Failure to delete the parent Azure Firewall Policy #21641
Comments
Hi @KuznecovSemen, as the log below shows, there are two child policies and both of them were deleted successfully. Do you mean there are other child policies except these two?
@wuxu92 No, there are no other policies. In the terraform output we see that the policies have been deleted, but in fact one of them has been deleted and the other one still exists.
Hi, @rcskosir
Hi all, dev from Azure Firewall here. Just a reminder that HashiCorp owns this code and we only contribute code when we can.

From a quick glance at the provider itself, there are no checks / explicitly stated dependencies between child/parent policies in the terraform code. I'm not deeply familiar with the internals of terraform code, but I have a feeling that there isn't great dependency support between for loops and modules between these. This could be tested by not using modules and using a single, let's call it "block", of terraform. You'd want to make sure that each child policy has an explicit depends_on to the parent.

Also, a HUGE HUGE help would be to use the TRACE logs explained here: https://developer.hashicorp.com/terraform/internals/debugging. Just make sure you clean out all your credentials before providing the logs. Basically, for us to track these requests in ARM we need the correlation/trace ids that are provided by the ARM client within the azurerm-provider, and they cannot be accessed without making the log level more detailed. At the trace level we should also see all of the dependencies between nodes within terraform.

We may be able to "hack" the delete action of the resource by polling the delete state of the parent policy id before deleting the child, but these are just thoughts.
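The log-sharing step requested in the comment above (remove credentials, keep the ARM correlation ids), as an added example that is not part of the original thread or of the provider's code. It assumes the log was captured with `TF_LOG=TRACE` and `TF_LOG_PATH` set; the function names, the secret patterns (not exhaustive) and the sample log lines are constructed for illustration.

```python
import re

# Secrets that can show up in HTTP traces. Assumed patterns, not exhaustive:
# review the redacted log by eye before posting it publicly.
SECRET_PATTERNS = [
    # Authorization header carrying a bearer token
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    # OAuth form or JSON fields (client_secret=..., "access_token":"...")
    (re.compile(r'(?i)((?:client_secret|access_token|refresh_token|password)'
                r'"?\s*[=:]\s*"?)[^&\s",}]+'), r"\1[REDACTED]"),
    # Any bare JWT (three base64url segments) left elsewhere on the line
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "[REDACTED_JWT]"),
]

# ARM response headers that let the service team find the request on their side
CORRELATION = re.compile(
    r"(?i)\b(x-ms-correlation-request-id|x-ms-request-id):\s*([0-9a-f-]{36})")

def redact_line(line):
    for pattern, replacement in SECRET_PATTERNS:
        line = pattern.sub(replacement, line)
    return line

def redact_log(text):
    return "\n".join(redact_line(line) for line in text.splitlines())

def correlation_ids(text):
    """Return (header, id) pairs in order of first appearance, de-duplicated."""
    seen, ordered = set(), []
    for header, value in CORRELATION.findall(text):
        key = (header.lower(), value.lower())
        if key not in seen:
            seen.add(key)
            ordered.append(key)
    return ordered

# Constructed sample lines (simplified shape, placeholder ids and secrets)
SAMPLE_LOG = """\
[DEBUG] POST /tenant/oauth2/token grant_type=client_credentials&client_secret=S3cr3t~Constructed.Value&resource=x
[DEBUG] {"token_type":"Bearer","access_token":"eyJhbGciOi.eyJhdWQi.c2ln"}
[DEBUG] DELETE /subscriptions/SUB_ID/.../firewallPolicies/child-1
[DEBUG] Authorization: Bearer eyJhbGciOi.eyJzdWIi.c2lnbmF0dXJl
[DEBUG] x-ms-correlation-request-id: 11111111-2222-3333-4444-555555555555
[DEBUG] x-ms-request-id: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
"""

if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
    print(correlation_ids(SAMPLE_LOG))
```

The correlation ids survive redaction unchanged, so the redacted file is still enough for the service team to locate the DELETE calls.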
Hello @bewatersmsft, unfortunately this is not true; in our code each child policy depends on the parent policy.
@geek-rb can you provide a reference to your terraform as well, if it's not what @KuznecovSemen posted? Also, I was expecting to see the actual execution of the destroy. When I had run it in the past I was able to see all the requests that the azurerm provider was making to ARM. Also, for instance, I want to make sure that a line like https://gist.github.com/geek-rb/8e2f37a6a3323757851f166a9b0365e4#file-tf_output-log-L2485 is not an issue.
@bewatersmsft the terraform code is the same as what @KuznecovSemen posted.
Update with a test from 09/05/2023 with version 3.71.0 of the provider: the issue still exists. https://gist.github.com/geek-rb/626d052aac8884b9007de3203a9ad0bd
Is there an existing issue for this?
Community Note
Terraform Version
1.4.6
AzureRM Provider Version
3.35.0
Affected Resource(s)/Data Source(s)
resource "azurerm_firewall_policy"
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
When terraform destroy is executed, the child policies should be deleted first, and then the parent policy.
Actual Behaviour
The terraform output shows that all of the child policies have been deleted; they disappear from the tfstate file. In fact, one of the child policies is deleted and the other remains in existence, which leads to an error when deleting the parent policy.
Steps to Reproduce
No response
Important Factoids
No response
References
No response