Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

r/storage_account: defaulting the value for dns_endpoint_type #25367

Merged
merged 1 commit into from
Mar 22, 2024

Conversation

tombuildsstuff
Copy link
Contributor

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave "+1" or "me too" comments, they generate extra noise for PR followers and do not help prioritize for review

Description

This field defaults to null if unset in the API response, therefore needs to be explicitly defaulted on our side

Fixes #25364

This field defaults to `null` if unset in the API response, therefore needs to be explicitly defaulted on our side
@neiser
Copy link

neiser commented Mar 22, 2024

@tombuildsstuff Thanks for fixing this so quickly. As #22583 was quite a dangerous change and was apparently released without notice, is there any further plan to devise automated checks protecting against such serious regressions?

Copy link
Member

@stephybun stephybun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @tombuildsstuff LGTM 👍

@tombuildsstuff
Copy link
Contributor Author

@neiser

As #22583 was quite a dangerous change and was apparently released without notice, is there any further plan to devise automated checks protecting against such serious regressions?

The root cause of this one is that the API returns null rather than a default value for this field when it's not explicitly configured. We run (a bunch) of automated tests, however, given that design choice this would have been hard to capture without doing upgrade testing (i.e. provision on the latest release [last week] and then against the branch introducing this change - and check there's no diff) but that's not possible to do in an automated manner at this point in time.

I suspect that were this resource fully using hashicorp/go-azure-sdk rather than the legacy Azure/azure-sdk-for-go then this bug would have been caught during development, however. This is because the legacy Azure/azure-sdk-for-go outputs this value as an string constant (that crucially is not a pointer/reference):

// DNSEndpointType - Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription, which creates accounts in an Azure DNS Zone and the endpoint URL will have an alphanumeric DNS Zone identifier. Possible values include: 'DNSEndpointTypeStandard', 'DNSEndpointTypeAzureDNSZone'
DNSEndpointType DNSEndpointType `json:"dnsEndpointType,omitempty"`

On the other hand hashicorp/go-azure-sdk correctly outputs this as an optional string constant, which would have meant we'd have done a change similar to this PR during development:

Whilst it's disappointing this bug slipped through (and we'll ship a fix once the tests have passed) - to be honest the behaviour of the Storage Accounts API is problematic here - if there's an implied default value for a field then (IMO) it should be returned rather than being null (so in this case anything created prior to v3.97.0 has a default value of Standard from the API, therefore imo the API should be returning that).

All that to say, apologies for the inconvenience here - it's unfortunate this slipped through, however I suspect that moving this resource towards hashicorp/go-azure-sdk would probably have helped pick this up during development (but it's hard to test this effectively in an automated manner given the behaviour of the API) - at any rate we'll look to get this resource fully ported over as soon as time allows, to try and help avoid this type of issue in the future.

Thanks!

@tombuildsstuff tombuildsstuff merged commit e0bf475 into main Mar 22, 2024
29 checks passed
@tombuildsstuff tombuildsstuff deleted the b/storage-account-dns-zone branch March 22, 2024 08:42
tombuildsstuff added a commit that referenced this pull request Mar 22, 2024
Copy link

This functionality has been released in v3.97.1 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@ChrisPetr0
Copy link

ChrisPetr0 commented Mar 22, 2024

Shouldn't release 3.97.0 be yanked completely? We don't have our version pinned and got caught with 3.97.0 attempting to wipe out multiple storage accounts. I'd hate to have someone inadvertently lose a production workload on this one. I appreciate the fix was released so quickly. Thanks

@DTurin-IH
Copy link

DTurin-IH commented Mar 22, 2024

Same issue, multiple storage accounts wiped out with 3.97.0, should have been yanked 4 sure. Thumbed up.

@neiser
Copy link

neiser commented Mar 22, 2024

@tombuildsstuff

without doing upgrade testing (i.e. provision on the latest release [last week] and then against the branch introducing this change - and check there's no diff) but that's not possible to do in an automated manner at this point in time.

I'm sure you're aware that the vast majority of users use the azurerm provider in exactly that way: Have infrastructure created with an old release, and then continue managing this infrastructure state with the newly released provider. So, in my opinion, having automated tests exactly for that main use case of your "customers" should be a very high priority.

I've built such end-to-end tests for infrastructure-as-code systems already, and they're tough when it comes to details, such as making them finish in less than a day without much flakiness 😺 But they really do pay off! Is there some public place where I could have a look at the current state of affairs regarding tests? I suppose you already have an Azure subscription/account to run azurerm provider against "the real thing" (aka Azure APIs)?

I also agree that you should really delete the release 3.97.0 as proposed by @ChrisPetr0.

lemeurherve referenced this pull request in jenkins-infra/azure Mar 25, 2024
<Actions>
<action
id="f410411e63aff4bb73a81c2aec1d373cf8a903e63b30dee2006b0030d8a94cc8">
        <h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
            <summary>Update Terraform lock file</summary>
<p>changes detected:&#xA;&#x9;&#34;hashicorp/azurerm&#34; updated from
&#34;3.96.0&#34; to &#34;3.97.1&#34; in file
&#34;.terraform.lock.hcl&#34;</p>
            <details>
                <summary>3.97.1</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.97.1&#xA;ENHANCEMENTS:&#xA;&#xA;*
`azurerm_nginx_deployment` - support for the `configuration` block
([#24276](https://github.com/hashicorp/terraform-provider-azurerm/issues/24276))&#xA;&#xA;BUG
FIXES:&#xA;&#xA;* `azurerm_data_factory_integration_runtime_self_hosted`
- ensure that autorizationh keys are exported
([#25246](hashicorp/terraform-provider-azurerm#25246
`azurerm_storage_account` - defaulting the value for `dns_endpoint_type`
to `Standard` when it&#39;s not returned from the Azure API
([#25367](https://github.com/hashicorp/terraform-provider-azurerm/issues/25367))&#xA;&#xA;&#xA;&#xA;</pre>
            </details>
        </details>
<a
href="https://infra.ci.jenkins.io/job/updatecli/job/azure/job/main/69/">Jenkins
pipeline link</a>
    </action>
</Actions>

---

<table>
  <tr>
    <td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
    </td>
    <td>
      <p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
      </p>
      <details><summary>Options:</summary>
        <br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
        <ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
        </ul>
        <p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
        </p>
      </details>
    </td>
  </tr>
</table>

Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
@tom-reinders
Copy link
Contributor

@tombuildsstuff Running a upgrade test every week before release sounds to me like something very useful to stop azurerm from making breaking changes in minor version changes all the time.

@marcindulak
Copy link

There is a another, recent #25244 which results in a breaking change due to handling of null values, opening the firewall of the app service.

I opened a meta issue #25394 about possibilities to improve this situation.

@phoehnel
Copy link

This currently leads to terraform re-creating storage-accounts on provider-update when dns_endpoint_type has been null before 3.97.1 and no explicit value is set in the configuration. This probably isn't ideal and should be considered a breaking change.

@sai-gunaranjan
Copy link
Contributor

#25424

@manicminer
Copy link
Contributor

manicminer commented Mar 27, 2024

@phoehnel I'm trying to look into this - would you be able to add any relevant reproduction info to #25424, as so far I am unable to reproduce this with v3.97.1. Thanks!

Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 27, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

New dns_endpoint_type property may delete storage accounts
10 participants