hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_mssql_server systemassigned identity not idempotent #26534

Open IEP-Brewin opened 3 months ago

IEP-Brewin commented 3 months ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.1

AzureRM Provider Version

3.110.0

Affected Resource(s)/Data Source(s)

azurerm_mssql_server

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.110.0"
    }
  }
}

provider "azurerm" {
  features{}
}

resource "azurerm_resource_group" "example" {
  name     = "database-rg"
  location = "West Europe"
}

resource "azurerm_mssql_server" "example" {
  name                         = "mssqlserverxyz123"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "adminuser"
  administrator_login_password = "thisIsKat11"
  minimum_tls_version          = "1.2"

  identity {
    type         = "SystemAssigned"
  }

  tags = {
    environment = "production"
  }
}

output "identity" {
  value = azurerm_mssql_server.example.identity
}

Debug Output/Panic Output

Terraform Apply
Terraform Plan

~identity {
  + identity_ids = []
}

Expected Behaviour

The Terraform plan (after apply) should not show anything new.

Actual Behaviour

Terraform plan shows...

~identity {
  + identity_ids = []
}

Steps to Reproduce

Terraform Apply
Terraform plan

Important Factoids

Identity = SystemAssigned

References

Looks similar to issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/19216

xuzhang3 commented 3 months ago

@IEP-Brewin This is not an AzureRM issue, this is a Terraform feature. You can use toset instead of the default tolist to bypass this issue:

output "identity" {
  value = toset(azurerm_mssql_server.example.identity)
}

IEP-Brewin commented 3 months ago

I think I might have confused the situation by adding the output to the example code. Please disregard it. Then run a plan and apply to see the behaviour.

xuzhang3 commented 3 months ago

Cannot reproduce this error. Nothing happens. The diff only occurs when output is enabled.

xitzee commented 1 month ago

How come this is a Terraform 'feature'? Output shouldn't affect idempotency at all... I am returning the entire sqlserver object so I can't do toset() even if it helps.

EDIT: toset() doesn't seem to work for me at all anyway.

What seems to happen is that the output of identity looks as follows after the first run:

"identity": [
  {
    "identity_ids": null,
    "principal_id": "43834679847-4324-243-242-24",
    "tenant_id": "87fd6f-df-23-fdsf-2-fs",
    "type": "SystemAssigned"
  }
]

After the resource is created and you do plan/apply again, "identity_ids" will change from null to []. Any subsequent apply will not introduce any further changes.

I tried:

identity {
  type         = "SystemAssigned"
  identity_ids = []
}

but that doesn't work either ;/

EDIT 2: Seems the same issue was spotted for azurerm_app_service:

https://github.com/hashicorp/terraform-provider-azurerm/issues/13212
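
Added example, not part of the thread and not provider code: a Python check a pipeline could run over `terraform show -json <planfile>` to separate the null-to-[] diff described above from real changes, so drift alerts are not drowned out by it. The function names and the sample plan are constructed for illustration; the sample only mirrors the `identity_ids` case from this issue.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`; values are placeholders.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "azurerm_mssql_server.example",
     "change": {"actions": ["update"], "after_unknown": {},
       "before": {"identity": [{"identity_ids": null, "type": "SystemAssigned"}]},
       "after":  {"identity": [{"identity_ids": [],   "type": "SystemAssigned"}]}}},
    {"address": "azurerm_resource_group.example",
     "change": {"actions": ["update"], "after_unknown": {},
       "before": {"tags": {"environment": "production"}},
       "after":  {"tags": {"environment": "staging"}}}}
  ], "output_changes": {
    "identity": {"actions": ["update"], "after_unknown": false,
      "before": [{"identity_ids": null, "type": "SystemAssigned"}],
      "after":  [{"identity_ids": [],   "type": "SystemAssigned"}]}
  }
}
""")

def normalize(v):
    """Collapse null and empty list/map to None, recursively."""
    if isinstance(v, dict):
        v = {k: n for k, n in ((k, normalize(x)) for k, x in v.items()) if n is not None}
    elif isinstance(v, list):
        v = [normalize(x) for x in v]
    return v if v not in ({}, []) else None

def has_unknown(v):
    """True if any leaf of after_unknown is true (value known only after apply)."""
    if isinstance(v, (dict, list)):
        return any(has_unknown(x) for x in (v.values() if isinstance(v, dict) else v))
    return v is True

def classify(plan):
    """Split planned changes into (cosmetic, real) address lists."""
    changes = [(rc["address"], rc["change"]) for rc in plan.get("resource_changes", [])]
    changes += [("output." + n, c) for n, c in plan.get("output_changes", {}).items()]
    cosmetic, real = [], []
    for address, c in changes:
        if c["actions"] == ["no-op"]:
            continue
        same = normalize(c.get("before")) == normalize(c.get("after"))
        (cosmetic if same and not has_unknown(c.get("after_unknown")) else real).append(address)
    return cosmetic, real

if __name__ == "__main__":
    print(classify(SAMPLE_PLAN))
```

Changes with values still unknown at plan time are always reported as real, since an omitted unknown value would otherwise compare equal to null.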