New issues introduced by #8270 #8663
Comments
|
Hi @krowlandson thanks for this issue! This is very similar to this issue therefore I have made some similar fix for this issue: #8668 |
|
Just to add some more information for this as I see it didn't make the latest release. If I update my code to use an empty string # Dynamic configuration blocks
dynamic "policy_definition_reference" {
for_each = [
for item in each.value.template.policyDefinitions :
{
policyDefinitionId = item.policyDefinitionId
parameters = item.parameters
policyDefinitionReferenceId = item.policyDefinitionReferenceId
}
if try(length(each.value.template.policyDefinitions) > 0, false)
]
content {
policy_definition_id = policy_definition_reference.value["policyDefinitionId"]
parameter_values = try(length(policy_definition_reference.value["parameters"]) > 0, false) ? jsonencode(policy_definition_reference.value["parameters"]) : ""
reference_id = try(length(policy_definition_reference.value["policyDefinitionReferenceId"]) > 0, false) ? policy_definition_reference.value["policyDefinitionReferenceId"] : policy_definition_reference.value["policyDefinitionId"]
}
}Unfortunately, if I then destroy the Error: expanding `policy_definition_reference`: unmarshalling `parameter_values`: unexpected end of JSON input
on .terraform/modules/enterprise_scale/resources.policy_set_definitions.tf line 1, in resource "azurerm_policy_set_definition" "enterprise_scale":
1: resource "azurerm_policy_set_definition" "enterprise_scale" {Not sure whether this makes any difference to the fix, but thought might be worth sharing. |
|
This has been released in version 2.31.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.31.0"
}
# ... other configuration ... |
|
Thank you for this fix. I've been running a few more checks following this update, and we still got the following with our original code when running During ~ policy_definition_reference {
+ parameter_values = jsonencode({})
parameters = {}
policy_definition_id = "/providers/Microsoft.Management/managementGroups/tf/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-Sql-Tde"
reference_id = "ES-Deploy-Sql-Tde"
}
~ policy_definition_reference {
+ parameter_values = jsonencode({})
parameters = {}
policy_definition_id = "/providers/Microsoft.Management/managementGroups/tf/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-Sql-SecurityAlertPolicies"
reference_id = "ES-Deploy-Sql-SecurityAlertPolicies"
}
~ policy_definition_reference {
+ parameter_values = jsonencode({})
parameters = {}
policy_definition_id = "/providers/Microsoft.Management/managementGroups/tf/providers/Microsoft.Authorization/policyDefinitions/ES-Deploy-Sql-AuditingSettings"
reference_id = "ES-Deploy-Sql-AuditingSettings"
}During Error: expanding `policy_definition_reference`: cannot set both `parameters` and `parameter_values`
on .terraform/modules/enterprise_scale_custom/resources.policy_set_definitions.tf line 1, in resource "azurerm_policy_set_definition" "enterprise_scale":
1: resource "azurerm_policy_set_definition" "enterprise_scale" {Changing our default response from |
|
I have upgraded the TF provider to 2.31 and the error described above still occurs |
Could you please provide some details on how to reproduce your issue? |
|
Please refer to the entry from krowlandson: _If I update my code to use an empty string "" when no parameters are specified (see code snippet below), I am then able to correctly run terraform apply multiple times on an existing deployment without any changes being detected: Dynamic configuration blocksdynamic "policy_definition_reference" { My own workaround for the error is to delete the Initiative completely then redeploy |
|
I cannot reproduce this issue by using the following config (the definition of the policy set definition is the same, but I have to make up my own variable definitions) I tried the following steps:
|
|
do not perform step 3 if you are executing it as a separate command vs part of the apply |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
Community Note
Terraform (and AzureRM Provider) Version
Affected Resource(s)
azurerm_policy_set_definitionTerraform Configuration Files
The code below is used to create multiple Policy Set Definitions from a
listobjectlocal.es_policy_set_definitions_by_management_group. This list is generated dynamically 'per Management Group' based on a map of Policy Set Definitions to assign per Management Group. The Policy Set Definitions are written in native ARM and stored as.jsonfiles within our module, and loaded into Terraform using thefile()andjsondecode()functions.A typical
local.es_policy_set_definitions_by_management_groupobject looks like this:[ { resource_id = <calculated_resource_id_of_resource_to_create> scope_id = <resource_id_of_the_target_management_group> template = <hcl_object_representation_of_policy_set_definition_from_template_file> } ]The code used to deploy the Policy Set Definitions is as follows:
Much of the logic is to handle situations where a source Policy Set Definition template may not contain certain optional values, and we use a
dynamic blockto generate thepolicy_definition_referenceblock based on the template content.Following the updates released in v2.29.0 we have discovered a couple of issues which appear to be related as described below.
Issue Description
Below is an extract of our code before #8270:
Upon release of v2.29.0 we started to receive the following error:
We were able to narrow this down to the fact that since the changes introduced in #8270, the provider appears to no longer accept
nullfor optionalparametervalues. This usually isn't an issue and is a pattern we use in multiple places within our code.To fix this, we moved to the newly recommended parameter_values format which is actually beneficial to us as it simplifies the code as follows:
When no parameter value is provided in the original ARM template, we simply replace is with an empty JSON string
"{}"which is generated using the syntaxjsonencode(local.empty_map), wherelocals { empty_map = {} }.This initially appears to resolve the issue we were facing, however we've observed the following issues.
Issue 1
When trying to run
terraform applyfor the first time after the code update, Terraform wanted to update our Policy Set Definitions, but upon doing so we were faced with the following error:To work around this, we had to use
terraform taintto force redeployment, at which point the deployment completed successfully.Issue 2
Having got past the above issue, every time we try to run
terraform applywe get prompted to update any Policy Set Definitions where no parameters are defined, or"parameters": {}and when apply is confirmed, we repeatedly get the same error:Debug Output
Extract of debug at error point:
If you can access our Terraform Cloud logs, the latest failed run with debug enabled is under ID
run-oLJ9fvae2xdzu4dt.I previously tested using just an empty string
""as the default value, but this didn't work either.Panic Output
None.
Expected Behavior
Should be able to run
terraform applymultiple times and not have the apply update resources which haven't fundamentally changed, and complete without errors.Actual Behavior
As described above.
Steps to Reproduce
terraform applyImportant Factoids
We are running this in standard public Azure, and are using Terraform Cloud for the remote backend (including deployment).
References
The text was updated successfully, but these errors were encountered: