hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Backup Policy resources' tags are reported as added, but in fact are not #5729

Open shybbko opened 4 years ago

shybbko commented 4 years ago

Terraform (and AzureRM Provider) Version

Affected Resource(s)

At least the following two:

Terraform Configuration Files

resource "azurerm_recovery_services_vault" "test-generic-recovery-vault" {
    name                = "${var.cluster_name}-recovery-vault"
    location            = "${var.region}"
    resource_group_name = "${var.test_rg}"
    sku                 = "standard"

    tags {
        deployment = "terraform",
        environment = "${var.environment}",
        type = "${var.type}",
        component = "${var.component}"
        division = "${var.division}"
        creator = "testuser"
    }
}

resource "azurerm_backup_policy_vm" "test-generic-backup-policy" {
  name                = "${var.cluster_name}-backup-policy"
  resource_group_name = "${var.test_rg}"
  recovery_vault_name = "${azurerm_recovery_services_vault.test-generic-recovery-vault.name}"

  timezone = "UTC"

  backup {
    frequency = "Daily"
    time      = "03:00"
  }

  retention_daily {
    count = 7
  }

    tags {
        deployment = "terraform",
        environment = "${var.environment}",
        type = "${var.type}",
        component = "${var.component}"
        division = "${var.division}"
        creator = "testuser"
    }
}

Expected Behavior

Tags are added to the resources.

Actual Behavior

Tags are not being added to the resources, however Terraform reports they are.

azurerm_backup_policy_vm.test-generic-backup-policy: Creating...
    (...)
  tags.%:                  "" => "6"
  tags.component:          "" => "users-test"
  tags.creator:            "" => "testuser"
  tags.deployment:         "" => "terraform"
  tags.division:           "" => "core"
  tags.environment:        "" => "production"
  tags.type:               "" => "test-cluster"
  timezone:                "" => "UTC"
azurerm_backup_policy_vm.test-generic-backup-policy: Still creating... (10s elapsed)
azurerm_backup_policy_vm.test-generic-backup-policy: Creation complete after 12s (ID: /subscriptions/xxx-...kupPolicies/test-generic-backup-policy)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

# az backup policy list -g test-generic1 -v test-generic-recovery-vault

  {
    "eTag": null,
    "id": "/Subscriptions/xxx/resourceGroups/test-generic1/providers/Microsoft.RecoveryServices/vaults/test-generic-recovery-vault/backupPolicies/test-generic-backup-policy",
    "location": null,
    "name": "test-generic-backup-policy",
    "properties": {
    (...)
    "resourceGroup": "test-generic1",
    "tags": null,
    "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
  }

Steps to Reproduce

Observed it in my production environment. Replicated in a completely new Resource Group. The scenario would be:

Debug Output

Would be able to provide it if necessary. However, since there is some sensitive data inside (which would require sanitisation) and the issue seems easily reproducible, as of now I've decided not to upload the debug output.
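
A post-apply check for the mismatch reported above, as an added example that is not part of the original issue or the provider's code: it parses the `tags.*` lines of apply output in the format quoted in the issue and compares them with the `tags` field of `az backup policy list` JSON. The sample inputs are constructed, the function names are hypothetical, and the Terraform resource label is assumed to equal the Azure resource name, as it does in the issue.

```python
import json
import re

# Constructed sample in the format of the apply output quoted in the issue.
APPLY_LOG = '''\
azurerm_backup_policy_vm.test-generic-backup-policy: Creating...
  tags.%:                  "" => "3"
  tags.component:          "" => "users-test"
  tags.creator:            "" => "testuser"
  tags.deployment:         "" => "terraform"
  timezone:                "" => "UTC"
azurerm_backup_policy_vm.test-generic-backup-policy: Creation complete after 12s
'''

# Constructed sample: 'az backup policy list' output reduced to the fields used here.
AZ_JSON = '''[{"name": "test-generic-backup-policy", "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"}]'''

# "<type>.<label>: Creating..." opens a resource; "tags.%" (the count) is skipped.
HEADER = re.compile(r'^([^.\s]+)\.(\S+): Creating\.\.\.$')
TAG = re.compile(r'^\s+tags\.([^%:\s]+):\s+"[^"]*" => "([^"]*)"$')


def reported_tags(apply_log):
    """Map resource label -> tags that Terraform reported as set during create."""
    tags, current = {}, None
    for line in apply_log.splitlines():
        head, tag = HEADER.match(line), TAG.match(line)
        if head:
            current = head.group(2)
            tags.setdefault(current, {})
        elif tag and current:
            tags[current][tag.group(1)] = tag.group(2)
    return tags


def missing_tags(apply_log, az_json):
    """Return {name: {tag: value}} for tags Terraform reported but Azure does not hold."""
    # Assumption: the Terraform label equals the Azure "name" field.
    actual = {r["name"]: (r.get("tags") or {}) for r in json.loads(az_json)}
    gaps = {}
    for name, wanted in reported_tags(apply_log).items():
        have = actual.get(name, {})
        lost = {k: v for k, v in wanted.items() if have.get(k) != v}
        if lost:
            gaps[name] = lost
    return gaps


if __name__ == "__main__":
    print(missing_tags(APPLY_LOG, AZ_JSON))
```

A non-empty result means a tag-based control (policy, cost allocation, ownership lookup) would be relying on tags that exist only in Terraform's output.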

neil-yechenwei commented 4 years ago

Thanks for opening this issue. Seems the service API doesn't return/take effect for tags. Filed an issue for this problem in swagger (https://github.com/Azure/azure-rest-api-specs/issues/9251).

DenWin commented 4 years ago

Is this actually an "upstream-microsoft" issue? Backup Policies do not have tags in the 1st place, thus why do we need a way to add them?

Regards

DenWin commented 3 years ago

@tombuildsstuff:

a) Your request at https://github.com/Azure/azure-rest-api-specs/issues/9251 was closed with "This is a general question for ARM team. Whenever they start supporting tags for proxy resources, then we can plan to leverage that."
b) If one would add tags, this would cause an indefinite loop of updating this resource (#8984)
c) It is neither possible to add tags in the Azure Portal nor through Azure CLI or API
d) I personally doubt many do use tags for these resources in their terraform configuration - see point b

I do understand that the request to add tags seems to be opened via this issue, but this should not be raised here but at Azure/ARM directly. Instead the PR to remove the tags should be re-introduced - maybe only for the next major version, with a deprecate flag for now.