
I am using Azure Blob Storage as a state backend. Due to new security requirements, I now need to access the Azure storage accounts using SSL. This, however, fails with the following:

module.core_infra.data.terraform_remote_state.mccp_core_infra: data.terraform_remote_state.mccp_core_infra: storage: service returned error: StatusCode=403, ErrorCode=AuthenticationFailed, ErrorMessage=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Here’s an example configuration:

resource "azurerm_storage_account" "terraform_state_account" {
  name                      = "${lower(replace(var.azure_tenant_name, "/\\W|_/", ""))}tfstate"
  resource_group_name       = "${azurerm_resource_group.main.name}"
  location                  = "${var.azure_location}"
  account_tier              = "Standard"
  account_replication_type  = "LRS"
  # Reject plain-HTTP requests; requests are still authenticated with the account key.
  enable_https_traffic_only = true

  network_rules {
    ip_rules                   = ["masked/24"]
    virtual_network_subnet_ids = ["${azurerm_subnet.mccp_vnet_subnet.id}"]
  }

  tags = {
    environment = "${var.azure_tenant_name} terraform state account"
  }
}

data "terraform_remote_state" "mccp_core_infra" {
  backend = "azurerm"
  config = {
    # Must resolve to the same account name as the resource above.
    storage_account_name = "${lower(replace(var.azure_tenant_name, "/\\W|_/", ""))}tfstate"
    container_name       = "mccp-core-infra-tf-state"
    key                  = "terraform.tfstate"
    access_key           = "${var.azure_mccp_storage_account_key}"
  }
}

I am using Terraform 0.11.11 with azurerm provider 1.33.0. This works just fine without the enable_https_traffic_only flag. What am I missing here?

Does the storage account exist? Right now you have a resource creating the storage account and then a data source trying to access it immediately. This creates an obvious race condition. Using Terraform to manage where you store state (e.g. Azure blob storage or S3) is tricky, as mentioned in stackoverflow.com/q/47913041/2291321 and stackoverflow.com/q/39212826/2291321 – ydaetskcoR

It does exist. The data source actually exists and is executed in a separate Jenkins pipeline stage, plenty of time for it to be created. Like I mentioned in my post, I had no issues with this prior to adding the enable_https_traffic_only flag. – Zhulian Ginev

1 Answer


The enable_https_traffic_only feature would not affect that error. This works fine with the enable_https_traffic_only flag on Terraform v0.12.9 + provider.azurerm v1.35.0 on my side.

It looks like a credential issue. I can reproduce your issue when the access_key is invalid in the data source. You could verify whether you can access that storage account blob with that access key, or whether you are referencing the correct storage account name that hosts the .tfstate.

You could also try deleting the local .terraform folder and trying again, as mentioned in this post.
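The check the answer suggests (can this key read this blob, over HTTPS, in this account?) can be done without Terraform by building the same Authorization header the error message complains about. The Python below is an added example, not code from the question, the answer or the azurerm provider. It implements Shared Key signing for the Blob service: HMAC-SHA256 over the canonical string-to-sign, keyed with the base64-decoded account key. A 403 AuthenticationFailed means that signature did not match, which for Terraform's data source comes down to a wrong access_key, or a key that belongs to a different account than storage_account_name resolves to; enable_https_traffic_only plays no part in it. The account name, key, container and blob path are constructed placeholders, and the live request only runs when the script is given real values on the command line.

```python
"""Shared Key signing for Azure Blob Storage, to check an access key outside Terraform.

Added example for this answer: not code from the question, the answer or the
azurerm provider.  ACCOUNT, ACCOUNT_KEY and BLOB_URL are constructed placeholders.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

API_VERSION = "2019-02-02"

# Constructed fixture: a 64-byte key, base64-encoded the way the portal hands keys out.
ACCOUNT = "exampletfstate"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
BLOB_URL = (f"https://{ACCOUNT}.blob.core.windows.net"
            "/mccp-core-infra-tf-state/terraform.tfstate")


def canonicalized_headers(headers):
    """All x-ms-* headers, lower-cased and sorted, as 'name:value\\n' lines."""
    xms = {k.lower(): v.strip() for k, v in headers.items()
           if k.lower().startswith("x-ms-")}
    return "".join(f"{k}:{xms[k]}\n" for k in sorted(xms))


def canonicalized_resource(account, url):
    """'/account/path' plus '\\nname:value' per query parameter, sorted by name."""
    parts = urlsplit(url)
    out = f"/{account}{parts.path}"
    for name, values in sorted(parse_qs(parts.query, keep_blank_values=True).items()):
        out += f"\n{name.lower()}:{','.join(sorted(values))}"
    return out


def string_to_sign(method, url, account, headers):
    """Blob service string-to-sign (API version 2015-02-21 and later).

    Date is left empty because the request carries x-ms-date instead, and a
    Content-Length of 0 is sent as the empty string under the current rules.
    """
    get = lambda name: headers.get(name, "")
    length = get("Content-Length")
    return "\n".join([
        method.upper(),
        get("Content-Encoding"),
        get("Content-Language"),
        "" if length == "0" else length,
        get("Content-MD5"),
        get("Content-Type"),
        "",                       # Date: empty when x-ms-date is used
        get("If-Modified-Since"),
        get("If-Match"),
        get("If-None-Match"),
        get("If-Unmodified-Since"),
        get("Range"),
        canonicalized_headers(headers) + canonicalized_resource(account, url),
    ])


def sign(account, account_key, method, url, headers):
    """Return 'SharedKey <account>:<base64(HMAC-SHA256(key, string_to_sign))>'.

    The key is the base64 text from the portal; a key that does not decode
    fails here instead of as a 403 AuthenticationFailed from the service.
    """
    try:
        key = base64.b64decode(account_key, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("access_key is not valid base64") from exc
    msg = string_to_sign(method, url, account, headers).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode()}"


def signed_head_request(account, account_key, url, x_ms_date=None):
    """Headers for an authenticated HEAD on the blob (no body, no Content-Length)."""
    if x_ms_date is None:
        x_ms_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {"x-ms-date": x_ms_date, "x-ms-version": API_VERSION}
    headers["Authorization"] = sign(account, account_key, "HEAD", url, headers)
    return headers


if __name__ == "__main__":
    # Live check (needs network): python check_tfstate_key.py <account> <key> <blob url>
    import sys
    import urllib.error
    import urllib.request

    acct, key, url = sys.argv[1:4]
    req = urllib.request.Request(url, method="HEAD",
                                 headers=signed_head_request(acct, key, url))
    try:
        with urllib.request.urlopen(req) as resp:
            print(resp.status, "Last-Modified:", resp.headers.get("Last-Modified"))
    except urllib.error.HTTPError as err:
        # 403 AuthenticationFailed = signature mismatch: wrong key, or a key from a
        # different account than the one in the URL.  A 403 with another
        # x-ms-error-code (e.g. AuthorizationFailure from network_rules) is not a
        # signature problem.
        print(err.code, err.headers.get("x-ms-error-code"))
```

Run it with the same account name the data source computes and the same key the Jenkins stage injects as azure_mccp_storage_account_key; a 200 on the HEAD proves the credential pair is right and narrows the Terraform error down to what the data source is actually being handed.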