azurerm_storage_data_lake_gen2_(filesystem,path) default acl mask clashing with tf state #11435
Comments
// cc @stuartleeks One more example of #10814
@favoretti thanks for linking, sorry I didn't realise this was a duplicate. So I did some further investigation on my test case above, and have managed to semi resolve my issue. After the resources are created....
Breaking down the acl:
Therefore if you declare your ace blocks for the resource as such:
Then running
So it would appear the ordering of the ace blocks is not an issue, as reordering the ace blocks does not cause a state mismatch. However, all of the default ACLs must be explicitly declared in your module to avoid a state mismatch. Whilst this works around the issue it makes the resource declaration extremely verbose.
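An order-insensitive drift check along the lines of the comment above, as an added example that is not part of the thread or the provider's code. It assumes the `[default:]type:id:permissions` ACL string form and the `scope`/`type`/`id`/`permissions` fields of an `ace` block; the function names and the sample ACL are constructed for illustration.

```python
from __future__ import annotations
from typing import NamedTuple

class Ace(NamedTuple):
    scope: str        # "access" or "default"
    type: str         # "user", "group", "mask" or "other"
    id: str           # "" for the owning user/group, mask and other
    permissions: str  # e.g. "r-x"

def parse_acl(acl: str) -> frozenset[Ace]:
    """Parse an ACL string of comma-separated [default:]type:id:perms entries."""
    entries = set()
    for raw in (part.strip() for part in acl.split(",")):
        if not raw:
            continue
        fields = raw.split(":")
        scope = "access"
        if fields[0] == "default":
            scope, fields = "default", fields[1:]
        if len(fields) != 3 or fields[0] not in {"user", "group", "mask", "other"}:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        if len(fields[2]) != 3:
            raise ValueError(f"bad permission string in: {raw!r}")
        entries.add(Ace(scope, *fields))
    return frozenset(entries)

def acl_drift(declared: list[dict], remote_acl: str) -> dict[str, list[Ace]]:
    """Compare declared ace blocks with the remote ACL as sets, ignoring order."""
    want = frozenset(
        Ace(d["scope"], d["type"], d.get("id", ""), d["permissions"]) for d in declared
    )
    have = parse_acl(remote_acl)
    return {
        "undeclared": sorted(have - want),  # on the resource, missing from config
        "unapplied": sorted(want - have),   # in config, missing on the resource
    }

# Constructed sample: an ACL string in the shape reported for a directory.
REMOTE = ("user::rwx,group::r-x,mask::r-x,other::---,"
          "default:user::rwx,default:group::r-x,default:mask::r-x,default:other::---")
# Constructed declaration: every entry present, in a different order.
FULL = [dict(scope=a.scope, type=a.type, id=a.id, permissions=a.permissions)
        for a in reversed(sorted(parse_acl(REMOTE)))]
# Constructed declaration: only the access entries, defaults left out.
ACCESS_ONLY = [d for d in FULL if d["scope"] == "access"]

if __name__ == "__main__":
    print(acl_drift(FULL, REMOTE))
    print(acl_drift(ACCESS_ONLY, REMOTE))
```

An empty result for the reordered declaration and four `default` entries under `undeclared` for the access-only one mirror the two observations in the comment.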
This functionality has been released in v3.39.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Community Note
Terraform (and AzureRM Provider) Version
Terraform v0.15.0
on windows_amd64
provider registry.terraform.io/hashicorp/azurerm v2.56.0
Affected Resource(s)
azurerm_storage_data_lake_gen2_filesystem
azurerm_storage_data_lake_gen2_path
Terraform Configuration Files
main.tf
variables.tf
Expected Behaviour
Once the storage account is created, the ACLs declared above should match with the default mask, so rerunning "terraform apply" should return:
Actual Behaviour
Once the storage account, filesystem and path are created, rerunning "terraform apply" detects a state change between the auto-applied Azure default mask ACLs and the declared ace blocks, despite them matching correctly:
Therefore every time you run "terraform apply" after creating the initial resources, Terraform will attempt to update and change the resource ACLs even though no changes are required, leading to a permanent out-of-sync state and slowing down deployments to make invalid changes.
Steps to Reproduce
terraform init
terraform apply
terraform apply
Important Factoids
For a new Data Lake Storage Gen2 container, the mask for the access ACL of the root directory ("/") defaults to 750 for directories and 640 for files (see Azure docs link below). These ACLs clash with the state of the ace blocks which are declared in Terraform, leading to a permanent out-of-sync state.
References