-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Azure KeyVault Error: Provider produced inconsistent result after apply #11059
Comments
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
@GregBillings I am investigating this issue, but I can't repro it by following the steps below. Could you help confirm whether the following steps can repro this issue on your side? In addition, I would like to confirm whether you have done other operations before doing the following? Any detail information is greatly appreciated. Steps to Reproduce
Note: Remote state is managed by Terraform Cloud, issue can't be reproduced when Execution Mode is remote or local. |
@elthanor I can't repro this issue, below is my repro steps. Could you provide more details to help me repro this issue? Note: Remote state is managed by Terraform Cloud, issue can't be reproduced when Execution Mode is remote or local. |
I would like to Re sinbai's finding that I cannot repro this issue either. The app I used is TF v1.0.5 and AzureRM provider v2.74 (this is the latest Azure provider version when I'm typing now). What I tried is creating a KV + KVSec first, and then use that created KV as a data source and create another KVSec. All the above was done by TF and all of them worked well w/o getting any command line error msg. I admit I just tried them w/ local state rather than remote state. With noticing there are 20+ thump up to this issue, I do believe people ran into issues as described here. While to serve my or sinbai's troubleshooting, can anyone here provide more contexts in terms of step-by-step-repro-this-issue? In addition, it would be helpful if below info can be provided:
|
@mybayern1974
|
When I ran into this issue, I was using a |
@viper4u , I still could not repro after using remote states (use backend "azurerm") and using TF/AzureRM version you specified 😕. With seeing you mentioned 70% repro rate, I ran things 10 times and all of them succeeded. Below are my repro steps with .tf config
===outputs.tf===
@doug-papenthien-by , I also did similar things by using local state and follow your "I was using the resource ID returned by the data source to create additional azurerm_key_vault_secret". While I still could not repro. @ all here, do you see any usage/config difference between yours and mine above? |
@viper4u Thank you for your reply. Below are my repro steps. The issue can't be reproduced. Could you follow the stpes below to reproduce it? If not, could you provide the step-by-step to help me reproduce this issue? My Terraform (and AzureRM Provider) Version Steps
|
@sinbai @mybayern1974 |
@viper4u Mail log to [email protected], thank you. I will try to see if there are any findings in the log, but I think step-by-step-repro-this-issue is the key to investigating this issue. Thank you very much. |
@sinbai |
Can I access that Azure KeyVault? And could you share your script (contains the access token) with me to reproduce it on my side? |
What did you mean by "access token"? I use Service Principal auth |
I've sent all details to your mail |
Thank you. Per details provided, I cannot access the Azure KeyVault due to the access permissions. |
I've reproduced the issue with new keyvault
Step to reproduce:
|
@viper4u Per the log provided, I found the Azure keyVault cannot be found after setting the secret, Could you help confirm whether the keyvault exists after reproducing this issue? It is best to confirm through the following link: Notes:
In addition, could you also check the total resources count of your subscription? |
Results
|
Could you please share with me the screenshot of the above results and obscure sensitive information(Including parameter settings and respond body)? |
I submitted a PR that might solve this issue. Since I can’t reproduce this problem until now, I can’t verify it. Is anyone willing to build it and verify that this issue is fixed? The info to build a TF provider (on Windows) are as follows: Requirements: Using the locally compiled Azure Provider binary: Steps:
After References: |
everything is in one sub. only in different resource groups |
I just did that and it worked. It is literally copy paste from main module (I am using Azure CLI context as auth)
|
This comment was marked as outdated.
This comment was marked as outdated.
@Nemeczek Could you please try out my local branch of the provider, which changes the way of how to determine the Resource ID for the Key Vault at URL? To use that branch, please checkout it locally, and install it to somewhere. Then follow this page to setup terraform to using the locally built provider. If that works, then please let us know. |
FWIW, we experienced this a lot, we have taken to this workaround, this gets added to all our automation. Azure's response has been use Graph API. It seems that the eastus is the primary for Keyvault lookups since it is a global resource (not 100% sure). It seems to work regardless of the region.
