Inconsistent final plan with azurerm_mssql_database_vulnerability_assessment_rule_baseline #16139

Open
flobeier opened this issue Mar 29, 2022 · 3 comments

@flobeier

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

  • Terraform v1.1.3
  • azurerm 2.99.0

Affected Resource(s)

  • azurerm_mssql_database_vulnerability_assessment_rule_baseline

Terraform Configuration Files

resource "azurerm_mssql_database_vulnerability_assessment_rule_baseline" "legitimate_users" {
  # For some reason the vulnerability assessment is created with the name "Default" but read back from the API as "default",
  # which makes the following replacement necessary until this is fixed. Otherwise Terraform wants to recreate the resource on every run.
  server_vulnerability_assessment_id = replace(azurerm_mssql_server_vulnerability_assessment.example_sql_server.id, "Default", "default")
  database_name                      = "master"
  rule_id                            = "VA2130"
  baseline_name                      = "master"
  baseline_result {
    result = [
      "${azurerm_mssql_server.example.administrator_login}",
      "${local.sql_server_admin_sid[local.environment]}"
    ]
  }
}

resource "azurerm_mssql_database_vulnerability_assessment_rule_baseline" "ignore_missing_additional_users" {
  server_vulnerability_assessment_id = replace(azurerm_mssql_server_vulnerability_assessment.example_sql_server.id, "Default", "default")
  database_name                      = "master"
  rule_id                            = "VA1143"
  baseline_name                      = "master"
  baseline_result {
    result = [
      "1",
    ]
  }
}

Expected Behaviour

Terraform should be able to deploy two baselines without running into an error.

Actual Behaviour

Terraform tried to deploy the two baselines simultaneously after the vulnerability assessment they belong to was created, with one failing because of an inconsistent final plan (missing root element).

Steps to Reproduce

  1. terraform apply with two azurerm_mssql_database_vulnerability_assessment_rule_baseline resources. A few tries might be needed to trigger the issue, so far I just encountered it once.

@katbyte
Collaborator

katbyte commented Mar 29, 2022

Hey @flobeier - it looks like this has been fixed in 3.0 by #14759, if possible could you update to the newest version of the provider and see if this is still an issue?

@flobeier
Author

@katbyte glad to hear that this has already been fixed. I removed my workaround and can confirm that the fix is working as expected.

@flobeier
Author

flobeier commented Apr 12, 2022

@katbyte I just encountered this issue again with azurerm provider version 3.1.0:

Error: Provider produced inconsistent final plan

When expanding the plan for azurerm_mssql_database_vulnerability_assessment_rule_baseline.ignore_missing_additional_users_example1_database to include new values learned so far during apply, provider
"registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .server_vulnerability_assessment_id: was
cty.StringVal("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Sql/servers/example-sqlserver/vulnerabilityAssessments/Default"), but now
cty.StringVal("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Sql/servers/example-sqlserver/vulnerabilityAssessments/default").

This is a bug in the provider, which should be reported in the provider's own issue tracker.

When expanding the plan for azurerm_mssql_database_vulnerability_assessment_rule_baseline.ignore_missing_additional_users_example2_database to include new values learned so far during apply, provider
"registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .server_vulnerability_assessment_id: was
cty.StringVal("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Sql/servers/example-sqlserver/vulnerabilityAssessments/Default"), but now
cty.StringVal("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Sql/servers/example-sqlserver/vulnerabilityAssessments/default").

This is a bug in the provider, which should be reported in the provider's own issue tracker.

During the first terraform apply I got the errors above, during the second I got no errors.

Edit: Since this happened exactly the same in two environments, I think I now know what happens: When the vulnerability assessment is updated during the same terraform apply run in which the baseline rules are going to be created, the inconsistent final plan error appears.
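
Added example, not part of the original thread or of the provider's code: a small triage script that reads "inconsistent final plan" error text like the output quoted above and reports whether the old and new attribute values differ only by letter case in a resource ID segment (as with `Default` vs `default`) or by a real change. The sample text is constructed in the shape of the quoted error, and the function names `classify` and `triage` and the resource address in the sample are assumptions made for illustration.

```python
import re

# Constructed sample shaped like the error quoted in the issue (placeholder IDs).
SAMPLE_ERROR = '''
When expanding the plan for azurerm_mssql_database_vulnerability_assessment_rule_baseline.example to include new values learned so far during apply, provider
"registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .server_vulnerability_assessment_id: was
cty.StringVal("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Sql/servers/example-sqlserver/vulnerabilityAssessments/Default"), but now
cty.StringVal("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Sql/servers/example-sqlserver/vulnerabilityAssessments/default").
'''

# One match per "When expanding the plan for ..." paragraph.
PATTERN = re.compile(
    r'When expanding the plan for (?P<addr>\S+) to include.*?'
    r'invalid new value for (?P<attr>\S+): was\s+'
    r'cty\.StringVal\("(?P<was>[^"]*)"\), but now\s+'
    r'cty\.StringVal\("(?P<now>[^"]*)"\)',
    re.DOTALL,
)

def classify(was, now):
    """Compare two resource IDs segment by segment.

    Returns (kind, indexes) where kind is 'identical', 'case-only' or
    'real-change' and indexes lists the differing '/'-separated segments.
    """
    a, b = was.split("/"), now.split("/")
    if len(a) != len(b):
        return "real-change", []
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if not diff:
        return "identical", []
    case_only = all(a[i].lower() == b[i].lower() for i in diff)
    return ("case-only" if case_only else "real-change"), diff

def triage(text):
    """Return one finding per inconsistent-plan paragraph found in text."""
    findings = []
    for m in PATTERN.finditer(text):
        kind, diff = classify(m["was"], m["now"])
        was_parts, now_parts = m["was"].split("/"), m["now"].split("/")
        findings.append({
            "resource": m["addr"],
            "attribute": m["attr"].lstrip("."),
            "kind": kind,
            "segments": [(was_parts[i], now_parts[i]) for i in diff],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_ERROR):
        print(finding)
```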
