azurerm plugin crashes when creating AVM application insights resource with minimum permissions

[maniSbindra]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.7

AzureRM Provider Version

3.115.0, 3.117.0

Affected Resource(s)/Data Source(s)

azurerm_application_insights

Terraform Configuration Files

module "application_insights" {
  source                        = "Azure/avm-res-insights-component/azurerm"
  version                       = "0.1.4"
  resource_group_name           = var.resource_group_name
  workspace_id                  = var.log_analytics_workspace_resource_id
  name                          = var.name
  location                      = var.location
  local_authentication_disabled = var.local_authentication_disabled
  internet_ingestion_enabled    = var.internet_ingestion_enabled
  internet_query_enabled        = var.internet_query_enabled
  tags                          = var.tags
  enable_telemetry              = var.enable_telemetry
}

provider "azurerm" {
  features {}
}

terraform {
  required_version = ">= 1.9.6, < 2.0.0"
  required_providers {

    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.114.0, < 4.0.0"
    }
    # tflint-ignore: terraform_unused_required_providers
    modtm = {
      source  = "Azure/modtm"
      version = "~> 0.3"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5"
    }
  }
}

# this fails on both provider versions 3.115.0 and 3.117.0 when using service principle with minimal permission to do the terraform apply. When logging in to az-cli with owner permissions this works fine. The permissions used are
## logging in with service principal having following permissions can be used to replicate this issue:
# "Microsoft.Authorization/policyAssignments/delete",
# "Microsoft.Authorization/policyAssignments/read",
# "Microsoft.Authorization/policyAssignments/write",
# "Microsoft.Authorization/roleAssignments/delete",
# "Microsoft.Authorization/roleAssignments/read",
# "Microsoft.Authorization/roleAssignments/write",
# "Microsoft.ContainerRegistry/registries/PrivateEndpointConnectionsApproval/action",
# "Microsoft.ContainerRegistry/registries/delete",
# "Microsoft.ContainerRegistry/registries/operationStatuses/read",
# "Microsoft.ContainerRegistry/registries/read",
# "Microsoft.ContainerRegistry/registries/write",
# "Microsoft.Insights/components/delete",
# "Microsoft.Insights/components/read",
# "Microsoft.Insights/components/write",
# "Microsoft.Insights/diagnosticSettings/delete",
# "Microsoft.Insights/diagnosticSettings/read",
# "Microsoft.Insights/diagnosticSettings/write",
# "Microsoft.Insights/privateLinkScopes/delete",
# "Microsoft.Insights/privateLinkScopes/read",
# "Microsoft.Insights/privateLinkScopes/write",
# "Microsoft.Insights/workbooks/delete",
# "Microsoft.Insights/workbooks/read",
# "Microsoft.Insights/workbooks/write",
# "Microsoft.KeyVault/vaults/PrivateEndpointConnectionsApproval/action",
# "Microsoft.KeyVault/vaults/delete",
# "Microsoft.KeyVault/vaults/read",
# "Microsoft.KeyVault/vaults/write",
# "Microsoft.Network/natGateways/delete",
# "Microsoft.Network/natGateways/join/action",
# "Microsoft.Network/natGateways/read",
# "Microsoft.Network/natGateways/write",
# "Microsoft.Network/networkSecurityGroups/delete",
# "Microsoft.Network/networkSecurityGroups/join/action",
# "Microsoft.Network/networkSecurityGroups/read",
# "Microsoft.Network/networkSecurityGroups/securityRules/delete",
# "Microsoft.Network/networkSecurityGroups/securityRules/read",
# "Microsoft.Network/networkSecurityGroups/securityRules/write",
# "Microsoft.Network/networkSecurityGroups/write",
# "Microsoft.Network/privateDnsZones/SOA/read",
# "Microsoft.Network/privateDnsZones/delete",
# "Microsoft.Network/privateDnsZones/join/action",
# "Microsoft.Network/privateDnsZones/read",
# "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete",
# "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
# "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
# "Microsoft.Network/privateDnsZones/write",
# "Microsoft.Network/privateEndpoints/delete",
# "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete",
# "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
# "Microsoft.Network/privateEndpoints/read",
# "Microsoft.Network/privateEndpoints/write",
# "Microsoft.Network/publicIPAddresses/delete",
# "Microsoft.Network/publicIPAddresses/read",
# "Microsoft.Network/publicIPAddresses/write",
# "Microsoft.Network/virtualNetworks/delete",
# "Microsoft.Network/virtualNetworks/join/action",
# "Microsoft.Network/virtualNetworks/read",
# "Microsoft.Network/virtualNetworks/subnets/delete",
# "Microsoft.Network/virtualNetworks/subnets/join/action",
# "Microsoft.Network/virtualNetworks/subnets/read",
# "Microsoft.Network/virtualNetworks/subnets/write",
# "Microsoft.Network/virtualNetworks/write",
# "Microsoft.OperationalInsights/workspaces/delete",
# "Microsoft.OperationalInsights/workspaces/read",
# "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
# "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
# "Microsoft.OperationalInsights/workspaces/write",
# "Microsoft.Resources/deployments/delete",
# "Microsoft.Resources/deployments/exportTemplate/action",
# "Microsoft.Resources/deployments/operationStatuses/read",
# "Microsoft.Resources/deployments/read",
# "Microsoft.Resources/deployments/validate/action",
# "Microsoft.Resources/deployments/write",
# "Microsoft.Resources/subscriptions/resourcegroups/delete",
# "Microsoft.Resources/subscriptions/resourcegroups/read",
# "Microsoft.Resources/subscriptions/resourcegroups/write",
# "Microsoft.Security/pricings/delete",
# "Microsoft.Security/pricings/read",
# "Microsoft.Security/pricings/write",
# "Microsoft.Storage/storageAccounts/delete",
# "Microsoft.Storage/storageAccounts/read",
# "Microsoft.Storage/storageAccounts/write",
# "Microsoft.Resources/deployments/read"

