terraform-provider-azurerm: Intermittent Error: Unable to locate Storage Account when RAGRS/RAZGRS account kind is used

When using GH Actions in combination with AzureRM and account_replication_type LRS you have the same problem. When I run the same terraform apply locally I don’t have any issues. Seems related to GH actions.

azrumrm version 3.12.0

resource "azurerm_storage_account" "redacted" {
  name                     = local.storage_account_name
  resource_group_name      = azurerm_resource_group.redacted.name
  location                 = azurerm_resource_group.redacted.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

@roehrijn / @andrey-dubnik - we’ve experienced this issue over the past month or so: We found that a call to the /resources?%24filter=resourceType+eq+%27Microsoft.KeyVault% endpoint provided different results depending on the region that serviced that ARM API call. Essentially if the X-Ms-Routing-Request-Id value was the same as the location of the resource, the call returned the key vault - but if not it sporadically would return an empty array. This had a downstream effect on the rest of the TF deployment as it treated the resource as missing. It would be interesting for you to check the X-Ms-Routing-Request-Id of your calls to see if there’s a correlation between successful and failed ones.

We have an open case with the ARM API team, and so far they’ve confirmed that it’s an issue with the ARM API cross-region Cache not being updated quick enough.

In terms of fixes / workarounds - they’re currently a bit limited:

• Recommendation from the API team is to use the Azure Resource Graph for list operations, which has a 1 minute SLO for replication. Potentially a pretty big change to the provider code.
• Wait for the replication issues to die down + backend to improve
• Find some way of manually targeting the ARM API at the location that contains the resource

cc: @stuartleeks

This is correct, terraform was able to obtain the keys and all the data for the account but the list api returned blanc hence the account can’t be found error.

There was another account in the sub which was having an issue originally so in total there are 2 accounts in there. After tagging at least one the second account also appeared in the api call.

Using azurerm 3.16.0, storage account type LRS, this happens fairly frequently.

This issue is also causing sleepless nights on our side here. What I can say so far: most likely this issue is caused by some race condition hitting sorts of ARM API limits. We’re experiencing this on a Terraform project with around 100 resources (1 storage account, 1 key vault, a lot of role assignments to them) and I’m not able to reproduce the issue in a smaller project. However, calling terraform apply -parallelism=1 seems to help.

Furthermore: We’re experiencing the very same behaviour also on Key Vaults (is switches randomly from Storage Account to Key Vault, whatever Terraform tries to access first). Here is a log example from that:

    2022-03-03T06:57:41.0852887Z 2022-03-03T06:57:40.565Z [INFO]  Starting apply for azurerm_key_vault_secret.githubtoken
    2022-03-03T06:57:41.0853464Z 2022-03-03T06:57:40.565Z [DEBUG] azurerm_key_vault_secret.githubtoken: applying the planned Update change
    2022-03-03T06:57:41.0854255Z 2022-03-03T06:57:40.567Z [INFO]  provider.terraform-provider-azurerm_v2.98.0_x5: preparing arguments for AzureRM KeyVault Secret update.: timestamp=2022-03-03T06:57:40.566Z
    2022-03-03T06:57:41.0854946Z 2022-03-03T06:57:40.567Z [DEBUG] provider.terraform-provider-azurerm_v2.98.0_x5: AzureRM Request: 
    2022-03-03T06:57:41.0855810Z GET /subscriptions/***/resources?%24filter=resourceType+eq+%27Microsoft.KeyVault%2Fvaults%27+and+name+eq+%27net-prod-839977%27&%24top=5&api-version=2020-06-01 HTTP/1.1
    2022-03-03T06:57:41.0856269Z Host: management.azure.com
    2022-03-03T06:57:41.0857164Z User-Agent: Go/go1.17.5 (amd64-linux) go-autorest/v14.2.1 Azure-SDK-For-Go/v61.4.0 resources/2020-06-01 HashiCorp Terraform/1.1.6 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/2.98.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
    2022-03-03T06:57:41.0857908Z X-Ms-Correlation-Request-Id: b01b3074-24a4-9613-dd3f-c0a93338159e
    2022-03-03T06:57:41.0858375Z Accept-Encoding: gzip: timestamp=2022-03-03T06:57:40.566Z
    2022-03-03T06:57:41.0859118Z 2022-03-03T06:57:40.635Z [ERROR] vertex "azurerm_key_vault_secret.githubtoken" error: Unable to determine the Resource ID for the Key Vault at URL "https://net-prod-839977.vault.azure.net/"
    2022-03-03T06:57:41.0860401Z 2022-03-03T06:57:40.635Z [DEBUG] provider.terraform-provider-azurerm_v2.98.0_x5: AzureRM Response for https://management.azure.com/subscriptions/***/resources?%24filter=resourceType+eq+%27Microsoft.KeyVault%2Fvaults%27+and+name+eq+%27net-prod-839977%27&%24top=5&api-version=2020-06-01: 
    2022-03-03T06:57:41.0861012Z HTTP/2.0 200 OK
    2022-03-03T06:57:41.0861306Z Cache-Control: no-cache
    2022-03-03T06:57:41.0861671Z Content-Type: application/json; charset=utf-8
    2022-03-03T06:57:41.0861971Z Date: Thu, 03 Mar 2022 06:57:39 GMT
    2022-03-03T06:57:41.0862330Z Expires: -1
    2022-03-03T06:57:41.0862605Z Pragma: no-cache
    2022-03-03T06:57:41.0863019Z Strict-Transport-Security: max-age=31536000; includeSubDomains
    2022-03-03T06:57:41.0863386Z Vary: Accept-Encoding
    2022-03-03T06:57:41.0863725Z X-Content-Type-Options: nosniff
    2022-03-03T06:57:41.0864181Z X-Ms-Correlation-Request-Id: b01b3074-24a4-9613-dd3f-c0a93338159e
    2022-03-03T06:57:41.0864686Z X-Ms-Ratelimit-Remaining-Subscription-Reads: 11997
    2022-03-03T06:57:41.0865152Z X-Ms-Request-Id: f6f7065a-d272-43ec-9bf3-526a820189ac
    2022-03-03T06:57:41.0865654Z X-Ms-Routing-Request-Id: WESTUS3:20220303T065740Z:f6f7065a-d272-43ec-9bf3-526a820189ac
    2022-03-03T06:57:41.0865936Z 
    2022-03-03T06:57:41.0866144Z {"value":[]}: timestamp=2022-03-03T06:57:40.634Z

Seem the workaround is to create a TAG on the storage account (via portal), after that the issue goes away and above API returns the value. More to it it started to return value for all the storage account in that sub which were having the issue…

suspect it is related to the call which comes back empty - https://docs.microsoft.com/en-us/rest/api/storagerp/storage-accounts/list

2022-02-03T16:14:30.610Z [DEBUG] provider.terraform-provider-azurerm_v2.94.0_x5: AzureRM Response for https://management.azure.com/subscriptions/264f194d-71cc-41d9-9bf4-c4f5456285e8/providers/Microsoft.Storage/storageAccounts?api-version=2021-04-01: 
HTTP/2.0 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Thu, 03 Feb 2022 16:14:30 GMT
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: fc3a2733-bb7a-9fdc-09e6-d9510d90bf10
X-Ms-Request-Id: 612cc49f-6921-4522-9a25-c7eaa4e7b3b2
X-Ms-Routing-Request-Id: EASTUS2:20220203T161430Z:612cc49f-6921-4522-9a25-c7eaa4e7b3b2

{"value":[]}: timestamp=2022-02-03T16:14:30.609Z