-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azurerm_pim_eligible_role_assignment attempts to recreate after circa 45 days - error "already exists" #24118
Comments
Hi @andy170583 , This is the first time I am seeing Are you sure |
Hi @harshavmb Thanks for the quick response, According to the time stamp the PIM assignments were originally created at 2023-10-16T12:33:28Z; I have just checked back through the State file version backups and can see the following; 28/11/2023 In State Checking back through the pipelines, the first time we see an issue is when it shows up that the assignments need recreating in a plan 04/12/2023 12:03 output shown below,
The deploy pipeline then failed at 12:16, as per the failure I shared originally I have three Subscription deployed from identical code, with 3 x separate state files, 2 x were deployed on the 16th October and have both now had this issue, the third was deployed last week and the PIM role assignments are still in the State file and pipelines are running without issue. |
Hi @andy170583 , Thanks for sharing more details. Can you send |
This looks a lot like the issues which I and other people are running into that were reported in #23672, #22513, and #23775 - the PIM assignments seem to somehow drop between when Terraform creates them and when it actually adds them to the state, thus leading to a disconnect where it exists in Azure but not TF. |
I have enabled Trace Logs but unfortunately I can't share them as it's a Live environment. Is there anything in particular I could search and extract? |
@harshavmb can you help review #24077 , this issue looks like relate to this PR |
Quick Update: I have this morning tried to add the resource/s manually back into the State file. copying the blocks from the older backups. The Plan still attempts to recreate the objects. I have run the plan with Trace logging with the state file updated and tried to pull out anything that looks relevant.
|
@andy170583 have you assign the roles to the sub resource within this sub recently? Current AzureRM not check the role assignment by scope, one result is it will treat the role assignment on sub resource as assigned on current resource and when you try to import the resource it will report that the resource not exist. |
Heavily related to the recent discussion in #23111 👀 |
Have updated to 3,86 and still facing this issue. Today some ressoruces can not be managed anymore. Even the import fails |
Some more details: |
Hi @srnebu, As @xuzhang3 mentioned this appears to be fixed in #24077. My guess is that your tf statefiles were updated (references of resources were removed) before the usage of If possible for the ones which isn't working you could fallback the statefile which contains |
@harshavmb still facing the issue:
|
Did a quick check with 3.84 to 3.86. it is absolutely the same behaviour. |
Folks, I suspect that is not the root cause, the root cause I outlined here for the 45d problem… I might need to open a new issue for that tomorrow if @xuzhang3 or @MohnJadden reply (or don't) 🚀 |
any news? |
@harshavmb #24077 fixed part of the issue but not all of it. I still trying to reproduce this error. |
You can only reproduce it sadly by waiting 45 days 😢 |
can we help we you with any protocol or some other stuff? |
@srnebu One issue I found is that the API used by the current AzreuRM version cannot get role assignments that will be activated in the future, as for the issue mentioned here I cannot reproduce. |
We are also experiencing this issue. Our plan wants to create the role assignments, which has been previously been created by terraform and exist in both - the state and in azure portal. We also tried using the import block, but it's being ignored by terraform entirely.
azurerm version: |
Same here; another thing is we cannot remove the PIM Role assignment through the portal manually anymore. Have opened a support ticket at Microsoft, if anything usefull comes out of it will post it here. |
@rikribbers you can remove the PIM Role Assignment by the cancel API if the assignment is in pending status(not active). |
@xuzhang3 You can also remove it from the IAM blade on resource level. |
hoping the pull request will be included into the next version :-) |
Is there any update on this? |
still waiting for this function to work correctly. |
Still facing the same issue with provider version |
I created new |
I also still see it 😢 But we should also once mention some kudos for @xuzhang3 and all those that need to deal with PIM. If you read the PIM docs and even use PIM in the portal, you recognise that it's just somehow shabby. Feels like some large enterprises put so much pressure onto M$ (we buy AWS instead if you don't …) that they just stitched on some hobbo entities and processes to normal role assignments with drawbacks left and right and now all API or IaC maintainers need to keep up with this 💩 Thank you all that try to IaC PIM ❤️ |
Improvements and bug fixes to the |
Thanks for the update @manicminer. Could you share wether we need to recreate the resources or stick with the old resources? |
@tomaaron I've been able to keep the resource IDs consistent so it should just start working without needing to recreate or reimport. |
@manicminer Thanks for getting back. I have partially success with the new provider. On one environment TF could reference and maintain the resources with But on another one TF unfortunately wants to recreate the resources for no reason:
I have compared both states and there is no real diff except for the IDs ofcourse. The Ticket block is on both states empty. I have also tried to remove the resource from the state and reimport it without luck. |
Same issue as @tomaaron, Terraform v1.8.3
We just redeployed everything a couple of days ago, after facing the issue with the 45 days window. Versions used back then: Terraform v1.8.2
We do not supply any Advise or help would be very much appreciated, thanks a lot. |
Also to mention: even If you recreated the full resources then the provider wants to recreate it each time you. |
With reference to the comment by @fgebhardt above, we were facing 135 resources being destroyed and created again using this version of Terraform and the azurerm provider. Terraform v1.8.3
As per the comment by @tomaaron the ticket is the attribute change which is forcing replacement:
I compared the tfstate and tfstate-prev files from the tfplan and can see this difference:
and
The previous state was from a plan/apply with azurerm 3.102.0 and Terraform 1.8.2. Even though we do not specify a ticket, these are optional in the docs, the existing and planned tickets differ in their optional state. This is also the same for the azurerm_pim_active_role_assignment resource type (we had both showing as being removed due to the ticket 'change'). To get around this, as we do not use the ticket, we have added a lifecycle ignore to these resources:
Now when we run a plan there are no changes seen due to the 'changes' of the tickets. Of course you could also modify our existing state with these new defaults for the ticket, but I would never publicly recommend that! |
Thanks @tomaaron, @fgebhardt, @sunevnuahs for the feedback - your real world usage reports are very much appreciated. I am hoping to have fixed this persistent diff issue with the |
@manicminer I can confirm that the v3.105.0 resolved the issue. 🎉 Thanks for your work! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Is there an existing issue for this?
Community Note
Terraform Version
1.5.0
AzureRM Provider Version
3.70.0
Affected Resource(s)/Data Source(s)
azurerm_pim_eligible_role_assignment
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
PIM Role assignment should create on first Apply, and on subsequent applies it should exist and recreation not attempted.
Actual Behaviour
After a period of time, circa 45 days Terraform appears to think the assignment has been deleted though it still exists and can be seen in the portal in it's original state. Terraform attempts to recreate it and fails as it already exists.
Steps to Reproduce
Update PIM settings to allow permanent role assignments,
Create a PIM Role assignment without expiry,
Wait circa 45 days, reapply terraform config
Important Factoids
No response
References
No response
The text was updated successfully, but these errors were encountered: