hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.61k stars 4.65k forks

data.azurerm_arc_machine - Force replacement when dependent resource or module has any change associated with it #27847

Open kaovd opened 3 weeks ago

kaovd commented 3 weeks ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.2

AzureRM Provider Version

4.0.7

Affected Resource(s)/Data Source(s)

data.azurerm_arc_machine

Terraform Configuration Files

See reproduction steps

Debug Output/Panic Output

See issue

Expected Behaviour

Azurerm should have recognized no properties in the resource were changing and continued as normal

Actual Behaviour

All resources dependent on data.azurerm_arc_machine reported the resource id is changing and would be known after apply

Steps to Reproduce

Configuration Sample:

resource "azurerm_resource_group" "datacenter" {
  for_each = { for item in var.arc_sites : item.name => item }
  name     = "arc_example_${each.value.site}"
  location = var.location
}

// The pipeline was deployed first, creating resource groups. After Arc machines were added, the rest of the below code configuration was written

data "azurerm_arc_machine" "machines" {
  for_each            = { for machine in var.arc_machines : machine.name => machine }
  name                = each.key
  resource_group_name = azurerm_resource_group.datacenter[each.value.site].id
}

resource "azurerm_arc_machine_extension" "dependency_agent_ama" {
  for_each                  = { for machine in var.arc_machines : machine.name => machine }
  name                      = "DependencyAgentWindows"
  arc_machine_id            = data.azurerm_arc_machine.machines[each.key].id
  location                  = data.azurerm_arc_machine.machines[each.key].location
  publisher                 = "Microsoft.Azure.Monitoring.DependencyAgent"
  type                      = "DependencyAgentWindows"
  type_handler_version      = "9.10"
  automatic_upgrade_enabled = true
  settings                  = jsonencode({ "enableAMA" = "true" })
}

When the resource group resource had tagging changes, as tags were changed outside of configuration, this caused the arc data machine resource to reflect the following:

 # azurerm_resource_group.datacenter["site"] will be updated in-place
  ~ resource "azurerm_resource_group" "datacenter" {
        id         = "/subscriptions/blah/blah/blah"
        name       = "arc_example_site"
      ~ tags       = {
          + "blah" = "blah"
        }
        # (2 unchanged attributes hidden)
    }

 # data.azurerm_arc_machine.machines["example"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_arc_machine" "machines" {
      + active_directory_fqdn          = (known after apply)
      + agent                          = (known after apply)
      + agent_version                  = (known after apply)
      + client_public_key              = (known after apply)
      + cloud_metadata                 = (known after apply)
      + detected_properties            = (known after apply)
      + display_name                   = (known after apply)
      + dns_fqdn                       = (known after apply)
      + domain_name                    = (known after apply)
      + id                             = (known after apply)
      + identity                       = (known after apply)
      + last_status_change_time        = (known after apply)
      + location                       = (known after apply)
      + location_data                  = (known after apply)
      + machine_fqdn                   = (known after apply)
      + mssql_discovered               = (known after apply)
      + name                           = "myMachine1"
      + os_name                        = (known after apply)
      + os_profile                     = (known after apply)
      + os_sku                         = (known after apply)
      + os_type                        = (known after apply)
      + os_version                     = (known after apply)
      + parent_cluster_resource_id     = (known after apply)
      + private_link_scope_resource_id = (known after apply)
      + resource_group_name            = "arc_example_site"
      + service_status                 = (known after apply)
      + status                         = (known after apply)
      + tags                           = (known after apply)
      + vm_id                          = (known after apply)
      + vm_uuid                        = (known after apply)
    }

I have sanitized names, but the naming and capitalization of resource group and item were completely unchanged.

Due to this, the terraform configuration seemed unsure if the resource id of these components would change

  # azurerm_arc_machine_extension.dependency_agent_ama["exampleMachine1"] must be replaced
-/+ resource "azurerm_arc_machine_extension" "dependency_agent_ama" {
      ~ arc_machine_id            = "/subscriptions/blah/blah/blah" # forces replacement -> (known after apply) # forces replacement
      ~ id                        = "/subscriptions/blah/blah/blah" -> (known after apply)
      ~ location                  = "uksouth" # forces replacement -> (known after apply) # forces replacement
        name                      = "DependencyAgentWindows"
        tags                      = {
            ...
        }
      - type_handler_version      = "9.10.x.x" -> null
        # (6 unchanged attributes hidden)
    }

This effectively broke my entire setup

I was able to fix this and have it stop changing everything by just manually specifying the resource group as text in the data block

data "azurerm_arc_machine" "machines" {
  for_each            = { for machine in var.arc_machines : machine.name => machine }
  name                = each.key
  resource_group_name = "example_arc_${each.value.site}"
}

Is it possible to make it so azurerm is conscious of whether a resource change into a data block is actually meaningful to the properties it's accessing or the properties would be affected? Is this a limitation?

Important Factoids

N/A

References

None

liuwuliuyun commented 3 weeks ago

Hi @kaovd, thank you for bringing this to our attention. I noticed that in the reproduction steps, you've used the resource group id instead of its name.

data "azurerm_arc_machine" "machines" {
  for_each            = { for machine in var.arc_machines : machine.name => machine }
  name                = each.key
  resource_group_name = azurerm_resource_group.datacenter[each.value.site].id
}

Could this be the cause of the issue?
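
Added example, not part of the issue thread or the provider's code: a CI check over `terraform show -json <planfile>` output that flags the pattern reported above, where a data source is deferred to apply and dependent resources are planned for replacement. The sample plan is constructed and trimmed; the field names (`resource_changes`, `action_reason`, `replace_paths`) follow Terraform's JSON plan representation, and the function names are hypothetical.

```python
import json
import sys

# Constructed sample, trimmed to the fields read below. It mirrors the plan
# in the report: a tag-only update, a deferred data read, a forced replacement.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": 'azurerm_resource_group.datacenter["site"]', "mode": "managed",
         "change": {"actions": ["update"]}},
        {"address": 'data.azurerm_arc_machine.machines["example"]', "mode": "data",
         "action_reason": "read_because_dependency_pending",
         "change": {"actions": ["read"]}},
        {"address": 'azurerm_arc_machine_extension.dependency_agent_ama["example"]',
         "mode": "managed", "action_reason": "replace_because_cannot_update",
         "change": {"actions": ["delete", "create"],
                    "replace_paths": [["arc_machine_id"], ["location"]]}},
    ]
}

def deferred_data_reads(plan):
    """Data sources Terraform will only read during apply, with the stated reason."""
    return {
        rc["address"]: rc.get("action_reason", "unspecified")
        for rc in plan.get("resource_changes", [])
        if rc.get("mode") == "data" and rc["change"]["actions"] == ["read"]
    }

def forced_replacements(plan):
    """Managed resources planned for destroy/create, with the attributes forcing it."""
    out = {}
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if rc.get("mode") == "managed" and {"delete", "create"} <= set(actions):
            paths = rc["change"].get("replace_paths", [])
            out[rc["address"]] = [".".join(str(step) for step in p) for p in paths]
    return out

def plan_is_safe(plan):
    """False when the plan pairs deferred data reads with forced replacements."""
    return not (deferred_data_reads(plan) and forced_replacements(plan))

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for addr, reason in deferred_data_reads(plan).items():
        print(f"deferred read: {addr} ({reason})")
    for addr, attrs in forced_replacements(plan).items():
        print(f"replacement:   {addr} forced by {attrs}")
    sys.exit(0 if plan_is_safe(plan) else 1)
```

Run it against a saved plan before `terraform apply`; a non-zero exit stops the pipeline so the replacements can be reviewed by hand.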