From fb2d3928a9659eaf06d1a94e35bb59febd45c948 Mon Sep 17 00:00:00 2001
From: Joshua Loeffler <jloeffler@microsoft.com>
Date: Thu, 17 Nov 2022 11:03:43 -0500
Subject: [PATCH] Explicitly disable storage blob public access for workspace
 templates

---
 quickstart/101-machine-learning/workspace.tf                     | 1 +
 .../workspace.tf                                                 | 1 +
 quickstart/301-machine-learning-hub-spoke-secure/workspace.tf    | 1 +
 3 files changed, 3 insertions(+)

diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf
index 0b018893..c60bcc5a 100644
--- a/quickstart/101-machine-learning/workspace.tf
+++ b/quickstart/101-machine-learning/workspace.tf
@@ -21,6 +21,7 @@ resource "azurerm_storage_account" "default" {
   resource_group_name      = azurerm_resource_group.default.name
   account_tier             = "Standard"
   account_replication_type = "GRS"
+  allow_nested_items_to_be_public = false
 }
 
 resource "azurerm_container_registry" "default" {
diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf
index bda44146..fc0c7a68 100644
--- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf
+++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf
@@ -26,6 +26,7 @@ resource "azurerm_storage_account" "default" {
   resource_group_name      = azurerm_resource_group.default.name
   account_tier             = "Standard"
   account_replication_type = "GRS"
+  allow_nested_items_to_be_public = false
 
   network_rules {
     default_action = "Deny"
diff --git a/quickstart/301-machine-learning-hub-spoke-secure/workspace.tf b/quickstart/301-machine-learning-hub-spoke-secure/workspace.tf
index ddf72ac1..c76745ed 100644
--- a/quickstart/301-machine-learning-hub-spoke-secure/workspace.tf
+++ b/quickstart/301-machine-learning-hub-spoke-secure/workspace.tf
@@ -27,6 +27,7 @@ resource "azurerm_storage_account" "default" {
   resource_group_name      = azurerm_resource_group.default.name
   account_tier             = "Standard"
   account_replication_type = "GRS"
+  allow_nested_items_to_be_public = false
 
   network_rules {
     default_action = "Deny"