Running terraform plan against a resource group with a ReadOnly lock on it fails

[devblackops]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.11.11

• provider.azurerm v1.24.0
• provider.random v2.1.0

Affected Resource(s)

• azurerm_resource_group
• azurerm_management_lock

Terraform Configuration Files

provider "azurerm" {
  version = ">= 1.22.0"
}

provider "random" {
  version = "~> 2.0"
}

resource "random_string" "stg_name" {
  length  = 16
  lower   = true
  upper   = false
  special = false
}

resource "azurerm_resource_group" "rsg" {
  name     = "scratch"
  location = "westus2"
}

resource "azurerm_storage_account" "standard-storage" {
  name                     = "${random_string.stg_name.result}"
  location                 = "${azurerm_resource_group.rsg.location}"
  resource_group_name      = "${azurerm_resource_group.rsg.name}"
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_management_lock" "rsg-lock" {
  name       = "${azurerm_resource_group.rsg.name}-rsg-lock"
  scope      = "${azurerm_resource_group.rsg.id}"
  lock_level = "ReadOnly"
  notes      = "Safety first"

  depends_on = [
    "azurerm_storage_account.standard-storage",
  ]
}

Debug Output

https://gist.github.com/devblackops/f8523fda1631b6b64de50ed89293d218

Panic Output

Expected Behavior

terraform plan should say no resources need to change instead of producing an error that is can't perform a write operation.

Actual Behavior

The resource group, storage account, and lock are created successfuly but a subsequent terraform plan with zero changes to the Terraform config produce an error.

terraform plan produces an error that is can't perform a write operation because of the ReadOnly resource group lock (what type of write operation is it trying to perform?

Error

Error: Error refreshing state: 1 error(s) occurred:

* azurerm_storage_account.standard-storage: 1 error(s) occurred:

* azurerm_storage_account.standard-storage: azurerm_storage_account.standard-storage: storage.AccountsClient#ListKeys: Failure sending request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="ScopeLocked" Message="The scope '/subscriptions/0f553e2c-4844-4a0f-bd62-7cc961dd5f58/resourceGroups/scratch/providers/Microsoft.Storage/storageAccounts/hnzj1vqqbqiaqli8' cannot perform write operation because following scope(s) are locked: '/subscriptions/0f553e2c-4844-4a0f-bd62-7cc961dd5f58/resourceGroups/scratch'. Please remove the lock and try again."

Steps to Reproduce

1. terraform apply
2. terraform plan

Important Factoids

References

[tombuildsstuff]

hey @devblackops

Thanks for opening this issue :)

Taking a quick look into this:

terraform plan produces an error that is can't perform a write operation because of the ReadOnly resource group lock (what type of write operation is it trying to perform?

I have a feeling this "write operation" is when we request the keys for the Storage Account from the ListKeys endpoint - out of interest does the Audit Log (Resource Groups -> [name] -> Audit Log) show anything when you see this error?

Thanks!

[devblackops]

Thanks the the quick response @tombuildsstuff!

Yes, the audit log shows a failed entry for listing the storage account keys.

Operation name
List Storage Account Keys
Time stamp
Wed Apr 03 2019 12:45:06 GMT-0700 (Pacific Daylight Time)
Event initiated by
15c03449-7002-40f5-a29b-d7c5cb33f73d
Error code
ScopeLocked
Message
The scope '/subscriptions/0f553e2c-4844-4a0f-bd62-7cc961dd5f58/resourceGroups/scratch/providers/Microsoft.Storage/storageAccounts/hnzj1vqqbqiaqli8' cannot perform write operation because following scope(s) are locked: '/subscriptions/0f553e2c-4844-4a0f-bd62-7cc961dd5f58/resourceGroups/scratch'. Please remove the lock and try again.

Also, this behavior is not present when the resource group is empty. My repro is using a storage account as a simple example but our actual config has many more resources. I'll try and repro using a similarly simple resource.

[devblackops]

I tested with a public IP address instead of the storage account and terraform plan works as expected.

The behavior may be limited to resources that perform list keys or similar operations that are read only in nature but for some reason Azure prevents with a read-only resource lock.

[tombuildsstuff]

Upstream API issue: Azure/azure-rest-api-specs#6363

[tombuildsstuff]

👋

Taking a look into this, since this is an Azure API design I don't think there's something necessarily actionable within Terraform in this issue (since it requires the API changed in Azure). Instead I'm going to close this issue in favour of #4138, which has a proposed solution (gracefully degrading ListAccountKeys fails) which will solve this issue; as such would you mind subscribing to that issue for updates?

Thanks!

[ghost]

This has been released in version 1.34.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.34.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!