Azure / devops-governance

Example end-to-end Governance Model from CI/CD to Azure Resource Manager. Use this project to deploy example AAD, ARM and Azure DevOps resources to learn about e2e RBAC.
MIT License

Random Azure DevOps Errors #24

Closed julie-ng closed 3 years ago

julie-ng commented 3 years ago

Symptom

Sometimes when IaC is changed, the following messages are returned when running terraform apply and even terraform destroy:

module.arm_environments["infra_shared"].azurerm_resource_group.workspace: Still destroying... [id=/subscriptions/6e3d4b6a-31b2-423b-a19a-...22/resourceGroups/infra-shared-nsh0-rg, 40s elapsed]
module.arm_environments["fruits_dev"].azurerm_resource_group.workspace: Still destroying... [id=/subscriptions/6e3d4b6a-31b2-423b-a19a-...2822/resourceGroups/fruits-dev-nsh0-rg, 40s elapsed]
module.arm_environments["fruits_prod"].azurerm_resource_group.workspace: Still destroying... [id=/subscriptions/6e3d4b6a-31b2-423b-a19a-...822/resourceGroups/fruits-prod-nsh0-rg, 40s elapsed]
module.arm_environments["veggies_prod"].azurerm_resource_group.workspace: Destruction complete after 46s
module.arm_environments["fruits_dev"].azurerm_resource_group.workspace: Destruction complete after 46s
module.arm_environments["infra_shared"].azurerm_resource_group.workspace: Destruction complete after 46s
module.arm_environments["veggies_dev"].azurerm_resource_group.workspace: Destruction complete after 46s
module.arm_environments["fruits_prod"].azurerm_resource_group.workspace: Destruction complete after 45s

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1909980924-2329286727-2170054555-31303424.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1128492131-4123986507-3057368717-147136582.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3734241186-3076090954-2678173946-3324452108.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1909980924-2329286727-2170054555-31303424.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3466419570-1682021700-2205560075-2915369390.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3466419570-1682021700-2205560075-2915369390.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3466419570-1682021700-2205560075-2915369390.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1128492131-4123986507-3057368717-147136582.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3734241186-3076090954-2678173946-3324452108.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1909980924-2329286727-2170054555-31303424.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1909980924-2329286727-2170054555-31303424.

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3466419570-1682021700-2205560075-2915369390.

Hypothesis

Terraform is deleting ADO Projects before security groups. So when Terraform tries to remove security groups, it cannot find them and those "security identifier (SID)" are not found in terraform state. So I assume it's a weird legacy Team Foundation Server (TFS) identifier.

Action

Use depends_on to force terraform to remove ADO security groups before removing projects.
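
The ordering described in the Action above, sketched as an added example (not code from this repository or from the issue author). The module path, the `projects` variable and the `project_name` input are hypothetical; `azuredevops_project` and the module-level `depends_on` argument are the real provider resource and Terraform feature.

```hcl
# Added example: hypothetical names, not the repository's own configuration.

variable "projects" {
  type = map(object({ name = string }))
  default = {
    proj_fruits  = { name = "project-fruits" }
    proj_veggies = { name = "project-veggies" }
  }
}

resource "azuredevops_project" "team" {
  for_each   = var.projects
  name       = each.value.name
  visibility = "private"
}

module "ado_team_permissions" {
  for_each = var.projects

  # Hypothetical module that declares azuredevops_group.team_group
  # and azuredevops_group.admins_group for one project.
  source = "./modules/ado-team-permissions"

  # Hypothetical input: the module receives only a name, so Terraform sees
  # no reference from the groups to the project resource above.
  project_name = each.value.name

  # Explicit dependency edge (module-level depends_on needs Terraform 0.13+).
  # Create: projects first, then groups.
  # Destroy: reverse order, so the groups are removed while their project
  # still exists and the TF50258 lookup has something to find.
  depends_on = [azuredevops_project.team]
}
```

If the module instead takes `azuredevops_project.team[each.key].id` as an input, that reference already creates the same dependency and `depends_on` is redundant.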

julie-ng commented 3 years ago

BTW, to remove the error by making Terraform forget these orphaned resources, run something like:

terraform state rm 'module.ado_collaboration_permissions_veggies.azuredevops_group.admins_group'
terraform state rm 'module.ado_collaboration_permissions_veggies.azuredevops_group.team_group'
terraform state rm 'module.ado_supermarket_permissions_fruits.azuredevops_group.admins_group'
terraform state rm 'module.ado_supermarket_permissions_fruits.azuredevops_group.team_group'
terraform state rm 'module.ado_supermarket_permissions_veggies.azuredevops_group.team_group'
terraform state rm 'module.ado_team_permissions["proj_fruits"].azuredevops_group.admins_group'
terraform state rm 'module.ado_team_permissions["proj_fruits"].azuredevops_group.team_group'
terraform state rm 'module.ado_team_permissions["proj_veggies"].azuredevops_group.admins_group'
terraform state rm 'module.ado_team_permissions["proj_veggies"].azuredevops_group.team_group'
terraform state rm 'module.team_permissions["proj_fruits"].azuredevops_group.team_group'
terraform state rm 'module.team_permissions["proj_veggies"].azuredevops_group.team_group'

Unfortunately the SID in the error message is useless. So I've just deleted all the security group assignments aka "permissions" 🤷‍♀️