When applying azurerm_role_assignment with terraform resource is created but terraform state file is not updated #12113

Closed
pawel-akonom opened this issue Jun 8, 2021 · 8 comments

Comments

@pawel-akonom

pawel-akonom commented Jun 8, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform version: 0.13.7
provider registry.terraform.io/hashicorp/azurerm: v2.62.0

Affected Resource(s)

  • azurerm_role_assignment

Terraform Configuration Files

####### integration.tfvars #######

resource_group_name = "NBB-RG-APP-I-000002"
location = "West Europe"
aks_subnet_name = "NBB-SNT-APP-I-000002-AKS"
aks_subnet_address_prefix = "15.0.0.0/24"
aks_service_principal_object_id = "e8607dfb-3bca-4d68-976f-3db8382a4a8a"
storage_identity_name = "nbbidiapp00002"

####### network.tf #######

resource "azurerm_subnet" "akssubnet" {
  name                 = var.aks_subnet_name
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.infra.name
  address_prefixes     = [var.aks_subnet_address_prefix]
  service_endpoints    = ["Microsoft.Sql", "Microsoft.Storage", "Microsoft.ServiceBus"]
}

####### identities.tf #######

resource "azurerm_user_assigned_identity" "storageIdentity" {
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = var.storage_identity_name
}

####### roles.tf #######

resource "azurerm_role_assignment" "ra1" {
  scope                = azurerm_subnet.akssubnet.id
  role_definition_name = "Network Contributor"
  principal_id         = var.aks_service_principal_object_id
}

resource "azurerm_role_assignment" "ra2" {
  scope                = azurerm_user_assigned_identity.infraIdentity.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = var.aks_service_principal_object_id
}

resource "azurerm_role_assignment" "ra3" {
  scope                = azurerm_application_gateway.network.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.infraIdentity.principal_id
}

Debug Output

Panic Output

Error: Provider produced inconsistent result after apply

When applying changes to azurerm_role_assignment.ra1, provider
"registry.terraform.io/hashicorp/azurerm" produced an unexpected new value:
Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.


Error: Provider produced inconsistent result after apply

When applying changes to azurerm_role_assignment.ra2, provider
"registry.terraform.io/hashicorp/azurerm" produced an unexpected new value:
Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.


Error: Provider produced inconsistent result after apply

When applying changes to azurerm_role_assignment.ra3, provider
"registry.terraform.io/hashicorp/azurerm" produced an unexpected new value:
Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Expected Behaviour

All role assignments which are defined in the Terraform code are created, and the newly created resources are added to the Terraform state file. When trying to apply the same Terraform code a second time, Terraform does not try to create them because they already exist.

Actual Behaviour

All role assignments which are defined in the Terraform code are created, but the newly created resources are not added to the Terraform state file. When trying to apply the same Terraform code a second time, Terraform tries to create them again even though they already exist.

The following error appears when trying to create the same Terraform code a second time:

Status=409 Code="RoleAssignmentExists" Message="The role assignment already exists."

  on roles.tf line 6, in resource "azurerm_role_assignment" "ra1":
   6: resource "azurerm_role_assignment" "ra1" {

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleAssignmentExists" Message="The role assignment already exists."

  on roles.tf line 14, in resource "azurerm_role_assignment" "ra2":
  14: resource "azurerm_role_assignment" "ra2" {

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleAssignmentExists" Message="The role assignment already exists."

  on roles.tf line 21, in resource "azurerm_role_assignment" "ra3":
  21: resource "azurerm_role_assignment" "ra3" {

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@gbark13

gbark13 commented Jun 8, 2021

I am experiencing this issue as well. terraform import doesn't work to import the resource either. It will report success, but will not update the state file. azurerm version 2.61 works though.

@aristosvo
Collaborator

Hi @pawel-akonom @gregbarkerdcsg

I believe this is a duplicate of #12057; at least seven other issues covering this bug have been opened in the last few days. The PR fixing this problem is ready to be released as a hotfix version, v2.62.1.

Most information on how to solve your troubles can be found under #12060.

@magodo
Collaborator

magodo commented Jun 9, 2021

I'm gonna close this issue as it is fixed by #12076, which is delivered in v2.62.1. Please feel free to reopen if the issue remains.

@magodo magodo closed this as completed Jun 9, 2021
@pawel-akonom
Author

pawel-akonom commented Jun 9, 2021

I confirm that the issue has been fixed in provider registry.terraform.io/hashicorp/azurerm: v2.62.1

@justin-chizer

@pawel-akonom @magodo I updated to v2.62.1 and I'm still getting

Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleAssignmentExists" Message="The role assignment already exists."

Did I miss something? Thank you for your help :)

@aristosvo
Collaborator

Have you tried to remove the role assignment from the resource in Azure? Although Terraform failed, the role assignment itself is created.

You could try to import it as well, but the ID is a bit harder to come by than the average resource.

@justin-chizer

justin-chizer commented Jun 9, 2021

@aristosvo Sorry I should have been more specific. It did create the role assignment with no issues but now just shows the error. I will delete the role assignments tonight and try a terraform apply when we have some down time. Thank you again for getting this fixed!

EDIT:

tf import 'module.key_vault.azurerm_role_assignment.dev3["cportal"]' "/subscriptions/***/resourceGroups/***/providers/Microsoft.KeyVault/vaults/***/providers/Microsoft.Authorization/roleAssignments/***"

This import command worked for me. I found the resource ID with this one:

az role assignment list --scope /subscriptions/***/resourceGroups/***/providers/Microsoft.KeyVault/vaults/***
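
The recovery this thread arrives at (list the assignments at a scope, then `terraform import` the ones Terraform created but never recorded), as an added example that is not part of the original thread or the provider's code. The JSON is a constructed sample of `az role assignment list -o json` output; `plan_imports`, `DESIRED`, the resource addresses and all IDs are hypothetical.

```python
import json
import shlex

# Constructed sample of `az role assignment list --scope <scope> -o json`
# output; subscription, names and GUIDs are placeholders, not from the issue.
SUBNET = ("/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Network"
          "/virtualNetworks/vnet/subnets/aks")
RA = SUBNET + "/providers/Microsoft.Authorization/roleAssignments/"
SAMPLE_AZ_OUTPUT = json.dumps([
    {"id": RA + "11111111-1111-1111-1111-111111111111",
     "principalId": "AAAAAAAA-0000-0000-0000-000000000001",
     "roleDefinitionName": "Network Contributor",
     "scope": SUBNET.replace("/rg/", "/RG/")},  # casing may differ from config
    {"id": RA + "22222222-2222-2222-2222-222222222222",
     "principalId": "bbbbbbbb-0000-0000-0000-000000000002",
     "roleDefinitionName": "Owner",
     "scope": SUBNET},
])

def _key(scope, role, principal):
    # ARM resource IDs and GUIDs are case-insensitive; normalise before comparing.
    return (scope.rstrip("/").lower(), role.lower(), principal.lower())

def plan_imports(desired, az_json):
    """Return (import_commands, missing_addresses, untracked_assignment_ids)."""
    existing = {_key(a["scope"], a["roleDefinitionName"], a["principalId"]): a["id"]
                for a in json.loads(az_json)}
    commands, missing = [], []
    for d in desired:
        found = existing.pop(_key(d["scope"], d["role"], d["principal"]), None)
        if found:
            # Quote the address: module/for_each addresses contain [ " ] characters.
            commands.append("terraform import %s %s"
                            % (shlex.quote(d["address"]), shlex.quote(found)))
        else:
            missing.append(d["address"])
    # Whatever is left exists in Azure but is not declared in the configuration.
    return commands, missing, sorted(existing.values())

# Hypothetical desired state, shaped like the role assignments in roles.tf.
DESIRED = [
    {"address": 'module.net.azurerm_role_assignment.ra["aks"]', "scope": SUBNET,
     "role": "Network Contributor", "principal": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"address": "azurerm_role_assignment.ra2", "scope": SUBNET,
     "role": "Managed Identity Operator", "principal": "aaaaaaaa-0000-0000-0000-000000000001"},
]

if __name__ == "__main__":
    cmds, missing, untracked = plan_imports(DESIRED, SAMPLE_AZ_OUTPUT)
    print("\n".join(cmds)); print("missing:", missing); print("untracked:", untracked)
```

The third return value lists grants that exist at the scope but appear in no Terraform resource, which is the same drift this bug produced and is worth reviewing before importing or deleting anything.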

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 10, 2021