Issue: Storage account encryption throws error

[pixelicous]

Terraform Version

Terraform v0.11.4

• provider.azurerm v1.3.0

Affected Resource(s)

azurerm_storage_account

Terraform Configuration Files

  name                      = "${var.environment}${var.Number}store"
  resource_group_name       = "${azurerm_resource_group.resource_group.name}"
  location                  = "${var.location}"
  account_tier              = "Standard"
  account_replication_type  = "LRS"

  tags                      = "${var.tags}"
}

Debug Output

• azurerm_storage_account.tenant_storage: Error creating Azure Storage Account "env00001store": storage.AccountsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="FeatureNotSupportedForAccount" Message="Disabling Encryption is not supported for the account."

Expected Behavior

State should have refreshed all resources necessary and finish

Actual Behavior

Failure on storage account, only resource that fails.

Steps to Reproduce

terraform init/apply then rerun apply

Important Factoids

Didnt try to reproduce on test HCL file
I did try to enable enable_https_traffic_only but it failed again, i dont think this property affects a new azure service.
Googling this error yielded no results, not even azure ones..

References

When looking at encryption tab under the storage account i see the following -
Storage service encryption protects your data at rest. Azure Storage encrypts your data as it's written in our datacenters, and automatically decrypts it for you as you access it.
By default, data is encrypted using Microsoft Managed Keys for Azure Blobs, Tables, Files and Queues. You may choose to bring your own key for encryption for Azure Blobs and Files. Encryption for Tables and Queues will always use Microsoft Managed Keys.

[pixelicous]

@tombuildsstuff is this a known issue?
I managed to overcome this first error by providing

  account_replication_type = "LRS"
  enable_blob_encryption   = "true"
  enable_file_encryption   = "true"

but now i fail on the table, it doesn't refresh its state correctly, why is it trying to create it

1 error(s) occurred:

• module.NAME.azurerm_storage_table.storageaccountname: 1 error(s) occurred:

• azurerm_storage_table.tenant_kvstore: Error creating table "some_table" in storage account "storageaccountnamr": storage: service returned error: StatusCode=409, ErrorCode=TableAlreadyExists, ErrorMessage=The table specified already exists.
  RequestId:160ce077-d002-00d5-6782-c0521e000000
  Time:2018-03-20T19:37:16.3957711Z, RequestInitiated=Tue, 20 Mar 2018 19:37:15 GMT, RequestId=160ce077-d002-00d5-6782-c0521e000000, API Version=2016-05-31, QueryParameterName=, QueryParameterValue=

[pixelicous]

@RichardSlater not sure then how to solve it.. it appears you solved it, i still encounter errors

[pixelicous]

Still true on 0.11.5 😭

[tombuildsstuff]

azurerm_storage_account.tenant_storage: Error creating Azure Storage Account "env00001store": storage.AccountsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="FeatureNotSupportedForAccount" Message="Disabling Encryption is not supported for the account."

@pixelicous so we're also seeing this in our nightly test run, I may be wrong but I believe this may be a feature flag change at Azure's end (since this test started failing on 2nd Feb and I can't see any related code changes around that time that'd cause this) - similar to how you now have to opt-in to be able to deploy SQL Azure v11 instances. I'm planning on taking a look at this as part of the SDK upgrade (#1006) due to some other changes affecting storage accounts which also need resolving prior to merging.

[RichardSlater]

@RichardSlater not sure then how to solve it.. it appears you solved it, i still encounter errors

Not sure I fixed it, I deleted my state deleted all resources then redeployed everything - not a solution for most people.

[katbyte]

Hi @pixelicous,

I just merged #1380 that should take care of the first issue you saw by turning encryption on by default. Is the 2nd one still a problem for you?

[pixelicous]

@katbyte I didnt check, i was sure that this is being looked at.. was pushed from 1.3.1 to 1.7.0, so i thought its confirmed and been worked on..

[katbyte]

@pixelicous,

The 2nd issue you mentioned: The table specified already exists seems to just be an instance of the storage table already existing? Either deleting the table or importing it into terraform could resolve it.

[pixelicous]

@katbyte I provisioned this table using this state file.. It should be mapped to that resource and not try to recreate it.. I dont want to delete it, we need it. I can try to remove it from the state and import back maybe. I will try to reproduce this with a clean file.. I will see what happens and ill update

[katbyte]

As disabling encryption is no longer possible and we have not heard back I am going to close this issue.

[pixelicous]

@katbyte yes unforunately i had no time to look at it again.. sorry and thank you!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!