Storage Account: Enable DefaultAction in Network rules.

azurerm/resource_arm_storage_account.go

@@ -176,15 +176,25 @@ func resourceArmStorageAccount() *schema.Resource {
 						"ip_rules": {
 							Type:     schema.TypeSet,
 							Optional: true,
+							Computed: true,
 							Elem:     &schema.Schema{Type: schema.TypeString},
 							Set:      schema.HashString,
 						},
 						"virtual_network_subnet_ids": {
 							Type:     schema.TypeSet,
 							Optional: true,
+							Computed: true,
 							Elem:     &schema.Schema{Type: schema.TypeString},
 							Set:      schema.HashString,
 						},
+						"default_action": {
+							Type:     schema.TypeString,
+							Required: true,
+							ValidateFunc: validation.StringInSlice([]string{
+								string(storage.DefaultActionAllow),
+								string(storage.DefaultActionDeny),
+							}, false),
+						},
 					},
 				},
 			},
@@ -909,6 +919,11 @@ func expandStorageAccountNetworkRules(d *schema.ResourceData) *storage.NetworkRu
 	networkRule := networkRules[0].(map[string]interface{})
 	networkRuleSet := &storage.NetworkRuleSet{}
 
+	if networkRule["default_action"].(string) == string(storage.DefaultActionAllow) {
+		// If Default Access is enabled then no network rules are set.
+		return &storage.NetworkRuleSet{DefaultAction: storage.DefaultActionAllow}
+	}
+
 	networkRuleSet.IPRules = expandStorageAccountIPRules(networkRule)
 	networkRuleSet.VirtualNetworkRules = expandStorageAccountVirtualNetworks(networkRule)
 	networkRuleSet.Bypass = expandStorageAccountBypass(networkRule)
@@ -970,6 +985,7 @@ func flattenStorageAccountNetworkRules(input *storage.NetworkRuleSet) []interfac
 	networkRules["ip_rules"] = schema.NewSet(schema.HashString, flattenStorageAccountIPRules(input.IPRules))
 	networkRules["virtual_network_subnet_ids"] = schema.NewSet(schema.HashString, flattenStorageAccountVirtualNetworks(input.VirtualNetworkRules))
 	networkRules["bypass"] = schema.NewSet(schema.HashString, flattenStorageAccountBypass(input.Bypass))
+	networkRules["default_action"] = string(input.DefaultAction)
 
 	return []interface{}{networkRules}
 }

azurerm/resource_arm_storage_account_test.go

@@ -543,6 +543,7 @@ func TestAccAzureRMStorageAccount_networkRules(t *testing.T) {
 				Config: preConfig,
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMStorageAccountExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "network_rules.0.default_action", "Deny"),
 					resource.TestCheckResourceAttr(resourceName, "network_rules.0.ip_rules.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "network_rules.0.virtual_network_subnet_ids.#", "1"),
 				),
@@ -556,8 +557,9 @@ func TestAccAzureRMStorageAccount_networkRules(t *testing.T) {
 				Config: postConfig,
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMStorageAccountExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "network_rules.0.default_action", "Deny"),
 					resource.TestCheckResourceAttr(resourceName, "network_rules.0.ip_rules.#", "2"),
-					resource.TestCheckResourceAttr(resourceName, "network_rules.0.virtual_network_subnet_ids.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "network_rules.0.virtual_network_subnet_ids.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "network_rules.0.bypass.#", "2"),
 				),
 			},
@@ -571,7 +573,7 @@ func TestAccAzureRMStorageAccount_networkRulesDeleted(t *testing.T) {
 	rs := acctest.RandString(4)
 	location := testLocation()
 	preConfig := testAccAzureRMStorageAccount_networkRules(ri, rs, location)
-	postConfig := testAccAzureRMStorageAccount_basic(ri, rs, location)
+	postConfig := testAccAzureRMStorageAccount_networkRulesReverted(ri, rs, location)
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -582,6 +584,7 @@ func TestAccAzureRMStorageAccount_networkRulesDeleted(t *testing.T) {
 				Config: preConfig,
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMStorageAccountExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "network_rules.0.default_action", "Deny"),
 					resource.TestCheckResourceAttr(resourceName, "network_rules.0.ip_rules.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "network_rules.0.virtual_network_subnet_ids.#", "1"),
 				),
@@ -590,7 +593,7 @@ func TestAccAzureRMStorageAccount_networkRulesDeleted(t *testing.T) {
 				Config: postConfig,
 				Check: resource.ComposeTestCheckFunc(
 					testCheckAzureRMStorageAccountExists(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "network_rules.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "network_rules.0.default_action", "Allow"),
 				),
 			},
 		},
@@ -1103,6 +1106,7 @@ resource "azurerm_storage_account" "testsa" {
   account_replication_type = "LRS"
 
