Chasing a SharedKey signature mismatch: fix azurerm_storage_table_entity
a day ago
- #Terraform
- #Debugging
- #Azure Storage
- Unlike more obvious failures, a quiet bug in azurerm_storage_table_entity caused persistent 401 Unauthorized errors.
- The investigation spanned two days, uncovering four sequential bugs: authentication, HTTP routing, upsert semantics, and stream lifecycle.
- First, key mismatch was ruled out through diagnostic logging, confirming stable keys and no Topaz restarts.
- The root cause was URL encoding: Terraform percent-encoded parentheses and quotes in the request path, but Topaz computed the HMAC signature over the decoded path, so the signatures did not match.
- The fix used IHttpRequestFeature.RawTarget to get the raw wire path, updating all 14 table endpoint classes.
- Second, the MERGE verb for Insert-or-Merge operations was missing from endpoint routing; adding it resolved routing failures.
- Third, upsert semantics were incorrect: MERGE should create entities if missing, but code threw EntityNotFoundException; a fallback path was added.
- Fourth, a disposed stream issue occurred because StreamReader closed the stream; buffering into a MemoryStream with leaveOpen: true fixed it.
- GitHub Copilot assisted by adding logging, generating isolated tests, and suggesting fixes, especially in identifying the URL encoding issue.
- After fixes, Terraform runs succeeded, and API coverage now marks azurerm_storage_table_entity as implemented, with tests running in two minutes.
- The debugging process was sequential, as each bug hid the next; the URL encoding issue was subtle due to ASP.NET Core's path decoding.
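
The URL-encoding mismatch described above, reproduced as an added example (not code from the original post or from Topaz). It assumes the documented Azure Table service Shared Key string-to-sign; the account name, key, date and entity path are constructed sample values, and `unquote` stands in for the path decoding a web framework performs.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Constructed sample values, not taken from the original post.
ACCOUNT = "devaccount"
KEY_B64 = base64.b64encode(b"constructed-demo-key-0123456789ab").decode()
DATE = "Mon, 01 Jan 2024 00:00:00 GMT"
# Request target as sent on the wire: parentheses and quotes percent-encoded.
RAW_TARGET = "/mytable%28PartitionKey=%27p1%27,RowKey=%27r1%27%29?timeout=30"


def path_only(raw_target):
    """Drop the query string; the path keeps its percent-encoding."""
    return raw_target.split("?", 1)[0]


def sign(key_b64, verb, content_type, date, account, path):
    """Table service Shared Key: HMAC-SHA256 over the string-to-sign."""
    resource = f"/{account}{path}"  # CanonicalizedResource
    string_to_sign = "\n".join([verb, "", content_type, date, resource])  # "" = Content-MD5
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def server_accepts(path_seen_by_server, presented_signature):
    """Recompute the signature server-side and compare in constant time."""
    expected = sign(KEY_B64, "MERGE", "application/json", DATE, ACCOUNT, path_seen_by_server)
    return hmac.compare_digest(expected, presented_signature)


def demo():
    wire_path = path_only(RAW_TARGET)
    decoded_path = unquote(wire_path)  # stands in for a framework-decoded path
    client_sig = sign(KEY_B64, "MERGE", "application/json", DATE, ACCOUNT, wire_path)
    return {
        "decoded_path": decoded_path,
        "accepted_with_decoded_path": server_accepts(decoded_path, client_sig),
        "accepted_with_raw_path": server_accepts(wire_path, client_sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key is identical on both sides in this run, so the rejection comes only from which form of the path enters the string-to-sign.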