`azurerm_resource_group_template_deployment` and `azurerm_logic_app_workflow` resources cannot be modified together. Error - Root object was present, but now absent

[Konnor5092]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.85

AzureRM Provider Version

3.62.1

Affected Resource(s)/Data Source(s)

azurerm_resource_group_template_deployment

Terraform Configuration Files

resource "azurerm_logic_app_workflow" "logic_app_test_5" {
  name                = "product-feed-${var.env}-5"
  location            = "uksouth"
  resource_group_name = data.azurerm_resource_group.rg.name

  lifecycle {
    ignore_changes = [
      # Ignore changes to parameters as otherwise we will break the $connections
      workflow_parameters,
      parameters
    ]
  }

  access_control {
    trigger {
      allowed_caller_ip_address_range = []
    }
    action {
      allowed_caller_ip_address_range = []
    }
    content {
      allowed_caller_ip_address_range = ["82.38.118.111/32"]
    }
  }
}

resource "azurerm_resource_group_template_deployment" "logic_app_workflow_test_5" {
  resource_group_name = data.azurerm_resource_group.rg.name
  template_content    = file(abspath("../logic-apps/product-feed-5.json"))
  parameters_content  = jsonencode({
    "workflow_name" = { value = azurerm_logic_app_workflow.logic_app_test_5.name }
  })
  name            = "workflow-product-feed-5-${filemd5("../logic-apps/product-feed-5.json")}"
  deployment_mode = "Incremental"

  lifecycle {
    ignore_changes = [
      # Ignore changes to parameters as otherwise we will break the $connections
      parameters_content
    ]
  }
}

Debug Output/Panic Output

https://gist.github.com/Konnor5092/80cf2e45d784ecb56dfbe35df62be8ae

Expected Behaviour

When updating a azurerm_resource_group_template_deployment resource that depends on a azurerm_logic_app_workflow resource that is also updated in the same plan, the azurerm_resource_group_template_deployment resource should finish destroying and recreating before the azurerm_logic_app_workflow resource updates

Actual Behaviour

The azurerm_logic_app_workflow resource tries updating before the azurerm_resource_group_template_deployment resource has finished recreating, resulting in the following error.

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to azurerm_logic_app_workflow.logic_app_test_5, provider
│ "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an unexpected new value: Root object was    
│ present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

You can see the problem here - You get Destruction complete and before azurerm_resource_group_template_deployment has been recreated, it attempts to modify azurerm_logic_app_workflow which now doesn't exist

azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Still destroying... [id=/subscriptions/1df892a8-7803-4661-ae7f-...eed-5-542409e0cedb1c6f17be55805b4e91d7, 10s elapsed]
azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Destruction complete after 18s
azurerm_logic_app_workflow.logic_app_test_5: Modifying... [id=/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Logic/workflows/product-feed-dev-5]

Steps to Reproduce

• Have any (Consumption) logic app workflow ARM template at the path ../logic-apps/product-feed-5.json
• Run a terraform plan and apply
• Resources created successfully
• Edit the azurerm_resource_group_template_deployment.logic_app_workflow_test_5 resource, e.g. changing a value on the ip address in access_control
• Edit the ARM template at path ../logic-apps/product-feed-5.json, e.g. changing a value on the ip address in accessControl
• Run a terraform plan and apply
• Resource(s) deleted from the portal and Root object was present, but now absent error generated

Example simple logic app workflow ARM template here...

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workflow_name": {
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2017-07-01",
            "name": "[parameters('workflow_name')]",
            "location": "uksouth",
            "properties": {
                "state": "Enabled",
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "actions": {
                        "Compose": {
                            "inputs": "@parameters('compose_name')",
                            "runAfter": {},
                            "type": "Compose"
                        }
                    },
                    "contentVersion": "1.0.0.0",
                    "outputs": {},
                    "triggers": {
                        "manual": {
                            "inputs": {
                                "schema": {}
                            },
                            "kind": "Http",
                            "type": "Request"
                        }
                    }
                },
                "parameters": {},
                "accessControl": {
                    "triggers": {
                        "allowedCallerIpAddresses": []
                    },
                    "contents": {
                        "allowedCallerIpAddresses": [
                            {
                                "addressRange": "82.38.118.112/32"
                            }
                        ]
                    },
                    "actions": {
                        "allowedCallerIpAddresses": []
                    }
                }
            }
        }
    ]
}

Example terraform plan that causes this problem

Terraform will perform the following actions:

  # azurerm_logic_app_workflow.logic_app_test_5 will be updated in-place
  ~ resource "azurerm_logic_app_workflow" "logic_app_test_5" {
        id                                 = "/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Logic/workflows/product-feed-dev-5"
        name                               = "product-feed-dev-5"
        tags                               = {}
        # (12 unchanged attributes hidden)

      ~ access_control {
          ~ content {
              ~ allowed_caller_ip_address_range = [
                  - "82.38.118.111/32",
                  + "82.38.118.111/31",
                ]
            }

