Azure Storage Account default network access is set to allow TF-S1035

By default, storage accounts accept connections from clients on any network. The default action must be changed to limit access to selected networks, as restricting default network access helps to provide an additional layer of security.

It is recommend to configure storage accounts to deny access to traffic from all networks, including internet traffic.

Recommended

resource "azurerm_storage_account_network_rules" "recommended" {
    resource_group_name  = azurerm_resource_group.demo.name
    storage_account_name = azurerm_storage_account.demo.name
    ...
    default_action             = "Deny"
}