CheckPointSW / CloudGuardIaaS

Check Point CloudGuard Network Security repository containing solution templates, Terraform templates, tools and scripts for deploying and configuring CloudGuard Network Security products.

Redeployment for azure nva-into-existing-hub fails #425

Open LukasAuSc opened 1 week ago

LukasAuSc commented 1 week ago

Hi,

firstly thank you for the implementations for different cloud providers and languages. I am currently struggling with a strange issue when deploying the Terraform integration on Azure, nva-into-existing-hub.

The first deployment works perfectly fine, in under 10 min, but afterwards it tries to deploy again, and fails with the following error:

2024-11-05T12:36:35.614+0100 [ERROR] provider.terraform-provider-azurerm.exe: Response contains error diagnostic: @module=sdk.proto tf_proto_version=5.4 tf_req_id=864f4aa4-0ec7-b9db-478b-4d5b999de45d tf_resource_type=azurerm_managed_application @caller=/home/runner/work/terraform-provider-azurerm/terraform-provider-azurerm/provider/vendor/github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_severity=ERROR tf_rpc=ApplyResourceChange
  diagnostic_summary=
  | failed to create Application (Subscription: "***************"
  | Resource Group Name: "***************"
  | Application Name: "***************"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:
  |
  | Status: "Failed"
  | Code: "RoleAssignmentExists"
  | Message: "The role assignment already exists."
  | Activity Id: ""
  |
  | ---
  |
  | API Response:
  |
  | ----[start]----
  | {"id":"***************","name":"***************","resourceId":"***************","status":"Failed","startTime":"2024-11-05T11:21:21.1914472Z","endTime":"2024-11-05T11:36:34.8203636Z","error":{"code":"RoleAssignmentExists","message":"The role assignment already exists."}}
  | -----[end]-----
   tf_provider_addr=provider timestamp="2024-11-05T12:36:35.614+0100"
2024-11-05T12:36:35.616+0100 [ERROR] vertex "azurerm_managed_application.nva" error: failed to create Application (Subscription: "***************"
Resource Group Name: "***************"
Application Name: "***************"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:

Status: "Failed"
Code: "RoleAssignmentExists"
Message: "The role assignment already exists."
Activity Id: ""

What I was able to figure out is that with the first deployment the automatically created UAI vwan-managed-identity is created and assigned the Managed Application Operator Role to the NVA. With the second deployment, the above error comes up and the deployment fails after >15 min. When I delete the role assignment, the deployment works again smoothly, but if I deploy it again, same error.

If you can help me or point me in the right direction, I would greatly appreciate it. Since I cannot see into the application, unfortunately I am stuck here.
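A small triage helper for provider logs like the one quoted above (an added example, not code from the repository or from the reporter): it pulls the ARM long-running-operation result out of terraform-provider-azurerm debug output so the error code and how long Terraform polled before the failure can be read off directly. The sample log is a constructed excerpt with placeholders where the original values were redacted.

```python
import json
import re
from datetime import datetime, timezone

# Constructed excerpt modelled on the provider log quoted in the issue; the
# values the reporter redacted are replaced with placeholders, not real IDs.
SAMPLE_LOG = """\
2024-11-05T12:36:35.614+0100 [ERROR] provider.terraform-provider-azurerm.exe: Response contains error diagnostic: tf_resource_type=azurerm_managed_application tf_rpc=ApplyResourceChange
  diagnostic_summary=
  | failed to create Application (Subscription: "<redacted>"
  | API Response:
  | ----[start]----
  | {"id":"<redacted>","name":"<redacted>","resourceId":"<redacted>","status":"Failed","startTime":"2024-11-05T11:21:21.1914472Z","endTime":"2024-11-05T11:36:34.8203636Z","error":{"code":"RoleAssignmentExists","message":"The role assignment already exists."}}
  | -----[end]-----
"""


def parse_azure_time(value):
    """ARM timestamps carry 7 fractional digits; strptime's %f accepts at most 6, so trim first."""
    trimmed = re.sub(r"(\.\d{1,6})\d*Z$", r"\1", value)
    return datetime.strptime(trimmed, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def extract_failed_operations(log_text):
    """Return one record per failed ARM operation whose JSON result body appears
    between the ----[start]---- / -----[end]----- markers (each line prefixed '| ')."""
    failures = []
    resource_type = None
    for raw in log_text.splitlines():
        header = re.search(r"tf_resource_type=(\S+)", raw)
        if header:
            resource_type = header.group(1)  # the body that follows belongs to this resource
        line = raw.strip().lstrip("|").strip()
        if not line.startswith("{"):
            continue
        try:
            body = json.loads(line)
        except json.JSONDecodeError:
            continue  # a '| {' line that is not a complete ARM operation result
        if body.get("status") != "Failed":
            continue
        error = body.get("error", {})
        failures.append({
            "resource_type": resource_type,
            "code": error.get("code"),
            "message": error.get("message"),
            # how long Terraform polled before ARM reported the failure
            "polled_for": parse_azure_time(body["endTime"]) - parse_azure_time(body["startTime"]),
        })
    return failures
```

Run against a full `TF_LOG=DEBUG` capture, the `polled_for` value makes the ">15 min until failure" pattern visible without scrolling through the trace.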

chkp-natanelm commented 6 days ago

Hi @LukasAuSc, could you clarify what you mean by "deploy again"? Did you destroy the previous deployment and start over, or did you simply modify the parameters and re-run the Terraform template? Thanks.

LukasAuSc commented 6 days ago

Hi @chkp-natanelm, thank you for the quick response. "Deploy again" really just means running the same apply command as before, not even modifying the parameters. First it recognizes something as changed in parameter_values, which looks like this:


  # azurerm_managed_application.nva will be updated in-place
  ~ resource "azurerm_managed_application" "nva" {
        id                          = "***************"
        name                        = "***************"
      ~ parameter_values            = (sensitive value)
        tags                        = {}
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

(shortened for readability), and then when running it, it fails with the above-mentioned error.

And when I delete the role assignment, I can redeploy without issue. It looks to me like the role assignment is recreated with every apply step, even if it was created before. If it were Terraform code, I would say it has not been saved in the state, but I do not know how the managed application works.

chkp-natanelm commented 1 day ago

Hi @LukasAuSc, Thank you for the feedback. We will investigate it, and update the issue with the progress.