Resource recreation because location is unknown

I have the following code:

data "azurerm_resource_group" "this" {
  name = var.resource_group_name
}
resource "azurerm_cosmosdb_account" "this" {
  name                          = local.cosmos_account_name
  location                      = data.azurerm_resource_group.this.location
  [...]
}

Absolutely every time I run plan/apply it wants to recreate the whole cosmosdb account because:
location = "eastus" -> (known after apply) # forces replacement
But the location didn’t change, so I am a bit confused/annoyed with this behavior.

PS: I already tried to use location as a variable, but as the resource group is a data source, TF complains that I can’t set it, it needs to come from the data source.

What should I change to make this think work without recreating the whole account every time?

Can you show a more complete configuration, or the output of the plan? You have something preventing you from reading the azurerm_resource_group during the plan, and the full plan output or config will show why that is.

sure, here it is what’s showing in the output:

 <= data "azurerm_client_config" "current" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.mongo_cosmosdb.data.azurerm_resource_group.this will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_resource_group" "this" {
      + id         = (known after apply)
      + location   = (known after apply)
      + managed_by = (known after apply)
      + name       = "<redacted>"
      + tags       = (known after apply)
    }

  # module.mongo_cosmosdb.data.azurerm_subnet.private_endpoint_subnet will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_subnet" "private_endpoint_subnet" {
      + address_prefix                                = (known after apply)
      + address_prefixes                              = (known after apply)
      + default_outbound_access_enabled               = (known after apply)
      + id                                            = (known after apply)
      + name                                          = "<redacted>-subnet"
      + network_security_group_id                     = (known after apply)
      + private_endpoint_network_policies             = (known after apply)
      + private_link_service_network_policies_enabled = (known after apply)
      + resource_group_name                           = "<redacted>"
      + route_table_id                                = (known after apply)
      + service_endpoints                             = (known after apply)
      + virtual_network_name                          = "<redacted>"
    }

  # module.mongo_cosmosdb.data.azurerm_virtual_network.private_endpoint_virtual_network will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_virtual_network" "private_endpoint_virtual_network" {
      + address_space           = (known after apply)
      + dns_servers             = (known after apply)
      + guid                    = (known after apply)
      + id                      = (known after apply)
      + location                = (known after apply)
      + name                    = "<redacted>-vnet"
      + resource_group_name     = "<redacted>"
      + subnets                 = (known after apply)
      + tags                    = (known after apply)
      + vnet_peerings           = (known after apply)
      + vnet_peerings_addresses = (known after apply)
    }

# module.mongo_cosmosdb.azurerm_cosmosdb_account.this must be replaced
-/+ resource "azurerm_cosmosdb_account" "this" {
      + create_mode                                  = (known after apply)
      ~ endpoint                                     = "https://<redacted>.documents.azure.com:443/" -> (known after apply)
      ~ id                                           = "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.DocumentDB/databaseAccounts/<redacted>" -> (known after apply)
      ~ location                                     = "eastus" -> (known after apply) # forces replacement
        name                                         = "<redacted>"
      - network_acl_bypass_ids                       = [] -> null
      ~ primary_key                                  = (sensitive value)
      ~ primary_mongodb_connection_string            = (sensitive value)
      ~ primary_readonly_key                         = (sensitive value)
      ~ primary_readonly_mongodb_connection_string   = (sensitive value)
      + primary_readonly_sql_connection_string       = (sensitive value)
      + primary_sql_connection_string                = (sensitive value)
      ~ read_endpoints                               = [
          - "https://<redacted>-eastus.documents.azure.com:443/",
        ] -> (known after apply)
      ~ secondary_key                                = (sensitive value)
      ~ secondary_mongodb_connection_string          = (sensitive value)
      ~ secondary_readonly_key                       = (sensitive value)
      ~ secondary_readonly_mongodb_connection_string = (sensitive value)
      + secondary_readonly_sql_connection_string     = (sensitive value)
      + secondary_sql_connection_string              = (sensitive value)
        tags                                         = {
            "Application" = "<redacted>"
            "Environment" = "dev"
        }
      ~ write_endpoints                              = [
          - "https://<redacted>-eastus.documents.azure.com:443/",
        ] -> (known after apply)
        # (18 unchanged attributes hidden)

      ~ analytical_storage (known after apply)
      - analytical_storage {
          - schema_type = "FullFidelity" -> null
        }

      ~ backup {
          + tier                = (known after apply)
            # (4 unchanged attributes hidden)
        }


      ~ capacity (known after apply)

      ~ consistency_policy {
          - max_interval_in_seconds = 5 -> null
          - max_staleness_prefix    = 100 -> null
            # (1 unchanged attribute hidden)
        }

      - geo_location {
          - failover_priority = 0 -> null
          - id                = "<redacted>-eastus" -> null
          - location          = "eastus" -> null
          - zone_redundant    = false -> null
        }
      + geo_location {
          + failover_priority = 0
          + id                = (known after apply)
          + location          = "eastus"
          + zone_redundant    = false
        }

        # (1 unchanged block hidden)
    }

  # module.mongo_cosmosdb.azurerm_cosmosdb_mongo_database.this["<redacted>"] will be created
  + resource "azurerm_cosmosdb_mongo_database" "this" {
      + account_name        = "<redacted>"
      + id                  = (known after apply)
      + name                = "<redacted>-platform-app"
      + resource_group_name = "<redacted>-dev"
      + throughput          = (known after apply)
    }

Since you have multiple data sources all with the deferral reason of

(depends on a resource or a module with changes pending)

I’m guessing that your module.mongo_cosmosdb module call is using depends_on and declaring that everything inside that module depends on some other pending changes. This prevents Terraform from determining more precise dependencies, and must wait until all the referenced changes have been applied in order to read the data sources. Using depends_on like that is almost always a mistake, and there’s always some other way to structure the configuration to get a more precise result.

absolutely right, I had the mongodb module with depends_on for a keyvault module output its ID. Didn’t know that would cause such problem. thx for the help, it solved my problem…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.