Terraform Plan bases its add/change/destroy on the Terraform Resource name and not the Provider name #2766

Closed
ghost opened this issue Jan 25, 2019 · 7 comments
ghost commented Jan 25, 2019

This issue was originally opened by @SamirFarhat as hashicorp/terraform#20118. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.11.11

Terraform Configuration Files

main.tf
variable "client_secret" {}
provider "azurerm" {
    version = "=1.7.0"
    subscription_id = "dddddddddddd80527c41"
    tenant_id       = "xxxxxxxxxxxxxxxxxxxxxxxxx"   
    client_id       = "xxxxxxxxxxxxxx"
    client_secret   = "${var.client_secret}"
}


kv3.tf
resource "azurerm_key_vault" "icoma3" {
  name                = "kvtest01samirtest11"
  location            = "westeurope"
  resource_group_name = "test-terraform"
  tenant_id           = "dd"

  sku {
    name = "standard"
  }
}


kv4.tf
resource "azurerm_key_vault" "icoma4" {
  name                = "kvtest01samirtest11"
  location            = "westeurope"
  resource_group_name = "test-terraform"
  tenant_id           = "dd"

  sku {
    name = "standard"
  }

  tags {
    Environment  = "goliath"
    houya        = "rora"
    dfdfd        = "gthshs"
    new          = "yes"
    newnew       = "yes yes"
    Envidronment = "goliath"
    houyda       = "rora"
    dfdfdd       = "gthshs"
    nedw         = "yes"
    nedrmwnew    = "yes yes"
  }
}

Expected Behavior

kv3.tf and kv4.tf contain the same data; the only differences are:

  • the terraform resource name is different. icom3, icom4
  • I have added some configurations to kv4.tf
  • The Azure Resource name is the same

The expected behavior is that Terraform stops me or tells me that the same resource will be created then overwritten.

Actual Behavior

Terraform plan shows 2 resources to be added

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:

  + create

Terraform will perform the following actions:

  + azurerm_key_vault.icoma3
    id:
    location: "westeurope"
    name: "kvtest01samirtest11"
    resource_group_name: "test-terraform"
    sku.#: "1"
    sku.0.name: "standard"
    tags.%:
    tenant_id: "3a7fd4f8-30d9-4937-8015-7e20960a52f3"
    vault_uri:

  + azurerm_key_vault.icoma4
    id:
    location: "westeurope"
    name: "kvtest01samirtest11"
    resource_group_name: "test-terraform"
    sku.#: "1"
    sku.0.name: "standard"
    tags.%: "10"
    tags.Envidronment: "goliath"
    tags.Environment: "goliath"
    tags.dfdfd: "gthshs"
    tags.dfdfdd: "gthshs"
    tags.houya: "rora"
    tags.houyda: "rora"
    tags.nedrmwnew: "yes yes"
    tags.nedw: "yes"
    tags.new: "yes"
    tags.newnew: "yes yes"
    tenant_id: "3a7fd4f8-30d9-4937-8015-7e20960a52f3"
    vault_uri:

Plan: 2 to add, 0 to change, 0 to destroy.

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

  1. terraform init
  2. terraform plan
@katbyte
Collaborator

katbyte commented Jan 26, 2019

Hi @SamirFarhat,

Sorry that this is a problem for you. We have been aware of this issue for a while and are working on adding checks to all the resources to prevent it: #2773, #2728, #2664, #2592, #2537, #2518, #2511

These fixes will be enabled by default for all resources in v2.0. The specific resource here was fixed in #2664 and is slated to be released in v1.22. At that point you can set the environment variable ARM_PROVIDER_STRICT=true and it will no longer overwrite your resource 🙂

@katbyte katbyte added this to the 2.0.0 milestone Jan 26, 2019
@SamirFarhat

@katbyte: What will ARM_PROVIDER_STRICT=true do? Will it fix my issue?

@katbyte
Collaborator

katbyte commented Jan 29, 2019

@SamirFarhat, when ARM_PROVIDER_STRICT=true it will cause the provider to return an error if the resource already exists. The resource you are asking about has this flag in master, and will be officially released in v1.22.

Once 2.0 is released this will be the default behaviour.

@katbyte
Collaborator

katbyte commented Jan 30, 2019

Please see #2807 for more information @SamirFarhat.

@tombuildsstuff
Contributor

hey @SamirFarhat

Just to add a little more context to what @katbyte has said: there's a difference in the way that Terraform tracks resource uniqueness and that Azure tracks resource uniqueness.

Terraform handles this using the id of the resource defined in HCL, for example:

resource "foo" "bar" {}
resource "foo" "bar" {}

In the example above Terraform will complain at plan time since there are two elements with the ID bar - which isn't valid.

Azure, on the other hand, generally uses the name property within the resource to determine the uniqueness of a resource. The issue with this is that the Azure APIs are Upserts (meaning they'll be Updated if they already exist, otherwise they're Created) - as such, if the existing resource isn't imported into Terraform, when Terraform tries to "create" it Azure updates the existing reference.

In v2.0 we're planning on fixing this behaviour by checking with the Azure API prior to creating the resource and confirming whether or not it exists. This behaviour is supported by the AzureRM Provider in the next version (v1.22) however will be feature-toggled off - you'll be able to opt-into this using the Environment Variable documented above.

Since this behaviour's been fixed (but is feature-toggled off) - I'm going to close this issue in favour of #2807 where this will be feature-toggled on; however in the interim you should be able to set the Environment Variable ARM_PROVIDER_STRICT to true in the upcoming v1.22 of the Provider to get this same behaviour.

Thanks!
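The upsert behaviour and the check-before-create fix described in this comment, as an added example that is not part of the original thread or the provider's code. `fakeAzure`, `createResource` and `applyBoth` are hypothetical names, and the in-memory map is a constructed stand-in for the Azure API.

```go
package main

import (
	"errors"
	"fmt"
)

// Vault stands in for an Azure resource; Azure identifies it by Name.
type Vault struct {
	Name string
	Tags map[string]string
}

// fakeAzure is a constructed in-memory model of an upsert API, not an Azure SDK type.
type fakeAzure map[string]Vault

func (a fakeAzure) Get(name string) (Vault, bool) { v, ok := a[name]; return v, ok }
func (a fakeAzure) CreateOrUpdate(v Vault)        { a[v.Name] = v } // never rejects an existing name

var ErrAlreadyExists = errors.New("resource already exists; import it into state first")

// createResource mimics a provider create step; strict models the opt-in existence check.
func createResource(a fakeAzure, v Vault, strict bool) error {
	if _, exists := a.Get(v.Name); strict && exists {
		return fmt.Errorf("%q: %w", v.Name, ErrAlreadyExists)
	}
	a.CreateOrUpdate(v)
	return nil
}

// applyBoth runs the issue's two resource blocks, which share one Azure name.
func applyBoth(strict bool) (Vault, []error) {
	api := fakeAzure{}
	plan := []Vault{
		{Name: "kvtest01samirtest11"}, // azurerm_key_vault.icoma3
		{Name: "kvtest01samirtest11", Tags: map[string]string{"Environment": "goliath"}}, // icoma4
	}
	var errs []error
	for _, v := range plan {
		if err := createResource(api, v, strict); err != nil {
			errs = append(errs, err)
		}
	}
	final, _ := api.Get("kvtest01samirtest11")
	return final, errs
}

func main() {
	fmt.Println(applyBoth(false)) // second block silently replaces the first
	fmt.Println(applyBoth(true))  // second block is rejected, first vault is kept
}
```

Both Terraform addresses pass plan-time validation because they differ; only the lookup before the write catches that they target one Azure name.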

@ghost
Author

ghost commented Mar 6, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 6, 2019
@ghost ghost unlocked this conversation Feb 24, 2020
@ghost
Author

ghost commented Feb 24, 2020

This has been released in version 2.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.0.0"
}
# ... other configuration ...

@ghost ghost locked and limited conversation to collaborators Feb 24, 2020