"Error: Provider produced inconsistent final plan" - Private Endpoints

AliMBajwa commented 3 years ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.14.8 *provider registry.terraform.io/hashicorp/azurerm v2.55.0

Affected Resource(s)

azurerm_private_endpoint

Terraform Configuration Files

resource "azurerm_private_endpoint" "synapse_workspace" {
  name                = var.synapse_workspace_pe_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.pep_exclusive_subnet_id

  private_service_connection {
    name                           = "synapse-studio"
    is_manual_connection           = false
    private_connection_resource_id = var.synapse_studio_id
    subresource_names              = ["Dev"]
  }

  private_dns_zone_group {
    name = "synapse-studio"
    private_dns_zone_ids = [azurerm_private_dns_zone.synapse_workspace.id]
  }
}

resource "azurerm_private_dns_zone" "synapse_workspace" {
  name                = "privatelink.dev.azuresynapse.net"
  resource_group_name = var.resource_group_name

  soa_record {
    email = "azureprivatedns-host.microsoft.com"
    tags  = var.tags
  }
}

resource "azurerm_private_dns_zone_virtual_network_link" "synapse_workspace" {
  name                  = "synapse_workspace_link"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.synapse_workspace.name
  virtual_network_id    = var.virtual_network_id
}

resource "azurerm_private_dns_a_record" "synapse_workspace" {
  name                = var.synapse_workspace_name
  zone_name           = azurerm_private_dns_zone.synapse_workspace.name
  resource_group_name = var.resource_group_name
  ttl                 = 10
  records             = [azurerm_private_endpoint.synapse_workspace.private_service_connection.0.private_ip_address]
}

Panic Output

Error: Provider produced inconsistent final plan

When expanding the plan for module.private_link.azurerm_private_endpoint.synapse_serverless_sql to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .private_dns_zone_group[0].private_dns_zone_ids: new element 0 has appeared.

This is a bug in the provider, which should be reported in the provider's own issue tracker.

Expected Behaviour

The private Endpoint, DNS Zone and DNS A record should be created. A NIC (which isn't specified in the terraform code) should also be created with the private endpoint.

Actual Behaviour

When I plan and apply the configuration - I try to change the value and re plan and apply. A plan is successfully generated, however - the apply step will fail with the panic error above.

Steps to Reproduce

Create a Private DNS Zone in the portal which is identical the the one you are about to create.
terraform plan and terraform apply - this will fail with an error telling you to import the resource if you want to manage it.
Delete the non-terraform managed private DNS Zone in the portal.
'''terraform planandterraform apply```

Important Factoids

The terraform is being run via Azure Devops (no marketplace extensions used to init/plan/apply).

References

5529 (https://github.com/terraform-providers/terraform-provider-azurerm/issues/5529)

favoretti commented 3 years ago

Hi there and thank you for reporting this. From the looks of it you're trying to add the same record twice:

resource "azurerm_private_endpoint" "synapse_workspace" {
  name                = var.synapse_workspace_pe_name

<snip>

  private_dns_zone_group {
    name = "synapse-studio"
    private_dns_zone_ids = [azurerm_private_dns_zone.synapse_workspace.id]
  }
}

This block will take care of creating the records.

This block, however, will try to do the same:

resource "azurerm_private_dns_a_record" "synapse_workspace" {
  name                = var.synapse_workspace_name
  zone_name           = azurerm_private_dns_zone.synapse_workspace.name
  resource_group_name = var.resource_group_name
  ttl                 = 10
  records             = [azurerm_private_endpoint.synapse_workspace.private_service_connection.0.private_ip_address]
}

Hence I think if you leave one of the 2 - you'll get the desired result.

AliMBajwa commented 3 years ago

@favoretti

Thanks for your response - I've removed the explicit 'a' records and I can confirm it worked.

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

hashicorp / terraform-provider-azurerm