Debug Output/Panic Output

│ Error: Plugin did not respond
│ 
│   with module.application_insights.azurerm_application_insights.this,
│   on .terraform/modules/application_insights/main.tf line 3, in resource "azurerm_application_insights" "this":
│    3: resource "azurerm_application_insights" "this" {
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-azurerm_v3.117.0_x5 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1048f663c]

goroutine 43 [running]:
github.com/hashicorp/terraform-provider-azurerm/internal/services/applicationinsights.resourceApplicationInsightsCreateUpdate(0x0?, {0x107275300?, 0x14001c10d80})
        github.com/hashicorp/terraform-provider-azurerm/internal/services/applicationinsights/application_insights_resource.go:290 +0x100c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x1082fe258?, {0x1082fe258?, 0x14002708d50?}, 0xd?, {0x107275300?, 0x14001c10d80?})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:766 +0x134
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x14000bcae00, {0x1082fe258, 0x14002708d50}, 0x14001f07450, 0x1400271e800, {0x107275300, 0x14001c10d80})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:909 +0x86c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x14000576900, {0x1082fe258?, 0x14002708c60?}, 0x1400053e050)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1078 +0xb08
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x14001dff9a0, {0x1082fe258?, 0x14002708240?}, 0x140006f0230)
        github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:865 +0x2b0
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x107f94b20?, 0x14001dff9a0}, {0x1082fe258, 0x14002708240}, 0x1400271e000, 0x0)
        github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:518 +0x164
google.golang.org/grpc.(*Server).processUnaryRPC(0x140001bf000, {0x1082fe258, 0x140027081b0}, {0x10832a7a0, 0x140017b4300}, 0x14002712000, 0x140017f40f0, 0x10d935938, 0x0)
        google.golang.org/[email protected]/server.go:1369 +0xba0
google.golang.org/grpc.(*Server).handleStream(0x140001bf000, {0x10832a7a0, 0x140017b4300}, 0x14002712000)
        google.golang.org/[email protected]/server.go:1780 +0xc80
google.golang.org/grpc.(*Server).serveStreams.func2.1()
        google.golang.org/[email protected]/server.go:1019 +0x8c
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 71
        google.golang.org/[email protected]/server.go:1030 +0x150

Error: The terraform-provider-azurerm_v3.117.0_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Expected Behaviour

When using service principle with minimal permission (permissions provided in the terraform code block in the issue) to do the terraform apply this error is received. When logging in to az-cli with owner permissions this works fine.Either the application insights resource should get created or terraform error should report what permissions are missing.

Actual Behaviour

When using service principle with minimal permission (permissions provided in the terraform code block in the issue) to do the terraform apply this error is received.

