将存储共享添加到 Azure 存储帐户时出错
Error on adding a storage share to the Azure storage account
添加 azurerm_storage_share.
后 运行 terraform apply 出现以下错误
Error: Error checking for existence of existing Storage Share "fileshare"
(Account "sttestforaddingfileshare" / Resource Group "resources"):
shares.Client#GetProperties: Failure responding to request: StatusCode=403
-- Original Error: autorest/azure: Service returned an error.
Status=403 Code="AuthorizationFailure"
Message="This request is not authorized to perform this operation.
\nRequestId:188ae38b-e01a-000b-35b3-a32ea2000000
\nTime:2020-10-16T11:55:16.7337008Z"
我认为原因很可能是 Terraform 试图列出存储帐户中的现有文件共享,直接访问存储帐户的 REST API 而不是 Azure 资源管理器的 REST API。
它失败了,因为存在不包含运行 terraform 的主机 IP 的防火墙规则。当我将笔记本电脑的 IP 添加到防火墙规则时,它就起作用了。但这不是期望的行为。
您知道任何解决方法吗?感谢任何帮助。
我的TF配置如下:
provider "azurerm" {
version = "= 2.32.0"
features {}
}
resource "azurerm_resource_group" "rg" {
name = "resources"
location = var.location
}
resource "azurerm_virtual_network" "vnet" {
name = "vnet"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
address_space = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "snet" {
name = "snet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.0.1.0/24"]
service_endpoints = [ "Microsoft.Storage" ]
}
resource "azurerm_storage_account" "storage" {
name = "sttestforaddingfileshare"
resource_group_name = azurerm_resource_group.rg.name
location = var.location
account_tier = "Standard"
account_replication_type = "LRS"
network_rules {
default_action = "Deny"
virtual_network_subnet_ids = [ azurerm_subnet.snet.id ]
bypass = [ "None" ]
}
}
resource "azurerm_storage_share" "file_share" {
name = "fileshare"
storage_account_name = azurerm_storage_account.storage.name
quota = 100
}
您可以使用 azurerm_storage_account_network_rules 资源来定义网络规则并删除直接在 azurerm_storage_account 资源上定义的网络规则块。
此外,您可以通过使用 az CLI 而不是单独的资源来创建文件共享 "azurerm_storage_share"
经过我的验证,
PS D:\Terraform> .\terraform.exe -v
Terraform v0.13.4
+ provider registry.terraform.io/hashicorp/azurerm v2.32.0
在 terraform apply 和 terraform destroy 时有效。
resource "azurerm_storage_account" "storage" {
name = "nnnstore1"
resource_group_name = azurerm_resource_group.rg.name
location = var.location
account_tier = "Standard"
account_replication_type = "LRS"
provisioner "local-exec" {
command =<<EOT
az storage share create `
--account-name ${azurerm_storage_account.storage.name} `
--account-key ${azurerm_storage_account.storage.primary_access_key} `
--name ${var.myshare} `
--quota 100
EOT
interpreter = [ "Powershell", "-c"]
}
}
resource "azurerm_storage_account_network_rules" "test" {
resource_group_name = azurerm_resource_group.rg.name
storage_account_name = azurerm_storage_account.storage.name
default_action = "Deny"
virtual_network_subnet_ids = [azurerm_subnet.snet.id]
bypass = ["None"]
}
我最近 运行 在尝试为容器组创建存储共享时遇到了这个问题。它与您的代码几乎相同,但带有额外的容器组。
我在部署新堆栈时遇到了这个问题,我通过部署除存储共享组件和对它的所有引用之外的所有内容来绕过错误。
完成后我引入了存储共享并重新部署没有问题。
糟糕的解决方法但再次部署。
添加 azurerm_storage_share.
terraform apply 出现以下错误
Error: Error checking for existence of existing Storage Share "fileshare"
(Account "sttestforaddingfileshare" / Resource Group "resources"):
shares.Client#GetProperties: Failure responding to request: StatusCode=403
-- Original Error: autorest/azure: Service returned an error.
Status=403 Code="AuthorizationFailure"
Message="This request is not authorized to perform this operation.
\nRequestId:188ae38b-e01a-000b-35b3-a32ea2000000
\nTime:2020-10-16T11:55:16.7337008Z"
我认为原因很可能是 Terraform 试图列出存储帐户中的现有文件共享,直接访问存储帐户的 REST API 而不是 Azure 资源管理器的 REST API。
它失败了,因为存在不包含运行 terraform 的主机 IP 的防火墙规则。当我将笔记本电脑的 IP 添加到防火墙规则时,它就起作用了。但这不是期望的行为。
您知道任何解决方法吗?感谢任何帮助。
我的TF配置如下:
provider "azurerm" {
version = "= 2.32.0"
features {}
}
resource "azurerm_resource_group" "rg" {
name = "resources"
location = var.location
}
resource "azurerm_virtual_network" "vnet" {
name = "vnet"
location = var.location
resource_group_name = azurerm_resource_group.rg.name
address_space = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "snet" {
name = "snet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.0.1.0/24"]
service_endpoints = [ "Microsoft.Storage" ]
}
resource "azurerm_storage_account" "storage" {
name = "sttestforaddingfileshare"
resource_group_name = azurerm_resource_group.rg.name
location = var.location
account_tier = "Standard"
account_replication_type = "LRS"
network_rules {
default_action = "Deny"
virtual_network_subnet_ids = [ azurerm_subnet.snet.id ]
bypass = [ "None" ]
}
}
resource "azurerm_storage_share" "file_share" {
name = "fileshare"
storage_account_name = azurerm_storage_account.storage.name
quota = 100
}
您可以使用 azurerm_storage_account_network_rules 资源来定义网络规则并删除直接在 azurerm_storage_account 资源上定义的网络规则块。
此外,您可以通过使用 az CLI 而不是单独的资源来创建文件共享 "azurerm_storage_share"
经过我的验证,
PS D:\Terraform> .\terraform.exe -v
Terraform v0.13.4
+ provider registry.terraform.io/hashicorp/azurerm v2.32.0
在 terraform apply 和 terraform destroy 时有效。
resource "azurerm_storage_account" "storage" {
name = "nnnstore1"
resource_group_name = azurerm_resource_group.rg.name
location = var.location
account_tier = "Standard"
account_replication_type = "LRS"
provisioner "local-exec" {
command =<<EOT
az storage share create `
--account-name ${azurerm_storage_account.storage.name} `
--account-key ${azurerm_storage_account.storage.primary_access_key} `
--name ${var.myshare} `
--quota 100
EOT
interpreter = [ "Powershell", "-c"]
}
}
resource "azurerm_storage_account_network_rules" "test" {
resource_group_name = azurerm_resource_group.rg.name
storage_account_name = azurerm_storage_account.storage.name
default_action = "Deny"
virtual_network_subnet_ids = [azurerm_subnet.snet.id]
bypass = ["None"]
}
我最近 运行 在尝试为容器组创建存储共享时遇到了这个问题。它与您的代码几乎相同,但带有额外的容器组。
我在部署新堆栈时遇到了这个问题,我通过部署除存储共享组件和对它的所有引用之外的所有内容来绕过错误。
完成后我引入了存储共享并重新部署没有问题。
糟糕的解决方法但再次部署。