|
I just experienced this issue, where the workaround of adding an aliased provider with same subscription as my default provider, and adding that provider to key vault and key vault secrets resources fixed the issue. |
Having the same issue. I use a module with multiple providers that contains two more modules. One of them is provisioning a keyvault in subscription A, the other one looks up a keyvault using a datasource from subscription B. When removing the module that fetches the keyvault from sub B, the deployment of keyvault to sub A works fine. Even though the apply fails the keyvault is deployed properly to sub A and I get an error that it already exists when running another apply. Using TF version 1.3.6 with azurerm V3.34.0, happy to provide trace logs if needed. Edit: Adding an additional provider that basically mirrors the default provider for the key vault as suggested above solves the issue. |
I upgrade azurerm to 3.41 and fixed the issue |
I am getting the same issue with azurerm_service_plan resource. I use a module to deploy a bunch of apps, everything works fine expect the app service plan resource fails with this error. if I run a plan/apply again it says a resource with same name already exists. When I refresh the azure portal, I see it. I deleted the app service plan from portal and retry this again, it fails with same error. It is a loop. It appears as if terraform is not able to reach azure api in time to see the created resource. I use three different providers in the module. I am using terraform 1.3.9 and azurerm version 3.45.0. it worked fine until few days ago with version 3.2.0 and it stopped working all of a sudden. I opened a support case with hashicorp and their recommendation is to use version latest of azurerm. So, I did that and it still does not work. pls help with this issue. |
I was getting the same error with azurerm version 3.13.0, then I moves to 3.45.0 and I managed to create the resource without getting an error. But now when I run a terraform apply the second time, it tries to create the same resource a second time , so I get an error that the resource already exists. When I checked the state file, I couldn't find the resource there after the second apply (it was there after the first successful apply) |
Thanks everyone for info here in this issue. Having different subscriptions in We also had this error:
In our case we use two providers for 2 different subscription -
This key vault ID was later used in a module to create The fix was to pass provider to the module, so the
|
We are experiencing the same kind of issue with the azurerm_app_service_certificate resource. We're passing in the fully qualified certificate secret ID (the only resource input related to the KV) but since the API to create call to Microsoft.Web/certificates requires the KV's resource ID, the provider has to try and resolve the resource ID. This is a big issue for us because the App Service Certificate will always be in a different subscription from the KV. In our case, if the azurerm_app_service_certificate accepted either kv_cert_secret_id or {kv id + cert name}, we could get around this ... or just a way to pass in the kv subscription id for it to use in the id resolution. |
I randomly for this error on one of our environments. Worked around by adding the lock manually into the statefile |
same here, when running it for the second time, I get the "already exists" error. Using azurerm 3.105.0. I haven't verified that but the error might be thrown when the secret was already once deleted. |
👋 hey folks We've recently updated the behaviour of the Key Vault cache such that we check both the Key Vaults List API and the same (old) Resources API that the current version of Azure CLI is currently using - and as such it'd be good to hear if this is still being encountered when using the latest version of the Provider? This fix is included in Thanks! |
I just hit this problem with version 3.108 of the provider. |
I tried it with 3.108 and it still doesn't work |
I've been experiencing this issue for a while.. Here's my current state
|
In my case I am using a time_rotating provider to set the expiration_date
|
we're still seeing this with v3.109.0. A similar one is mentioned here: #24948. And a potential fix was made here: hashicorp/go-azure-sdk#927 not for terraform-provider-azurerm, but for pandora. The root cause IMO is nextLink is not read(unmarshalled) properly from http repsonse, effectively causing the ExecutePaged function to return prematurely, leading ListBySubscriptionComplete to return 10(default size of a list call) keyvaults instead of the full list. The same thing applies to ListComplete, which has a bigger default size: 24. I verified locally that changing "NextLink *Link |
Hi @fy-openai , the custom pager ( x-ms-pageable.nextLinkName ) was handled in hashicorp/go-azure-sdk PR hashicorp/go-azure-sdk#1039 on Jun 28, and this was introduced to Azurerm at PR #26502 , released at 3.111.0 version (Jul 4) , so after this version the issue should be resolved. |
Confirmed fixed for me on 3.111.0 |
Ran into this issue again. Current versions include
|
Community Note
Terraform (and AzureRM Provider) Version
Terraform v0.14.8
AzureRM: terraform-provider-azurerm_v2.52.0_x5
Affected Resource(s)
azurerm_key_vault_secret
Terraform Configuration Files
Debug Output
Error: Provider produced inconsistent result after apply
When applying changes to azurerm_key_vault_secret.mysecretvalue,
provider "registry.terraform.io/hashicorp/azurerm" produced an unexpected new
value: Root resource was present, but now absent.
This is a bug in the provider, which should be reported in the provider's own
issue tracker.
Expected Behaviour
secret added to the keyvault
Actual Behaviour
The keyvault secret was added to the keyvault with the correct value, but the terraform apply failed with the error above. When re-running again, the new error is that the value already exists but isn't tracked in the terraform state
Steps to Reproduce
References
The text was updated successfully, but these errors were encountered: