Problem
When you provision Azure resources where a parent resource, such as a storage account or key vault, has public network access disabled, you may encounter a StatusCode=403 and ErrorCode=AuthorizationFailure error.
│ Error:
│ containers.Client#GetProperties:
│ Failure responding to request:
│ StatusCode=403 -- Original Error:
│ autorest/azure:
│ Service returned an error.
│ Status=403 Code="AuthorizationFailure"
│ Message="This request is not authorized to
│ perform this
│ operation.\nRequestId:f0f0918d-d01e-00b4-28ef-fd3b70000000\nTime:2023-10-
│ 13T16:09:05.9583078Z"
│
│ with azurerm_storage_container.test,
│ on main.tf line 96,
│ in resource "azurerm_storage_container" "test":
│ 96: resource "azurerm_storage_container" "test" {
Cause
Due to limitations within the Azure API, the AzureRM provider must use the Data Plane API when provisioning certain resources, such as storage containers or keys. When the parent resource has public network access disabled, these calls to the Data Plane fail because they target a public endpoint that is not authorized to reach resources only available through private access.
Solution
To resolve this issue, update the configuration to use the azapi_resource resource from the AzAPI provider. This approach avoids the Data Plane call that causes the provisioning failure.
The following example demonstrates how to create a storage container using azapi_resource for a storage account with public network access disabled.
# data.azurerm_resource_group.test is assumed to be declared elsewhere in the configuration.
resource "azurerm_storage_account" "test" {
  name                          = "hashitestsa"
  resource_group_name           = data.azurerm_resource_group.test.name
  location                      = data.azurerm_resource_group.test.location
  public_network_access_enabled = false
  account_kind                  = "StorageV2"
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
}

# The container is created with azapi_resource instead of azurerm_storage_container.
resource "azapi_resource" "container" {
  type      = "Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01"
  name      = "testcontainer"
  parent_id = "${azurerm_storage_account.test.id}/blobServices/default"
  body = jsonencode({
    properties = {}
  })
}

Outcome
After applying this solution, Terraform should successfully provision the resource without authorization errors.
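To catch the pattern described under Cause before an apply, without re-enabling public network access, the following added example (not part of the original article or of either provider) scans the `configuration` section of `terraform show -json` output for `azurerm_storage_container` resources whose parent storage account sets `public_network_access_enabled = false`. It assumes the resources are in the root module and the setting is a literal value; `find_blocked_children`, `DATA_PLANE_CHILDREN` and the sample plan are constructed for illustration.

```python
import json

# Child types provisioned through the data plane, mapped to the argument that
# references the parent. Only the storage container case comes from this page.
DATA_PLANE_CHILDREN = {"azurerm_storage_container": "storage_account_name"}

# Constructed sample: a trimmed "configuration" section of `terraform show -json`.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"resources": [
  {"address": "azurerm_storage_account.test", "type": "azurerm_storage_account",
   "expressions": {"public_network_access_enabled": {"constant_value": false}}},
  {"address": "azurerm_storage_account.open", "type": "azurerm_storage_account",
   "expressions": {"public_network_access_enabled": {"constant_value": true}}},
  {"address": "azurerm_storage_container.test", "type": "azurerm_storage_container",
   "expressions": {"storage_account_name": {"references":
     ["azurerm_storage_account.test.name", "azurerm_storage_account.test"]}}},
  {"address": "azurerm_storage_container.logs", "type": "azurerm_storage_container",
   "expressions": {"storage_account_name": {"references":
     ["azurerm_storage_account.open.name", "azurerm_storage_account.open"]}}},
  {"address": "azapi_resource.container", "type": "azapi_resource",
   "expressions": {"parent_id": {"references":
     ["azurerm_storage_account.test.id", "azurerm_storage_account.test"]}}}
]}}}
""")


def find_blocked_children(plan):
    """Return (child, parent) address pairs likely to hit the 403 on apply."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    # Storage accounts that explicitly disable public network access.
    private = {
        r["address"] for r in resources
        if r["type"] == "azurerm_storage_account"
        and r.get("expressions", {}).get("public_network_access_enabled", {})
             .get("constant_value") is False
    }
    findings = []
    for r in resources:
        parent_arg = DATA_PLANE_CHILDREN.get(r["type"])
        if parent_arg is None:
            continue  # azapi_resource and other types outside the map are not flagged
        refs = r.get("expressions", {}).get(parent_arg, {}).get("references", [])
        findings.extend((r["address"], p) for p in sorted(private.intersection(refs)))
    return findings


if __name__ == "__main__":
    for child, parent in find_blocked_children(SAMPLE_PLAN):
        print(f"{child}: data-plane create against private parent {parent}")
```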