Error when trying to create more than one Azure Application Insights API Key

[beaubutton]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.13.6

• provider registry.terraform.io/hashicorp/azuread v1.2.2
• provider registry.terraform.io/hashicorp/azurerm v2.44.0

Affected Resource(s)

• azurerm_application_insights_api_key

Terraform Configuration Files

resource "azurerm_resource_group" "prirg" {
    name     = "application-${var.priloc}-${var.env}-rg-01"
    location = var.prilocation
    tags     = var.tags
}

resource "azurerm_application_insights" "priai" {
    name                = "application-${var.priloc}-${var.env}-ai-01"
    location            = azurerm_resource_group.prirg.location
    resource_group_name = azurerm_resource_group.prirg.name
    application_type    = "web"
    retention_in_days   = "365"
    tags                = var.tags
}

resource "azurerm_application_insights_api_key" "priaiapikread" {
    name                    = "application-${var.priloc}-${var.env}-ai-apik-read-01"
    application_insights_id = azurerm_application_insights.priai.id
    read_permissions        = ["aggregate", "api", "draft", "extendqueries", "search"]
}

resource "azurerm_application_insights_api_key" "priaiapikwrite" {
    name                    = "application-${var.priloc}-${var.env}-ai-apik-write-01"
    application_insights_id = azurerm_application_insights.priai.id
    write_permissions       = ["annotations"]
}

Expected Behaviour

Two Application Insights API Keys should have been created. One with Read permissions and a second with write permissions.

Actual Behaviour

Only one Application Insights API Key was created, the Read key. When trying to create the Write key, the following error was received: A resource with the ID "/subscriptions/****/resourcegroups/application-e1us-hdtest-rg-01/providers/microsoft.insights/components/application-e1us-hdtest-ai-01/apikeys/****" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_application_insights_api_key" for more information.

Steps to Reproduce

1. terraform init
2. terraform plan
3. terraform validate
4. terraform apply

References

• 8472

• 9877

[hkailantzis]

any news on this ? any workaround would be appreciated as well. In my case I have two keys created fine, but need two more to be created. tf plan shows the change (to create 2 more keys) but TF apply fails with above error and those missing keys do not exist in AI on azure.

Tried also to delete one of them from azure portal. next TF plan shows to create 3 keys now, same error as above for 3 keys.

[hkailantzis]

ok, so what fixed it for me was to delete all keys manually from portal, and let TF recreate them again. it seems that this needs to be completed successfully for all keys from the beginning in one go. So, adding a new key afterwards in the future probably won't work :/

[mcalnd70]

Yeah I've just hit this issue today when creating a TF managed Read Key alongside some that have been created manually

The Terraform here is totally unworkable even using AzureRM provider 2.98.0

[peepeepopapapeepeepo]

With AzureRM provider 3.0.2

I have tried to debug the providers and found that after listing the api keys, terraform try to list the key id again and then throw error A resource with the ID "..." already exists which is not make any sense.

Here is the behavior of terraform appeared in debug log

1) terraform lists the APIKey

REQ

GET /subscriptions/xxxxxx/resourceGroups/xxxxxxx/providers/Microsoft.Insights/components/appi-appinsights-az-asse-sbx-001/ApiKeys?api-version=2015-05-01

RESP

{
  "value": [
    {
      "id": "/subscriptions/xxxxxx/resourcegroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/apikeys/35b99a4e-2a98-4a4e-87e7-fde636e74534",
      "name": "cli-demo",
      "linkedReadProperties": [
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/api",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/draft",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/extendqueries",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/search",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/aggregate"
      ],
      "linkedWriteProperties": [
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/annotations"
      ],
      "createdDate": "Mon, 04 Apr 2022 22:35:20 GMT",
      "integrationType": null,
      "integrationProperty": null
    },
    {
      "id": "/subscriptions/xxxxxx/resourcegroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/apikeys/04f39ba3-e829-4d33-ac04-5287bddc980a",
      "name": "aaaaaaaa",
      "linkedReadProperties": [
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/api",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/draft",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/extendqueries",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/search",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/aggregate",
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/agentconfig"
      ],
      "linkedWriteProperties": [
        "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/annotations"
      ],
      "createdDate": "Mon, 04 Apr 2022 22:19:39 GMT",
      "integrationType": null,
      "integrationProperty": null
    }
  ]
}

2) Then terraform try to list the key that it get from previous request again

REQ

GET /subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/Microsoft.Insights/components/xxxxxx/APIKeys/35b99a4e-2a98-4a4e-87e7-fde636e74534?api-version=2015-05-01

RESP

{
  "id": "/subscriptions/xxxxxx/resourcegroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/apikeys/35b99a4e-2a98-4a4e-87e7-fde636e74534",
  "name": "cli-demo",
  "linkedReadProperties": [
    "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/api",
    "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/draft",
    "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/extendqueries",
    "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/search",
    "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/aggregate"
  ],
  "linkedWriteProperties": [
    "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/microsoft.insights/components/xxxxxx/annotations"
  ],
  "createdDate": "Mon, 04 Apr 2022 22:35:20 GMT",
  "integrationType": null,
  "integrationProperty": null
}

3) Then terraform throw error A resource with the ID "..." already exists

LOG

2022-04-05T06:03:49.855+0700 [ERROR] vertex "module.app_insights.azurerm_application_insights_api_key.main1" error: A resource with the ID "/subscriptions/xxxxxx/resourceGroups/xxxxxx/providers/Microsoft.Insights/components/xxxxxx/apiKeys/35b99a4e-2a98-4a4e-87e7-fde636e74534" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_application_insights_api_key" for more information.

---

In my opinion rather than checking existance of key listing from 1., terraform should check the name and permissions (linkedReadProperties and linkedWriteProperties) of api key return from 1. and what in terraform code.

• If name and permission are duplicate, it is fine to throw the error.
• But if only name is duplicate, terrform should recreate the resource.
• And if both name and permission are not duplicate with any key, terraform should proceed api key creation.

[tgolly]

I've hit this today as well, using AzureRM 3.x.

Created the first ApiKey fine, then got this error trying to create a second key, even though the new azurerm_application_insights_api_key Terraform resource has a seperate name:

Error: A resource with the ID "/subscriptions/XXX/XXX/providers/Microsoft.Insights/components/XXX/apiKeys/abf14644-8087-42eb-acec-1a5792e4XXXX" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_application_insights_api_key" for more information.

[MaMaek]

The issue is still occurring. Checked with Microsoft azure backend and confirmed that they only received GET requests for the component and didn't receive any POST or PUT requests. Kindly assign a TF engineer to look into the issue.

[guywood13]

I've hit this issue myself this week. MS pointed me to this bug. Any updates on this?

[Socolin]

I have the same problem, is there any workaround ?

[albigi]

we've been experiencing the same for quite a while and would really like to eventually find a solution

[williamoconnorme]

This was resolved in release v3.84.0