Policy: "Storage accounts should restrict network access" is triggered even public access is completely disabled.

[fabio-s-franco]

Which service(blob, file, queue, table) does this issue concern?

None in particular, but instead the storage account as a whole

Which version of the SDK was used?

This is from azurerm terraform provider, which seems to be using these:

import (
	"fmt"

	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage" // nolint: staticcheck
	storage_v2023_01_01 "github.com/hashicorp/go-azure-sdk/resource-manager/storage/2023-01-01"
	"github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/cloudendpointresource"
	"github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/storagesyncservicesresource"
	"github.com/hashicorp/go-azure-sdk/resource-manager/storagesync/2020-03-01/syncgroupresource"
	"github.com/hashicorp/go-azure-sdk/sdk/auth"
	"github.com/hashicorp/go-azure-sdk/sdk/client/resourcemanager"
	"github.com/hashicorp/terraform-provider-azurerm/internal/common"
)

Which platform are you using? (ex: .NET Core 2.1)

Terraform AzureRM 3.97.1

What problem was encountered?

I am not able to create a storage account with public network access disable due to the police: "Storage accounts should restrict network access".

It requires to have DefaultAction = "Deny", even when it is not applicable. With public access disabled, this rule should not require the network rule, since it only becomes accessible via private link services (that can only be exposed via private endpoint).

How can we reproduce the problem in the simplest way?

Setup a private network and try to create a storage account with public network access disabled.
I am not quite sure how that translates to the API/SDK, but that's what it takes.

Have you found a mitigation/solution?

I set DefaultAction to "Deny", even though it is not applicable. The main problem here is finding the root cause effectively, since this is not an error to be expected in this setup.