hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

ACR Token resource causing planning issues after recreation of the container registry #27215

Open HontoNoRoger opened 2 months ago

HontoNoRoger commented 2 months ago

Terraform Version

1.8.2

AzureRM Provider Version

3.116.0

Affected Resource(s)/Data Source(s)

azurerm_container_registry_token, azurerm_container_registry_scope_map

Terraform Configuration Files

provider "azurerm" {
  features {}
  subscription_id = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  tenant_id       = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}

terraform {
  required_version = ">= 1.8"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.116"
    }
  }
}

resource "azurerm_resource_group" "acr_rg" {
  name     = "acrrecreationtest"
  location = "westeurope"
}

# Scope maps and tokens are only available on the Premium SKU.
resource "azurerm_container_registry" "container_registry" {
  name                = "acrrecreationtest"
  resource_group_name = azurerm_resource_group.acr_rg.name
  location            = azurerm_resource_group.acr_rg.location
  sku                 = "Premium"
}

# The scope map, token and token password all live inside the registry and
# are deleted by Azure together with it.
resource "azurerm_container_registry_scope_map" "cicd_push_pull_token_scope" {
  name                    = "acr-token-scope"
  container_registry_name = azurerm_container_registry.container_registry.name
  resource_group_name     = azurerm_resource_group.acr_rg.name
  actions = [
    "repositories/*/metadata/read",
    "repositories/*/metadata/write",
    "repositories/*/content/read",
    "repositories/*/content/write",
  ]
}

resource "azurerm_container_registry_token" "cicd_push_pull_token" {
  name                    = "cicdpushpulltoken"
  container_registry_name = azurerm_container_registry.container_registry.name
  resource_group_name     = azurerm_resource_group.acr_rg.name
  scope_map_id            = azurerm_container_registry_scope_map.cicd_push_pull_token_scope.id
}

resource "azurerm_container_registry_token_password" "acr_push_pull_token_passwords" {
  container_registry_token_id = azurerm_container_registry_token.cicd_push_pull_token.id

  # Expiry is evaluated at apply time; ignore_changes below keeps the
  # moving timestamp() from producing a diff on every subsequent plan.
  password1 {
    expiry = timeadd(timestamp(), "8760h")
  }

  password2 {
    expiry = timeadd(timestamp(), "8760h")
  }

  lifecycle {
    ignore_changes = [
      password1,
      password2
    ]
  }
}

Debug Output/Panic Output

╷
│ Error: retrieving Token (Subscription: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
│ Resource Group Name: "acrrecreationtest"
│ Registry Name: "acrrecreationtest"
│ Token Name: "cicdpushpulltoken"): unexpected status 404 (404 Not Found) with error: ResourceNotFound: The resource cicdpushpulltoken could not be found.
│ 
│   with azurerm_container_registry_token_password.acr_push_pull_token_passwords,
│   on main.tf line 49, in resource "azurerm_container_registry_token_password" "acr_push_pull_token_passwords":
│   49: resource "azurerm_container_registry_token_password" "acr_push_pull_token_passwords" {
│ 
│ retrieving Token (Subscription: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
│ Resource Group Name: "acrrecreationtest"
│ Registry Name: "acrrecreationtest"
│ Token Name: "cicdpushpulltoken"): unexpected status 404 (404 Not Found) with error: ResourceNotFound: The resource cicdpushpulltoken
│ could not be found.

https://gist.github.com/HontoNoRoger/5913efb4a2d213b9d2d218a3ae0af30a

Expected Behaviour

During the recreation of the Container Registry, the resources azurerm_container_registry_scope_map, azurerm_container_registry_token and azurerm_container_registry_token_password should have been planned to be recreated.

Actual Behaviour

The recreation of the Container Registry happened without also flagging the resources azurerm_container_registry_scope_map, azurerm_container_registry_token and azurerm_container_registry_token_password to be recreated.

After the recreation of the Container Registry has been done successfully, subsequent plans fail as the azurerm_container_registry_token cannot be found anymore, as it was silently deleted together with the Container Registry.

A workaround that helped me get past this is to use a lifecycle block like the following to force recreation of the resources in question together with the recreation of the Container Registry:

  # Placed inside each resource that lives in the registry.
  lifecycle {
    replace_triggered_by = [
      azurerm_container_registry.container_registry.id
    ]
  }

Steps to Reproduce

  1. terraform apply for the first rollout
  2. terraform taint azurerm_container_registry.container_registry to simulate a recreation of the Container Registry, e.g. due to changes to fields that require recreation
  3. terraform apply for the recreation of the Container Registry
  4. terraform plan or terraform apply to see the error

Important Factoids

No response

References

No response
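The reporter's workaround, applied to every resource that lives inside the registry, as an added example that is not part of the original issue or of the provider's own code. It reuses the resource names from the configuration above, assumes the same provider and terraform blocks, and adds two things the issue does not show: the `lifecycle` block in all three child resources (scope map, token and token password), and sensitive outputs that read the `value` attribute exported by the password blocks, because a replacement mints new passwords and the CI/CD secret built from the old ones stops working. `replace_triggered_by` needs Terraform 1.2 or later, which the `required_version` above already guarantees.

```hcl
# Added example (not from the issue or the provider). Assumes the provider and
# terraform blocks from the reporter's configuration.

resource "azurerm_resource_group" "acr_rg" {
  name     = "acrrecreationtest"
  location = "westeurope"
}

resource "azurerm_container_registry" "container_registry" {
  name                = "acrrecreationtest"
  resource_group_name = azurerm_resource_group.acr_rg.name
  location            = azurerm_resource_group.acr_rg.location
  sku                 = "Premium" # scope maps and tokens need Premium
}

resource "azurerm_container_registry_scope_map" "cicd_push_pull_token_scope" {
  name                    = "acr-token-scope"
  container_registry_name = azurerm_container_registry.container_registry.name
  resource_group_name     = azurerm_resource_group.acr_rg.name
  actions = [
    "repositories/*/metadata/read",
    "repositories/*/metadata/write",
    "repositories/*/content/read",
    "repositories/*/content/write",
  ]

  # The registry's id only becomes "(known after apply)" when the registry
  # itself is being replaced, so this forces replacement of the scope map in
  # the same plan. Referencing the resource as a whole (without .id) would
  # also fire on in-place updates such as a tag change.
  lifecycle {
    replace_triggered_by = [azurerm_container_registry.container_registry.id]
  }
}

resource "azurerm_container_registry_token" "cicd_push_pull_token" {
  name                    = "cicdpushpulltoken"
  container_registry_name = azurerm_container_registry.container_registry.name
  resource_group_name     = azurerm_resource_group.acr_rg.name
  scope_map_id            = azurerm_container_registry_scope_map.cicd_push_pull_token_scope.id

  lifecycle {
    replace_triggered_by = [azurerm_container_registry.container_registry.id]
  }
}

resource "azurerm_container_registry_token_password" "acr_push_pull_token_passwords" {
  container_registry_token_id = azurerm_container_registry_token.cicd_push_pull_token.id

  password1 {
    expiry = timeadd(timestamp(), "8760h")
  }

  password2 {
    expiry = timeadd(timestamp(), "8760h")
  }

  # ignore_changes stops the moving timestamp() from producing a diff on
  # every plan; replace_triggered_by still recreates the passwords when the
  # registry is replaced, so the state never points at a deleted token.
  lifecycle {
    ignore_changes       = [password1, password2]
    replace_triggered_by = [azurerm_container_registry.container_registry.id]
  }
}

# New passwords are generated on every replacement; the old ones were deleted
# with the registry. Export them as sensitive outputs so the CI/CD secret can
# be rotated from the new values, e.g.
#   terraform output -raw acr_token_password1
output "acr_token_password1" {
  value     = azurerm_container_registry_token_password.acr_push_pull_token_passwords.password1[0].value
  sensitive = true
}

output "acr_token_password2" {
  value     = azurerm_container_registry_token_password.acr_push_pull_token_passwords.password2[0].value
  sensitive = true
}
```

With this in place the reporter's reproduction (taint the registry, apply) shows the scope map, token and token password as "forces replacement" in the same plan as the registry, and the follow-up plan no longer hits the 404 on the token. Treat the rotated outputs like any other credential: read them with `-raw` into the CI/CD secret store rather than into a log.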

rcskosir commented 2 months ago

Thank you for taking the time to open this issue. Please subscribe to PR #27232 created by @magodo for this issue.