hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Change of azurerm_data_protection_backup_policy_blob_storage should trigger recreation also of azurerm_data_protection_backup_instance_blob_storage #20774

Open slzmruepp opened 1 year ago

slzmruepp commented 1 year ago

Is there an existing issue for this?

Community Note

Terraform Version

1.3.7

AzureRM Provider Version

3.45.0

Affected Resource(s)/Data Source(s)

azurerm_data_protection_backup_policy_blob_storage

Terraform Configuration Files

resource "azurerm_data_protection_backup_policy_blob_storage" "oc_backup_policy" {
  name               = "oc-backup-policy"
  vault_id           = azurerm_data_protection_backup_vault.oc_blob.id
  retention_duration = var.env_config[var.ENV][ "backup_retention_duration" ]
}

resource "azurerm_data_protection_backup_instance_blob_storage" "oc_backup_instance" {
  name               = "oc-backup-instance"
  vault_id           = azurerm_data_protection_backup_vault.oc_blob.id
  location           = var.AZREGION
  storage_account_id = module.storage_account_oc_blob.id
  backup_policy_id   = azurerm_data_protection_backup_policy_blob_storage.oc_backup_policy.id

  depends_on = [azurerm_role_assignment.oc_backup_role]
}

Debug Output/Panic Output

│ Error: deleting DataProtection BackupPolicy ("Backup Policy (Subscription: \"XXX\"\nResource Group Name: \"XXX\"\nBackup Vault Name: \"backup-vault\"\nBackup Policy Name: \"backup-policy\")"): backuppolicies.BackupPoliciesClient#Delete: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UserErrorDppPolicyObjectInUse" Message="Cannot delete the backup policy as one or more backup instances have been configured for protection with this policy." AdditionalInfo=[{"info":{"code":"UserErrorDppPolicyObjectInUse","details":null,"innerError":null,"isRetryable":false,"isUserError":false,"message":"Cannot delete the backup policy as one or more backup instances have been configured for protection with this policy.","properties":{"ActivityId":"XXX"},"recommendedAction":["Ensure that no backup instances are configured for protection with this backup policy and then try deleting the policy."],"target":""},"type":"UserFacingError"}]
│ 
│ 
╵
##[error]Terraform command 'apply' failed with exit code '1'.
##[error]╷

Expected Behaviour

It's expected that Terraform recognizes the dependencies of azurerm_data_protection_backup_policy_blob_storage and azurerm_data_protection_backup_instance_blob_storage.

So if a policy is used by a backup instance, and changed, it should trigger the recreation of the instance as well. Otherwise apply fails every time.

Actual Behaviour

The apply run does not recreate the instance, only the policy, and fails all the time because of the interdependency.

Steps to Reproduce

Create a storage account, backup vault, backup policy and instance. Try to change the backup policy parameter retention_duration = "P30D" to (for example) retention_duration = "P15D".

Important Factoids

No response

References

No response

neil-yechenwei commented 1 year ago

Thanks for raising this issue. It seems I cannot repro this issue. Could you retry with the tf config below, which is similar to yours, to see if the issue still exists? Thanks.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "acctest-dataprotection-test01"
  location = "west europe"
}

resource "azurerm_storage_account" "test" {
  name                     = "acctestsatest01"
  resource_group_name      = azurerm_resource_group.test.name
  location                 = azurerm_resource_group.test.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_data_protection_backup_vault" "test" {
  name                = "acctest-dataprotection-vault-test01"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
  datastore_type      = "VaultStore"
  redundancy          = "LocallyRedundant"
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_role_assignment" "test" {
  scope                = azurerm_storage_account.test.id
  role_definition_name = "Storage Account Backup Contributor"
  principal_id         = azurerm_data_protection_backup_vault.test.identity[0].principal_id
}

resource "azurerm_data_protection_backup_policy_blob_storage" "test" {
  name               = "acctest-dbp-test01"
  vault_id           = azurerm_data_protection_backup_vault.test.id
  retention_duration = "P30D"
}

resource "azurerm_data_protection_backup_policy_blob_storage" "another" {
  name               = "acctest-dbp-other-test01"
  vault_id           = azurerm_data_protection_backup_vault.test.id
  retention_duration = "P15D"
}

resource "azurerm_data_protection_backup_instance_blob_storage" "test" {
  name               = "acctest-dbi-test01"
  location           = azurerm_resource_group.test.location
  vault_id           = azurerm_data_protection_backup_vault.test.id
  storage_account_id = azurerm_storage_account.test.id
  backup_policy_id   = azurerm_data_protection_backup_policy_blob_storage.test.id

  depends_on = [azurerm_role_assignment.test]
}

IfthikharAhamed commented 11 months ago

A similar issue is happening for azurerm_data_protection_backup_policy_disk as well when modified after creation.

Error: deleting DataProtection BackupPolicy ("Backup Policy (")"): unexpected status 400 with error: UserErrorDppPolicyObjectInUse: Cannot delete the backup policy as one or more backup instances have been configured for protection with this policy.
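
One way to express the dependency requested in this issue on the configuration side, using Terraform's `replace_triggered_by` lifecycle argument (available from Terraform 1.2). This is an added example, not part of the thread and not the provider's own code; it reuses the reporter's resource names and assumes the vault, storage account module, role assignment and variables from the original configuration are defined elsewhere in the module.

```hcl
resource "azurerm_data_protection_backup_policy_blob_storage" "oc_backup_policy" {
  name               = "oc-backup-policy"
  vault_id           = azurerm_data_protection_backup_vault.oc_blob.id
  retention_duration = var.env_config[var.ENV]["backup_retention_duration"]
}

resource "azurerm_data_protection_backup_instance_blob_storage" "oc_backup_instance" {
  name               = "oc-backup-instance"
  vault_id           = azurerm_data_protection_backup_vault.oc_blob.id
  location           = var.AZREGION
  storage_account_id = module.storage_account_oc_blob.id
  backup_policy_id   = azurerm_data_protection_backup_policy_blob_storage.oc_backup_policy.id

  depends_on = [azurerm_role_assignment.oc_backup_role]

  lifecycle {
    # Plan a replacement of the instance whenever the policy is updated or
    # replaced. Because the instance depends on the policy, Terraform
    # destroys the instance first, then replaces the policy, then recreates
    # the instance, so the policy is no longer in use when it is deleted.
    #
    # Consequence to review before applying: the storage account has no
    # backup instance configured between the destroy and the re-create.
    replace_triggered_by = [
      azurerm_data_protection_backup_policy_blob_storage.oc_backup_policy
    ]
  }
}
```

With this in place, a change to `retention_duration` should show both resources as replaced in `terraform plan`, which is worth confirming before running `apply`.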