terraform-provider-azurerm: Updating an `azurerm_automation_runbook` causes subsequent `terraform apply` to want to recreate the associated `azurerm_automation_job_schedule`

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform 0.13.3 and AzureRM Provider Version 2.24.0

Current providers:

- Using previously-installed hashicorp/time v0.5.0
- Using previously-installed hashicorp/tls v2.2.0
- Using previously-installed hashicorp/azurerm v2.24.0
- Using previously-installed hashicorp/azuread v0.11.0
- Using previously-installed hashicorp/random v2.3.0
- Using previously-installed hashicorp/null v2.1.2
- Using previously-installed hashicorp/external v1.2.0
- Using previously-installed hashicorp/local v1.4.0

Affected Resource(s)

azurerm_automation_job_schedule
azurerm_automation_runbook

Terraform Configuration Files

data "local_file" "sync_group_roles" {
  filename = "${path.module}/runbooks/sync-group-roles.ps1"
}

resource "azurerm_automation_runbook" "sync_group_roles" {
  name        = "Sync-Group-Roles"
  description = "Ensure members of Groups have the appropriate AD roles, since roles cannot be assigned to Groups."

  automation_account_name = azurerm_automation_account.account.name
  resource_group_name     = azurerm_resource_group.automation.name
  location                = azurerm_resource_group.automation.location

  runbook_type = "PowerShell"
  log_progress = false
  log_verbose  = false

  content = data.local_file.sync_group_roles.content

  tags = {
    "team" = local.automation_responsible_team
  }

  depends_on = [
    azurerm_automation_module.az_accounts,
    azurerm_automation_module.azuread,
    azurerm_automation_module.az_resources,
  ]
}

resource "azurerm_automation_schedule" "daily_ad_sync" {
  name = "Daily AD roles sync"

  automation_account_name = azurerm_automation_account.account.name
  resource_group_name     = azurerm_resource_group.automation.name

  frequency  = "Day"
  interval   = 1
  timezone   = local.timezone
  start_time = "${local.date_tomorrow}T07:00:00${data.external.timezone_offset.result["offset"]}"

  # Just making it explicit but from the documentation the start_time is only used on create.
  lifecycle {
    ignore_changes = [start_time]
  }
}

resource "azurerm_automation_job_schedule" "sync_group_roles" {
  automation_account_name = azurerm_automation_account.account.name
  resource_group_name     = azurerm_resource_group.automation.name

  schedule_name = azurerm_automation_schedule.daily_ad_sync.name
  runbook_name  = azurerm_automation_runbook.sync_group_roles.name
}

Expected Behavior

After an update on azurerm_automation_runbook no changes other than the runbook are done even on subsequent terraform apply

Actual Behavior

terraform apply after updating azurerm_automation_runbook

  # module.automation.azurerm_automation_job_schedule.sync_group_roles will be created
  + resource "azurerm_automation_job_schedule" "sync_group_roles" {
      + automation_account_name = "devops-automation"
      + id                      = (known after apply)
      + job_schedule_id         = (known after apply)
      + resource_group_name     = "AutomationRG"
      + runbook_name            = "Sync-Group-Roles"
      + schedule_name           = "Daily AD roles sync"
    }

Steps to Reproduce

Update configuration and/or content of azurerm_automation_runbook resource
terraform apply to update the runbook
terraform plan or terraform apply will now show that azurerm_automation_job_schedule needs be created.

References

This seems to be the exact same issue as #7130 which is supposed to be fixed in v2.21.0

About this issue

Original URL
State: open
Created 4 years ago
Reactions: 15
Comments: 19 (3 by maintainers)

Most upvoted comments

@Pesticles that’s really annoying there is gap between terraform plan and what terraform apply really does. One good news is I just found the cause of the issue and will submit a PR in the next few days(or weeks). Thank you for your detailed description and you patient waiting.

wuxu92 on Jun 12, 2023

Terraform 1.2.5 and AzureRM v3.15.0, still happening. Re-running plan and apply works for me, but now my workflow has to be run twice. Not ideal if I want to put this in a pipeline.

WaitingForGuacamole on Aug 11, 2022

Experiencing this as well @mybayern1974 using the latest version of TF

braunsonm on Sep 29, 2020

I think the underlying issue is that updating a runbook breaks the associated job schedules. I’ve been banging my head against the wall because after deploying a change to a runbook, when I go to look at the associated job schedules in the portal, all but one are missing and the one that remains has had all of the assigned parameter values stripped out of it.

After applying the runbook change, a second subsequent apply will refresh the state, which detects that the job schedules are missing or changed, and recreates them.

In my case, I’ve been trying to figure out a workaround that doesn’t require applying the configuration twice. Honestly, it would be fine if I could just force the job schedules to be recreated whenever a runbook is changed, but I haven’t been able to figure out anything along those lines.

P.S. this is using Terraform 14.9 with AzureRM v. 2.66.0

w3bward on Jul 7, 2021