fix(azure): create Pulumi state storage accounts as StorageV2 #323

Merged: amdove merged 1 commit into main from azure-state-account-storagev2 on Jun 23, 2026

@amdove amdove commented Jun 18, 2026

Summary

The bootstrap step created the Pulumi state storage account with the legacy BlobStorage account kind. This switches new accounts to StorageV2, the current general-purpose kind.

StorageV2 is a superset of BlobStorage. Pulumi state access (block blobs via the azblob:// backend) is functionally identical. The legacy BlobStorage kind lacks some newer security/network properties that customer security baselines (Azure Policy) evaluate against, so StorageV2 is the cleaner compliance baseline.

Scope / impact

  • New workloads only. CreateStorageAccount is guarded by an existence check in bootstrap, so this does not touch existing accounts.
  • Existing accounts can be upgraded in place, no downtime, via:
    az storage account update --name <acct> --resource-group <rg> --set kind=StorageV2
    (in-place metadata change — keeps name, endpoints, keys, data; one-way.)

Testing

  • go build ./..., go vet ./azure/... pass
  • Pre-commit hooks (lib) pass

🤖 Generated with Claude Code

The bootstrap step created the Pulumi state storage account with the legacy
BlobStorage kind. StorageV2 is the current general-purpose kind and a superset;
block-blob state access via the azblob:// backend is unchanged. The legacy kind
also lacks newer security/network properties that some customer security
baselines (Azure Policy) evaluate against.

Only affects newly bootstrapped workloads (CreateStorageAccount is guarded by
an existence check). Existing accounts can be upgraded in place via
`az storage account update --set kind=StorageV2` with no downtime.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@amdove amdove changed the title from "Create Pulumi state storage accounts as StorageV2" to "fix(azure): create Pulumi state storage accounts as StorageV2" Jun 18, 2026
@amdove amdove marked this pull request as ready for review June 18, 2026 22:19
@amdove amdove requested a review from a team as a code owner June 18, 2026 22:19
@amdove amdove requested a review from stevenolen June 18, 2026 22:20

@stevenolen stevenolen left a comment

thank you!

amdove commented Jun 23, 2026

@claude review please

claude Bot commented Jun 23, 2026

Claude finished @amdove's task in 38s


Code Review

  • Read changed file and diff
  • Review code for correctness, security, and best practices
  • Post findings

lib/azure/blobstorage.go — single-line kind change (KindBlobStorage → KindStorageV2).

The change is correct. A few notes:

Correctness: StorageV2 is a superset of BlobStorage. Block blob access (which azblob:// uses for Pulumi state) is fully supported, and AccessTier: Cool is valid on StorageV2 accounts. No functional regression.

Scope guard: The PR description correctly notes that CreateStorageAccount is only called after an existence check in bootstrap, so existing accounts are unaffected. Worth confirming — StorageAccountExists returns true when the account already exists, and callers skip CreateStorageAccount in that case. That logic is not in this file, but the claim holds as long as callers respect it.

Comment: The added comment (lines 32–35) is well-motivated — it explains why the legacy kind was a problem and confirms azblob:// compatibility. Reasonable to keep given the non-obvious compliance angle.

Minor: No blank line between CreateStorageAccount and BlobContainerExists at line 53/54 — pre-existing style issue, not introduced here.

Overall: change is small, well-scoped, and correctly reasoned. No issues.
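
An added example, not part of the thread and not the project's code: it sketches the existence guard discussed above and shows its consequence, namely that accounts created before this change stay on the legacy kind unless something reports them. The `accountAPI` interface, `EnsureStateAccount`, `ErrLegacyKind` and the in-memory `fakeAzure` state are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// accountAPI is a hypothetical stand-in for the Azure calls, not the project's API.
type accountAPI interface {
	Kind(name string) (kind string, exists bool, err error)
	Create(name, kind string) error
}

const wantKind = "StorageV2"

// ErrLegacyKind marks an existing account the existence guard left untouched.
var ErrLegacyKind = errors.New("existing account is not StorageV2")

// EnsureStateAccount creates a missing account as StorageV2. An existing
// account is never modified; a legacy kind is reported so an operator can run
// the in-place upgrade from the PR description.
func EnsureStateAccount(api accountAPI, name string) (bool, error) {
	kind, exists, err := api.Kind(name)
	if err != nil {
		return false, fmt.Errorf("lookup %s: %w", name, err)
	}
	if !exists {
		if err := api.Create(name, wantKind); err != nil {
			return false, fmt.Errorf("create %s: %w", name, err)
		}
		return true, nil
	}
	if kind != wantKind {
		return false, fmt.Errorf("%s has kind %s: %w", name, kind, ErrLegacyKind)
	}
	return false, nil
}

// fakeAzure is constructed in-memory state (account name -> kind).
type fakeAzure map[string]string

func (f fakeAzure) Kind(n string) (string, bool, error) { k, ok := f[n]; return k, ok, nil }
func (f fakeAzure) Create(n, kind string) error         { f[n] = kind; return nil }

func main() {
	az := fakeAzure{"legacyacct": "BlobStorage"} // constructed sample state
	for _, n := range []string{"newacct", "legacyacct", "newacct"} {
		created, err := EnsureStateAccount(az, n)
		fmt.Printf("%s created=%v err=%v\n", n, created, err)
	}
}
```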

@amdove amdove added this pull request to the merge queue Jun 23, 2026
Merged via the queue into main with commit bc914b7 Jun 23, 2026
5 of 6 checks passed
@amdove amdove deleted the azure-state-account-storagev2 branch June 23, 2026 22:14