   network_rules {
+    default_action             = "Deny"
     ip_rules                   = ["127.0.0.1"]
     virtual_network_subnet_ids = ["${azurerm_subnet.test.id}"]
   }
@@ -1144,8 +1148,51 @@ resource "azurerm_storage_account" "testsa" {
   account_replication_type = "LRS"
 
   network_rules {
-    ip_rules = ["127.0.0.1", "127.0.0.2"]
-    bypass   = ["Logging", "Metrics"]
+    default_action         = "Deny"
+    ip_rules               = ["127.0.0.1", "127.0.0.2"]
+    bypass                 = ["Logging", "Metrics"]
+  }
+
+  tags = {
+    environment = "production"
+  }
+}
+`, rInt, location, rInt, rInt, rString)
+}
+
+func testAccAzureRMStorageAccount_networkRulesReverted(rInt int, rString string, location string) string {
+	return fmt.Sprintf(`
+resource "azurerm_resource_group" "testrg" {
+  name     = "acctestAzureRMSA-%d"
+  location = "%s"
+}
+
+resource "azurerm_virtual_network" "test" {
+  name                = "acctestvirtnet%d"
+  address_space       = ["10.0.0.0/16"]
+  location            = "${azurerm_resource_group.testrg.location}"
+  resource_group_name = "${azurerm_resource_group.testrg.name}"
+}
+
+resource "azurerm_subnet" "test" {
+  name                 = "acctestsubnet%d"
+  resource_group_name  = "${azurerm_resource_group.testrg.name}"
+  virtual_network_name = "${azurerm_virtual_network.test.name}"
+  address_prefix       = "10.0.2.0/24"
+  service_endpoints    = ["Microsoft.Storage"]
+}
+
+resource "azurerm_storage_account" "testsa" {
+  name                     = "unlikely23exst2acct%s"
+  resource_group_name      = "${azurerm_resource_group.testrg.name}"
+  location                 = "${azurerm_resource_group.testrg.location}"
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  network_rules {
+    default_action             = "Allow"
+    ip_rules                   = ["127.0.0.1"]
+    virtual_network_subnet_ids = ["${azurerm_subnet.test.id}"]
   }
 
   tags = {

website/docs/r/storage_account.html.markdown

@@ -63,6 +63,7 @@ resource "azurerm_storage_account" "testsa" {
   account_replication_type = "LRS"
 
   network_rules {
+    default_action             = "Deny"
     ip_rules                   = ["100.0.0.1"]
     virtual_network_subnet_ids = ["${azurerm_subnet.test.id}"]
   }
@@ -127,12 +128,13 @@ The following arguments are supported:
 
 * `network_rules` supports the following:
 
+* `default_action` - (Required) Specifies the default action of allow or deny when no other rules match. Valid options are `Deny` or `Allow`.
 * `bypass` - (Optional)  Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are
 any combination of `Logging`, `Metrics`, `AzureServices`, or `None`. 
 * `ip_rules` - (Optional) List of public IP or IP ranges in CIDR Format. Only IPV4 addresses are allowed. Private IP address ranges (as defined in [RFC 1918](https://tools.ietf.org/html/rfc1918#section-3)) are not allowed.
 * `virtual_network_subnet_ids` - (Optional) A list of resource ids for subnets.
 
-~> **Note:** If specifying `network_rules`, one of either `ip_rules` or `virtual_network_subnet_ids` must be specified.
+~> **Note:** If specifying `network_rules`, one of either `ip_rules` or `virtual_network_subnet_ids` must be specified and `default_action` must be set to `Deny`.
 
 ~> **Note:** [More information on Validation is available here](https://docs.microsoft.com/en-gb/azure/storage/blobs/storage-custom-domain-name)