azurerm_storage_account failures setting allowed_copy_scope back to null

[ddoby]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.12.2

AzureRM Provider Version

4.38.1

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "storage" {
  name                              = "sanamehere
  resource_group_name               = "rgnamehere
  location                          = "eastus2"
  account_kind                      = "StorageV2"
  account_tier                      = "Standard"
  account_replication_type          = "LRS"
  cross_tenant_replication_enabled  = false
  is_hns_enabled                    = false
  allow_nested_items_to_be_public   = false
  infrastructure_encryption_enabled = true
  public_network_access_enabled     = true
  access_tier                       = "Hot"
  allowed_copy_scope                = "AAD" or "PrivateLink"
}

This creates the storage account just fine. But then attempts to change the allowed_copy_scope back to null produces an error "The value '' is not allowed for property AllowedCopyScope"

resource "azurerm_storage_account" "storage" {
  ...
  allowed_copy_scope                = null
}

Debug Output/Panic Output

# azurerm_storage_account.storage will be updated in-place
  ~ resource "azurerm_storage_account" "storage" {
      - allowed_copy_scope                 = "AAD" -> null
        id                                 = "/subscriptions/...."
        name                               = "sanamehere"
        tags                               = {}
        # (96 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }


╷
│ Error: updating Storage Account (Subscription: "blah"
│ Resource Group Name: "rgnamehere"
│ Storage Account Name: "sanamehere"): performing Create: unexpected status 400 (400 Bad Request) with error: InvalidRequestPropertyValue: The value '' is not allowed for property AllowedCopyScope.
│ 
│   with azurerm_storage_account.storage,
│   on test_storage.tf line 1, in resource "azurerm_storage_account" "storage":
│    1: resource "azurerm_storage_account" "storage" {
│ 
╵

Expected Behaviour

Expect storage account to update allowed_copy_scope setting properly to null

Actual Behaviour

Plan runs fine and wants to change :

• allowed_copy_scope = "AAD" -> null

but fails with the above error.

Steps to Reproduce

1. Create storage account with allowed_copy_scope ="AAD" or "PrivateLink"
2. Update configuration to set allowed_copy_scope to null OR remove the allowed_copy_scope property
3. Failure

Important Factoids

No response

References

No response

[magodo]

Thanks for reaching out! Per my test, updating the storage account with a PUT request, with the allowedCopyScope absent in the request body won't be able to update it to null. The only way is to set it allowedCopyScope: null in the body. Unfortunately, the underlying SDK currently doesn't support to explicitly nullify a field, depending on: hashicorp/pandora#4633.