Linux VM Plan Success with Password Set While Password Authentication is Disabled #17769

Open
1 task done
munavirch opened this issue Jul 27, 2022 · 1 comment

Comments

@munavirch

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.4

AzureRM Provider Version

3.14.0

Affected Resource(s)/Data Source(s)

azurerm_linux_virtual_machine

Terraform Configuration Files

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_network_interface" "example" {
  name                = "example-nic"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "example" {
  name                = "example-machine"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]

  admin_password = "password"

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }
}

Debug Output/Panic Output

╷
│ Error: At least one `admin_ssh_key` must be specified when `disable_password_authentication` is set to `true`
│
│   with azurerm_linux_virtual_machine.vm[0],
│   on main.tf line 33, in resource "azurerm_linux_virtual_machine" "vm":
│   33: resource "azurerm_linux_virtual_machine" "vm" {
│
╵

Expected Behaviour

Terraform plan should fail depending on whether ssh key is set or password is provided while password authentication is disabled.

Actual Behaviour

Terraform plan is successful if password is set while password authentication is disabled.

Steps to Reproduce

terraform plan
terraform apply

Important Factoids

No response

References

No response

@munavirch munavirch added the bug label Jul 27, 2022
@github-actions github-actions bot removed the bug label Jul 27, 2022
@myc2h6o
Contributor

myc2h6o commented Jul 29, 2022

Hi @munavirch, thanks for opening the issue! Like the validations between other property combinations, the validation between admin_ssh_key and disable_password_authentication is done in the Create/Update method, which is invoked only during apply, not during plan. This validation could be moved to CustomizeDiff, but that would cause an issue when the field value is captured from another resource property which is known only after apply (during plan it is always empty). As a result, we put this kind of validation in the Create/Update method.
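
An added example, not part of the issue thread or the provider's code: a plan-time check that can run in CI over the output of `terraform show -json`, reporting the combination discussed above and giving values that are known only after apply their own verdict instead of failing on them. The function name `check_linux_vm_auth` and the sample plan are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json tfplan`; not taken from the issue.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "azurerm_linux_virtual_machine.example", "type": "azurerm_linux_virtual_machine",
  "change": {"actions": ["create"], "after_unknown": {"id": true},
   "after": {"admin_password": "password", "disable_password_authentication": true,
             "admin_ssh_key": []}}},
 {"address": "azurerm_linux_virtual_machine.dynamic_key", "type": "azurerm_linux_virtual_machine",
  "change": {"actions": ["create"], "after_unknown": {"admin_ssh_key": true},
   "after": {"admin_password": null, "disable_password_authentication": true}}},
 {"address": "azurerm_linux_virtual_machine.keyed", "type": "azurerm_linux_virtual_machine",
  "change": {"actions": ["create"], "after_unknown": {},
   "after": {"admin_password": null, "disable_password_authentication": true,
             "admin_ssh_key": [{"username": "adminuser", "public_key": "ssh-rsa CONSTRUCTED"}]}}},
 {"address": "azurerm_resource_group.example", "type": "azurerm_resource_group",
  "change": {"actions": ["create"], "after_unknown": {}, "after": {"name": "example-resources"}}}
]}
""")

def check_linux_vm_auth(plan):
    """Return (address, verdict, detail) for each planned azurerm_linux_virtual_machine."""
    results = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if rc.get("type") != "azurerm_linux_virtual_machine" or after is None:
            continue  # other resource types, or a pure delete
        unknown = change.get("after_unknown") or {}
        # Values computed from other resources are absent from "after" and flagged here.
        if any(unknown.get(k) is True for k in ("admin_ssh_key", "disable_password_authentication")):
            results.append((rc["address"], "unknown", "value known only after apply"))
            continue
        # Assumption: an unset flag is treated as true, as the issue's error output implies.
        disabled = after.get("disable_password_authentication")
        disabled = True if disabled is None else disabled
        if disabled and not after.get("admin_ssh_key"):
            has_pw = after.get("admin_password") is not None or unknown.get("admin_password") is True
            detail = "no admin_ssh_key while disable_password_authentication is true"
            if has_pw:
                detail += "; admin_password is set but password login is disabled"
            results.append((rc["address"], "fail", detail))
        else:
            results.append((rc["address"], "ok", ""))
    return results

if __name__ == "__main__":
    for address, verdict, detail in check_linux_vm_auth(SAMPLE_PLAN):
        print(f"{verdict:8} {address} {detail}")
```

The `unknown` verdict is the case the comment describes: the plan cannot decide it, so a pipeline can either let it through to the apply-time validation or require review.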
