About Terraform State, Azure Blob Storage and network rules

Antoine


Problem

I'm a happy Terraform hobbyist, and I enjoy using it from my laptop to quickly set up some infrastructure for my personal projects. This time, though, I want to use it on a project with shared files.

The recommendation in this case is to store the state in a remote backend. As we are using Azure, I chose the Azure Blob Storage backend.

It works perfectly from my laptop! But we are using private agents on my Azure DevOps projects, and those private agents are hosted on VMs in Azure. It seemed easy, with no container stuff involved: I added the public IP of my VM to the Azure Storage Account firewall, and... I got a 403! My access was forbidden even though I used the connection string, and the same code works from my laptop over my Internet connection (with my IP in the firewall).

I thought I had messed something up with a Service Endpoint or something similar, so I created another VM on another Virtual Network and tried the same thing against another Azure Storage Account. It failed!

Workaround

The issue here seems to be related to the IP used between the VM and the Azure Storage Account: when both are in the same region, the traffic does not arrive from the VM's public IP, so the IP rule in the storage firewall never matches.

  • I could use a Service Endpoint, but I want my Terraform to access other Azure Storage Accounts as well.
  • I could use Private Link (Private Link for Azure Storage Account is GA), but I don't want to manage a Private DNS Zone for this.
  • So the easiest workaround for me here is to move my Azure Storage Account to another region. With this setting, the IP used is the public one and my agents can access my Terraform files.
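As an added example, not the author's code, here is what the setup above looks like in Terraform: the `azurerm` backend block the agents use, and the state storage account with its firewall rules placed in a different region than the agent VMs. Resource names, the IP address and the regions are placeholders; the `virtual_network_subnet_ids` line shows the Service Endpoint alternative from the first bullet, which is what lets a same-region subnet through the firewall.

```hcl
# Backend used by the Azure DevOps agents (all names are placeholders).
# The storage account itself is normally created by a separate bootstrap
# configuration, since Terraform needs it before it can store this state.
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstateexample"
    container_name       = "tfstate"
    key                  = "project.terraform.tfstate"
  }
}

# Subnet of the agent VMs (region: westeurope in this example), with the
# Microsoft.Storage service endpoint enabled. Only needed for the
# Service Endpoint alternative, not for the move-region workaround.
resource "azurerm_subnet" "agents" {
  name                 = "snet-agents"
  resource_group_name  = "rg-agents"
  virtual_network_name = "vnet-agents"
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "tfstate" {
  name                = "sttfstateexample"
  resource_group_name = "rg-tfstate"
  # Workaround from the post: a different region than the agent VMs, so the
  # agents reach the account over their public IP and the IP rule matches.
  location                 = "northeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    default_action = "Deny"
    # Public IP of the agent VM (placeholder). As observed in the post, this
    # rule only matches when the account is not in the agents' region.
    ip_rules = ["203.0.113.10"]
    # Service Endpoint alternative: allow the agent subnet directly, which
    # also works when the account and the VMs share a region.
    virtual_network_subnet_ids = [azurerm_subnet.agents.id]
    # Lets trusted Azure services (e.g. Azure DevOps-hosted agents) through.
    bypass = ["AzureServices"]
  }
}
```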

Hope this helps!