hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

sql.ExtendedServerBlobAuditingPoliciesClient#CreateOrUpdate: Failure sending request: StatusCode=0 #7519

Closed mikemowgli closed 4 years ago

mikemowgli commented 4 years ago

Community Note

Terraform (and AzureRM Provider) Version

0.12.28

Affected Resource(s)

Terraform Configuration Files

resource "azurerm_mssql_server" "tamers-synapse-server" {
      administrator_login           = "tamers"
      administrator_login_password  = (sensitive value)
      connection_policy             = "Default"
      fully_qualified_domain_name   = (known after apply)
      id                            = (known after apply)
      location                      = "westeurope"
      name                          = "tamerssynapse1"
      public_network_access_enabled = false
      resource_group_name           = "datatamers"
      version                       = "12.0"

      identity {
          principal_id = (known after apply)
          tenant_id    = (known after apply)
          type         = "SystemAssigned"
      }
}

Debug Output

https://gist.github.com/mikemowgli/ab7ac126ce8f92f754f8b5972f2531af

Expected Behavior

SQL Server would be created without error.

Actual Behavior

SQL server is created, but tainted. I know my issue looks similar to 6269 and 6157, but these are supposed to be solved. I think the root cause is that the provider still uses an old API version whereas this ARM template uses a more recent one but I could be wrong.

I get the same result when adding an extended_auditing_policy block to the resource.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

yupwei68 commented 4 years ago

Hi @mikemowgli, thanks for opening this issue. Would you mind providing your Terraform config code and your AzureRM Provider version?

mikemowgli commented 4 years ago

provider.azurerm v2.16.0

provider "azurerm" { features {} }

yupwei68 commented 4 years ago

Hi @mikemowgli, sorry that I could not reproduce this error under azurerm 2.16.0. My code is below; I ran terraform apply and the resource was created successfully:

resource "azurerm_mssql_server" "tamers-synapse-server" {
      administrator_login           = "tamers"
      administrator_login_password  = <sensitive>
      connection_policy             = "Default"
      location                      = "westeurope"
      name                          = "tamerssynapse1"
      public_network_access_enabled = false
      resource_group_name           = azurerm_resource_group.test.name
      version                       = "12.0"

      identity {
          type         = "SystemAssigned"
      }
}

If the error continues to occur, please provide more detailed reproduction steps.

mikemowgli commented 4 years ago

Hi @yupwei68, I think I am starting to understand: do you happen to have the Security Center standard tier enabled on your subscription? I think the extended_auditing_policy Terraform block maps to the Advanced Data Security (ADS) feature. And from what I could read here, ADS requires Security Center Standard tier (in which an extra cost of 15$/server/month applies). Now I know that the extended_auditing_policy block is absent from both your test and mine; nevertheless, if you check the debug log in the gist of this issue, you'll see that Terraform constantly polls the extendedAuditingSettings/default?api-version=2017-03-01-preview endpoint. So my understanding is that regardless of the extended_auditing_policy block being configured in the code, Terraform will poll that URI, for which Azure will only answer if the Security Center is in the standard tier. If my understanding is correct, then this is a bug and Terraform should poll that URI only if the extended_auditing_policy block is configured, and the AzureRM provider documentation should clearly explain that Security Center must be in standard tier for this to work.

mikemowgli commented 4 years ago

Investigating further: regardless of the tier of the Security Center, it looks necessary to enable ADS for the extendedAuditingSettings/default?api-version=2017-03-01-preview endpoint to answer, and 1) it is not clear how to enable ADS in Terraform, and 2) it is shown in the debug log that this API endpoint is polled regardless of the existence of the extended_auditing_policy block of the Terraform resource.

mikemowgli commented 4 years ago

I tested multiple variations:

@yupwei68 I am surprised you cannot reproduce, and that I am the only one impacted by this problem, while I have a hard time avoiding it. Do you have any idea what else I could test?

mikemowgli commented 4 years ago

We noticed the PUT request against https://management.azure.com/subscriptions/<REDACTED>/resourceGroups/testmssql2/providers/Microsoft.Sql/servers/tamerssynapse21/extendedAuditingSettings/default?api-version=2017-03-01-preview returned nothing (Empty reply from server) whereas the GET request was successful. It must be a problem with our network since the issue disappears when testing from outside our network. We suspect it is related to the Deep Packet Inspection happening on the network. In any case, this isn't a bug in the provider, but rather an HTTP query that behaves differently than others. Why this one in particular, we don't know.

Closing the ticket.
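Added example, not part of the thread and not the provider's code: a Go probe that reproduces the symptom diagnosed above, where GET is answered but PUT gets an empty reply, and shows why the client then has no status to report (the `StatusCode=0` in the issue title). The local test server is a constructed stand-in for the network path, and `probe` and `newDroppingServer` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe sends one request and returns the HTTP status code, or 0 when the
// transport failed before any response arrived. In that case there is no
// response object at all, so there is no status to read.
func probe(method, url string) (int, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return 0, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err // connection closed or reset: "Empty reply from server"
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// newDroppingServer is a constructed stand-in for the behaviour in the thread:
// GET is answered normally, PUT has its connection closed without a reply.
func newDroppingServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPut {
			if hj, ok := w.(http.Hijacker); ok {
				if conn, _, err := hj.Hijack(); err == nil {
					conn.Close() // drop the connection, send no bytes back
				}
			}
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := newDroppingServer()
	defer srv.Close()
	// Path segment taken from the thread; host and port are the local test server.
	url := srv.URL + "/extendedAuditingSettings/default"
	for _, m := range []string{http.MethodGet, http.MethodPut} {
		code, err := probe(m, url)
		fmt.Printf("%-3s status=%d err=%v\n", m, code, err)
	}
}
```

Running the same per-method comparison from inside and outside the affected network separates a method-specific drop on the path from an error returned by the API itself, which would carry a real 4xx or 5xx status.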

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!