hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

HvrManagedIdentityPermissionMissing error on azurerm_site_recovery_replicated_vm resource #21912

Open pascalrobert opened 1 year ago

pascalrobert commented 1 year ago

Is there an existing issue for this?

Community Note

Terraform Version

1.4.6

AzureRM Provider Version

3.57.0

Affected Resource(s)/Data Source(s)

azurerm_site_recovery_replicated_vm

Terraform Configuration Files

```hcl
resource "azurerm_site_recovery_replicated_vm" "rrv_module" {
  name                                      = "rg-xxxx-tst-d-zca2-12"
  resource_group_name                       = var.dr_resource_group_name
  recovery_vault_name                       = var.recovery_vault_name
  source_recovery_fabric_name               = var.primary_recovery_fabric_name
  source_vm_id                              = var.vm_id
  recovery_replication_policy_id            = var.recovery_replication_policy_id
  source_recovery_protection_container_name = var.primary_protection_container_name
  target_resource_group_id                  = var.dr_resource_group_id
  target_recovery_fabric_id                 = var.dr_recovery_fabric_id
  target_recovery_protection_container_id   = var.dr_protection_container_id

  dynamic "managed_disk" {
    for_each = toset(var.managed_disks)
    content {
      disk_id                       = managed_disk.value.disk_id
      staging_storage_account_id    = managed_disk.value.staging_storage_account_id
      target_resource_group_id      = managed_disk.value.target_resource_group_id
      target_disk_type              = "StandardSSD_LRS"
      target_replica_disk_type      = "StandardSSD_LRS"
      target_disk_encryption_set_id = managed_disk.value.target_disk_encryption_set_id
    }
  }
}

variable "environment" {
  type = string
}

variable "location" {
  type = string
}

variable "dr_location" {
  type = string
}

variable "name" {
  type = string
}

variable "client" {
  type    = string
  default = ""
}

variable "instance" {
  type        = number
  description = "Resource instance number"
  default     = null
}

variable "primary_resource_group_name" {
  type = string
}

variable "recovery_vault_name" {
  type = string
}

variable "dr_resource_group_id" {
  type = string
}

variable "dr_resource_group_name" {
  type = string
}

variable "primary_virtual_network_id" {
  type = string
}

variable "dr_virtual_network_id" {
  type = string
}

variable "primary_recovery_fabric_name" {
  type = string
}

variable "vm_id" {
  type = string
}

variable "recovery_replication_policy_id" {
  type = string
}

variable "primary_protection_container_name" {
  type = string
}

variable "dr_recovery_fabric_id" {
  type = string
}

variable "dr_protection_container_id" {
  type = string
}

variable "managed_disks" {
  type = list(object({
    disk_id                       = string
    staging_storage_account_id    = string
    target_resource_group_id      = string
    target_disk_encryption_set_id = string
  }))
}
```

Debug Output/Panic Output

```
│ Error: creating replicated vm rg-xxxx-tst-d-zca2-12 (vault rsv-xxxx-tst-d-zca1-12): polling after Create: Code="150060" Message="The requested operation failed with reason: 'Internal Service Error (HvrManagedIdentityPermissionMissing-0)'."
│ 
│   with module.replicated_vm.azurerm_site_recovery_replicated_vm.rrv_module,
│   on ../../replicated_vm/replicated_vm.tf line 1, in resource "azurerm_site_recovery_replicated_vm" "rrv_module":
│    1: resource "azurerm_site_recovery_replicated_vm" "rrv_module" {
│ 
```

Expected Behaviour

I would expect an active replication.

Actual Behaviour

Getting an error from the backend, an error that is not documented anywhere. If I enable the replication in the portal, it works, and a terraform plan won't show differences except for uppercase versus lowercase in the ID (e.g. /Subscriptions/ instead of /subscriptions/):

```
-/+ resource "azurerm_site_recovery_replicated_vm" "rrv_module" {
      ~ id                                        = "/subscriptions/xxxx-xxxx-401c-a1c4-xxxx/resourceGroups/rg-xxxx-tst-d-zca1-12/providers/Microsoft.RecoveryServices/vaults/rsv-xxxx-tst-d-zca1-12/replicationFabrics/rf-xxxx-tst-d-zca2-12-primary/replicationProtectionContainers/pc-xxxx-tst-d-zca2-12/replicationProtectedItems/xxxx-xxxx-401c-a1c4-xxxx" -> (known after apply)
      ~ name                                      = "xxxx-xxxx-401c-a1c4-xxxx" -> "rg-xxxx-tst-d-zca2-12" # forces replacement
      ~ network_interface                         = [] -> (known after apply)
      ~ recovery_replication_policy_id            = "/Subscriptions/xxxx-xxxx-401c-a1c4-xxxx/resourceGroups/rg-xxxx-tst-d-zca1-12/providers/Microsoft.RecoveryServices/vaults/rsv-xxxx-tst-d-zca1-12/replicationPolicies/rp-xxxx-tst-d-zca2-12" -> "/subscriptions/xxxx-xxxx-401c-a1c4-xxxx/resourceGroups/rg-xxxx-tst-d-zca1-12/providers/Microsoft.RecoveryServices/vaults/rsv-xxxx-tst-d-zca1-12/replicationPolicies/rp-xxxx-tst-d-zca2-12"
      ~ source_vm_id                              = "/subscriptions/xxxx-xxxx-401c-a1c4-xxxx/resourcegroups/rg-xxxx-tst-d-zca2-12/providers/microsoft.compute/virtualmachines/vmw-xxxx-ses-d-zca2-12" -> "/subscriptions/xxxx-xxxx-401c-a1c4-xxxx/resourceGroups/rg-xxxxx-tst-d-zca2-12/providers/Microsoft.Compute/virtualMachines/vmw-xxxx-ses-d-zca2-12"
      + target_network_id                         = (known after apply)
      ~ target_recovery_fabric_id                 = "/Subscriptions/xxxx-xxxx-401c-a1c4-xxxx/resourceGroups/rg-xxxx-tst-d-zca1-12/providers/Microsoft.RecoveryServices/vaults/rsv-xxxx-tst-d-zca1-12/replicationFabrics/rf-xxxx-tst-d-zca2-12-dr" -> "/subscriptions/xxxx-xxxx-401c-a1c4-xxxx/resourceGroups/rg-xxxx-tst-d-zca1-12/providers/Microsoft.RecoveryServices/vaults/rsv-xxxx-tst-d-zca1-12/replicationFabrics/rf-xxxx-tst-d-zca2-12-dr"
      ~ target_recovery_protection_container_id   = "/Subscriptions/xxxx-xxxx-401c-a1c4-xxxx/resourceGroups/rg-xxxx-tst-d-zca1-12/providers/Microsoft.RecoveryServices/vaults/rsv-xxxx-tst-d-zca1-12/replicationFabrics/rf-xxxx-tst-d-zca2-12-dr/replicationProtectionContainers/pc-xxxx-tst-d-zca2-12" -> "/subscriptionsxxxx-xxxx-401c-a1c4-xxxx/resourceGroups/rg-xxxx-tst-d-zca1-12/providers/Microsoft.RecoveryServices/vaults/rsv-xxxx-tst-d-zca1-12/replicationFabrics/rf-xxxx-tst-d-zca2-12-dr/replicationProtectionContainers/pc-xxxx-tst-d-zca2-12"
      + test_network_id                           = (known after apply)
      + unmanaged_disk                            = []
        # (5 unchanged attributes hidden)
    }
```

Steps to Reproduce

No response

Important Factoids

No response

References

No response

ziyeqf commented 1 year ago

Hi @rcskosir, thanks for opening the issue.

The failure details can be found in the Portal under "Recovery Services Vault" -> "Site Recovery Jobs", where the possible reasons are shown. With the current information, I suspect the problem is whether the storage account specified in staging_storage_account_id is accessible.

For the casing issue, it actually won't be treated as a diff, but it will be shown when there are other differences; in this case, that is the name property.

Thanks!
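
The casing behaviour discussed in this thread, as an added example that is not part of the original issue or the provider's code: a small Python filter that separates case-only Azure resource ID differences in `terraform plan` output from real changes. The sample plan text and the function names are constructed for illustration, and treating resource IDs as case-insensitive is an assumption taken from the comment above.

```python
import re

# Matches attribute lines of `terraform plan` output such as:
#   ~ name = "old" -> "new" # forces replacement
PLAN_LINE = re.compile(
    r'^\s*~\s+(?P<attr>\w+)\s+=\s+"(?P<old>[^"]*)"\s+->\s+"(?P<new>[^"]*)"'
    r'(?P<force>\s+#\s*forces replacement)?'
)

def is_resource_id(value):
    # Assumption: anything under /subscriptions/ is an Azure resource ID.
    return value.casefold().startswith("/subscriptions/")

def classify_plan_changes(plan_text):
    """Map attribute -> 'forces-replacement' | 'case-only' | 'changed'."""
    result = {}
    for line in plan_text.splitlines():
        m = PLAN_LINE.match(line)
        if not m:
            continue  # "(known after apply)", "+" lines, comments, braces
        old, new = m.group("old"), m.group("new")
        if m.group("force"):
            kind = "forces-replacement"
        elif is_resource_id(old) and old.casefold() == new.casefold():
            kind = "case-only"  # same ID, different letter case
        else:
            kind = "changed"
        result[m.group("attr")] = kind
    return result

def real_changes(plan_text):
    """Attributes whose change is more than a letter-case difference."""
    changes = classify_plan_changes(plan_text)
    return [attr for attr, kind in changes.items() if kind != "case-only"]

# Constructed sample in the shape of the plan output quoted in the issue.
SAMPLE_PLAN = '''\
-/+ resource "azurerm_site_recovery_replicated_vm" "example" {
      ~ id                             = "/subscriptions/0000/resourceGroups/rg-a/providers/Microsoft.RecoveryServices/vaults/v1" -> (known after apply)
      ~ name                           = "0000-1111" -> "rg-example" # forces replacement
      ~ recovery_replication_policy_id = "/Subscriptions/0000/resourceGroups/rg-a/providers/Microsoft.RecoveryServices/vaults/v1/replicationPolicies/p1" -> "/subscriptions/0000/resourceGroups/rg-a/providers/Microsoft.RecoveryServices/vaults/v1/replicationPolicies/p1"
      ~ source_vm_id                   = "/subscriptions/0000/resourcegroups/rg-b/providers/microsoft.compute/virtualmachines/vm1" -> "/subscriptions/0000/resourceGroups/rg-b/providers/Microsoft.Compute/virtualMachines/vm1"
      + target_network_id              = (known after apply)
    }
'''

if __name__ == "__main__":
    for attr, kind in classify_plan_changes(SAMPLE_PLAN).items():
        print(f"{attr}: {kind}")
```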