Setting CORS in Azure storage account from Terraform

2
votes

I have written some Terraform code to create an Azure storage account. Here is the code:

resource "azurerm_storage_account" "i_ten_prov_storage" {
  name                     = "${var.storage_account_name}"
  resource_group_name      = "${azurerm_resource_group.i_resource_group.name}"
  location                 = "${var.location}"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"

/*  cors_rule {
    allowed_headers = "${var.allowed_headers}"
    allowed_methods = "${var.allowed_methods}"
    allowed_origins = "${var.allowed_origins}"
    exposed_headers = "${var.exposed_headers}"
    max_age_in_seconds = "${var.max_age_in_seconds}"
  }*/
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["*"]
    allowed_origins = ["*"]
    exposed_headers = ["*"]
    max_age_in_seconds = ["*"]
  }
  tags = "${local.tags}"
}

I am following this documentation which says that CORS is allowed in Terraform for azure storage account: https://www.terraform.io/docs/providers/azurerm/r/storage_account.html#allowed_headers

But I am getting the following error when I am running terraform apply:

Error: azurerm_storage_account.idl_tenant_provisioning_storage: : invalid or unknown key: cors_rule
ERROR: Job failed: exit code 1

I am using Terraform 0.11.11.

From the azure portal I can see that cors can be applied seperatly for all kind of storage

Screenshot from azure portal

and I want to apply for all kind of objects

4
azureterraformterraform-provider-azureazure-storage-account

4 Answers

1
votes

I think the possible solution is that executes the Azure CLI command inside the Terraform.

I find the CLI command az storage cors add can add the cors rule to all the service if you set the parameter --services with value bfqt. Then you can use the Terraform null_resource to execute the command. The example code would like this:

resource "null_resource" "test" {
    provisioner "local-exec" {
        command = "az storage cors add --methods GET POST PUT --origins '*' --services bqft --account-name xxx"       
    }
}

You can more parameters as you need inside the CLI command. PowerShell command Set-AzStorageCORSRule, but the CLI command is more convenient and suitable.

0
votes

The documentation isn't clear here but the cors_rule block should be nested under a queue_properties block as mentioned further down in the documentation for the resource:

A queue_properties block supports the following:

  • cors_rule - (Optional) A cors_rule block as defined below.

  • logging - (Optional) A logging block as defined below.

  • minute_metrics - (Optional) A minute_metrics block as defined below.

  • hour_metrics - (Optional) A hour_metrics block as defined below.

You can also see this in the schema for the resource in the source code:

// ...
            "queue_properties": {
                Type:     schema.TypeList,
                Optional: true,
                Computed: true,
                MaxItems: 1,
                Elem: &schema.Resource{
                    Schema: map[string]*schema.Schema{
                        "cors_rule": {
                            // ...
0
votes

The cors_rule has to be inside the blob_properties block.

resource "azurerm_storage_account" "strgacc" {
  name                     = "strgacc"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  blob_properties{
    cors_rule{
        allowed_headers = ["*"]
        allowed_methods = ["GET","HEAD","POST","PUT"]
        allowed_origins = ["https://example.com"]
        exposed_headers = ["*"]
        max_age_in_seconds = 3600
        }
    }
}
0
votes
resource "azurerm_storage_account" "storage" {
  name                      = var.storage_account_name
  resource_group_name       = data.terraform_remote_state.rg.outputs.rg_name
  location                  = data.terraform_remote_state.rg.outputs.rg_location
  account_tier              = "Standard"
  account_replication_type  = "LRS"

  allow_blob_public_access  = true

  blob_properties {
    cors_rule {
      allowed_headers = ["*"]
      allowed_methods = ["GET","HEAD","OPTIONS","PUT"]
      allowed_origins = ["https://google.ga", "http://localhost:4200"]
      exposed_headers = ["*"]
      max_age_in_seconds = 200
    }
  }

  tags = {
    Environment = "QA"
    Team        = "Yes"
  }
}