azurerm_subnet_network_security_group_association not applying #18724
Comments
|
@arbitmcdonald Thank you for submitting this! We have a nightly test case for the aadds resource, whose configuration is defined here: From the error message, it is something went wrong in Azure when it was checking connectivity internally, during the creation (long running) operation. That most likely because of the service side issue. So I would suggest you to raise an Azure support ticket by providing the By comparing the configurations between what is tested and yours, one possible cause might be the |
|
Thanks @magodo I'll reach out to their support. Interestingly the creation does succeed (within Azure) about an hour later, which is normal for AADDS. Its terraform that bombs out/fails, the resource creation still succeeds. I'll try with Enterprise next and see what happens. I really appreciate your detailed and helpful response! |
|
Just an update on this. I changed my SKU to see if it made a difference and the same error happened. |
|
I just had another swing at this, and rather than destroying all successfully created resources after the AADDS failure I thought it best to have a proper look around. Even though I told Terraform that the AADDS depends on the vNet, AADDS subnet, AADDS NSG, and AADDS NSG/subnet association, the association was not there in Azure. Terraform created the vNet, Subnet, and NSG, but it did not associate the NSG with the Subnet before creating AADDS. Root cause identified... issue still remains. Why is AADDS being created before Terraform associated the NSG with the subnet, when I specifically said AADDS depends on the NSG association? |
arbitmcdonald
changed the title
|
Update on this, I believe there's an issue with the provider, not with Azure, as Terraform reports the creation complete for my NSG association. Here's what happens:
If I manually update the nsg association (to apply the nsg to the subnet) while terraform is applying the plan at step 3 (after supposed creation of the nsg association, before AADDS creation), the Terraform apply succeeds and AADDS is created. Notable console messages:
Console output: |
Is there an existing issue for this?
Community Note
Terraform Version
1.3.2
AzureRM Provider Version
3.26.0
Affected Resource(s)/Data Source(s)
azurerm_active_directory_domain_service
Terraform Configuration Files
Debug Output/Panic Output
{"id":"/subscriptions/ea937dbe-1566-456f-aa68-47f18c44d93e/providers/Microsoft.AAD/locations/uksouth/operationResults/0d491852-d7f4-4687-a5fe-3410ba3a916f","name":"0d491852-d7f4-4687-a5fe-3410ba3a916f","status":"Creating","startTime":"0001-01-01T08:00:00Z","endTime":"0001-01-01T08:00:00Z","percentComplete":0.0}: timestamp=2022-10-12T16:53:01.104+0100 azurerm_active_directory_domain_service.primary: Still creating... [15m40s elapsed] azurerm_active_directory_domain_service.primary: Still creating... [15m50s elapsed] azurerm_active_directory_domain_service.primary: Still creating... [16m0s elapsed] 2022-10-12T16:53:31.110+0100 [DEBUG] provider.terraform-provider-azurerm_v3.26.0_x5.exe: AzureRM Request: GET /subscriptions/ea937dbe-1566-456f-aa68-47f18c44d93e/providers/Microsoft.AAD/locations/uksouth/operationResults/0d491852-d7f4-4687-a5fe-3410ba3a916f?api-version=2021-05-01 HTTP/1.1 Host: management.azure.com User-Agent: Go/go1.18.5 (386-windows) go-autorest/v14.2.1 hashicorp/go-azure-sdk/domainservices/2021-05-01 HashiCorp Terraform/1.3.2 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820 X-Ms-Correlation-Request-Id: 30b7687d-538e-4564-2be5-6acfd84f0498 Accept-Encoding: gzip: timestamp=2022-10-12T16:53:31.109+0100 2022-10-12T16:53:31.809+0100 [DEBUG] provider.terraform-provider-azurerm_v3.26.0_x5.exe: AzureRM Response for https://management.azure.com/subscriptions/ea937dbe-1566-456f-aa68-47f18c44d93e/providers/Microsoft.AAD/locations/uksouth/operationResults/0d491852-d7f4-4687-a5fe-3410ba3a916f?api-version=2021-05-01: HTTP/2.0 200 OK Cache-Control: no-cache Content-Type: application/json; charset=utf-8 Date: Wed, 12 Oct 2022 15:53:30 GMT Expires: -1 Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains Vary: Accept-Encoding X-Content-Type-Options: nosniff X-Ms-Correlation-Request-Id: 30b7687d-538e-4564-2be5-6acfd84f0498 X-Ms-Ratelimit-Remaining-Subscription-Reads: 11965 X-Ms-Request-Id: 67c3d721-6c30-4dc9-96ac-a048ebb3c7f7 X-Ms-Routing-Request-Id: UKSOUTH:20221012T155331Z:e5ffce89-2e34-4f69-b96f-4e076c628f06 {"id":"/subscriptions/ea937dbe-1566-456f-aa68-47f18c44d93e/providers/Microsoft.AAD/locations/uksouth/operationResults/0d491852-d7f4-4687-a5fe-3410ba3a916f","name":"0d491852-d7f4-4687-a5fe-3410ba3a916f","status":"Failed","startTime":"0001-01-01T08:00:00Z","endTime":"0001-01-01T08:00:00Z","percentComplete":0.0,"error":{"code":"InternalError","message":"Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986"}}: timestamp=2022-10-12T16:53:31.809+0100 2022-10-12T16:53:31.809+0100 [DEBUG] provider.terraform-provider-azurerm_v3.26.0_x5.exe: Unlocking "azurerm_active_directory_domain_service.redacted.onmicrosoft.com": timestamp=2022-10-12T16:53:31.809+0100 2022-10-12T16:53:31.811+0100 [DEBUG] provider.terraform-provider-azurerm_v3.26.0_x5.exe: Unlocked "azurerm_active_directory_domain_service.redacted.onmicrosoft.com": timestamp=2022-10-12T16:53:31.809+0100 2022-10-12T16:53:31.811+0100 [ERROR] provider.terraform-provider-azurerm_v3.26.0_x5.exe: Response contains error diagnostic: tf_provider_addr=provider tf_req_id=18c5d7a9-6269-1bc9-2647-c35cc562f167 tf_rpc=ApplyResourceChange diagnostic_detail= diagnostic_summary="creating/updating Domain Service (Name: "redacted.onmicrosoft.com", Resource Group: "RG-LWL-UKS-AADDS"): polling after CreateOrUpdate: Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986"" tf_proto_version=5.2 @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:56 @module=sdk.proto diagnostic_severity=ERROR tf_resource_type=azurerm_active_directory_domain_service timestamp=2022-10-12T16:53:31.809+0100 2022-10-12T16:53:31.811+0100 [ERROR] vertex "azurerm_active_directory_domain_service.primary" error: creating/updating Domain Service (Name: "redacted.onmicrosoft.com", Resource Group: "RG-LWL-UKS-AADDS"): polling after CreateOrUpdate: Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986" ╷ │ Warning: Applied changes may be incomplete │ │ The plan was created with the -target option in effect, so some changes requested in the configuration may have been ignored and the output values may not be fully updated. Run the following command to verify that no other changes are pending: │ terraform plan │ │ Note that the -target option is not suitable for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message. ╵ ╷ │ Error: creating/updating Domain Service (Name: "redacted.onmicrosoft.com", Resource Group: "RG-LWL-UKS-AADDS"): polling after CreateOrUpdate: Code="InternalError" Message="Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986" │ │ with azurerm_active_directory_domain_service.primary, │ on main.tf line 918, in resource "azurerm_active_directory_domain_service" "primary": │ 918: resource "azurerm_active_directory_domain_service" "primary" { │ ╵ 2022-10-12T16:53:31.828+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF" 2022-10-12T16:53:31.854+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.26.0/windows_386/terraform-provider-azurerm_v3.26.0_x5.exe pid=13276 2022-10-12T16:53:31.854+0100 [DEBUG] provider: plugin exitedExpected Behaviour
The creation should have continued for another hour or so, at which point Azure Active Directory Domain Services would have been created. This used to work perfectly, but I updated AzureRM and a ton of my config has been changed as a result due to breaking changes in the more recent version(s). I'm not sure if it's my config somehow at fault, or the provider.
Actual Behaviour
The creation runs for 15-16 minutes before throwing the following error: Error testing domain controller connectivity through PowerShell. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 20.26.9.56:5986
Steps to Reproduce
terraform plan -target="azurerm_active_directory_domain_service.primary" -out="aadds.tfplan"terraform.exe apply "aadds.tfplan"Also happens if I just run
terraform apply, but this config is a snippet of a much larger file. I usually create AADDS first, as it takes so long, and then spin up the rest of the plan. This also fails now.Important Factoids
No response
References
No response
The text was updated successfully, but these errors were encountered: