azurerm_windows_virtual_machine_scale_set perpetual diff with extension protected_settings

[hbuckle]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.14.11

• provider registry.terraform.io/hashicorp/azurerm v2.60.0

Affected Resource(s)

• azurerm_windows_virtual_machine_scale_set

Terraform Configuration Files

resource "azurerm_windows_virtual_machine_scale_set" "node_type" {
  name                     = "extension"
  resource_group_name      = azurerm_resource_group.extension.name
  location                 = azurerm_resource_group.extension.location
  admin_username           = "azureuser"
  admin_password           = var.admin_password
  license_type             = "None"
  custom_data              = null
  upgrade_mode             = "Automatic"
  computer_name_prefix     = "prefix"
  instances                = 0
  sku                      = "Standard_E8s_v3"
  priority                 = "Regular"
  overprovision            = false
  single_placement_group   = true
  enable_automatic_updates = false
  provision_vm_agent       = true

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "datacenter-core-20h2-with-containers-smalldisk-g2"
    version   = "Latest"
  }

  automatic_os_upgrade_policy {
    disable_automatic_rollback  = false
    enable_automatic_os_upgrade = false
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }

  network_interface {
    name    = "primary"
    primary = true

    ip_configuration {
      name      = "primary"
      primary   = true
      subnet_id = var.subnet_id
    }
  }

  extension {
    name                       = "init"
    publisher                  = "Microsoft.Compute"
    type                       = "CustomScriptExtension"
    type_handler_version       = "1.10"
    auto_upgrade_minor_version = true
    protected_settings = jsonencode({
      commandToExecute = "powershell -NonInteractive -NoProfile -Command exit 0"
    })
  }
}

Actual Behaviour

Now that inline extensions are a set if you add an extension with protected_settings you get a perpetual diff

Terraform will perform the following actions:

  # azurerm_windows_virtual_machine_scale_set.node_type will be updated in-place
  ~ resource "azurerm_windows_virtual_machine_scale_set" "node_type" {
        name                                              = "extension"
        tags                                              = {}
        # (22 unchanged attributes hidden)



      - extension {
          - auto_upgrade_minor_version = true -> null
          - name                       = "init" -> null
          - provision_after_extensions = [] -> null
          - publisher                  = "Microsoft.Compute" -> null
          - type                       = "CustomScriptExtension" -> null
          - type_handler_version       = "1.10" -> null
        }
      + extension {
          + auto_upgrade_minor_version = true
          + name                       = "init"
          + protected_settings         = (sensitive value)
          + provision_after_extensions = []
          + publisher                  = "Microsoft.Compute"
          + type                       = "CustomScriptExtension"
          + type_handler_version       = "1.10"
        }



        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

1. terraform apply
2. terraform plan

Important Factoids

Looking at the old resource there was a custom Set function - https://github.com/terraform-providers/terraform-provider-azurerm/blob/84d710e21fca7abcf36f513f1c278c3151721fb1/azurerm/internal/services/compute/virtual_machine_scale_set_resource.go#L774

I guess this needs to be added to the new resource as well

[magodo]

@hbuckle This is issue relates to #11425. After changing the extension from List to Set, the code below doesn't work any more:
https://github.com/terraform-providers/terraform-provider-azurerm/blob/3dbd4a80597e8ff362ea4e051252cdd91af97874/azurerm/internal/services/compute/virtual_machine_scale_set.go#L1671-L1676

[mivica]

Hi, I am also observing this issue using Terraform v1.0.1 and AzureRM v2.68.0. Can anyone tell when will this get fixed?

[Va55ago]

Same here using terraform v1.0.1 & azurerm v2.68.0.

Any extension with protected settings causes the VMSS to be updated on every apply, even if nothing has changed.

[hbuckle]

Just needs the linked pull request, but it seems to be impossible to get a review on it 😢

[rem-aj]

Hi @mbfrahry will the fix be pushed out in the 2.79 release?

[rem-aj]

Hi @katbyte any thoughts on when this fix will be released? I just noticed it was removed from from the last 3 milestones.
Thanks!

[magodo]

@rem-aj This issue should have been fixed by #13440 (since v2.79.0). Would you please confirm that, or you encounter other issues?

[mivica]

I am still observing this behaviour using azurerm v2.81.0.

[magodo]

@mivica I've just tested locally using v2.81.0. I apply with the config above and run a terraform plan afterwards, it shows no plan diff. Would you please kindly provide a detailed repro step so that I can dig into?

[github-actions]

This functionality has been released in v2.83.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[rem-aj]

Hi @katbyte the bot mentioned this has been released in version 2.83, however there's an update from you it's moved to 2.84 and the issue is still "open", so I assume we have to wait for .84 then? Seems the bot note is inaccurate?

[Va55ago]

I've tried this out today (using terraform v1.0.8 & azurerm v2.83.0) and it successfully recognised that there were no changes to my VMSS.

Based on that, I think the bot is right and this was released in v2.83.0.

Thanks @magodo :)

[tombuildsstuff]

fixed via #13440

[github-actions]

This functionality has been released in v2.88.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.