hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Deleting diagnostic settings takes a very long time or hangs for Service Bus and PostgreSQL. #27299

Open raghavendra3553 opened 2 months ago

raghavendra3553 commented 2 months ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.3

AzureRM Provider Version

4.0.1

Affected Resource(s)/Data Source(s)

azurerm_monitor_diagnostic_setting

Terraform Configuration Files

## ------------------------------------------------------------------------------
## Postgres Server
## ------------------------------------------------------------------------------

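# RG: optionally drive the resource group through the shared "../resourcegroup"
# module. `count` follows the bool directly: comparing a bool against `true`
# is redundant in HCL and only obscures the intent.
module "rg" {
  source         = "../resourcegroup"
  count          = var.rgModuleToBeImported ? 1 : 0
  standard_input = var.standard_input
  rg             = var.postgres.resourceGroupResource
}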

data "azurerm_subnet" "subnet" {
  for_each = {
    for subnet in coalesce(var.postgres.subnets, []) :
    join("-", [subnet.vnet, subnet.name]) => subnet
  }
  name                 = each.value.name
  resource_group_name  = each.value.resourcegroup
  virtual_network_name = each.value.vnet
}

resource "random_password" "password" {
  length      = 20
  min_lower   = 5
  min_upper   = 5
  min_numeric = 5
  special     = false
  lifecycle {
    ignore_changes = [min_lower, min_upper, min_numeric]
  }
}

output "random_sensitive_password" {
  value     = random_password.password.result
  sensitive = true
}

resource "azurerm_postgresql_server" "postgresql" {
  name                             = var.postgres.name
  location                         = var.standard_input.location
  resource_group_name              = var.postgres.resourceGroupResource.name
  administrator_login              = var.postgres.userName == null ? "${var.postgres.name}admin" : var.postgres.userName
  administrator_login_password     = random_password.password.result
  sku_name                         = var.postgresSku.sku_name
  version                          = "11"
  storage_mb                       = var.storage_mb
  public_network_access_enabled    = var.public_network_access_enabled
  ssl_enforcement_enabled          = var.ssl_enforcement_enabled
  ssl_minimal_tls_version_enforced = "TLS1_2"
  tags                             = var.standard_input.tags
}

data "azurerm_key_vault" "keyvaultdata" {
  name                = lower(var.postgres.keyVault == null? var.keyvaultname : var.postgres.keyVault.name)
  resource_group_name = lower(var.postgres.keyVault == null? var.keyvaultresourcegroupname : var.postgres.keyVault.resourcegroup)
}

resource "azurerm_key_vault_secret" "kvsecret" {
  name         = "${var.postgres.name}-password"
  value        = random_password.password.result
  key_vault_id = data.azurerm_key_vault.keyvaultdata.id
}

resource "azurerm_postgresql_firewall_rule" "postgresfirewallrules" {
  count               = length(var.standard_input.cidr_allow_list)
  name                = format("%sfwrule%s", "${var.postgres.name}","${count.index}")
  resource_group_name = var.postgres.resourceGroupResource.name
  server_name         = azurerm_postgresql_server.postgresql.name
  start_ip_address    = cidrhost(element(var.standard_input.cidr_allow_list, count.index),0)
  end_ip_address      = cidrhost(element(var.standard_input.cidr_allow_list, count.index),-1)
}

resource "azurerm_postgresql_virtual_network_rule" "slarti_psql_vnet_rule" {
  for_each = {for subnet in coalesce(var.postgres.subnets, []) :  subnet.name => subnet}
  name                ="${var.postgres.name}${each.value.name}"
  resource_group_name = var.postgres.resourceGroupResource.name
  server_name         = azurerm_postgresql_server.postgresql.name
  subnet_id           = data.azurerm_subnet.subnet[join("-", [each.value.vnet, each.value.name])].id
}

resource "azurerm_monitor_diagnostic_setting" "postgresazurediagnosticssecurity" {
  name                           = format("%s-securitylogs", azurerm_postgresql_server.postgresql.name)
  target_resource_id             = azurerm_postgresql_server.postgresql.id
  eventhub_name                  = var.standard_input.security_eventhub_name
  eventhub_authorization_rule_id = var.standard_input.security_eventhub_authorization_rule_id

  enabled_log {
    category = "PostgreSQLLogs"
  }
  lifecycle {
    ignore_changes = [metric]
  }
}

Debug Output/Panic Output

stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 37m41s elapsed] 
stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 37m51s elapsed] 
stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 38m1s elapsed] 
stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 38m11s elapsed] 
stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 38m21s elapsed] 
stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 38m31s elapsed] 
stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 38m41s elapsed] 
stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 38m51s elapsed] 
stdout: module.postgres["s00457ppgdbinappnotifyprod"].module.diagnostic_settings[0].azurerm_monitor_diagnostic_setting.postgresazurediagnosticssecurity[0]: Still destroying... [id=/subscriptions/XXX-...00457ppgdbinappnotifyprod-securitylogs, 39m1s elapsed]

Expected Behaviour

diagnostic_settings should be deleted within a minute. Note that the diagnostic settings themselves were deleted on the Azure side in under 60 seconds — the activity log shows the delete with both a start and a success status — so we suspect Terraform is still waiting for the deletion status.

Actual Behaviour

Terraform hangs while deleting diagnostic_settings.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

No response

sinbai commented 2 months ago

Hi @raghavendra3553, thanks for raising this issue. Could you please provide a minimal reproducible TF config (with dependencies and variable values) for this issue so that we can reproduce and troubleshoot it?

raghavendra3553 commented 2 months ago

# Shared inputs passed down from the root module. The security_eventhub_*
# values select the Event Hub that receives diagnostic logs; cidr_allow_list
# feeds the server firewall rules.
variable "standard_input" {
  type = object({
    app_name                                = string
    location                                = string
    tags                                    = map(string)
    profile                                 = string
    security_eventhub_name                  = string
    security_eventhub_authorization_rule_id = string
    log_analytics_workspace_id              = string
    default_ngw_name                        = string
    default_ngw_rg                          = string
    cidr_allow_list                         = list(string)
    slarti_subnets                          = list(string)
  })
}

variable "postgres" { type = object({ name = string, userName = optional(string), logAnalyticsWorkspaceId = optional(string), postgresResource = optional(object({ name = optional(string), resourceGroupResource = optional(object({ name = optional(string), resourcegroup = optional(string), tobeCreated = optional(bool) })), tobeCreated = optional(bool) })), resourceGroupResource = optional(object({ name = optional(string), resourcegroup = optional(string), tobeCreated = optional(bool) })), keyVault = optional(object({ name = optional(string), resourcegroup = optional(string) })), subnets = optional(list(object({ name = optional(string) vnet = optional(string) resourcegroup = optional(string) }))), }) description = "Postgres Specific Parameters" }

variable "postgresSku" { type = object({ sku_name = string }) }

variable "rgModuleToBeImported" { type = bool default = true }

variable "keyvaultname" { type = string } variable "keyvaultresourcegroupname" { type = string }

variable "public_network_access_enabled"{ type = bool default = true }

variable "ssl_enforcement_enabled"{ type = bool default = true }

variable "storage_mb"{ type = number default = 640000 }