hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_postgresql_server threat_detection_policy is not idempotent #13616

Open dkirrane opened 3 years ago

dkirrane commented 3 years ago

Terraform (and AzureRM Provider) Version

Terraform v1.0.8

Affected Resource(s)

Terraform Configuration Files

```hcl
resource "azurerm_postgresql_server" "example" {
  name                = "example-psqlserver"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  administrator_login          = "psqladminun"
  administrator_login_password = "H@Sh1CoR3!"

  sku_name   = "GP_Gen5_4"
  version    = "9.6"
  storage_mb = 640000

  # var.threat_detection_policy and local.final_config are defined elsewhere
  # in the poster's configuration; absent keys fall back to null.
  threat_detection_policy {
    enabled                    = var.threat_detection_policy
    disabled_alerts            = lookup(local.final_config, "disabled_alerts", null)
    email_account_admins       = lookup(local.final_config, "email_account_admins", null)
    email_addresses            = lookup(local.final_config, "email_addresses", null)
    retention_days             = lookup(local.final_config, "retention_days", null)
    storage_account_access_key = lookup(local.final_config, "storage_account_access_key", null)
    storage_endpoint           = lookup(local.final_config, "storage_endpoint", null)
  }
}
```

Expected Behaviour

idempotency

Actual Behaviour

Whether it is set to true or false, the Terraform threat_detection_policy is not idempotent. The resource plan also shows changes, for no reason, in threat_detection_policy:

```
~ resource "azurerm_postgresql_server" "this" {
    ....
    # (17 unchanged attributes hidden)

  - threat_detection_policy {
      - disabled_alerts      = [] -> null
      - email_account_admins = false -> null
      - email_addresses      = [] -> null
      - enabled              = true -> null
      - retention_days       = 0 -> null
    }

    # (2 unchanged blocks hidden)
}
```

References

It looks like this issue was previously fixed, but I'm using the latest provider version and still hit it.

tao-zhang-shell commented 2 years ago

Yes, I see the same issue. Previously it worked fine; not sure from which version it broke.

neiser commented 2 years ago

@tao-zhang-shell Don't know if helpful, but we're also seeing this with hashicorp/azurerm v2.98.0

dkirrane commented 2 years ago

Still seeing this with the latest:

```hcl
terraform {
  required_version = "1.2.9"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.24.0"
    }
  }
}
```

maciej-skorupka commented 2 years ago

The same is happening with 3.29. TF_LOG=DEBUG shows that I'm setting this in the PUT:

```json
{"disabledAlerts":[],"emailAccountAdmins":false,"emailAddresses":[],"retentionDays":0,"state":"Enabled"}
```

And I'm getting this in the response. Therefore there's a difference between the request and the response for disabledAlerts and emailAddresses.

```json
{"state":"Enabled","disabledAlerts":[""],"emailAddresses":[""],"emailAccountAdmins":false,"storageEndpoint":"","storageAccountAccessKey":"","retentionDays":0,"creationTime":"2022-11-13T07:13:14.427Z"}
```

Therefore I assumed that I could set [""] for disabledAlerts and emailAddresses to stop this. Unfortunately, I get the error below when I try to do that:

```text
Error: expected threat_detection_policy.0.disabled_alerts.0 to be one of [Sql_Injection Sql_Injection_Vulnerability Access_Anomaly Data_Exfiltration Unsafe_Action]
```
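The request/response mismatch shown in the comment above, reproduced in Go as an added example. This is not provider code: the type and function names (`alertPolicy`, `compactStrings`, `normalize`, `hasDrift`, `validateDisabledAlerts`) are this example's own, the two JSON bodies are the ones quoted in the thread, and the allowed alert names are taken from the error message quoted above. It shows why a naive comparison of the sent `[]` against the returned `[""]` reports a change on every plan, how normalizing the read-back removes that spurious diff, and why `[""]` cannot simply be written into the configuration instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// alertPolicy holds the fields of the securityAlertPolicies body exchanged in
// the thread above; creationTime is not modelled and is ignored on decode.
type alertPolicy struct {
	State                   string   `json:"state"`
	DisabledAlerts          []string `json:"disabledAlerts"`
	EmailAddresses          []string `json:"emailAddresses"`
	EmailAccountAdmins      bool     `json:"emailAccountAdmins"`
	StorageEndpoint         string   `json:"storageEndpoint,omitempty"`
	StorageAccountAccessKey string   `json:"storageAccountAccessKey,omitempty"`
	RetentionDays           int      `json:"retentionDays"`
}

// Allowed values, copied from the validation error quoted in the thread.
var allowedDisabledAlerts = []string{
	"Sql_Injection", "Sql_Injection_Vulnerability", "Access_Anomaly",
	"Data_Exfiltration", "Unsafe_Action",
}

// compactStrings drops "" entries (the API echoes [""] for an empty list),
// de-duplicates and sorts, and always returns a non-nil slice so that
// [] and [""] compare equal after normalization.
func compactStrings(in []string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, s := range in {
		if s == "" || seen[s] {
			continue
		}
		seen[s] = true
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// normalize returns the policy in canonical form for config/state comparison.
// The storage access key is write-only (the GET returns ""), so it is cleared
// here; a provider must carry it over from configuration, not from the read-back.
func normalize(p alertPolicy) alertPolicy {
	p.DisabledAlerts = compactStrings(p.DisabledAlerts)
	p.EmailAddresses = compactStrings(p.EmailAddresses)
	p.StorageAccountAccessKey = ""
	return p
}

func equalStrings(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// rawDiffers is the naive check that produces the perpetual diff: the list
// fields as sent versus as returned, compared element by element.
func rawDiffers(sent, got alertPolicy) bool {
	return !equalStrings(sent.DisabledAlerts, got.DisabledAlerts) ||
		!equalStrings(sent.EmailAddresses, got.EmailAddresses)
}

// hasDrift compares the two policies after normalization, so only a real
// change in the observable settings counts as drift.
func hasDrift(sent, got alertPolicy) bool {
	s, g := normalize(sent), normalize(got)
	return s.State != g.State ||
		s.EmailAccountAdmins != g.EmailAccountAdmins ||
		s.RetentionDays != g.RetentionDays ||
		s.StorageEndpoint != g.StorageEndpoint ||
		!equalStrings(s.DisabledAlerts, g.DisabledAlerts) ||
		!equalStrings(s.EmailAddresses, g.EmailAddresses)
}

// validateDisabledAlerts mirrors the schema validation behind the quoted
// error: every entry must be a known alert name, so "" is rejected and the
// [""] workaround cannot be expressed in configuration.
func validateDisabledAlerts(in []string) error {
	for i, s := range in {
		ok := false
		for _, a := range allowedDisabledAlerts {
			if s == a {
				ok = true
				break
			}
		}
		if !ok {
			return fmt.Errorf("expected threat_detection_policy.0.disabled_alerts.%d to be one of %v, got %q", i, allowedDisabledAlerts, s)
		}
	}
	return nil
}

// The PUT body and GET response quoted in the thread.
const sentJSON = `{"disabledAlerts":[],"emailAccountAdmins":false,"emailAddresses":[],"retentionDays":0,"state":"Enabled"}`
const gotJSON = `{"state":"Enabled","disabledAlerts":[""],"emailAddresses":[""],"emailAccountAdmins":false,"storageEndpoint":"","storageAccountAccessKey":"","retentionDays":0,"creationTime":"2022-11-13T07:13:14.427Z"}`

func decode(s string) (alertPolicy, error) {
	var p alertPolicy
	err := json.Unmarshal([]byte(s), &p)
	return p, err
}

func main() {
	sent, err := decode(sentJSON)
	if err != nil {
		panic(err)
	}
	got, err := decode(gotJSON)
	if err != nil {
		panic(err)
	}
	fmt.Println("raw bodies differ:", rawDiffers(sent, got))
	fmt.Println("drift after normalization:", hasDrift(sent, got))
	fmt.Println("config [\"\"] accepted:", validateDisabledAlerts([]string{""}) == nil)
}
```

The normalization has to happen on the read path (when the provider flattens the API response into state), because the validation on the write path correctly refuses `""`. Note also that the response carries `"storageAccountAccessKey":""`: a read-back-driven state refresh must not overwrite the configured key with that empty string, or the next plan will try to re-send the secret.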