azurerm_storage_container: migrating from storage_account_name to storage_account_id forces replacement #27942
Comments
|
The same issue occurs with the azurerm_storage_share resource. The following example also forces a replacement. |
|
Here's a quick fix until this is resolved:
|
|
We have also ran into the same issue (from the original post) and noticed that the container was destroyed in our lower environment. |
|
We are also seeing the |
|
you can re-import those Ressource, so that you dont have to re-create them. The Important Part is to use the resource_manager_id, not the url. if you do a Plan before, you can see the current resource_manager_id and use it in case of Blob. in my Tests, the resource_manager_id shown on File Shares was incorrect. on Position 10 it was printed with "fileshares" instead of "shares" |
|
I have too many repos to adjust state in all environments and the other workaround was not enough as adding the account_id is enough to trigger a replacement. I will postpone this version, is there any plan to implement a proper fix in the code? |
|
@peruzzof - Same here... this "migration" will be pain in the ass. │ This property has been deprecated and will be replaced by |
|
Seriously, this should just work. |
|
I can confirm that re-importing using the resource_manager_id attribute value rather than the URL as specified in the documentation does correctly import the resource and clears the replacement. |
|
The only option we have now is remove from state file and reimport the storage container and storage share resoure? |
|
linking the PR that deprecated the |
|
# azurerm_storage_container.tfstate must be replaced
# (imported from "https://example.blob.core.windows.net/tfstate")
# Warning: this will destroy the imported resource
-/+ resource "azurerm_storage_container" "tfstate" {
container_access_type = "private"
~ default_encryption_scope = "$account-encryption-key" -> (known after apply)
encryption_scope_override_enabled = true
~ has_immutability_policy = false -> (known after apply)
~ has_legal_hold = false -> (known after apply)
~ id = "https://example.blob.core.windows.net/tfstate" -> (known after apply)
~ metadata = {} -> (known after apply)
name = "tfstate"
~ resource_manager_id = "/subscriptions/******resourceGroups/tfstate/providers/Microsoft.Storage/storageAccounts/example/blobServices/default/containers/tfstate" -> (known after apply)
+ storage_account_id = "/subscriptions/******/resourceGroups/tfstate/providers/Microsoft.Storage/storageAccounts/example" # forces replacement
- storage_account_name = "example" -> null # forces replacement
}
Plan: 1 to import, 1 to add, 0 to change, 1 to destroy. |
|
When you do the import, use the value from "resource_manager_id" instead of the ID/URL (disregard the documentation) |
Oh, thanks! I'll try it. |
|
Adding to this issue, as I am using Terraform format in both local (Ubuntu 24.04) and GIthub Actions workflows, the checks will fail/interrupt deployments because my environments cannot decide which it prefers. Storage_account_id is too new for my terraform on Ubuntu 24.04/22.04 (WSL) but storage_account_name is too old (and, doesn't just throw a passable warning) on the Github Actions terraform fmt -check and errors. This is a new behavior apparently, and unlike other 'depreciated' configs is causing issues |
|
Since REF: #28023 |
|
Here's my effort to consolidate the full workaround solution until this is properly fixed:
|
|
Hi folks 👋 Just wanted to clarify this change, and the reason for the addition of the new property. The For broader context: this is part of an effort to separate out, and reduce the use of, Data Plane APIs in the Resource Manager Provider. We understand the value of Resources and Data Sources that are only available via Data Plane and have no comparable RM alternative, so we are continuing to support these where possible and splitting out the Data Plane functionality from RM based resources. For example, the new I'll take a look at adding some additional guidance on this to the resource(s) documentation, since it's apparent this was not sufficiently well explained. Hope that helps. |
|
@jackofallops that's all fine and a laudable goal, however you haven't addressed the issue at the core of this ticket which is that the new attribute appears to be mandatory, and forces a resource replacement. It seems to me that a change of this type would have been better implemented as a new resource, whilst deprecating the old one. |
|
For basic use cases it can be done in a single step with HCL as follows: # resource "azurerm_storage_container" "original" { # The original code needs to be commented.
# name = var.container_name
# storage_account_name = var.sa_name
# container_access_type = "private"
# }
removed {
from = azurerm_storage_container.original
lifecycle {
destroy = false
}
}
resource "azurerm_storage_container" "new" {
name = var.container_name
storage_account_id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s", var.subs_id,var.rg_name, var.sa_name)
container_access_type = "private"
lifecycle {
ignore_changes = [ storage_account_name ]
}
}
import {
to = azurerm_storage_container.new
id = format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s", var.subs_id,var.rg_name, var.sa_name, var.container_name)
}
After applying changes remove lifecycle block, and import and removed blocks. |
Is not yet mandatory, it will be at version 5.x. You still can continue using the SA name, and you will receive a warning. @jackofallops I think that it will be necessary to track down places in where the "old" container id may be used, and figure it out what to do. |
Thanks @CorrenSoft - Issues with details are always welcome ❤️ . We're working on this as an extended piece of work, and dealing with the down-stream complications as we uncover them (some we are already aware of). The initial work was shipped to unblock users that couldn't use the resource at all in it's previous state, and we're running along behind it working to update things to be compatible, or have option to be able to use either until 5.0. Thanks again! |
|
Might be useful to know that AWS tried something very similar a while back and this was not received well at all by the community - They eventually had to implement a more graceful solution. State migrations are a painful action to take for a lot of folks and can have numerous consequences downstream. If possible, I would recommend a more graceful solution is explored here. |
|
Why not simply allowing both and storing both in the statefile? Making it ok to supply the id AND the name, but internally you can use the id if you need to. Would make the transition more smoooth. |
|
@patsmitty Let's hope a permanent fix is implemented soon. There's too many instances where this needs to be updated and it takes a lot of work with the workaround. |
|
Tried to compose the information and provide a guide for the manual migration: https://gist.github.com/magodo/386c3ff5a9acd4cf6eb76540d39b2e84 |
|
Joy, another series of |
|
As others already pointed out the simple solution here is to do:
locals {
// Insert your values here
subscription_id = ""
resource_group_name = ""
storage_account_name = ""
storage_container_name = ""
}
import {
id = "/subscriptions/${local.subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Storage/storageAccounts/${local.storage_account_name}/blobServices/default/containers/${local.storage_container_name}"
to = azurerm_storage_container.your_container_name
}
resource "azurerm_storage_container" "your_container_name" {
// ...
}
|
+1 for this. |
|
The quality of azurerm provider is below acceptable. This change, unless carefully observed is 100% data loss. |
|
There might be good reasons to do this, underlaying api blabla we get that. The problem is:
This is not a good thing... |
|
@jackofallops · he/him Some attention to this would be wonderful. |
|
Just want to add this here in case anyone trips up at the same place I did. The documentation states to use the https endpoint of the container (in my case) to import the resource: This will result in the |
|
@eklesel Yes, it's two problems really:
|
|
The happy path causing data destruction if proper controls and monitoring is not there is plain bad and unacceptable. I wonder how much damage it will cause. This really should be fixed. |
|
I can confirm that the issue is present in the version |
and others
Is there an existing issue for this?
Community Note
Terraform Version
1.9.8
AzureRM Provider Version
4.9.0
Affected Resource(s)/Data Source(s)
azurerm_storage_container
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
I expect that when we get promted by a warning that:
thestorage_account_nameproperty has been deprecated in favour ofstorage_account_idand will be removed in version 5.0 of the Provider.I then would expect that when we change from using thestorage_account_nameto thestorage_account_idthat it will not try to recreate the storage account but just plan with 0 changes.Actual Behaviour
When running a plan I get the message that the
azurerm_storage_accounthas to be recreated because we have added thestorage_account_idproperty and that we have removed thestorage_account_nameSteps to Reproduce
Create a new storage account and a new storage container where you use the
storage_account_nameproperty to reference the storage account. After the resources have been created, try to change from using thestorage_account_nameto thestorage_account_idand observe the plan output.Important Factoids
No response
References
No response
The text was updated successfully, but these errors were encountered: