Terraform Plan and Azure Policy

joerg.lang · September 22, 2023, 9:04am

Hi all,
we are preparing to setup a new Azure Tenent completely from scratch with terraform and observing some strange thing on the Azure Policy configuration.

We have applied the Azure Policy configuration successfully and it’s working like it should.
But when we now run terraform plan again, we see following output.

Even after running terraform apply the output is still the same on the next plan.

Anyone an idea, why this is happening?
thanks
Joerg

apparentlymart · September 22, 2023, 10:09pm

Hi @joerg.lang,

I’m not familiar with this specific resource type, but this symptom seems like a provider bug.

Sometimes remote APIs allow multiple ways to describe the same situation, but when you read an object from the remote API the server “normalizes” the data into some preferred form.

In this case, it seems like the remote API permits parameter_values to be either null or an empty JSON object with equivalent meaning, but when reading from the API it normalizes null to be "{}" instead.

It’s part of a provider’s responsibility to compensate for this sort of normalization rule by noticing if the value returned by the remote system is just a different way to write the same information from the prior state, and then preserving the value from the prior state to avoid proposing a pointless action like the one shown in your screenshot.

It seems that the hashicorp/azurerm provider is lacking a rule to handle this particular situation, and so it’s treating "{}" and null as meaningfully different values, and so it thinks that you’ve changed this value outside of Terraform and is proposing to repair that difference by setting the argument back to null again.

If I’m correct about the above (which I might not be!) then a workaround for now would be to write your configuration so that it sets this argument to be "{}", or equivalently jsonencode({}), in any situation where your configuration would set it to null. (Leaving it totally unset is equivalent to setting it to null.)

That workaround is the best we can do with just changes to your configuration, and a real fix here will require changing the provider itself to include this normalization rule. I think there’s already an issue open for this here, which you could add an upvote reaction to if you agree that this issue is describing the problem you’ve encountered:

github.com/hashicorp/terraform-provider-azurerm

azurerm_policy_set_definition using jsonencode for parameters is throwing a perpetual change

opened 11:30AM - 01 Aug 23 UTC

danielfears

service/policy v/3.x

### Is there an existing issue for this? - [X] I have searched the existing iss…ues ### Community Note * Please vote on this issue by adding a :thumbsup: [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request * Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request * If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the [contribution guide](https://github.com/hashicorp/terraform-provider-azurerm/blob/main/contributing/README.md) to help. ### Terraform Version 1.5.4 ### AzureRM Provider Version 3.61.0 ### Affected Resource(s)/Data Source(s) azurerm_policy_set_definition ### Terraform Configuration Files ```hcl terraform { required_providers { azurerm = { source = "hashicorp/azurerm" version = "=3.61.0" } } required_version = ">= 0.13" } provider "azurerm" { features {} } ``` ### Debug Output/Panic Output ```shell Terraform will perform the following actions: # azurerm_policy_set_definition.policies will be updated in-place ~ resource "azurerm_policy_set_definition" "policies" { id = "/providers/Microsoft.Management/managementGroups/X/providers/Microsoft.Authorization/policySetDefinitions/X" name = "X" # (5 unchanged attributes hidden) ~ policy_definition_reference { - parameter_values = jsonencode({}) # (3 unchanged attributes hidden) } # (17 unchanged blocks hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ``` ### Expected Behaviour Terraform should return that there is no changes, as none of the values have been updated since last deployment. ### Actual Behaviour Terraform is reporting that there is 1 resource to change, as per the above log output. This happens on every subsequent run of Terraform plan or apply. ### Steps to Reproduce Terraform apply ### Important Factoids _No response_ ### References _No response_

joerg.lang · September 25, 2023, 5:54am

Many thanks for your awesome feedback, that was indeed the case.

I have add a comment with a little bit more description to whats “not working” and with the workaround.

Many thanks

Topic		Replies	Views
Recreate Azure resources without changing the code. Why? Azure azure	2	237	October 24, 2023
Policy_definition id output error Azure policy-as-code	0	236	April 16, 2023
Use lifecycle.ignore_changes on dynamic block Terraform azure , policy-as-code	2	5310	August 29, 2023
Value change to null not happening Terraform Providers	1	141	July 11, 2023
Using the property of an AzureRM resource as a string in JSON within Terraform Terraform	1	164	July 13, 2023

Terraform Plan and Azure Policy

Related topics