Azure storage account firewall rule prevents Terraform deployment with Azure DevOps


For Terraform I would suggest running your own agent pools. The agent pools for production environments should be separate from non-production ones and should be located in separate vNets. Then add a network rule to your Storage Account to allow access from the agent pool subnet. The same applies to most other services when you use Service Endpoints as well.

//EDIT:

Check some fresh best practices for creating Terraform pipelines.
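An added example, not code from the answer above, of the layout it describes in Terraform: one isolated agent vNet per environment, a subnet with a Microsoft.Storage service endpoint, and a storage account firewall that denies everything except that environment's own agent subnet. Resource names, address ranges, the region and the azurerm >= 3.0 provider (which takes storage_account_id on the network rules resource) are assumptions.

```hcl
# Added example: per-environment self-hosted agent subnets allowed through the
# storage firewall via a service endpoint. All names, CIDRs and the region are assumed.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

locals {
  # One agent network per environment. Production and non-production never
  # share a vNet, so a non-prod agent can never reach the prod state account.
  environments = {
    prod    = { vnet_cidr = "10.10.0.0/16", subnet_cidr = "10.10.1.0/24" }
    nonprod = { vnet_cidr = "10.20.0.0/16", subnet_cidr = "10.20.1.0/24" }
  }
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-tf-agents" # assumed name
  location = "westeurope"   # assumed region
}

resource "azurerm_virtual_network" "agents" {
  for_each            = local.environments
  name                = "vnet-tf-agents-${each.key}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = [each.value.vnet_cidr]
}

# The self-hosted Azure DevOps agents (VMs or a scale set) are placed in this
# subnet. The Microsoft.Storage service endpoint routes their storage traffic
# over the Azure backbone tagged with the subnet identity, which is what the
# virtual_network_subnet_ids rule below matches; public agent IPs play no part.
resource "azurerm_subnet" "agents" {
  for_each             = local.environments
  name                 = "snet-tf-agents"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.agents[each.key].name
  address_prefixes     = [each.value.subnet_cidr]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "tfstate" {
  for_each                 = local.environments
  name                     = "sttfstate${each.key}example" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

# Deny by default; allow only this environment's own agent subnet plus the
# platform bypasses needed for diagnostics. Do not also set the inline
# network_rules block on azurerm_storage_account: both manage the same setting.
resource "azurerm_storage_account_network_rules" "tfstate" {
  for_each                   = local.environments
  storage_account_id         = azurerm_storage_account.tfstate[each.key].id
  default_action             = "Deny"
  bypass                     = ["AzureServices", "Logging", "Metrics"]
  virtual_network_subnet_ids = [azurerm_subnet.agents[each.key].id]
  ip_rules                   = []
}
```

The run that applies these rules has to come from an allowed path itself: either bootstrap from inside the agent subnet, or apply the network rules last with a temporary ip_rules entry for the bootstrap machine and remove it afterwards. With default_action = "Deny" the portal's blob browser from an office address is blocked too unless that address is added.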


You can utilise a data source to dynamically check your agent's IP at apply time, the result of which looks like this:

```hcl
# Look up the public IP of the machine running terraform apply (the build agent).
data "http" "myip" {
  url = "https://ipv4.icanhazip.com"
}

resource "azurerm_storage_account_network_rules" "sample" {
  # azurerm 2.x arguments; azurerm 3.x replaces both with storage_account_id.
  resource_group_name  = azurerm_resource_group.rg.name
  storage_account_name = azurerm_storage_account.storage.name

  default_action             = "Deny"
  virtual_network_subnet_ids = [azurerm_subnet.subnet.id]
  bypass                     = ["AzureServices", "Logging", "Metrics"]

  # chomp() strips the trailing newline icanhazip returns.
  # hashicorp/http 3.x names this attribute response_body; body is the older name.
  ip_rules = [chomp(data.http.myip.body)]
}
```

You then need to make sure you have removed the IP once you are done, for which I typically just use Remove-AzStorageAccountNetworkRule or something like this.


Just like @a4c74356b41 said, you have to whitelist all the IP ranges for the agents in my region, as described here.

Unfortunately there are about 160 IP ranges (you have to remove all ranges bigger than .../29) plus my own, but at least it works now.
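The same allow list, as an added example rather than code from the answer: instead of pasting the regional ranges by hand, pull the AzureCloud service tag for the region from the azurerm_network_service_tags data source and turn it into ip_rules, expanding any /31 or /32 entries into single addresses because the storage firewall rejects those two sizes as ranges. Resource names, the region and a 3.x azurerm release that exposes the ipv4_cidrs attribute are assumptions. Weigh what this buys and costs: the list refreshes on every plan, but allowing a whole region's AzureCloud space admits any other tenant's workload hosted there, which is far broader than the agent-subnet rule in the first answer.

```hcl
# Added example: hosted-agent allow list derived from the regional AzureCloud
# service tag. Names, region and provider version are assumptions.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0" # assumed: needs a release exposing ipv4_cidrs
    }
  }
}

provider "azurerm" {
  features {}
}

variable "location" {
  type    = string
  default = "westeurope" # assumed: the region your hosted agents run in
}

# Storage firewall IP rules accept single addresses and CIDRs, but reject /31
# and /32 as ranges; those must be listed as individual addresses. Anything
# more specific than this prefix length is expanded instead of dropped.
variable "max_range_prefix_length" {
  type    = number
  default = 30
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-tf-state" # assumed
  location = var.location
}

resource "azurerm_storage_account" "tfstate" {
  name                     = "sttfstatehostedagents" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

# Every AzureCloud IPv4 prefix for the chosen region: the space the hosted
# agents' public addresses come from. Re-read on each plan, so the rules
# follow Microsoft's service-tag updates without hand edits.
data "azurerm_network_service_tags" "region" {
  location        = var.location
  service         = "AzureCloud"
  location_filter = var.location
}

locals {
  cidrs      = data.azurerm_network_service_tags.region.ipv4_cidrs
  prefix_len = { for c in local.cidrs : c => tonumber(split("/", c)[1]) }

  # CIDRs the firewall accepts as-is.
  range_rules = [for c in local.cidrs : c if local.prefix_len[c] <= var.max_range_prefix_length]

  # /31 and /32 (or anything past the threshold) expanded to host addresses.
  host_rules = flatten([
    for c in local.cidrs : [
      for i in range(pow(2, 32 - local.prefix_len[c])) : cidrhost(c, i)
    ] if local.prefix_len[c] > var.max_range_prefix_length
  ])
}

resource "azurerm_storage_account_network_rules" "tfstate" {
  storage_account_id = azurerm_storage_account.tfstate.id
  default_action     = "Deny"
  bypass             = ["AzureServices", "Logging", "Metrics"]
  ip_rules           = concat(local.range_rules, local.host_rules)
}

# Check this in the plan output: the firewall caps the number of IP rules
# per storage account, and a large region can approach it.
output "ip_rule_count" {
  value = length(concat(local.range_rules, local.host_rules))
}
```

Because the data source is re-evaluated on every plan, a change in the service tag shows up as a diff on ip_rules; review that diff rather than auto-approving it, since it is the allow list of a state store.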