From 3c407d7d4f76789c1ecb02e33653726f7cb30df2 Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Wed, 26 Feb 2025 13:04:18 +0000
Subject: [PATCH 1/6] Refactor role assignment check to validate both "Storage Blob Data Contributor" and "Storage Account Contributor" roles
---
 devops/terraform/bootstrap.sh | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 8abd7bc2c..882352dd1 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -43,18 +43,36 @@ az role assignment create --assignee "$USER_OBJECT_ID" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
 # Function to check if the role assignment exists
-check_role_assignment() {
- az role assignment list --assignee "$USER_OBJECT_ID" --role "Storage Blob Data Contributor" --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" --query "[].id" --output tsv
+check_role_assignments() {
+ local sbdc=$(az role assignment list \
+ --assignee "$USER_OBJECT_ID" \
+ --role "Storage Blob Data Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
+ --query "[].id" --output tsv)
+
+ local sac=$(az role assignment list \
+ --assignee "$USER_OBJECT_ID" \
+ --role "Storage Account Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
+ --query "[].id" --output tsv)
+
+ # Return a non-empty value only if both roles are assigned
+ if [[ -n "$sbdc" && -n "$sac" ]]; then
+ echo "both"
+ fi
 }
 # Wait for the role assignment to be applied
 echo -e "\n\e[34m»»» ⏳ \e[96mWaiting for role assignment to be applied\e[0m..."
-while [ -z "$(check_role_assignment)" ]; do
+while [ -z "$(check_role_assignments)" ]; do
 echo "Waiting for role assignment..."
 sleep 10
 done
 echo "Role assignment applied."
+# shellcheck disable=SC1091
+source ../scripts/mgmtstorage_enable_public_access.sh
+
 # Blob container
 # shellcheck disable=SC2154
 az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "$TF_VAR_terraform_state_container_name" --auth-mode login -o table
From bdb0886d2fa3e074ab76617e06c105d14de1d741 Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Wed, 26 Feb 2025 13:06:05 +0000
Subject: [PATCH 2/6] Remove unused script source from bootstrap.sh
---
 devops/terraform/bootstrap.sh | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 882352dd1..377ebcd9f 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -28,9 +28,6 @@ else
 az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
 fi
-# shellcheck disable=SC1091
-source ../scripts/mgmtstorage_enable_public_access.sh
-
 # Grant user blob data contributor permissions
 echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."
 if [ -n "${ARM_CLIENT_ID:-}" ]; then
From c421afb69270139a97ca5295ac2b2f2401e9ec43 Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Wed, 26 Feb 2025 13:30:44 +0000
Subject: [PATCH 3/6] Refactor role assignment check to use local variables for clarity
---
 devops/terraform/bootstrap.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 377ebcd9f..f413f562c 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
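Review bot: The `while [ -z "$(check_role_assignments)" ]` loop has no upper bound, so if either role assignment never becomes visible the bootstrap hangs forever printing `Waiting for role assignment...`, and because a failing `az role assignment list` (expired login, network error, wrong subscription) also yields empty output inside the command substitution, such failures are indistinguishable from "not propagated yet" and are never surfaced (the script's `set` options are not visible in this hunk, but errexit would not apply inside a loop condition anyway). Count the attempts and fail with a message after a limit, as sketched below. The same check function is rewritten again in patch 3, patch 5 and patch 6 without a bound, so this applies to those hunks too. A smaller style point: the storage-account `--scope` string is repeated verbatim in every `az` call; assigning it once to a `readonly` variable removes the drift risk.
```shell
max_attempts=30   # constructed value: 30 x 10s = 5 min
attempt=0
while [ -z "$(check_role_assignments)" ]; do
  attempt=$((attempt + 1))
  if [ "$attempt" -ge "$max_attempts" ]; then
    echo "ERROR: role assignments not visible after $max_attempts attempts" >&2
    exit 1
  fi
  # … unchanged: echo "Waiting for role assignment..." / sleep 10 …
done
```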
@@ -41,13 +41,15 @@ az role assignment create --assignee "$USER_OBJECT_ID" \
 # Function to check if the role assignment exists
 check_role_assignments() {
- local sbdc=$(az role assignment list \
+ local sbdc
+ sbdc=$(az role assignment list \
 --assignee "$USER_OBJECT_ID" \
 --role "Storage Blob Data Contributor" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
 --query "[].id" --output tsv)
- local sac=$(az role assignment list \
+ local sac
+ sac=$(az role assignment list \
 --assignee "$USER_OBJECT_ID" \
 --role "Storage Account Contributor" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
From 52598a6799a98a8f5f57780900ccc0c32f747c29 Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Wed, 26 Feb 2025 14:11:29 +0000
Subject: [PATCH 4/6] Update CHANGELOG and add role assignment for Storage Account Contributor in bootstrap.sh
---
 CHANGELOG.md | 2 +-
 devops/terraform/bootstrap.sh | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3b5da97ea..42a3fd4d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ ENHANCEMENTS:
 * Deny public access to TRE management storage account, and add private endpoint for TRE core [#4353](https://github.com/microsoft/AzureTRE/issues/4353)
 BUG FIXES:
-
+* Resolved a 403 storage account error when creating a new TRE environment ([#4405](https://github.com/microsoft/AzureTRE/issues/4405)) in PR [#4406](https://github.com/microsoft/AzureTRE/pull/4406)
 ## 0.21.0
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index f413f562c..cef1702b1 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -35,6 +35,11 @@ if [ -n "${ARM_CLIENT_ID:-}" ]; then
 else
 USER_OBJECT_ID=$(az ad signed-in-user show --query id --output tsv)
 fi
+
+az role assignment create --assignee "$USER_OBJECT_ID" \
+ --role "Storage Account Contributor" \
+ --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
+
 az role assignment create --assignee "$USER_OBJECT_ID" \
 --role "Storage Blob Data Contributor" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name"
From 10941180fae58b280de5643b01a799b96fe3af98 Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Wed, 26 Feb 2025 20:13:21 +0000
Subject: [PATCH 5/6] Refactor role assignment check to use counts for validation and streamline script execution
---
 devops/terraform/bootstrap.sh | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index cef1702b1..9c54155d6 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -28,6 +28,9 @@ else
 az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
 fi
+# shellcheck disable=SC1091
+source ../scripts/mgmtstorage_enable_public_access.sh
+
 # Grant user blob data contributor permissions
 echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."
 if [ -n "${ARM_CLIENT_ID:-}" ]; then
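Review bot: The new `az role assignment create ... --role "Storage Account Contributor"` grants a control-plane role on the management storage account on top of the existing data-plane "Storage Blob Data Contributor", but nothing in the hunk records which operation needs it; add a comment above the call such as `# Storage Account Contributor is needed for <operation> (see #4405); Blob Data Contributor alone is not sufficient`, with the concrete operation filled in, so the broader grant can be justified at review time and removed once it is no longer needed. The `echo` just above this hunk announces only the Blob Data Contributor grant, so the log now under-reports what is assigned; extend that message to name both roles. Both `az role assignment create` calls continue without checking their exit status; whether that is acceptable depends on the script's `set` options, which are outside this hunk.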
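Review bot: `source ../scripts/mgmtstorage_enable_public_access.sh` runs that script inside the bootstrap shell, so an `exit`, `set` or `cd` in it, and every variable it assigns, now affects the rest of bootstrap.sh; unless it must export something back, run it as a child process (`bash ../scripts/mgmtstorage_enable_public_access.sh || exit 1`) and drop the SC1091 directive. Its name suggests it opens the management storage account to public network access before the role grants (inferred from the filename; the script itself is not in this series), and the series does not show where that access is restricted again once bootstrap is done, so a comment above the `source` line stating why it must precede the role assignments and where the access is closed off again would help the next reader. The path is resolved against the caller's current working directory rather than the script's own location, which the hunk does not pin down.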
@@ -46,22 +49,22 @@ az role assignment create --assignee "$USER_OBJECT_ID" \
 # Function to check if the role assignment exists
 check_role_assignments() {
- local sbdc
- sbdc=$(az role assignment list \
+ local sbdc_count sac_count
+
+ sac_count=$(az role assignment list \
 --assignee "$USER_OBJECT_ID" \
- --role "Storage Blob Data Contributor" \
+ --role "Storage Account Contributor" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
- --query "[].id" --output tsv)
+ --query "length([])" --output tsv)
- local sac
- sac=$(az role assignment list \
+ sbdc_count=$(az role assignment list \
 --assignee "$USER_OBJECT_ID" \
- --role "Storage Account Contributor" \
+ --role "Storage Blob Data Contributor" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
- --query "[].id" --output tsv)
+ --query "length([])" --output tsv)
- # Return a non-empty value only if both roles are assigned
- if [[ -n "$sbdc" && -n "$sac" ]]; then
+ # If both counts are greater than 0, we have both assignments
+ if [[ $sbdc_count -gt 0 && $sac_count -gt 0 ]]; then
 echo "both"
 fi
 }
@@ -74,9 +77,6 @@ while [ -z "$(check_role_assignments)" ]; do
 done
 echo "Role assignment applied."
-# shellcheck disable=SC1091
-source ../scripts/mgmtstorage_enable_public_access.sh
-
 # Blob container
 # shellcheck disable=SC2154
 az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "$TF_VAR_terraform_state_container_name" --auth-mode login -o table
From 4c26cde5e0e3578c05eca6537f34442ce932370e Mon Sep 17 00:00:00 2001
From: Ron Shakutai
Date: Wed, 26 Feb 2025 21:21:55 +0000
Subject: [PATCH 6/6] Refactor role assignment check to use non-empty value validation and enhance storage container creation with retry logic
---
 devops/terraform/bootstrap.sh | 44 ++++++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 14 deletions(-)
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 9c54155d6..7cfb14920 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -49,22 +49,22 @@ az role assignment create --assignee "$USER_OBJECT_ID" \
 # Function to check if the role assignment exists
 check_role_assignments() {
- local sbdc_count sac_count
-
- sac_count=$(az role assignment list \
+ local sbdc
+ sbdc=$(az role assignment list \
 --assignee "$USER_OBJECT_ID" \
- --role "Storage Account Contributor" \
+ --role "Storage Blob Data Contributor" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
- --query "length([])" --output tsv)
+ --query "[].id" --output tsv)
- sbdc_count=$(az role assignment list \
+ local sac
+ sac=$(az role assignment list \
 --assignee "$USER_OBJECT_ID" \
- --role "Storage Blob Data Contributor" \
+ --role "Storage Account Contributor" \
 --scope "/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$TF_VAR_mgmt_resource_group_name/providers/Microsoft.Storage/storageAccounts/$TF_VAR_mgmt_storage_account_name" \
- --query "length([])" --output tsv)
+ --query "[].id" --output tsv)
- # If both counts are greater than 0, we have both assignments
- if [[ $sbdc_count -gt 0 && $sac_count -gt 0 ]]; then
+ # Return a non-empty value only if both roles are assigned
+ if [[ -n "$sbdc" && -n "$sac" ]]; then
 echo "both"
 fi
 }
@@ -76,13 +76,29 @@ while [ -z "$(check_role_assignments)" ]; do
 sleep 10
 done
 echo "Role assignment applied."
-
+sleep 30
 # Blob container
 # shellcheck disable=SC2154
-az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "$TF_VAR_terraform_state_container_name" --auth-mode login -o table
-# logs container
-az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "tflogs" --auth-mode login -o table
+echo -e "\n\e[34m»»» 📦 \e[96mCreating storage containers\e[0m..."
+# List of containers to create
+containers=("$TF_VAR_terraform_state_container_name" "tflogs")
+max_retries=5
+
+for container in "${containers[@]}"; do
+ for ((i=1; i<=max_retries; i++)); do
+ if az storage container create --account-name "$TF_VAR_mgmt_storage_account_name" --name "$container" --auth-mode login -o table; then
+ echo "Container '$container' created successfully."
+ break
+ else
+ sleep 10
+ fi
+ if [ $i -eq $max_retries ]; then
+ echo "ERROR: Failed to create container '$container' after $max_retries attempts."
+ exit 1
+ fi
+ done
+done
 cat > bootstrap_backend.tf <