Steps to Reproduce

1. Create a custom role with following permisissions (these permissions were found using the azure minimum permissions finder az-mpf utility). These permissions correspond to our overall terraform script, and not just to replicate the error:

# "Microsoft.Authorization/policyAssignments/delete",
# "Microsoft.Authorization/policyAssignments/read",
# "Microsoft.Authorization/policyAssignments/write",
# "Microsoft.Authorization/roleAssignments/delete",
# "Microsoft.Authorization/roleAssignments/read",
# "Microsoft.Authorization/roleAssignments/write",
# "Microsoft.ContainerRegistry/registries/PrivateEndpointConnectionsApproval/action",
# "Microsoft.ContainerRegistry/registries/delete",
# "Microsoft.ContainerRegistry/registries/operationStatuses/read",
# "Microsoft.ContainerRegistry/registries/read",
# "Microsoft.ContainerRegistry/registries/write",
# "Microsoft.Insights/components/delete",
# "Microsoft.Insights/components/read",
# "Microsoft.Insights/components/write",
# "Microsoft.Insights/diagnosticSettings/delete",
# "Microsoft.Insights/diagnosticSettings/read",
# "Microsoft.Insights/diagnosticSettings/write",
# "Microsoft.Insights/privateLinkScopes/delete",
# "Microsoft.Insights/privateLinkScopes/read",
# "Microsoft.Insights/privateLinkScopes/write",
# "Microsoft.Insights/workbooks/delete",
# "Microsoft.Insights/workbooks/read",
# "Microsoft.Insights/workbooks/write",
# "Microsoft.KeyVault/vaults/PrivateEndpointConnectionsApproval/action",
# "Microsoft.KeyVault/vaults/delete",
# "Microsoft.KeyVault/vaults/read",
# "Microsoft.KeyVault/vaults/write",
# "Microsoft.Network/natGateways/delete",
# "Microsoft.Network/natGateways/join/action",
# "Microsoft.Network/natGateways/read",
# "Microsoft.Network/natGateways/write",
# "Microsoft.Network/networkSecurityGroups/delete",
# "Microsoft.Network/networkSecurityGroups/join/action",
# "Microsoft.Network/networkSecurityGroups/read",
# "Microsoft.Network/networkSecurityGroups/securityRules/delete",
# "Microsoft.Network/networkSecurityGroups/securityRules/read",
# "Microsoft.Network/networkSecurityGroups/securityRules/write",
# "Microsoft.Network/networkSecurityGroups/write",
# "Microsoft.Network/privateDnsZones/SOA/read",
# "Microsoft.Network/privateDnsZones/delete",
# "Microsoft.Network/privateDnsZones/join/action",
# "Microsoft.Network/privateDnsZones/read",
# "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete",
# "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
# "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
# "Microsoft.Network/privateDnsZones/write",
# "Microsoft.Network/privateEndpoints/delete",
# "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete",
# "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
# "Microsoft.Network/privateEndpoints/read",
# "Microsoft.Network/privateEndpoints/write",
# "Microsoft.Network/publicIPAddresses/delete",
# "Microsoft.Network/publicIPAddresses/read",
# "Microsoft.Network/publicIPAddresses/write",
# "Microsoft.Network/virtualNetworks/delete",
# "Microsoft.Network/virtualNetworks/join/action",
# "Microsoft.Network/virtualNetworks/read",
# "Microsoft.Network/virtualNetworks/subnets/delete",
# "Microsoft.Network/virtualNetworks/subnets/join/action",
# "Microsoft.Network/virtualNetworks/subnets/read",
# "Microsoft.Network/virtualNetworks/subnets/write",
# "Microsoft.Network/virtualNetworks/write",
# "Microsoft.OperationalInsights/workspaces/delete",
# "Microsoft.OperationalInsights/workspaces/read",
# "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
# "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
# "Microsoft.OperationalInsights/workspaces/write",
# "Microsoft.Resources/deployments/delete",
# "Microsoft.Resources/deployments/exportTemplate/action",
# "Microsoft.Resources/deployments/operationStatuses/read",
# "Microsoft.Resources/deployments/read",
# "Microsoft.Resources/deployments/validate/action",
# "Microsoft.Resources/deployments/write",
# "Microsoft.Resources/subscriptions/resourcegroups/delete",
# "Microsoft.Resources/subscriptions/resourcegroups/read",
# "Microsoft.Resources/subscriptions/resourcegroups/write",
# "Microsoft.Security/pricings/delete",
# "Microsoft.Security/pricings/read",
# "Microsoft.Security/pricings/write",
# "Microsoft.Storage/storageAccounts/delete",
# "Microsoft.Storage/storageAccounts/read",
# "Microsoft.Storage/storageAccounts/write",
# "Microsoft.Resources/deployments/read"

