LastAccessTimeBasedTiering is not supported for the account

[melvis02]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.3.3

AzureRM Provider Version

3.71.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account

Terraform Configuration Files

resource "azurerm_storage_account" "account" {
  name = join("", [var.prefix, local.entropy_trimmed])

  location            = var.resource_group.location
  resource_group_name = var.resource_group.name

  account_kind = local.account_kind

  network_rules {
    ip_rules                   = var.allowed_ip_addresses
    virtual_network_subnet_ids = var.virtual_network_subnet_ids
    default_action             = "Deny"
    bypass                     = local.bypass_network_rules
  }

  account_replication_type = var.account_replication_type
  account_tier             = var.account_tier
  is_hns_enabled           = var.is_hns_enabled

  allow_nested_items_to_be_public  = false
  cross_tenant_replication_enabled = local.enable_cross_tenant_replication

  enable_https_traffic_only = true
  min_tls_version           = local.min_tls_version
  lifecycle {
    prevent_destroy = true
  }

  blob_properties {
    dynamic "delete_retention_policy" {
      for_each = local.soft_delete_days > 0 ? [1] : []
      content {
        days = local.soft_delete_days
      }
    }

    dynamic "container_delete_retention_policy" {
      for_each = var.blob_container_delete_retention_policy_days > 0 ? [1] : []
      content {
        days = var.blob_container_delete_retention_policy_days
      }
    }

    versioning_enabled = local.blob_versioning_enabled
    change_feed_enabled = local.change_feed_enabled

    dynamic "restore_policy" {
      for_each = var.point_in_time_restore_enabled ? [1]: []
      content {
        days = var.point_in_time_restore_duration
      }
    }
  }

  tags = var.tags
}

Debug Output/Panic Output

Error: updating Azure Storage Account `blob_properties` "stxywqhr5dznsay": storage.BlobServicesClient#SetServiceProperties: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="FeatureNotSupportedForAccount" Message="LastAccessTimeBasedTiering is not supported for the account."

Expected Behaviour

Apply complete! Resources: x added, 0 changed, 0 destroyed.

Actual Behaviour

Error: updating Azure Storage Account `blob_properties` "stxywqhr5dznsay": storage.BlobServicesClient#SetServiceProperties: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="FeatureNotSupportedForAccount" Message="LastAccessTimeBasedTiering is not supported for the account."

Steps to Reproduce

terraform apply

Important Factoids

I'm moving from azurerm 3.46 to latest (3.71) to get past 3.63 to take on some new features. I haven't regression tested each version, but jumping back to 3.69.0 and to 3.63.0 resulted in the same issue.

References

#11853 appears to be the same issue, addressed two years ago, in 2.63.

[justinrush]

I'm seeing the same issue - it seems like having blob_properties specified causes this error. If I omit the blob_properties setting from this, it works fine. Oddly when it does fail, it still creates the storage account.

This seems to have started happening in v3.63.0. v3.62 works fine. I'm wondering if this bugfix caused a regression?

azurerm_storage_account - the last_access_time_enabled and container_delete_retention_policy properties are now supported in usgovernment (https://github.com/hashicorp/terraform-provider-azurerm/issues/22273)

terraform {
  required_version = ">= 1.3.3"
  backend "local" {}

  # See #2 above before changing
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.71.0"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = false
    }
  }
}

resource "azurerm_resource_group" "primary" {
  name     = "justintest2"
  location = "eastus"
}

resource azurerm_storage_account "account" {
    account_kind                      = "Storage"
    account_replication_type          = "LRS"
    account_tier                      = "Standard"
    allow_nested_items_to_be_public   = false
    cross_tenant_replication_enabled  = false
    default_to_oauth_authentication   = false
    enable_https_traffic_only         = true
    infrastructure_encryption_enabled = false
    is_hns_enabled                    = false
    location                          = "eastus2"
    min_tls_version                   = "TLS1_2"
    name                              = "stjustinbroken"
    nfsv3_enabled                     = false
    public_network_access_enabled     = true
    queue_encryption_key_type         = "Service"
    resource_group_name               = azurerm_resource_group.primary.name
    sftp_enabled                      = false
    shared_access_key_enabled         = true
    table_encryption_key_type         = "Service"
    # omitting blob_properties will cause this to succeed.
    blob_properties {
        change_feed_enabled      = false
        last_access_time_enabled = false
        versioning_enabled       = false
    }
}

[magodo]

Is this happeninig in usgov cloud, or public cloud?

[melvis02]

Is this happeninig in usgov cloud, or public cloud?

Public cloud

[justinrush]

we're working around it by having our terraform exclude blob properties entirely if the storage account is a v1 account. This works for us since we don't set any blob properties on them - but some of those properties are supported in v1 accounts and its not clear how you would use them if these others are automatically set if you include the blob props stanza.

[magodo]

@melvis02 Could you please provide a minimal valid TF config with values filled so that I can use it to reproduce locally?

@justinrush Yes, it looks like a regression. Whilst as @melvis02 mentioned, the issue also exist in public cloud. Presumably, these are due to different causes?

[justinrush]

@melvis02 Could you please provide a minimal valid TF config with values filled so that I can use it to reproduce locally?

@justinrush Yes, it looks like a regression. Whilst as @melvis02 mentioned, the issue also exist in public cloud. Presumably, these are due to different causes?

My reply can serve as a minimal tf config

[magodo]

@justinrush Then it sounds both the StorageV2 Storage kind + usgov cloud and Storage kind + any cloud doesn't support the lastAccessTimeTrackingPolicy property (and probably the containerDeleteRetentionPolicy as is mentioned in #11960). I'll try to contact the Azure Storage team to confirm and provide a solution back.

[DevopsMercenary]

Ran into this issue when creating a new storage account today with 3.72.0

Hoping this will be resolved soon. I'm trying to move to 3.62.0 to see if that at least gets me un-stuck

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.