Bug suspected in Microsoft API when enabling storage threat protection - error parsing URI #10179

Closed
peteneville opened this issue Jan 13, 2021 · 7 comments · Fixed by #10190

@peteneville

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Affected Resource(s)

Terraform v0.12.30
provider.azurerm v2.42.0

Terraform Configuration Files

resource "azurerm_advanced_threat_protection" "business" {
  target_resource_id = azurerm_storage_account.business.id
  enabled            = true
}

Debug Output

Panic Output

Expected Behaviour

Advanced Threat Protection should successfully be enabled for the given storage account

Actual Behaviour

Terraform errored with:

Error: [ERROR] Unable to parse Advanced Threat Protection Set ID "subscriptions/ece6...c45/resourceGroups/test_xyz_shared/providers/Microsoft.Storage/storageAccounts/xyzbusiness/providers/Microsoft.Security/advancedThreatProtectionSettings/current": Cannot parse Azure ID: parse "subscriptions/ece6...c45/resourceGroups/test_xyz_shared/providers/Microsoft.Storage/storageAccounts/xyzbusiness/providers/Microsoft.Security/advancedThreatProtectionSettings/current": invalid URI for request

Steps to Reproduce

  1. terraform apply

Important Factoids

State file showed the resource as tainted and looking closely we can see the leading '/' is missing on the id (ignore the ...):

  "mode": "managed",
  "type": "azurerm_advanced_threat_protection",
  "name": "business",
  "provider": "provider.azurerm",
  "instances": [
    {
      "status": "tainted",
    ...
        "id": "subscriptions/ece6...c45/resourceGroups/..../providers/Microsoft.Storage/storageAccounts/..../providers/Microsoft.Security/advancedThreatProtectionSettings/current",
        "target_resource_id": "/subscriptions/ece6...45/resourceGroups/..../providers/Microsoft.Storage/storageAccounts/...",

...
},

Updating the state file by adding the leading '/' and re-running the apply works.

Noticed that the unit test in resourceid_test.go checks for missing leading '/' so can only assume that the Microsoft API is broken.
Whilst this may not be a terraform provider bug, the community here should be aware and also might be in a position to help.

References

@sbl-matter

Thanks, I have the same problem with different versions of azurerm provider and terraform (2.14.0 and 0.12.29).

Is it safe to manually update the state file? Or should we wait for a fix?

@csdaraujo

Also happens when using TF 13 (13.5).

@peteneville
Author

> Thanks, I have the same problem with different versions of azurerm provider and terraform (2.14.0 and 0.12.29).
>
> Is it safe to manually update the state file? Or should we wait for a fix?

Hi, for a production system, I'd wait for a fix unless it's preventing an urgent change. Hopefully you can test on a non-production system / take a backup of the state file etc. if you needed to.

@danielbmeireles

danielbmeireles commented Jan 14, 2021

We were able to work around this issue by editing the state directly:

FROM:

      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "enabled": true,
            "id": "subscriptions/SUBSCRIPTION_ID/resourceGroups/RG_NAME/providers/Microsoft.Storage/storageAccounts/STRACC_NAME/providers/Microsoft.Security/advancedThreatProtectionSettings/current",
            "target_resource_id": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RG_NAME/providers/Microsoft.Storage/storageAccounts/STRACC_NAME",
            "timeouts": null
          },

TO:

      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "enabled": true,
            "id": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RG_NAME/providers/Microsoft.Storage/storageAccounts/STRACC_NAME/providers/Microsoft.Security/advancedThreatProtectionSettings/current",
            "target_resource_id": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RG_NAME/providers/Microsoft.Storage/storageAccounts/STRACC_NAME",
            "timeouts": null
          },

The problem is, every time someone runs the terraform apply, the IDs are replaced again.
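
The failure discussed in this thread, as an added example that is not part of the original issue or of the provider's code: a read-only Go check that parses a Terraform state file and reports instances whose `id` is rejected by `url.ParseRequestURI`, which produces the same "invalid URI for request" text quoted above when the leading '/' is missing. The sample state is constructed from the placeholders in the comment above; the top-level `resources` array and the names `FindBadIDs` and `Finding` are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample state using the placeholders from this thread; not a real state file.
const sampleState = `{"resources":[
 {"type":"azurerm_advanced_threat_protection","name":"business","instances":[{"status":"tainted","attributes":{
  "id":"subscriptions/SUBSCRIPTION_ID/resourceGroups/RG_NAME/providers/Microsoft.Storage/storageAccounts/STRACC_NAME/providers/Microsoft.Security/advancedThreatProtectionSettings/current"}}]},
 {"type":"azurerm_storage_account","name":"business","instances":[{"attributes":{
  "id":"/subscriptions/SUBSCRIPTION_ID/resourceGroups/RG_NAME/providers/Microsoft.Storage/storageAccounts/STRACC_NAME"}}]}]}`

// state mirrors only the fields this check reads from a state file (assumed layout).
type state struct {
	Resources []struct {
		Type, Name string
		Instances  []struct {
			Status     string
			Attributes struct{ ID string }
		}
	}
}
// Finding is one instance whose stored ID the URI parser rejects.
type Finding struct{ Address, Status, ParseErr, Suggested string }

// FindBadIDs lists instances whose "id" fails url.ParseRequestURI and proposes
// the ID with a single leading '/'. It only reads the state, never rewrites it.
func FindBadIDs(raw []byte) ([]Finding, error) {
	var s state
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err
	}
	var out []Finding
	for _, r := range s.Resources {
		for _, in := range r.Instances {
			id := in.Attributes.ID
			if _, err := url.ParseRequestURI(id); id != "" && err != nil {
				out = append(out, Finding{r.Type + "." + r.Name, in.Status, err.Error(), "/" + strings.TrimLeft(id, "/")})
			}
		}
	}
	return out, nil
}

func main() {
	fs, err := FindBadIDs([]byte(sampleState))
	fmt.Printf("%+v %v\n", fs, err)
}
```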

@jamescross91

For us (Terraform 13.5, AzureRM 2.36.0) this was solved by upgrading to AzureRM 2.40.0

@ghost

ghost commented Jan 14, 2021

This has been released in version 2.43.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.43.0"
}
# ... other configuration ...

@ghost

ghost commented Feb 14, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Feb 14, 2021