terraform-provider-azurerm: azurerm_backup_protected_file_share Unable to Create Due to Azure Internal Error
I am unable to create a backup protected file share using Terraform. I can create it without issue manually. I receive the following error:
Terraform Version
0.12.24
provider "azurerm" {
# Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
version = "=2.8.0"
subscription_id = "xxx"
features {}
}
Affected Resources
azurerm_backup_protected_file_share
Terraform Configuration Files
resource "azurerm_backup_protected_file_share" "share1" {
resource_group_name = azurerm_resource_group.rg.name
recovery_vault_name = azurerm_recovery_services_vault.vault.name
source_storage_account_id = azurerm_backup_container_storage_account.sa01_protection.storage_account_id
source_file_share_name = var.share_01_name
backup_policy_id = azurerm_backup_policy_file_share.policy.id
}
Issue
Error: Azure Backup operation status failed with status “Failed” (Vault “vaultname” Resource Group “vaultrg” Operation ID “xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx”): Microsoft Azure Backup encountered an internal error.
I reached out the Microsoft for support and received the following:
I see below difference when you enable backup job from Azure portal and Terraform. I suspect Friendly name “input” is causing issue with Terraform to enable backups.
From Azure Portal its using file share unique ID name to enable backup, which is successful.
2020-04-30 15:49:25.0439376 client request id is ‘xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx’ 3
2020-04-30 15:49:25.0440571 client app id is ‘xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx’ 3
2020-04-30 15:49:25.0441704 CorrelationRequestId is ‘xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx’ 3
2020-04-30 15:49:25.0442987 Request Method: PUT, Uri: https://pod01-manag1.cus.backup.windowsazure.com/backupmanagement/resources/******/backupFabrics/Azure/protectionContainers/storagecontainer;storage;stroagerg;fileshare/protectedItems/azurefileshare;xxxxx?api-version=2016-06-01 3
2020-04-30 15:49:25.0444218 the culture info is set to: en-US | Params: {Input Accept Languages = en} 3
Whereas, when you use Terraform, its adding as File share name, which failed.
2020-04-30 17:15:53.9530946 client request id is ‘xxxx’ 3
2020-04-30 17:15:53.9531809 client app id is ‘xxxx’ 3
2020-04-30 17:15:53.9532591 CorrelationRequestId is ‘xxxx’ 3
2020-04-30 17:15:53.9533626 Request Method: PUT, Uri: https://pod01-rrp1.cus.backup.windowsazure.com/Subscriptions/**/resourceGroups/**/providers/Microsoft.RecoveryServices/vaults/***/backupFabrics/Azure/protectionContainers/StorageContainer;***;***;***/protectedItems/AzureFileShare;***?api-version=2019-05-13 3
2020-04-30 17:15:53.9534533 the culture info is set to: en-US | Params: {Input Accept Languages = en-US} 3
I see that the API version has changed from 2016 to 2019. How can I know which API calls TF makes and how can I resolve this issue?
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 24
- Comments: 18 (1 by maintainers)
Commits related to this issue
- fix azurerm_backup_protected_file_share Unable to Create Due to Azure Internal Error #6762 azure file share backup protected item get by friendly name does not work in GA azure file share backups ins... — committed to nkiraly/terraform-provider-azurerm by nkiraly 4 years ago
- fix azurerm_backup_protected_file_share Unable to Create Due to Azure Internal Error #6762 azure file share backup protected item get by friendly name does not work in GA azure file share backups ins... — committed to nkiraly/terraform-provider-azurerm by nkiraly 4 years ago
Can confirm 2.46.1 works fine
There is a possible stop-gap solution by using the Azure CLI - you can use it using the
null_resourceand then using thelocal-execprovisioner.It’s not without problems:
destroycommand will error, so you will have to manually delete the backup first in the Azure portal.azinstalled and logged in on whatever machine you are runninglocal-execprovider is an anti-pattern, or at least a last resortI would advise against using the command outside Terraform (which was my initial thought). This is because if you rerun this command, it will fail. Therefore, running it in Terraform and appending it to the state makes a lot of sense.
However, as soon as this issue is fixed, I would strongly recommend changing it back to the officially supported resource.
There may be other configurations that work, but this works for me. For the record, I’m doing this on a Data Lake Gen2 account, but this also seems to work on normal storage accounts although I’ve done much less extensive testing on that.
@rajakesar With the recent GA release of Azure File shares backup, a unique identifier has been introduced for each file share and hence for protecting any share, the recommendation is to pass the unique Id of file share in the PUT call rather than friendly name. To fix the issue, you can follow the below steps:
1.Do GET backupprotectableItems API call for the vault that you want to use for configuring protection for file share. 2. Filter the response of above GET call with the friendly name attribute as the “friendly name of your file share”. 3. After filtering , the response object will have details only for the file share that you are trying to protect. The name attribute of this response is the unique ID for your file share. 4. Do a PUT protecteditems call using this unique ID rather than friendly name. This should configure protection successfully for your share.
Here are few links for your reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-file-share-rest-api#select-the-file-share-you-want-to-back-up
https://docs.microsoft.com/en-us/azure/backup/backup-azure-file-share-rest-api#enable-backup-for-the-file-share