Perpetual case sensitivity of Resource Groups with azurerm_app_configuration_key

[JiriKovar]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.5

AzureRM Provider Version

3.83.0

Affected Resource(s)/Data Source(s)

azurerm_app_configuration_key

Terraform Configuration Files

resource "azurerm_app_configuration_key" "settings" {
  for_each               = var.settings
  configuration_store_id = var.config_store.app_configuration.id
  key                    = each.key
  label                  = local.label
  value                  = each.value
}

Debug Output/Panic Output

# module.settings.azurerm_app_configuration_key.settings["TestingKeyName"] must be replaced
-/+ resource "azurerm_app_configuration_key" "settings" {
    ~ configuration_store_id = "/subscriptions/<SubscriptionId>/resourceGroups/globalservices/providers/Microsoft.AppConfiguration/configurationStores/<AppConfigurationName>" -> "/subscriptions/<SubscriptionId>/resourceGroups/GlobalServices/providers/Microsoft.AppConfiguration/configurationStores/<AppConfigurationName>" # forces replacement
    + content_type           = (known after apply)
    ~ etag                   = "<etag>" -> (known after apply)
    ~ id                     = "https://<AppConfigurationName>.azconfig.io/kv/TestingKeyName?label=test" -> (known after apply)
    - tags                   = {} -> null
      # (5 unchanged attributes hidden)
  }

Expected Behaviour

No change.

Actual Behaviour

• The value in the terraform state is the one with camel cased resouce group name = the target one, meaning that neither reimport, nor apply will help (even upon recreation, the change is still detected and each apply forces recreate of all of the azurerm_app_configuration_key instances)
• Terraform refresh seems to cause the resource group name to become lowercased while terraform plan believes it should be upper cased
• Something has probably changed in the AzureRM provider v 3.83.0 as this issue was not present in 3.82.0. If that;s not the cause, then I presume something must have been changed in the Azure Rest API coincidentally at aproximately the same time.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

[teowa]

Hi @JiriKovar , thanks for submitting this! This is related to https://github.com/hashicorp/terraform-provider-azurerm/pull/24023 and https://github.com/Azure/azure-rest-api-specs/issues/24337, the list API doesn't return the correct case for Resource Group name, I will report this to the service team. https://github.com/Azure/AppConfiguration/issues/842

[majaima]

Something similar here with version = "3.83.0", no issues were in version = "3.80.0": Resource groups are provisioned in capital letters. Terraform tells resource "azurerm_app_configuration_key" must be recreated: configuration_store_id = "/subscriptions//resourceGroups/name_in_lowercase/providers/Microsoft.AppConfiguration/configurationStores/configstore" -> "/subscriptions//resourceGroups/name_in_uppercase/providers/Microsoft.AppConfiguration/configurationStores/configstore" # forces replacement

[teowa]

A workaround for this is to add a ignore_changes:

  lifecycle {
    ignore_changes = [
      configuration_store_id
    ]
  }

[joakimlemb]

the list API doesn't return the correct case for Resource Group name

@teowa Are you sure about this? Microsofts states that case insensitive lookups should always be used in their doc:

"Resource and resource group names are case-insensitive unless specifically noted in the valid characters column.

When using various APIs to retrieve the name for a resource or resource group, the returned value may have different casing than what you originally specified for the name. The returned value may even display different case values than what is listed in the valid characters table.

Always perform a case-insensitive comparison of names." From: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules

This is creating a lot of bugs in azurerm provider: https://github.com/hashicorp/terraform-provider-azurerm/issues/24138 https://github.com/hashicorp/terraform-provider-azurerm/issues/24136 https://github.com/hashicorp/terraform-provider-azurerm/issues/23990 https://github.com/hashicorp/terraform-provider-azurerm/issues/17090 https://github.com/hashicorp/terraform-provider-azurerm/issues/24123

[JiriKovar]

A workaround for this is to add a ignore_changes:

  lifecycle {
    ignore_changes = [
      configuration_store_id
    ]
  }

Beware that this workaround reveals a severe bug: If you have a key with some nonempty value (lets say a value of <listOfAllowedUsers>) and you want to change it to an empty string (because no user should be allowed any more), terraform will for some inexplicable reason ignore this change, only in conjuction with this workaround - without this workaround, or in case of nonempty value, it detects the change properly. It actually caught us off guard because we did not notice this missing change and caused a production issue (the usecase was different from the example I gave here).