azurerm_subscription workload parameter 'does not match config value'

[cktwo]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.14.9

• provider registry.terraform.io/hashicorp/azurerm v2.54.0

Affected Resource(s)

• azurerm_subscription - workload

Terraform Configuration Files

resource "azurerm_subscription" "azureSubscription" {
  subscription_name = "testsub"
  billing_scope_id  = "/providers/Microsoft.Billing/billingAccounts/<BILLING_ACCOUNT_ID>/enrollmentAccounts/<ENROLLMENT_ACCOUNT_ID>"
  workload          = "DevTest"
}

Expected Behaviour

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subscription#workload

Terraform plan shows the provided workload parameter.
Subscription will be created using the provided (in this case "DevTest") workload.

Actual Behaviour

Subscription is created using the "Production" workload.

Terraform plan does not display the workload parameter at all:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.components.azurerm_subscription.azureSubscription will be created
  + resource "azurerm_subscription" "azureSubscription" {
      + alias             = (known after apply)
      + billing_scope_id  = "/providers/Microsoft.Billing/billingAccounts/<BILLING_ACCOUNT_ID>/enrollmentAccounts/<ENROLLMENT_ACCOUNT_ID>"
      + id                = (known after apply)
      + subscription_id   = (known after apply)
      + subscription_name = "testsub"
      + tags              = (known after apply)
      + tenant_id         = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Terraform plan using the trace parameter gives the following output:

...
2021/04/07 07:50:53 [WARN] Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for module.components.azurerm_subscription.azureSubscription, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .workload: planned value cty.NullVal(cty.String) does not match config value cty.StringVal("DevTest")
...

We tested the workload parameter with "Production" aswell with the same behaviour in the plan and debug output.

Steps to Reproduce

1. terraform plan/apply

[cktwo]

To get it to work we commented the lines 90-92 in the file '~/terraform-provider-azurerm/azurerm/internal/services/subscription/subscription_resource.go' and used the locally compiled provider for testing.

89 // Workload is not exposed in any way, so must be ignored if the resource is imported.
90 //DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
91 //      return old == ""
92 //},

After which the plan did not suppress the 'workload' parameter anymore and the subscription was created using the 'DevTest' workload.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.components.azurerm_subscription.azureSubscription will be created
  + resource "azurerm_subscription" "azureSubscription" {
      + alias             = (known after apply)
      + billing_scope_id  = "/providers/Microsoft.Billing/billingAccounts/<BILLING_ACCOUNT>/enrollmentAccounts/<ENROLLMENT_ACCOUNT>"
      + id                = (known after apply)
      + subscription_id   = (known after apply)
      + subscription_name = "testsub_local"
      + tags              = (known after apply)
      + tenant_id         = (known after apply)
      + workload          = "DevTest"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Could you please look into this, since we are unable to fully comprehend the purpose of this piece of code.
Was it only supposed to affect imported subscriptions (judged by the comment in line 89) or also the creation of a new subscription.

[cktwo]

Using the locally compiled provider the replacement of the previously created subscription using the official provider gave the following output:

module.components.azurerm_subscription.azureSubscription: Refreshing state... [id=/providers/Microsoft.Subscription/aliases/<SUBSCRIPTION_ALIAS>]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.components.azurerm_subscription.azureSubscription must be replaced
-/+ resource "azurerm_subscription" "azureSubscription" {
      ~ alias             = "<SUBSCRIPTION_ALIAS>" -> (known after apply)
      ~ id                = "/providers/Microsoft.Subscription/aliases/<SUBSCRIPTION_ALIAS>" -> (known after apply)
      ~ subscription_id   = "<SUBSCRIPTION_ID>" -> (known after apply)
      ~ tags              = {} -> (known after apply)
      ~ tenant_id         = "<TENANT_ID>" -> (known after apply)
      + workload          = "DevTest" # forces replacement
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Apparently the workload parameter was not used at all even though by my understanding of the documentation it should be set with "Production" as the default if not otherwise provided.

[jackofallops]

Thanks for raising this, we were previously unable to test DevTest subscriptions so this was something of a blind-spot. For info - the DiffSuppress is to help avoid diffs in edge cases, such as in Subscriptions where the workload property value is not readable from the API, and since it cannot be changed we needed to avoid this triggering a force new. In the case here it was unintentionally suppressing all values, meaning we always took the default. The PR above resolves this and I have successfully created a DevTest subscription.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.