@johnsca johnsca commented Dec 10, 2025

ENG-5444

What

  • Disable public network access for the storage account.

Why

  • It's insecure to allow public access and is unnecessary.

Note: This is roughly based off this comment which suggests using azapi_resource to manage the sub-resources while avoiding the need for the data plane, with the addition of using the deferred azapi_update_resource step to close the public endpoint after the function code upload.

Testing

  • Deploy to Azure in sandbox subscription.

Docs

Updated README
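A minimal Terraform sketch of the pattern the note above describes, added here as an illustration and not taken from this PR's code. It assumes the azapi provider 2.x (HCL object `body`), and every resource name (`example-rg`, `examplefuncstore`, `function-code`, `function_code_upload`) is a constructed placeholder.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azapi   = { source = "Azure/azapi", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-rg" # placeholder
  location = "eastus"
}

resource "azurerm_storage_account" "example" {
  name                     = "examplefuncstore" # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Open only for the initial deploy; closed by azapi_update_resource below.
  public_network_access_enabled = true
  lifecycle {
    # Keep azurerm from re-opening the endpoint on the next apply.
    ignore_changes = [public_network_access_enabled]
  }
}

# Sub-resource created through the ARM management plane, so Terraform never
# has to reach the blob data-plane endpoint.
resource "azapi_resource" "code_container" {
  type      = "Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01"
  name      = "function-code" # placeholder
  parent_id = "${azurerm_storage_account.example.id}/blobServices/default"
  body      = { properties = { publicAccess = "None" } }
}

# Hypothetical stand-in for whatever step uploads the function code.
resource "terraform_data" "function_code_upload" {
  depends_on = [azapi_resource.code_container]
}

# Deferred step: close the public endpoint only after the upload finished.
resource "azapi_update_resource" "close_public_endpoint" {
  type        = "Microsoft.Storage/storageAccounts@2023-01-01"
  resource_id = azurerm_storage_account.example.id
  body        = { properties = { publicNetworkAccess = "Disabled" } }
  depends_on  = [terraform_data.function_code_upload]
}
```

The follow-up comment in this thread reports the Functions host receiving `403 AuthorizationFailure` from Blob storage once the endpoint is closed, so check the host's own storage access after applying a change like this.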

@johnsca johnsca requested a review from a team as a code owner December 10, 2025 21:20

johnsca commented Dec 11, 2025

It seems the function itself is still not actually working. With public_network_access_enabled = true, I get errors about not being able to assume the AWS role, which at least indicates that it's running. But with this (and a few other variations I've tried so far), I'm getting this error:

2025-12-11T23:08:00Z   [Verbose]   Host instance '000000000000000000000000F2729378' failed to acquire host lock lease: Azure.Storage.Blobs: Service request failed.
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure

Headers:
Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: b72d0ae9-901e-0005-01f2-6ac010000000
x-ms-client-request-id: 55f1ee4a-93cc-42c8-a9a1-a2556c12e478
x-ms-error-code: AuthorizationFailure
Date: Thu, 11 Dec 2025 23:07:59 GMT
