

@marosset marosset commented Aug 28, 2025

There has been a lot of drift between what is actually deployed in the azure CNCF sub and what is listed in the terraform config and this PR aims to reconcile that.

There were a few PRs that went stale such as

As well as other updates to address breaking changes in the terraform resource specifications.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/azure Issues or PRs related to Kubernetes Azure infrastructure area/provider/azure Issues or PRs related to azure provider labels Aug 28, 2025
@k8s-ci-robot k8s-ci-robot added sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 28, 2025
@marosset marosset changed the title Reconciling azure terraform state with what is actually deployed to azure WIP - Reconciling azure terraform state with what is actually deployed to azure Aug 28, 2025
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 28, 2025
@marosset marosset changed the title WIP - Reconciling azure terraform state with what is actually deployed to azure Reconciling azure terraform state with what is actually deployed to azure Sep 3, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 3, 2025
marosset commented Sep 3, 2025

OK - These changes should be ready to review.

Now when I run terraform plan I only see the following changes that will get applied:


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.capz_monitoring.azurerm_kubernetes_cluster.capz-monitoring will be updated in-place
  ~ resource "azurerm_kubernetes_cluster" "capz-monitoring" {
        id                                  = "/subscriptions/46678f10-4bbb-447e-98e8-d2829589f2d8/resourceGroups/capz-monitoring/providers/Microsoft.ContainerService/managedClusters/capz-monitoring"
        name                                = "capz-monitoring"
      ~ tags                                = {
          - "DO-NOT-DELETE" = "contact capz"
        } -> (known after apply)
        # (36 unchanged attributes hidden)

      ~ web_app_routing {
          ~ dns_zone_ids             = [
              ~ "/subscriptions/46678f10-4bbb-447e-98e8-d2829589f2d8/resourceGroups/capz-monitoring/providers/Microsoft.Network/dnszones/capz-monitoring.org" -> "/subscriptions/46678f10-4bbb-447e-98e8-d2829589f2d8/resourceGroups/capz-monitoring/providers/Microsoft.Network/dnsZones/capz-monitoring.org",
            ]
            # (2 unchanged attributes hidden)
        }

        # (6 unchanged blocks hidden)
    }

  # module.role_assignments.azurerm_role_assignment.acr_pull_private[0] has moved to module.role_assignments.azurerm_role_assignment.acr_pull_private
    resource "azurerm_role_assignment" "acr_pull_private" {
        id                                     = "/subscriptions/46678f10-4bbb-447e-98e8-d2829589f2d8/resourceGroups/capz-ci/providers/Microsoft.ContainerRegistry/registries/e2eprivatecommunity/providers/Microsoft.Authorization/roleAssignments/d555c53e-c50f-4d12-fec0-0c962a914404"
        name                                   = "d555c53e-c50f-4d12-fec0-0c962a914404"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

One is just a casing issue (dnszones -> dnsZones) and the other is a deleted tag, but the tag is in the terraform config, so I'm not entirely sure what is going on with that...
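Separating plan noise (a moved address, a case-only ID rename) from changes that need a human to look at them is something worth automating when reconciling drift. The script below is an added example, not code from this PR or from the kubernetes/k8s.io repo: it reads the document that `terraform show -json plan.out` emits and tags each changed attribute as a case-only rename, a value that is "known after apply", or a genuine change, and records resources that merely moved. SAMPLE_PLAN is constructed to mirror the plan pasted above; any attribute in it beyond those shown in the plan is an assumption.

```python
"""Sort the resource changes in a Terraform JSON plan into noise and real drift.

Added example (not the PR's or the repo's code). Input is the JSON written by
`terraform show -json plan.out`; SAMPLE_PLAN is constructed from the plan text
in the PR, with attributes beyond those shown there assumed.
"""
import json

SUB = "/subscriptions/46678f10-4bbb-447e-98e8-d2829589f2d8"
AKS = "module.capz_monitoring.azurerm_kubernetes_cluster.capz-monitoring"
ROLE = "module.role_assignments.azurerm_role_assignment.acr_pull_private"
ZONE = "/resourceGroups/capz-monitoring/providers/Microsoft.Network/%s/capz-monitoring.org"

# Constructed plan JSON (format_version 1.2, the shape `terraform show -json` writes).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": AKS, "mode": "managed",
            "type": "azurerm_kubernetes_cluster", "name": "capz-monitoring",
            "change": {
                "actions": ["update"],
                "before": {
                    "name": "capz-monitoring",
                    "tags": {"DO-NOT-DELETE": "contact capz"},
                    "web_app_routing": [{"dns_zone_ids": [SUB + ZONE % "dnszones"]}],
                },
                # "tags" is absent from "after": the plan marks it unknown until apply.
                "after": {
                    "name": "capz-monitoring",
                    "web_app_routing": [{"dns_zone_ids": [SUB + ZONE % "dnsZones"]}],
                },
                "after_unknown": {"tags": True},
            },
        },
        {
            "address": ROLE, "previous_address": ROLE + "[0]", "mode": "managed",
            "type": "azurerm_role_assignment", "name": "acr_pull_private",
            "change": {
                "actions": ["no-op"],
                "before": {"name": "d555c53e-c50f-4d12-fec0-0c962a914404"},
                "after": {"name": "d555c53e-c50f-4d12-fec0-0c962a914404"},
                "after_unknown": {},
            },
        },
    ],
})


def flatten(value, prefix=""):
    """Turn nested dicts/lists into {"a.0.b": leaf} so before/after line up."""
    out = {}
    if isinstance(value, dict):
        for k, v in value.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = value
    return out


def diff_resource(rc):
    """Classify every attribute that differs between before and after."""
    change = rc["change"]
    before = flatten(change.get("before") or {})
    after = flatten(change.get("after") or {})
    # after_unknown marks paths whose value is only known after apply.
    unknown = {p for p, v in flatten(change.get("after_unknown") or {}).items() if v is True}
    findings = []
    for path in sorted(set(before) | set(after)):
        b, a = before.get(path), after.get(path)
        if b == a:
            continue
        if any(path == u or path.startswith(u + ".") for u in unknown):
            kind = "known_after_apply"
        elif isinstance(b, str) and isinstance(a, str) and b.lower() == a.lower():
            kind = "case_only"  # e.g. dnszones -> dnsZones in an ARM resource ID
        else:
            kind = "changed"
        findings.append({"path": path, "before": b, "after": a, "kind": kind})
    return findings


def classify_plan(plan_text):
    """Return moves and, per non-no-op resource, its actions and findings."""
    plan = json.loads(plan_text)
    report = {"moves": [], "resources": {}}
    for rc in plan.get("resource_changes", []):
        if rc.get("previous_address"):
            report["moves"].append((rc["previous_address"], rc["address"]))
        actions = rc["change"]["actions"]
        if actions == ["no-op"]:
            continue
        report["resources"][rc["address"]] = {"actions": actions, "findings": diff_resource(rc)}
    return report


def needs_review(report):
    """Addresses where the plan is more than a move or a case-only rename."""
    out = []
    for address, info in report["resources"].items():
        destructive = "delete" in info["actions"] or "create" in info["actions"]
        kinds = {f["kind"] for f in info["findings"]}
        if destructive or "changed" in kinds or "known_after_apply" in kinds:
            out.append(address)
    return out


if __name__ == "__main__":
    rep = classify_plan(SAMPLE_PLAN)
    for old, new in rep["moves"]:
        print(f"moved: {old} -> {new}")
    for addr, info in rep["resources"].items():
        for f in info["findings"]:
            print(f"{addr}: {f['path']} [{f['kind']}] {f['before']!r} -> {f['after']!r}")
    print("needs review:", needs_review(rep))
```

Run against a real plan with `terraform plan -out plan.out && terraform show -json plan.out > plan.json` and feed the file to `classify_plan`. A "known after apply" on a tag that is present in the config (as in the plan above) is deliberately left in the needs-review list: it is not destructive, but it is exactly the kind of thing to explain before running apply.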

marosset commented Sep 3, 2025

/assign @jsturtevant @jackfrancis @nojnhuh

marosset commented Sep 4, 2025

I'm adding the terraform lock file because this is recommended by terraform:

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
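Committing `.terraform.lock.hcl` only pays off if CI actually checks it against the configuration's required providers. The checker below is an added example, not code from this PR or from the kubernetes/k8s.io repo: it parses the fixed shape that `terraform init` writes (a minimal regex parser for the lock file, not a general HCL parser) and reports providers that are required but not locked, locked without a version, or locked with only zip-archive (`zh:`) hashes and no `h1:` hash. SAMPLE_LOCK, its provider versions, its hashes and the `REQUIRED` mapping are all constructed, not values from the PR.

```python
"""Check .terraform.lock.hcl against the providers a configuration requires.

Added example (not the PR's or the repo's code). SAMPLE_LOCK and REQUIRED are
constructed; provider versions and hashes are placeholders, not real values.
"""
import re

SAMPLE_LOCK = '''\
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/azurerm" {
  version     = "4.3.0"
  constraints = "~> 4.0"
  hashes = [
    "h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version     = "3.6.0"
  constraints = ">= 3.0"
  hashes = [
    "zh:1111111111111111111111111111111111111111111111111111111111111111",
  ]
}
'''

# Constructed stand-in for the required_providers block of the configuration.
REQUIRED = {
    "registry.terraform.io/hashicorp/azurerm": "~> 4.0",
    "registry.terraform.io/hashicorp/random": ">= 3.0",
    "registry.terraform.io/hashicorp/null": "~> 3.0",
}

BLOCK_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(version|constraints)\s*=\s*"([^"]*)"', re.M)
HASH_RE = re.compile(r'"((?:h1|zh):[^"]+)"')


def parse_lock(text):
    """Map provider source -> {version, constraints, hashes} from a lock file."""
    providers = {}
    for source, body in BLOCK_RE.findall(text):
        attrs = dict(ATTR_RE.findall(body))
        providers[source] = {
            "version": attrs.get("version"),
            "constraints": attrs.get("constraints"),
            "hashes": HASH_RE.findall(body),
        }
    return providers


def check_lock(providers, required):
    """Return a list of problems; an empty list means the lock file is complete."""
    problems = []
    for source in required:
        entry = providers.get(source)
        if entry is None:
            problems.append(f"{source}: required but not in the lock file (run terraform init)")
            continue
        if not entry["version"]:
            problems.append(f"{source}: no version pinned")
        if not entry["hashes"]:
            problems.append(f"{source}: no hashes, nothing for terraform init to verify")
        elif not any(h.startswith("h1:") for h in entry["hashes"]):
            # zh: hashes only cover the registry zip; unpacked packages from a
            # filesystem mirror or plugin cache need an h1: hash to be verified.
            problems.append(f"{source}: only zh: hashes, add h1: hashes with terraform providers lock")
    for source in providers:
        if source not in required:
            problems.append(f"{source}: locked but no longer required (stale entry)")
    return problems


if __name__ == "__main__":
    for line in check_lock(parse_lock(SAMPLE_LOCK), REQUIRED):
        print(line)
```

In CI, pair this with `terraform init -lockfile=readonly`, which refuses to change the committed selections, so a provider bump can only land through a reviewed change to the lock file.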

Comment on lines +35 to +38
variable "subscription_id" {
  type        = string
  default     = "46678f10-4bbb-447e-98e8-d2829589f2d8"
  description = "Azure Subscription ID to use for the azurerm provider."
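Review bot: a hardcoded default for subscription_id means plan and apply target this subscription even when the az cli context is logged into a different one, which is fine for a single-subscription repo, but nothing rejects a mistyped value; consider adding a validation block that checks the GUID shape, e.g. `condition = can(regex("^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", var.subscription_id))`, so a wrong ID fails at plan time with a clear message rather than as an authentication error from the provider.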
Contributor

Not sure why you added this specifically, but just a note that I still had to switch my az cli login to the correct sub to run terraform init. But this does make it clear that this is the sub we wish to be operating on in the rest of the scripts.

Contributor Author

I was having issues where terraform wasn't picking up the subscription from my az cli login context.
I don't remember what exactly the error was but this fixed it.

@jsturtevant
Contributor

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 4, 2025
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jsturtevant, marosset
Once this PR has been reviewed and has the lgtm label, please assign xmudrii for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

marosset commented Sep 4, 2025

/assign @ameukam @BenTheElder @dims
Could you help us get this PR merged?
Thanks!
