hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Problem with azurerm_iothub_dps_shared_access_policy always applying #5630

Open mark-greene opened 4 years ago

mark-greene commented 4 years ago

Using provider "azurerm" (hashicorp/azurerm) 1.43.0

I have the following Terraform code:

resource "azurerm_iothub_dps_shared_access_policy" "iot_dps" {
  name                = "${local.policy_name}"
  resource_group_name = azurerm_iothub.iot.resource_group_name
  iothub_dps_name     = azurerm_iothub_dps.iot_dps.name

  enrollment_write    = true
  enrollment_read     = true

  registration_write  = true
  registration_read   = true
}

When I apply, it works as expected, but when I do a plan, enrollment_read, registration_write and registration_read are detected as false, thus causing a change. If I change them to false, the plan will not detect changes, but a subsequent apply generates the following error. Correcting the error puts me in a state where plan always detects changes and apply makes changes.

Apply

Error: Error building Access Rights: 1 error occurred:
    * If `enrollment_write` is set to true, `enrollment_read`, `registration_read`, and `registration_write` must also be set to true

  on main.tf line 306, in resource "azurerm_iothub_dps_shared_access_policy" "iot_dps":
 306: resource "azurerm_iothub_dps_shared_access_policy" "iot_dps" {

Plan

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_iothub_dps_shared_access_policy.iot_dps will be updated in-place
  ~ resource "azurerm_iothub_dps_shared_access_policy" "iot_dps" {
      ~ enrollment_read     = false -> true
        enrollment_write    = true
        id       = "/subscriptions/.../dev2-dps-policy"
        iothub_dps_name     = "dev2-dps"
        name                = "dev2-dps-policy"
        primary_connection_string = (sensitive value)
        primary_key         = (sensitive value)
      ~ registration_read   = false -> true
      ~ registration_write  = false -> true
        resource_group_name = "iot"
        secondary_connection_string = (sensitive value)
        secondary_key       = (sensitive value)
        service_config      = false
    }

Plan: 0 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------
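The plan above shows the same three attributes flipping from false to true on every run. As an added example (not code from the issue or from the provider), the following Python script reads a plan in `terraform show -json` format and separates that known flip on `azurerm_iothub_dps_shared_access_policy` resources from any other change to such a policy, so that the recurring noise does not hide a genuine change to the policy's rights during review. The embedded plan document is constructed to mirror the plan in the report, with a second policy (`.service`, a made-up address) whose `service_config` really changes and a no-op DPS resource.

```python
"""Classify Terraform plan changes for azurerm_iothub_dps_shared_access_policy.

Reads a plan in `terraform show -json plan.out` format and labels each
non-no-op resource change as "known-noise" (only the attributes the Azure API
omits flipping false -> true), "real-change" (anything else in an update) or
"review" (create, delete or replace).
"""
import json

DRIFTING_TYPE = "azurerm_iothub_dps_shared_access_policy"
# Attributes the API does not return after creation (see this issue), so state
# holds false while the configuration says true.
KNOWN_NOISY_ATTRS = {"enrollment_read", "registration_read", "registration_write"}

# Constructed sample plan JSON modelled on the plan in the issue (sensitive
# values and ids omitted); the ".service" policy and its address are made up.
SAMPLE_PLAN_JSON = """
{
  "format_version": "0.1",
  "resource_changes": [
    {
      "address": "azurerm_iothub_dps_shared_access_policy.iot_dps",
      "type": "azurerm_iothub_dps_shared_access_policy",
      "change": {
        "actions": ["update"],
        "before": {"name": "dev2-dps-policy", "enrollment_write": true,
                   "enrollment_read": false, "registration_read": false,
                   "registration_write": false, "service_config": false},
        "after":  {"name": "dev2-dps-policy", "enrollment_write": true,
                   "enrollment_read": true, "registration_read": true,
                   "registration_write": true, "service_config": false}
      }
    },
    {
      "address": "azurerm_iothub_dps_shared_access_policy.service",
      "type": "azurerm_iothub_dps_shared_access_policy",
      "change": {
        "actions": ["update"],
        "before": {"name": "dev2-dps-service", "enrollment_write": false,
                   "enrollment_read": false, "registration_read": false,
                   "registration_write": false, "service_config": false},
        "after":  {"name": "dev2-dps-service", "enrollment_write": false,
                   "enrollment_read": false, "registration_read": false,
                   "registration_write": false, "service_config": true}
      }
    },
    {
      "address": "azurerm_iothub_dps.iot_dps",
      "type": "azurerm_iothub_dps",
      "change": {"actions": ["no-op"],
                 "before": {"name": "dev2-dps"}, "after": {"name": "dev2-dps"}}
    }
  ]
}
"""


def changed_attributes(change):
    """Return {attr: (before, after)} for every attribute whose value differs."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    return {k: (before.get(k), after.get(k))
            for k in set(before) | set(after)
            if before.get(k) != after.get(k)}


def is_known_noise(resource_change):
    """True only for the exact drift signature: noisy attrs going false -> true."""
    if resource_change["type"] != DRIFTING_TYPE:
        return False
    diff = changed_attributes(resource_change["change"])
    if not diff or not set(diff) <= KNOWN_NOISY_ATTRS:
        return False
    # A true -> false transition is a real reduction of rights, never noise.
    return all(b is False and a is True for b, a in diff.values())


def classify_plan(plan):
    """Map each planned (non-no-op) resource address to a review verdict."""
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions == ["no-op"]:
            continue
        if actions != ["update"]:
            verdicts[rc["address"]] = "review"
        elif is_known_noise(rc):
            verdicts[rc["address"]] = "known-noise"
        else:
            verdicts[rc["address"]] = "real-change"
    return verdicts


def classify_plan_json(text):
    """Convenience wrapper taking the raw `terraform show -json` output."""
    return classify_plan(json.loads(text))


if __name__ == "__main__":
    for address, verdict in sorted(classify_plan_json(SAMPLE_PLAN_JSON).items()):
        print(f"{verdict:12} {address}")
```

Run it against a real plan with `terraform show -json plan.out | python3 classify_plan.py` after replacing the sample with `sys.stdin.read()`. The direction check matters: a policy whose configured rights were lowered produces true -> false transitions and is reported as a real change, and an update that touches `service_config` or `enrollment_write` alongside the noisy attributes is never collapsed into noise.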
markti commented 4 years ago

same problem here :(

neil-yechenwei commented 3 years ago

Thanks for opening this issue. After testing, I found that the API doesn't seem to return the values "enrollmentRead/registrationWrite/registrationRead" after the resource is created successfully. I assume it's an API issue, so I filed an issue on Azure/azure-rest-api-specs#10356.

szymon-wlodarczyk commented 3 years ago

Any updates on this issue?

dkisselev commented 3 years ago

+1 I'm also encountering this issue.

Since the Azure API doesn't return the current values for those attributes, TF tries to re-set them every time.

I'm also integrating the ownerpolicy into a keyvault secret. When TF tries to publish an updated secret for the (otherwise identical) ownerpolicy it triggers an inconsistent final plan error.

Tiduster commented 2 years ago

I have the same issue.

I used a lifecycle as a workaround for now:

  lifecycle {
    ignore_changes = [
      enrollment_read,
      registration_read,
      registration_write
    ]
  }