access").(bool) accountTier := d.Get("account_tier").(string) replicationType := d.Get("account_replication_type").(string) @@ -634,7 +634,7 @@ func resourceArmStorageAccountCreate(d *schema.ResourceData, meta interface{}) e EnableHTTPSTrafficOnly: &enableHTTPSTrafficOnly, NetworkRuleSet: expandStorageAccountNetworkRules(d), IsHnsEnabled: &isHnsEnabled, - AllowBlobPublicAccess: &allowPublicBlobAccess, + AllowBlobPublicAccess: &allowBlobPublicAccess, }, } @@ -868,17 +868,17 @@ func resourceArmStorageAccountUpdate(d *schema.ResourceData, meta interface{}) e } } - if d.HasChange("allow_public_blob_access") { - allowPublicBlobAccess := d.Get("allow_public_blob_access").(bool) + if d.HasChange("allow_blob_public_access") { + allowBlobPublicAccess := d.Get("allow_blob_public_access").(bool) opts := storage.AccountUpdateParameters{ AccountPropertiesUpdateParameters: &storage.AccountPropertiesUpdateParameters{ - AllowBlobPublicAccess: &allowPublicBlobAccess, + AllowBlobPublicAccess: &allowBlobPublicAccess, }, } if _, err := client.Update(ctx, resourceGroupName, storageAccountName, opts); err != nil { - return fmt.Errorf("Error updating Azure Storage Account allow_public_blob_access %q: %+v", storageAccountName, err) + return fmt.Errorf("Error updating Azure Storage Account allow_blob_public_access %q: %+v", storageAccountName, err) } } 
@@ -1036,7 +1036,7 @@ func resourceArmStorageAccountRead(d *schema.ResourceData, meta interface{}) err d.Set("access_tier", props.AccessTier) d.Set("enable_https_traffic_only", props.EnableHTTPSTrafficOnly) d.Set("is_hns_enabled", props.IsHnsEnabled) - d.Set("allow_public_blob_access", props.AllowBlobPublicAccess) + d.Set("allow_blob_public_access", props.AllowBlobPublicAccess) if customDomain := props.CustomDomain; customDomain != nil { if err := d.Set("custom_domain", flattenStorageAccountCustomDomain(customDomain)); err != nil { diff --git a/azurerm/internal/services/storage/tests/resource_arm_storage_account_test.go b/azurerm/internal/services/storage/tests/resource_arm_storage_account_test.go index a696a48a6930..e24b7dd1216b 100644 --- a/azurerm/internal/services/storage/tests/resource_arm_storage_account_test.go +++ b/azurerm/internal/services/storage/tests/resource_arm_storage_account_test.go @@ -234,7 +234,7 @@ func TestAccAzureRMStorageAccount_enableHttpsTrafficOnly(t *testing.T) { }) } -func TestAccAzureRMStorageAccount_allowPublicBlobAccess(t *testing.T) { +func TestAccAzureRMStorageAccount_allowBlobPublicAccess(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_storage_account", "test") resource.ParallelTest(t, resource.TestCase{ 
@@ -243,18 +243,18 @@ func TestAccAzureRMStorageAccount_allowPublicBlobAccess(t *testing.T) { CheckDestroy: testCheckAzureRMStorageAccountDestroy, Steps: []resource.TestStep{ { - Config: TestAccAzureRMStorageAccount_allowPublicBlobAccess(data), + Config: testAccAzureRMStorageAccount_allowBlobPublicAccess(data), Check: resource.ComposeTestCheckFunc( testCheckAzureRMStorageAccountExists(data.ResourceName), - resource.TestCheckResourceAttr(data.ResourceName, "allow_public_blob_access", "true"), + resource.TestCheckResourceAttr(data.ResourceName, "allow_blob_public_access", "true"), ), }, data.ImportStep(), { - Config: TestAccAzureRMStorageAccount_disAllowPublicBlobAccess(data), + Config: testAccAzureRMStorageAccount_disAllowBlobPublicAccess(data), Check: resource.ComposeTestCheckFunc( testCheckAzureRMStorageAccountExists(data.ResourceName), - resource.TestCheckResourceAttr(data.ResourceName, "allow_public_blob_access", "false"), + resource.TestCheckResourceAttr(data.ResourceName, "allow_blob_public_access", "false"), ), }, }, @@ -969,7 +969,7 @@ resource "azurerm_storage_account" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomString) } -func TestAccAzureRMStorageAccount_allowPublicBlobAccess(data acceptance.TestData) string { +func testAccAzureRMStorageAccount_allowBlobPublicAccess(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { @@ -988,7 +988,7 @@ resource "azurerm_storage_account" "test" { location = azurerm_resource_group.test.location account_tier = "Standard" account_replication_type = "LRS" - allow_public_blob_access = true + allow_blob_public_access = true tags = { environment = "production" 
@@ -998,7 +998,7 @@ resource "azurerm_storage_account" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomString) } -func TestAccAzureRMStorageAccount_disAllowPublicBlobAccess(data acceptance.TestData) string { +func testAccAzureRMStorageAccount_disAllowBlobPublicAccess(data acceptance.TestData) string { return fmt.Sprintf(` provider "azurerm" { @@ -1017,7 +1017,7 @@ resource "azurerm_storage_account" "test" { location = azurerm_resource_group.test.location account_tier = "Standard" account_replication_type = "LRS" - allow_public_blob_access = false + allow_blob_public_access = false tags = { environment = "production" diff --git a/website/docs/d/storage_account.html.markdown b/website/docs/d/storage_account.html.markdown index 138769cb0466..c7f18fb4d8a2 100644 --- a/website/docs/d/storage_account.html.markdown +++ b/website/docs/d/storage_account.html.markdown @@ -46,7 +46,7 @@ output "storage_account_tier" { * `enable_https_traffic_only` - Is traffic only allowed via HTTPS? See [here](https://docs.microsoft.com/en-us/azure/storage/storage-require-secure-transfer/) for more information. -* `allow_public_blob_access` - Is public access allowed to all blobs or containers in the storage account? +* `allow_blob_public_access` - Is public access allowed to all blobs or containers in the storage account? * `is_hns_enabled` - Is Hierarchical Namespace enabled? diff --git a/website/docs/r/storage_account.html.markdown b/website/docs/r/storage_account.html.markdown index de51297cb1c9..c5a91a96ddcc 100644 --- a/website/docs/r/storage_account.html.markdown +++ b/website/docs/r/storage_account.html.markdown 
@@ -97,7 +97,7 @@ The following arguments are supported: * `enable_https_traffic_only` - (Optional) Boolean flag which forces HTTPS if enabled, see [here](https://docs.microsoft.com/en-us/azure/storage/storage-require-secure-transfer/) for more information. Defaults to `true`. -* `allow_public_blob_access` - Allow or disallow public access to all blobs or containers in the storage account. Defaults to `true`. +* `allow_blob_public_access` - Allow or disallow public access to all blobs or containers in the storage account. Defaults to `true`. * `is_hns_enabled` - (Optional) Is Hierarchical Namespace enabled? This can be used with Azure Data Lake Storage Gen 2 ([see here for more information](https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account/)). Changing this forces a new resource to be created.