Provider produced inconsistent result after apply: azurerm_management_lock

[EvaDonnermayer]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.5

AzureRM Provider Version

3.70.0

Affected Resource(s)/Data Source(s)

azurerm_management_lock

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.70.0"
    }
  }
  backend "azurerm" {}
  required_version = ">= 1.0.11"
}

...

resource "azurerm_management_lock" "main" {
  name       = "acr-lock"     
  scope      = azurerm_container_registry.main.id
  lock_level = "CanNotDelete"
  notes      = "Prevent accidental deletion of the resource"    
}

Debug Output/Panic Output

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ azurerm_management_lock.main, provider
│ "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an
│ unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Expected Behaviour

The lock should be created and written in the remote backend.

Actual Behaviour

The resource is created but not gathered in the statefile and thus not known by terraform.

Steps to Reproduce

terraform init
terraform plan
terraform apply

Important Factoids

No response

References

No response

[neil-yechenwei]

Thanks for raising this issue. Seems I can't repro this issue with below tf config that is similar with yours. Could you try below tf config to see if the issue still exists? Thanks.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-ml-test01"
  location = "westeurope"
}

resource "azurerm_container_registry" "test" {
  name                = "testacccrtest01"
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location
  sku                 = "Basic"
  network_rule_set    = []
}

resource "azurerm_management_lock" "test" {
  name       = "acctestlock-test01"
  scope      = azurerm_container_registry.test.id
  lock_level = "CanNotDelete"
  notes      = "Prevent accidental deletion of the resource"
}

Result:

[SamyMmr1]

Hello, same issue here, i couldn't say since when, we are using:

terraform {

  required_version = ">=0.12"

  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "~>3.70"
    }
  }

  backend "azurerm" { }
}

provider "azurerm" {
  features {
  
  }
}

resource "azurerm_storage_account" "storage" {
  name                          = var.staName
  resource_group_name           = var.rgName
  location                      = var.location
  account_tier                  = var.account_tier
  account_replication_type      = var.account_replication_type
  enable_https_traffic_only     = true
  access_tier                   = "Hot"
  min_tls_version               = "TLS1_2"
  public_network_access_enabled = true

  blob_properties {
    delete_retention_policy {
      days = var.blob_soft_delete_retention_days
    }
    container_delete_retention_policy {
      days = var.container_soft_delete_retention_days
    }
    versioning_enabled       = false
    last_access_time_enabled = var.last_access_time_enabled
    change_feed_enabled      = false
  }
  
  tags = var.tags
}

resource "azurerm_storage_container" "container" {
  name                          = "tfstates"
  storage_account_name          = azurerm_storage_account.storage.name
  container_access_type         = "blob"
  depends_on = [ azurerm_storage_account.storage ]
}

resource "azurerm_management_lock" "storage_account_lock" {
  name       = "${var.staName}-lock"
  scope      = azurerm_storage_account.storage.id
  lock_level = "CanNotDelete"
  notes      = "Used to store tfstates, to prevent deletion."
  depends_on = [ azurerm_storage_account.storage ]
}

Which results in the following error during the apply:

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ module.storage[0].azurerm_management_lock.storage_account_lock, provider
│ "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced an
│ unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

[SamyMmr1]

FYI, just did the test again, and in fact the constraint on the provider version version = "~>3.25" was not locked on the minor version, choosing in fact the last version 3.70 which seems bugged. Downgrading to the 3.25.x by changing the version to version = "~>3.25.0" solved the issue.

Edit1: Also tried the 3.69 which worked without issue btw.

[ClaudiaBaur]

We run version 3.65 and run into the issue multiple times in our validation tests. We have collected the tf debug log which belongs to the test, if this helps to understand the root cause. MSFT support pointed us to you to work on a solution.

[rosenkranzt]

tf.log.zip
Adding the logs to this issue occuring with version 3.65 as my colleague ClaudiaBaur mentioned before.

[nemobis]

FWIW, the workaround for me is to manually delete the log and run terraform apply again; the second attempt succeeds.

[stevehaynes]

We were seeing this on provider version 3.72.0. Pretty sure it was fixed by #23345 (part of 3.75.0).

No issues for us after updating to that provider version. Management locks also take significantly longer to create now - close to 2 minutes now compared to a few seconds before. That's not a problem, just more evidence that the provider is properly waiting for the resource to finish creating before returning.

[rcskosir]

Thanks for taking the time to submit this issue. It looks like this has been resolved as of #23345. As such, I am going to mark this issue as closed. If that is not the case, please provide additional information including the version in which you are still experiencing this issue, thanks!

[Prabu1997]

Hello Team,

we are getting the above error recently.

Code

terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.51.0"
}
resource "azurerm_management_lock" "lock_vnet" {
provider = azurerm.spoke
name = " ${var.vnet}-lock"
scope = azurerm_virtual_network.spoke_vnet.id
lock_level = "ReadOnly"
notes = "Managed by Network Team"
}

Resources are created in the azure portal but not sure code builds are failing.

output

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to
│ module.d36_spoke["centralus_vnet"].azurerm_management_lock.lock_vnet[0],
│ provider
│ "provider["registry.terraform.io/hashicorp/azurerm"].dzprod"
│ produced an unexpected new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.