2. Assign these permissions to a service principal via role assignment
3. use az login --service-principal, to login using the service principal
4. use terraform init and apply, and error is received
5. Please note, when logging in to az cli as owner no error is received, however we want to use the minimum permission required in our pipelines.

Important Factoids

No

References

No response

[teowa]

Hi @maniSbindra ,The issue has been resolved in this pull request, which is included in version 4.2.0 of the provider. Please update to use the 4.2.0 or later version of AzureRM provider. Thank you!

[maniSbindra]

Hi @teowa thanks for this. I tried with provider version 4.9.0 and as you mentioned it did return an authorization error with a missing permission. However after I added the missing permission, and tried again I got the error message A resource with the ID "/subscriptions/sub_id/resourceGroups/rg-adfsstdg-189/providers/Microsoft.Insights/components/appinsightadfsstdg" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_application_insights" for more information. The reason for this was that even though authorisation error was returned the resource was created in Azure and this was not updated in state file. This was the case even when plugin was panicking with provider version 3.117.0

[teowa]

Hi @maniSbindra , this is the current design of the AzureRM provider. It will only add the resource to the Terraform state if all creation steps complete successfully. In the case described above, the AzureRM resource creation failed due to a crash or possibly insufficient permissions. Although the resource was created in Azure, it was not added to the Terraform state because Terraform cannot determine whether the resource is usable. You may need to manually import it using the following command:

terraform import module.application_insights.azurerm_application_insights.this /subscriptions/sub_id/resourceGroups/rg-adfsstdg-189/providers/Microsoft.Insights/components/appinsightadfsstdg

If use provider 4.2.0 or later version and the required permissions are correctly assigned before creating a new resource, the resource should be created and imported successfully.

[maniSbindra]

@teowa I tried with provider 4.9.0 (which is latest version),
I did get the correct error that permission "Microsoft.Insights/components/currentbillingfeatures/write" is missing:

Component Name: "appinsightadfsstdg"): unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client AAA with object id 'BBB' does not have authorization to perform action 'Microsoft.Insights/components/currentbillingfeatures/write' over scope '/subscriptions/SUBID/resourceGroups/rg-adfsstdg-189/providers/Microsoft.Insights/components/appinsightadfsstdg' or the scope is invalid. If access was recently granted, please refresh your credentials.

However the App Insights resource still got created.

[teowa]

Hi @maniSbindra , the permissions are required for the daily_data_cap_in_gb and daily_data_cap_notifications_disabled properties of the azurerm_application_insights resource. Based on the source code, the Application Insights instance is created at line 245. After creation, the provider attempts to update billing-related settings at line 288, followed by other operations. Finally, the resource ID is saved at line 330.

To resolve this issue, could we add Microsoft.Insights/components/currentbillingfeatures/write to the required permissions? Additionally, since the provider also performs write operations on smart detection rules at line 313, the Microsoft.AlertsManagement/smartDetectorAlertRules/read and Microsoft.AlertsManagement/smartDetectorAlertRules/write permissions may also be needed.

[maniSbindra]

@teowa looking at the code I do understand the behaviour, thanks for this.

From a usability perspective I am not sure this is an ideal behaviour though. In case some one wants to use minimum permissions and is not sure of the exact minimum permissions, they would initially perhaps not think of adding "Microsoft.Insights/components/currentbillingfeatures/write", "Microsoft.AlertsManagement/smartDetectorAlertRules/read" or "Microsoft.AlertsManagement/smartDetectorAlertRules/write" when creating an app insights resource. In this case the new version of the provider does provide the missing permissions, however after adding missing permissions, user would later require to import the Azure App Insights instance into terraform state as it was created despite of the authorization errors.

Another minor issue is that currently the App Insights AVM module is bound to >3.71 <4, so I cannot use provider version 4.2 or 4.9 directly. To test I modified version directly in .terraform folder

Thanks for your help,
Mani