Azure Linux VM change passes plan but fails on apply during API call

[davidjsanders]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.19

• provider.azurerm v1.40.0
• provider.null v2.1.2
• provider.random v2.2.1
• provider.template v2.1.2

Affected Resource(s)

• azurerm_virtual_machine

Terraform Configuration Files

  os_profile_linux_config {
    disable_password_authentication = var.vm.disable-password-auth

    ssh_keys {
      path     = "/home/${var.vm.admin-user}/.ssh/authorized_keys"
      key_data = var.azure-secrets.public-key
    }
  }

Debug Output (terraform plan)

      + os_profile_linux_config {
          + disable_password_authentication = false

          + ssh_keys {
              + key_data = "ssh-rsa *** OBFUSCATED ***"
              + path     = "/home/*** OBFUSCATED ***/.ssh/authorized_keys"
            }
        }
      - os_profile_linux_config {
          - disable_password_authentication = true -> null

          - ssh_keys {
              - key_data = "ssh-rsa *** OBFUSCATED ***" -> null
              - path     = "/home/*** OBFUSCATED ***/.ssh/authorized_keys" -> null
            }
        }
...
Plan: 0 to add, 1 to change, 0 to destroy.
------------------------------------------------------------------------
This plan was saved to: targets/dev-run
To perform exactly these actions, run the following command to apply:
    terraform apply "targets/dev-run"

Expected Behavior

The plan expects to change the resource because I had changed disable_password_authentication = var.vm.disable-password-auth and I expected the apply to work successfully.

Actual Behavior

The apply fails and produced the following output:

make apply
Acquiring state lock. This may take a few moments...
module.test-vm.azurerm_virtual_machine.vm[0]: Modifying... [id=/subscriptions/*** OBFUSCATED ***/resourceGroups/*** OBFUSCATED ***/providers/Microsoft.Compute/virtualMachines/VM-TEST-VM-1]

Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="PropertyChangeNotAllowed" Message="Changing property 'linuxConfiguration.disablePasswordAuthentication' is not allowed." Target="linuxConfiguration.disablePasswordAuthentication"

  on lib-virtual-machine/main.tf line 1, in resource "azurerm_virtual_machine" "vm":
   1: resource "azurerm_virtual_machine" "vm" {

Steps to Reproduce

1. Create any resource with azurerm_virtual_machine using Linux and set disable_password_authentication = False
2. Run the plan and apply
3. Change the resource and set disable_password_authentication = True
4. Run terraform plan
5. Run terraform apply

I think this should be trapped if it's not going to be honoured by Azure.

• #0000

[tombuildsstuff]

hey @dgsd-consulting

Thanks for opening this issue.

We're superseding for the existing azurerm_virtual_machine resource in 2.0 (more details can be found in #2807) since the existing resources no longer adequately represent the Azure API's (and can't easily be brought up to date without breaking existing users).

Version 1.43 of the Azure Provider introduces an opt-in Beta for these new resources, which includes fixes for this issue in the new resources - more details can be found in the Beta guide. Unfortunately we have no plans to backport these changes to the existing azurerm_virtual_machine resource since they've been superseded in 2.0 - however this is fixed in the new azurerm_linux_virtual_machine and azurerm_windows_virtual_machine resources.

Since this bug is fixed in the new resources and is available in a Beta form I'm going to close this Github issue for the moment - but since this is in the 2.0 Milestone @hashibot will comment when this goes "GA" (which'll happen in the coming weeks) at which point this should be resolved for the moment - we'll also post an update in #2807 when that happens.

Thanks!

[ghost]

This has been released in version 2.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.0.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!