Provider produced inconsistent final plan when updating azurerm_windows_web_app

[swiatlamiasta]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.5

AzureRM Provider Version

3.95.0

Affected Resource(s)/Data Source(s)

azurerm_windows_web_app

Terraform Configuration Files

provider "azurerm" {
  features {}
}

resource "random_password" "password" {
  length  = 16
  special = true

  keepers = { redeploy = "${timestamp()}" }
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "test"
  location = "west europe"
}

resource "azurerm_service_plan" "example" {
  name                = "test"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "Windows"
  worker_count        = 1
  sku_name            = "S1"
}

resource "azurerm_key_vault" "example" {
  name                       = "test"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = false
  soft_delete_retention_days = 7
}

resource "azurerm_key_vault_access_policy" "servConnPol" {

  certificate_permissions = [
    "Get",
    "List",
    "Update",
    "Create",
    "Import",
    "Delete",
    "Purge",
    "Recover"
  ]

  key_permissions = [
    "Get",
    "Create",
    "Delete",
    "Purge",
    "GetRotationPolicy"
  ]

  secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
    "Purge",
    "Recover"

  ]

  storage_permissions = []

  tenant_id           = <TenantId>
  key_vault_id        = azurerm_key_vault.example.id
  object_id           = <ObjectId>

}

resource "azurerm_key_vault_secret" "example" {
  name         = "test"
  value        = random_password.password.result
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_windows_web_app" "example" {
  name                = "test"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  service_plan_id = azurerm_service_plan.example.id

  site_config {
    application_stack {
      current_stack = "dotnet"
      dotnet_version = "v4.0"
    }
    always_on                 = true
    ftps_state                = "FtpsOnly"
    http2_enabled             = true
    use_32_bit_worker         = false
    websockets_enabled        = false
    minimum_tls_version       = "1.2"
    default_documents         = ["Default.htm", "Default.html", "Default.asp", "index.htm", "index.html", "iisstart.htm", "default.aspx", "index.php", "hostingstart.html"]
    local_mysql_enabled       = false
    managed_pipeline_mode     = "Integrated"
  }

  app_settings = {
    "SOME_KEY"  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.example.id})"
    "SOME_KEY2" = "@Microsoft.KeyVault(VaultName=${azurerm_key_vault.example.name};SecretName=${azurerm_key_vault_secret.example.name};SecretVersion=${azurerm_key_vault_secret.example.version})"
  }
}

Debug Output/Panic Output

╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for azurerm_windows_web_app.example to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .app_settings["SOME_KEY"]: was
│ cty.StringVal("@Microsoft.KeyVault(SecretUri=https://test.vault.azure.net/secrets/test/99162cc14c864d2893c0b0252135e0df)"),
│ but now
│ cty.StringVal("@Microsoft.KeyVault(SecretUri=https://test.vault.azure.net/secrets/test/f7bce7e91246446ebe7694bc879c570b)").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for azurerm_windows_web_app.example to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .app_settings["SOME_KEY2"]: was
│ cty.StringVal("@Microsoft.KeyVault(VaultName=test;SecretName=test;SecretVersion=99162cc14c864d2893c0b0252135e0df)"),│ but now
│ cty.StringVal("@Microsoft.KeyVault(VaultName=test;SecretName=test;SecretVersion=f7bce7e91246446ebe7694bc879c570b)").│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Expected Behaviour

App settings should be updated with newly generated secret.

Actual Behaviour

An error is thrown during apply

Steps to Reproduce

To reproduce this you have to run terraform apply few times.

Important Factoids

No response

References

No response

[almmechanics]

I have experienced an identical issue with azurerm_linux_web_app where the application keys (backed by keyvault) are returning different values.

If I re-run the plan there is a good chance this will work on the second on the third attempt

Providers required by configuration: . ├── provider[registry.terraform.io/hashicorp/azurerm] 3.105.0 ├── provider[registry.terraform.io/hashicorp/azuread] 2.50.0 ├── provider[registry.terraform.io/hashicorp/random] 3.6.2

The error output is as follows(the name of the keyvault has been changed to protect the innocent):

Error: Provider produced inconsistent final plan 
│ 
│ When expanding the plan for module.webapp.azurerm_linux_web_app.app to
│ include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .app_settings["MY_SECRET"]: was
│ cty.StringVal("@Microsoft.KeyVault(SecretUri=[https://broken.vault.azure.net/secrets/my-secret/ed7beabbc0a1487f923b297f07656506)"),](https://broken.vault.azure.net/secrets/my-secret/ed7beabbc0a1487f923b297f07656506)%22),)
│ but now
│ cty.StringVal("@Microsoft.KeyVault(SecretUri=[https://broken.vault.azure.net/secrets/my-secret/12c5ba470af542ffa14263be5b7e0cfb)").](https://broken.vault.azure.net/secrets/my-secret/12c5ba470af542ffa14263be5b7e0cfb)%22).)
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

[mpeckatwork]

Also seeing this with TF v1.9.5 and AzureRM 3.112.