问题数月后仍然存在, 因此我使用了下面的变通方法。 ADLS gen2 文件系统与常规存储容器有些不同, 您需要 < code> Storage Blob Data所有者 来创建/ 更新文件系统 。

data "azurerm_client_config" "current" {}

# HACK: Role assignment is needed to apply adls gen2 filesystem changes
resource "azurerm_role_assignment" "role_assignment" {
  scope                = var.storage_account_id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "role_assignment" {
  scope                = var.storage_account_id
  role_definition_name = "Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

# HACK: Sleep is needed to wait for role assignment to propagate
resource "time_sleep" "role_assignment_sleep" {
  create_duration = "60s"

  triggers = {
    role_assignment = azurerm_role_assignment.role_assignment.id
  }
}

resource "azurerm_storage_data_lake_gen2_filesystem" "filesystem" {
  name               = var.filesystem_name
  storage_account_id = var.storage_account_id
  depends_on         = [time_sleep.role_assignment_sleep]
}

造成403 错误的原因:

public_network_access_enabled = false

如果您在本地重新测试, 您可以在 ip_ rules 列表中添加您的公共 IP :

resource "azurerm_storage_account" "lake" {
  # ...

  # Enable the access
  public_network_access_enabled = true

  # Control access with IP rules
  network_rules {
    default_action             = "Deny"
    ip_rules                   = [var.public_ip_address_to_allow]
    virtual_network_subnet_ids = [var.subnet_id]
    bypass                     = ["AzureServices"]
  }
}

在您的输油管中,比如在地貌云上,要将这一功能自动化,应该有可能得到>IP范围 ,并自动使用>hashicorp/http 提供者。

不要忘记集装箱及其目录的ACLs。

MT I had to set the permission to the Resource Group where the stgaccount where created.

设置为 stg 账户无效 。

谢谢你的回答!