azurerm provider fails when refreshing existing resources #1005
Labels
Milestone
Comments
|
I am also unable to refresh. Applying the first time works and saves contents to state file, but reapplying clears out the state file with empty resources and it wants to re-add resources during a With the following results during a |
|
@phassingerhi it doesn't seem to be the same issue described in #974 to be honest... they didn't have any panic there and although I listed both keyvault and appinsights as it was shown in the console log, checking panic log only shows problems related to getting response on keyvault through Azure's management API (management.azure.com) |
|
hey @calinmarina Thanks for opening this issue - apologies for the delayed response here! Taking a look into this unfortunately the logs aren't particularly insightful - would it be possible to answer the following so that we could investigate this further:
@phassingerhi the issue you've encountered is unfortunately an unrelated regression which shipped in v0.11.4, which was fixed in v0.11.5 - would you be able to upgrade to the latest version and take another look? Thanks! |
|
@tombuildsstuff - Confirmed, running on v0.11.6 now works. |
|
I seem to still have the same issue. I'm using 0.11.7 & 1.3.3 of the azure provider. Having a keyvault seems to cause a panic if I try running terraform plan again after a successful first run. If I remove the keyvault, then the plan works fine. I tried making a test plan with a keyvault & that works ok. The only significant difference between my test area & the one above, is above there is significant drift between terraform & Azure after 4 web apps have had MSI enabled on them and added to KV. I haven't yet found a way round this or way of testing if this is the issue. |
|
@simongh so that we could take a look into this - would you be able to provide a link to the panic/crash log? |
|
I have a crash log. I'd rather not post the whole thing in a public forum. I've attached the fragment as it fails the Key Vault call. When TF creates the vault, it adds 3 access policies, 1 for a application & 2 for AD groups. I then create a web app with a powershell provisioner script that enables MSI and adds the MSI to the keyvault using:
If I remove this access-policy from the vault, TF can do a plan, or refresh and sees no changes. If I add the access-policy using the portal, TF still works as expected. If I run the above line again, TF will crash. Looking at what is shown in the console I see this fragment:
It seems az CLI creates the policy with a null certificates and null secrets. An access policy created using the portal or by TF has these 2 properties set to an empty array. On the problematic access_policy, if I set these to say just the get permission (ie make them non-null), then TF works once again. It seems TF expects a value for keys, certificates and secrets when these might in fact be null. Sorry this is rambling a bit, I've been finding this out as I type. |
|
@simongh thanks for posting that - this is the relevant crash line: I'm actually looking into this resource at the moment - so I'll try and open a PR to fix this. Thanks! |
|
hey @simongh Just to let you know that v1.4.0 of the Azure Provider has been released which includes the fix for this :) Thanks! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Terraform Version
Note. we initially encountered this problem with terraform v0.11.3 and azurerm v1.2.0, just after azurerm and terraform updated to 1.2 and 11.4 respectively in March 15, 2018 so upgraded but still no luck
Affected Resource(s)
Please list the resources as a list, for example:
It appears to affect multiple resources, it may be an issue with Terraform's core, as we get other modules showing the same
unexpected EOFmessage in other builds but vault definitely comes up everytimeTerraform Configuration Files
https://gist.github.com/calinmarina/bd0fd8236b7a523423f64ffb03875999
Debug Output and Panic Output
https://gist.github.com/calinmarina/e5cbc60084f77ca324bdb5a8083fd47e
Expected Behavior
terraform applyshould have run smooth updating resources as beforeActual Behavior
terraform panicked with
unexpected EOFfor several resources.Note. nothing changed on the code side, it's exactly the same code running to update previously built resources by the same scripts.
Steps to Reproduce
see console log in the attached gist but example of steps to follow on top of existing resources:
terraform init -reconfigure -backend-config storage_account_name=mgmtstatestorenonprod -backend-config container_name=mgmtstatestorecontaineraat -backend-config resource_group_name=mgmt-state-store-nonprod -backend-config key=em-anno-app/aat/terraform.tfstateterraform get -update=trueterraform plan -var env=aat -var name=em-anno-app -var subscription=nonprodImportant Factoids
The text was updated successfully, but these errors were encountered: