Redeployment for azure nva-into-existing-hub fails #425

Open
LukasAuSc opened this issue Nov 5, 2024 · 3 comments

@LukasAuSc

Hi,

Firstly, thank you for the implementations for different cloud providers and languages.
I am currently struggling with a strange issue when deploying the Terraform integration on Azure, nva-into-existing-hub.

The first deployment works perfectly fine, in under 10 min, but afterwards it tries to deploy again, and fails with the following error:

2024-11-05T12:36:35.614+0100 [ERROR] provider.terraform-provider-azurerm.exe: Response contains error diagnostic: @module=sdk.proto tf_proto_version=5.4 tf_req_id=864f4aa4-0ec7-b9db-478b-4d5b999de45d tf_resource_type=azurerm_managed_application @caller=/home/runner/work/terraform-provider-azurerm/terraform-provider-azurerm/provider/vendor/github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_severity=ERROR tf_rpc=ApplyResourceChange
  diagnostic_summary=
  | failed to create Application (Subscription: "***************"
  | Resource Group Name: "***************"
  | Application Name: "***************"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:
  |
  | Status: "Failed"
  | Code: "RoleAssignmentExists"
  | Message: "The role assignment already exists."
  | Activity Id: ""
  |
  | ---
  |
  | API Response:
  |
  | ----[start]----
  | {"id":"***************","name":"***************","resourceId":"***************","status":"Failed","startTime":"2024-11-05T11:21:21.1914472Z","endTime":"2024-11-05T11:36:34.8203636Z","error":{"code":"RoleAssignmentExists","message":"The role assignment already exists."}}
  | -----[end]-----
   tf_provider_addr=provider timestamp="2024-11-05T12:36:35.614+0100"
2024-11-05T12:36:35.616+0100 [ERROR] vertex "azurerm_managed_application.nva" error: failed to create Application (Subscription: "***************"
Resource Group Name: "***************"
Application Name: "***************"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:

Status: "Failed"
Code: "RoleAssignmentExists"
Message: "The role assignment already exists."
Activity Id: ""

What I was able to figure out is that with the first deployment the automatically created UAI vwan-managed-identity is being created and assigned as Managed Application Operator Role to the NVA.
With the second deployment, the above error comes up and the deployment fails after >15 min. When I delete the role assignment, the deployment works again smoothly, but when deploying it again, I get the same error.

If you can help me or point me in the right direction, I would greatly appreciate it. Since I cannot see into the application, unfortunately I am stuck here.

@chkp-natanelm
Collaborator

Hi @LukasAuSc,
Could you clarify what you mean by “deploy again”? Did you destroy the previous deployment and start over, or did you simply modify the parameters and re-run the Terraform template?
Thanks

@LukasAuSc
Author

Hi @chkp-natanelm, thank you for the quick response.
"Deploy again" really just means running the same apply command as before, not even modifying the parameters.
First it recognizes something as changed in the parameter_values, which looks like this:


  # azurerm_managed_application.nva will be updated in-place
  ~ resource "azurerm_managed_application" "nva" {
        id                          = "***************"
        name                        = "***************"
      ~ parameter_values            = (sensitive value)
        tags                        = {}
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

(shortened for readability), and then when running it, it fails with the above mentioned error.

And when I delete the role assignment, I can redeploy without issue. It looks to me like the role assignment is recreated with every apply step, even if it was created before. If it were Terraform code, I would say it has not been saved in the state, but I do not know how the managed application works.

@chkp-natanelm
Collaborator

Hi @LukasAuSc,
Thank you for the feedback.
We will investigate it, and update the issue with the progress.
