Problem
A user may run into the following error when provisioning resources whose parent resource (i.e., storage account/key vault) has public network access disabled:
│ Error: containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error.
Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.\nRequestId:f0f0918d-d01e-00b4-28ef-fd3b70000000\nTime:2023-10-13T16:09:05.9583078Z"
│
│ with azurerm_storage_container.test,
│ on main.tf line 96, in resource "azurerm_storage_container" "test":
│ 96: resource "azurerm_storage_container" "test" {
Cause
Due to limitations within the Azure API, the AzureRM Provider has to make use of the Data Plane API when provisioning certain resources (e.g., storage containers, keys). When the parent resource has public network access disabled, these Data Plane calls fail: they are sent to the public endpoint, which is not authorized to reach resources that are only available through private access.
Possible Solution
- Update the configuration to use azapi_resource, which avoids the Data Plane call, for the resources that fail to provision.
resource "azurerm_storage_account" "test" {
  name                          = "hashitestsa"
  resource_group_name           = data.azurerm_resource_group.test.name
  location                      = data.azurerm_resource_group.test.location
  public_network_access_enabled = false
  account_kind                  = "StorageV2"
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
}

resource "azapi_resource" "container" {
  type      = "Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01"
  name      = "testcontainer"
  parent_id = "${azurerm_storage_account.test.id}/blobServices/default"
  body = jsonencode({
    properties = {
    }
  })
}
Full documentation on available properties can be found in the Microsoft Learn documentation for the Terraform AzAPI provider (see References below).
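A pre-apply check for the combination described under Cause, added here as an example (not part of the original article or of the AzureRM provider): it reads the JSON form of a plan (`terraform show -json <planfile>`) and lists the `azurerm_storage_container` resources whose storage account is planned with `public_network_access_enabled = false`, which are the candidates for the azapi_resource change. The function names and the sample plan are constructed, and the check assumes the container refers to its account through `storage_account_name`.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. Not taken from the original article.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_storage_account.test", "type": "azurerm_storage_account", "values": {"name": "hashitestsa", "public_network_access_enabled": false}},
    {"address": "azurerm_storage_account.open", "type": "azurerm_storage_account", "values": {"name": "hashiopensa", "public_network_access_enabled": true}},
    {"address": "azurerm_storage_container.test", "type": "azurerm_storage_container", "values": {"name": "testcontainer", "storage_account_name": "hashitestsa"}},
    {"address": "azurerm_storage_container.pub", "type": "azurerm_storage_container", "values": {"name": "pub", "storage_account_name": "hashiopensa"}}],
  "child_modules": [{"resources": [
    {"address": "module.logs.azurerm_storage_container.logs", "type": "azurerm_storage_container", "values": {"name": "logs", "storage_account_name": "hashitestsa"}}]}]
}}}
""")


def walk_resources(module):
    """Yield every planned resource in a module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def find_blocked_containers(plan):
    """Return addresses of azurerm_storage_container resources whose storage
    account is planned with public_network_access_enabled = false."""
    resources = list(walk_resources(plan.get("planned_values", {}).get("root_module", {})))
    private_accounts = {
        r.get("values", {}).get("name")
        for r in resources
        if r.get("type") == "azurerm_storage_account"
        and r.get("values", {}).get("public_network_access_enabled") is False
    }
    return sorted(
        r["address"]
        for r in resources
        if r.get("type") == "azurerm_storage_container"
        and r.get("values", {}).get("storage_account_name") in private_accounts
    )


if __name__ == "__main__":
    for address in find_blocked_containers(SAMPLE_PLAN):
        print(f"{address}: parent storage account has public network access disabled")
```

An account whose `public_network_access_enabled` value is not yet known at plan time is not flagged, so an empty result does not rule the error out.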
Outcome
After using the solution above, Terraform should be able to successfully provision the resource.
Additional Information
If the above solution does not resolve your issue, please open a ticket with HashiCorp Support for additional assistance.