hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm: azurerm_private_dns_zone_virtual_network_link: Root resource was present, but now absent #14858

Open jrec opened 2 years ago

jrec commented 2 years ago

Hello, I'm trying to create multiple Azure DNS private zones and associated VNet links. The private DNS zones are created, but the VNet links are not reliable. Most of the time one or two VNet links were successfully created, but all the others failed.

Version

Terraform v1.1.3
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.91.0

The error shown

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.paas-dns["privatelink.file.core.windows.net"].azurerm_private_dns_zone_virtual_network_link.azure_spokeprod_link["001"], provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

sinbai commented 2 years ago

Hi @jrec, thank you for raising this issue. Could you please provide your Terraform config to help with repro and troubleshooting?

jrec commented 2 years ago

Hi Sinbai

Here is an example of my config files. I hope this will be enough to repro.

Thx

Main config file

# var.dns_zone_paas can be a list ('for' expression replaced by the toset function) or a list of maps; I tried both
# local.list... returns a list of objects with (key, vnet_name, vnet_id)

module "paas-dns" {

  source   = "../modules/dns"
  for_each = { for dns in var.dns_zone_paas : dns.name => dns }

  dns_zone_name       = each.value.name
  resource_group_name = azurerm_resource_group.rg-dns-zone.name
  hub_link            = local.list_hub_vnet
  spokeprod_link      = local.list_spoke_prod_vnet
  spokenonprod_link   = local.list_spoke_prod_vnet

  tags = local.default_tags
}

Module Config File

resource "azurerm_private_dns_zone" "azure_dns_zone" {
  name                = var.dns_zone_name
  resource_group_name = var.resource_group_name
  tags                = var.tags
}

resource "azurerm_private_dns_zone_virtual_network_link" "azure_hub_link" {
  for_each = { for vnet in var.hub_link : vnet.key => vnet }

  name                  = "${each.value.vnet_name}-link"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.azure_dns_zone.name
  virtual_network_id    = each.value.vnet_id
}

resource "azurerm_private_dns_zone_virtual_network_link" "azure_spokeprod_link" {
  for_each = { for vnet in var.spokeprod_link : vnet.key => vnet }

  name                  = "${each.value.vnet_name}-link"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.azure_dns_zone.name
  virtual_network_id    = each.value.vnet_id
}

resource "azurerm_private_dns_zone_virtual_network_link" "azure_spokenonprod_link" {
  for_each = { for vnet in var.spokenonprod_link : vnet.key => vnet }

  name                  = "${each.value.vnet_name}-link"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.azure_dns_zone.name
  virtual_network_id    = each.value.vnet_id
}

sinbai commented 2 years ago

@jrec thanks for the information provided. For the configuration below, I would like to confirm that you want to set "local.list_spoke_prod_vnet" to the different variables "spokeprod_link" and "spokenonprod_link"? This means that a VNet would be linked to the private DNS zone twice, which is not allowed. Could you try updating one of "spokeprod_link" and "spokenonprod_link" with another variable and try again?

module "paas-dns" {

  source   = "../modules/dns"
  for_each = { for dns in var.dns_zone_paas : dns.name => dns }

  dns_zone_name       = each.value.name
  resource_group_name = azurerm_resource_group.rg-dns-zone.name
  hub_link            = local.list_hub_vnet
  spokeprod_link      = local.list_spoke_prod_vnet
  spokenonprod_link   = local.list_spoke_prod_vnet

  tags = local.default_tags
}
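
A plan-time check for the duplicate link described in the reply above, as an added example that is not part of the thread or the provider's code: it reads the JSON produced by `terraform show -json` for a saved plan and reports any VNet planned to be linked to the same private DNS zone more than once. The sample plan, VNet names, resource group names and subscription ID are constructed.

```python
import json
import sys
from collections import defaultdict

LINK_TYPE = "azurerm_private_dns_zone_virtual_network_link"
ZONE = "privatelink.file.core.windows.net"
# Constructed VNet ID prefix; subscription and resource group are placeholders.
VNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-network/providers/Microsoft.Network/virtualNetworks/")


def sample_change(block, key, vnet_name):
    """Build one constructed resource_changes entry; vnet_name=None models an unknown ID."""
    after = {"private_dns_zone_name": ZONE, "resource_group_name": "rg-dns-zone"}
    if vnet_name:
        after["virtual_network_id"] = VNET + vnet_name
    return {"address": f'module.paas-dns["{ZONE}"].{LINK_TYPE}.{block}["{key}"]',
            "type": LINK_TYPE, "change": {"actions": ["create"], "after": after}}


# Constructed plan: both spoke blocks receive the same VNet, as in the config above.
SAMPLE_PLAN = {"resource_changes": [
    sample_change("azure_hub_link", "001", "vnet-hub"),
    sample_change("azure_spokeprod_link", "001", "vnet-spoke-prod-001"),
    sample_change("azure_spokenonprod_link", "001", "vnet-spoke-prod-001"),
    sample_change("azure_spokeprod_link", "002", None),
]}


def duplicate_vnet_links(plan):
    """Return (duplicates, unresolved) for planned private DNS zone VNet links."""
    seen, unresolved = defaultdict(list), []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") != LINK_TYPE or not after:
            continue  # other resource types, or a pure delete (after is null)
        zone, vnet = after.get("private_dns_zone_name"), after.get("virtual_network_id")
        if not zone or not vnet:
            unresolved.append(rc["address"])  # value is only known after apply
            continue
        # Azure resource IDs and DNS zone names compare case-insensitively.
        key = ((after.get("resource_group_name") or "").lower(), zone.lower(), vnet.lower())
        seen[key].append(rc["address"])
    return {k: v for k, v in seen.items() if len(v) > 1}, unresolved


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    dups, unresolved = duplicate_vnet_links(plan)
    for (_, zone, vnet), addrs in dups.items():
        print(f"{zone}: {vnet} is linked by {', '.join(addrs)}")
```

Links whose VNet ID is not yet known at plan time are returned in the second list so they can be reviewed separately rather than silently passing the check.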

eltimmo commented 2 years ago

Hi, I've exactly the same problem but with TF 1.1.9 and the provider 3.5.0. I suspect my issue may have been caused by either a race condition or the VNET being updated by two resources at the same time.

In my case the VNET and PDNS zones will create at the same time. Once these are created the PDNS links will be created, as there are dependencies on the VNET and PDNS zones.

I'm also creating subnets and NSGs, which depend on the VNET. So these will start to create at the same time as the PDNS links, which may have helped cause this issue.

I resolved this by creating a dependency within the PDNS Link resource to the NSG. This way the VNET isn't getting updated by resources being created in parallel.

Hope this helps?

culpinnis commented 1 year ago

We are experiencing the same behaviour with provider version 3.68.0 and the latest TF version (1.5.5). Network peerings are also affected in the same way. A quick fix was to set parallelism to 1, as we could not use depends_on because the resources are generated by for/for_each loops.