hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Provider produced inconsistent final plan when updating azurerm_windows_web_app #25254

Open swiatlamiasta opened 7 months ago

swiatlamiasta commented 7 months ago

Terraform Version

1.7.5

AzureRM Provider Version

3.95.0

Affected Resource(s)/Data Source(s)

azurerm_windows_web_app

Terraform Configuration Files

provider "azurerm" {
  features {}
}

resource "random_password" "password" {
  length  = 16
  special = true

  keepers = { redeploy = "${timestamp()}" }
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "test"
  location = "west europe"
}

resource "azurerm_service_plan" "example" {
  name                = "test"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  os_type             = "Windows"
  worker_count        = 1
  sku_name            = "S1"
}

resource "azurerm_key_vault" "example" {
  name                       = "test"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  purge_protection_enabled   = false
  soft_delete_retention_days = 7
}

resource "azurerm_key_vault_access_policy" "servConnPol" {

  certificate_permissions = [
    "Get",
    "List",
    "Update",
    "Create",
    "Import",
    "Delete",
    "Purge",
    "Recover"
  ]

  key_permissions = [
    "Get",
    "Create",
    "Delete",
    "Purge",
    "GetRotationPolicy"
  ]

  secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
    "Purge",
    "Recover"

  ]

  storage_permissions = []

  tenant_id           = <TenantId>
  key_vault_id        = azurerm_key_vault.example.id
  object_id           = <ObjectId>

}

resource "azurerm_key_vault_secret" "example" {
  name         = "test"
  value        = random_password.password.result
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_windows_web_app" "example" {
  name                = "test"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  service_plan_id     = azurerm_service_plan.example.id

  site_config {
    application_stack {
      current_stack = "dotnet"
      dotnet_version = "v4.0"
    }
    always_on                 = true
    ftps_state                = "FtpsOnly"
    http2_enabled             = true
    use_32_bit_worker         = false
    websockets_enabled        = false
    minimum_tls_version       = "1.2"
    default_documents         = ["Default.htm", "Default.html", "Default.asp", "index.htm", "index.html", "iisstart.htm", "default.aspx", "index.php", "hostingstart.html"]
    local_mysql_enabled       = false
    managed_pipeline_mode     = "Integrated"
  }

  app_settings = {
    "SOME_KEY"  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.example.id})"
    "SOME_KEY2" = "@Microsoft.KeyVault(VaultName=${azurerm_key_vault.example.name};SecretName=${azurerm_key_vault_secret.example.name};SecretVersion=${azurerm_key_vault_secret.example.version})"
  }
}

Debug Output/Panic Output

╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for azurerm_windows_web_app.example to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .app_settings["SOME_KEY"]: was
│ cty.StringVal("@Microsoft.KeyVault(SecretUri=https://test.vault.azure.net/secrets/test/99162cc14c864d2893c0b0252135e0df)"),
│ but now
│ cty.StringVal("@Microsoft.KeyVault(SecretUri=https://test.vault.azure.net/secrets/test/f7bce7e91246446ebe7694bc879c570b)").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for azurerm_windows_web_app.example to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .app_settings["SOME_KEY2"]: was
│ cty.StringVal("@Microsoft.KeyVault(VaultName=test;SecretName=test;SecretVersion=99162cc14c864d2893c0b0252135e0df)"),
│ but now
│ cty.StringVal("@Microsoft.KeyVault(VaultName=test;SecretName=test;SecretVersion=f7bce7e91246446ebe7694bc879c570b)").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Expected Behaviour

App settings should be updated with newly generated secret.

Actual Behaviour

An error is thrown during apply.

Steps to Reproduce

To reproduce this you have to run terraform apply a few times.

Important Factoids

No response

References

No response
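As an added example (not from the issue or from the provider), the reporter's web app with Key Vault references that do not pin a SecretVersion: the vault name, secret name and versionless_id do not depend on the secret's content, so both values are fully known at plan time and are not rewritten during apply when random_password rotates the secret. It assumes the same resources named in the configuration above.

```hcl
# Added example, not part of the issue: Key Vault references without a
# pinned secret version. Everything interpolated here is known before the
# secret is (re)created, so nothing in app_settings changes between plan
# and apply when the secret rotates.
resource "azurerm_windows_web_app" "example" {
  name                = "test"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  service_plan_id     = azurerm_service_plan.example.id

  site_config {
    application_stack {
      current_stack  = "dotnet"
      dotnet_version = "v4.0"
    }
    minimum_tls_version = "1.2"
    ftps_state          = "FtpsOnly"
  }

  app_settings = {
    # versionless_id is https://<vault>.vault.azure.net/secrets/<name>,
    # with no trailing version segment.
    "SOME_KEY"  = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.example.versionless_id})"
    # SecretVersion is optional in the VaultName/SecretName form; omitting
    # it makes App Service resolve the current version of the secret.
    "SOME_KEY2" = "@Microsoft.KeyVault(VaultName=${azurerm_key_vault.example.name};SecretName=${azurerm_key_vault_secret.example.name})"
  }
}
```

App Service re-resolves versionless references periodically (roughly daily) and on restart, so a rotated value is not picked up instantly; the app's managed identity also needs Get permission on the secret for any reference form to resolve.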

almmechanics commented 4 months ago

I have experienced an identical issue with azurerm_linux_web_app where the application keys (backed by keyvault) are returning different values.

If I re-run the plan there is a good chance this will work on the second or the third attempt.

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/azurerm] 3.105.0
├── provider[registry.terraform.io/hashicorp/azuread] 2.50.0
├── provider[registry.terraform.io/hashicorp/random] 3.6.2

The error output is as follows (the name of the keyvault has been changed to protect the innocent):

╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.webapp.azurerm_linux_web_app.app to
│ include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .app_settings["MY_SECRET"]: was
│ cty.StringVal("@Microsoft.KeyVault(SecretUri=https://broken.vault.azure.net/secrets/my-secret/ed7beabbc0a1487f923b297f07656506)"),
│ but now
│ cty.StringVal("@Microsoft.KeyVault(SecretUri=https://broken.vault.azure.net/secrets/my-secret/12c5ba470af542ffa14263be5b7e0cfb)").
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵

mpeckatwork commented 2 months ago

Also seeing this with TF v1.9.5 and AzureRM 3.112.