            # (2 unchanged blocks hidden)
        }
    }

  # azurerm_resource_group_template_deployment.logic_app_workflow_test_5 must be replaced
-/+ resource "azurerm_resource_group_template_deployment" "logic_app_workflow_test_5" {
      ~ id                       = "/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Resources/deployments/workflow-product-feed-5-542409e0cedb1c6f17be55805b4e91d7" -> (known after apply)
      ~ name                     = "workflow-product-feed-5-542409e0cedb1c6f17be55805b4e91d7" -> "workflow-product-feed-5-1c01409d0f0ff66ca9ce234031bbe5f0" # forces replacement
      ~ output_content           = jsonencode({}) -> (known after apply)
      - tags                     = {} -> null
      ~ template_content         = jsonencode(
          ~ {
              ~ resources      = [
                  ~ {
                        name       = "[parameters('workflow_name')]"
                      ~ properties = {
                          ~ accessControl = {
                              ~ contents = {
                                  ~ allowedCallerIpAddresses = [
                                      ~ {
                                          ~ addressRange = "82.38.118.111/32" -> "82.38.118.112/32"
                                        },
                                    ]
                                }
                                # (2 unchanged attributes hidden)
                            }
                            # (3 unchanged attributes hidden)
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (4 unchanged attributes hidden)
            }
        )
        # (5 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Important Factoids

No response

References

No response

[sinbai]

Hi @Konnor5092 thanks for opening this issue. In this case, you could add create_before_destroy = true in the lifecycle of the azurerm_resource_group_template_deployment.logic_app_workflow_test_5 to ensure that the dependent resource is updated after it is re-created. For detailed usage of create_before_destroy, please refer to here.

[Konnor5092]

Hi @Konnor5092 thanks for opening this issue. In this case, you could add create_before_destroy = true in the lifecycle of the azurerm_resource_group_template_deployment.logic_app_workflow_test_5 to ensure that the dependent resource is updated after it is re-created. For detailed usage of create_before_destroy, please refer to here.

This doesn't seem to work unfortunately because although the azurerm_resource_group_template_deployment.logic_app_workflow_test_5 resource now waits for the azurerm_logic_app_workflow.logic_app_test_5 resource to finish it's modifications, it just ends up deleting the logic app in the portal when it does the destroy after the create.

E.g. consider the following plan....

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated 
with the following symbols:
  ~ update in-place
+/- create replacement and then destroy

Terraform will perform the following actions:

  # azurerm_logic_app_workflow.logic_app_test_5 will be updated in-place
  ~ resource "azurerm_logic_app_workflow" "logic_app_test_5" {
        id                                 = "/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Logic/workflows/product-feed-dev-5"
        name                               = "product-feed-dev-5"
        tags                               = {}
        # (12 unchanged attributes hidden)

      ~ access_control {
          ~ content {
              ~ allowed_caller_ip_address_range = [
                  - "82.38.118.111/32",
                  + "82.38.118.110/31",
                ]
            }

            # (2 unchanged blocks hidden)
        }
    }

  # azurerm_resource_group_template_deployment.logic_app_workflow_test_5 must be replaced
+/- resource "azurerm_resource_group_template_deployment" "logic_app_workflow_test_5" {
      ~ id                       = "/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Resources/deployments/workflow-product-feed-5-542409e0cedb1c6f17be55805b4e91d7" -> (known after apply)
      ~ name                     = "workflow-product-feed-5-542409e0cedb1c6f17be55805b4e91d7" -> "workflow-product-feed-5-3747d1eb0875c87cdc321f95d8c4fa13" # forces replacement
      ~ output_content           = jsonencode({}) -> (known after apply)
      - tags                     = {} -> null
      ~ template_content         = jsonencode(
          ~ {
              ~ resources      = [
                  ~ {
                        name       = "[parameters('workflow_name')]"
                      ~ properties = {
                          ~ accessControl = {
                              ~ contents = {
                                  ~ allowedCallerIpAddresses = [
                                      ~ {
                                          ~ addressRange = "82.38.118.111/32" -> "82.38.118.110/32"
                                        },
                                    ]
                                }
                                # (2 unchanged attributes hidden)
                            }
                            # (3 unchanged attributes hidden)
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (4 unchanged attributes hidden)
            }
        )
        # (5 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Retuns the following.....

azurerm_logic_app_workflow.logic_app_test_5: Modifying... [id=/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Logic/workflows/product-feed-dev-5]
azurerm_logic_app_workflow.logic_app_test_5: Modifications complete after 0s [id=/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Logic/workflows/product-feed-dev-5]
azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Creating...
azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Still creating... [10s elapsed]
azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Still creating... [20s elapsed]
azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Still creating... [30s elapsed]
azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Creation complete after 32s [id=/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Resources/deployments/workflow-product-feed-5-3747d1eb0875c87cdc321f95d8c4fa13]
azurerm_resource_group_template_deployment.logic_app_workflow_test_5 (deposed object b7097105): Destroying... [id=/subscriptions/1df892a8-7803-4661-ae7f-1fd171821a6a/resourceGroups/pip-exec-dev/providers/Microsoft.Resources/deployments/workflow-product-feed-5-542409e0cedb1c6f17be55805b4e91d7]
azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Still destroying... [id=/subscriptions/1df892a8-7803-4661-ae7f-...eed-5-542409e0cedb1c6f17be55805b4e91d7, 10s elapsed]
azurerm_resource_group_template_deployment.logic_app_workflow_test_5: Destruction complete after 18s

When you create first, you end up with 2 ARM deployments pointing at the same resource after the create completes

It then deletes the old ARM deployment, which unfortunately deletes the resource it's linked to for both ARM deployment records.

If you try to go to the resource via the newer ARM deployment you just see this...