@acidDrain
Created September 10, 2021 17:32
Summary and Root Cause of Accidental Infrastructure Deletion in Azure

Incident - Accidental Deletion of az-prod-zone Resource Group in Azure

  1. Summary of Incident
  2. Root Cause
    1. No-Repeat Plan
  3. Details
    1. Background
    2. Incident
  4. Full session log

Summary of Incident

Resource Group az-prod-zone was deleted. This caused all infrastructure that was part of this Resource Group to be deleted as well. Items deleted included:

  • Network interfaces
  • Azure VMs
  • Storage
  • Permissions
  • NSGs

Root Cause

Using Terraform, I tried to create an EventHub namespace and configure Azure logging. I configured Terraform to use the Resource Group az-prod-zone. Later, I changed the Resource Group name to az-prod-zone-eventhub-test. I used terraform plan to confirm the changes before applying. The plan output indicated that a new resource group would be created, and it was not clear from that output that all resources in the az-prod-zone Resource Group would be deleted. Renaming an azurerm_resource_group changes an argument that forces a new resource, so Terraform planned to destroy the group it already tracked (az-prod-zone) and then create the replacement; in Azure, deleting a Resource Group deletes everything inside it. I ran terraform apply against the plan, and the Terraform log showed Resource Group az-prod-zone “destroying”. The end result was that the az-prod-zone Resource Group and all infrastructure within it were deleted.

#------------------------------------------------------------------------------#
#                 file: azure_eventhub.tf (Before modification)                #
#------------------------------------------------------------------------------#
# Configure the Azure Provider
provider "azurerm" {}

# The existing production Resource Group; after the first apply it is tracked
# in Terraform state under this address
resource "azurerm_resource_group" "test" {
  name     = "az-prod-zone"
  location = "East US"
}

resource "azurerm_eventhub_namespace" "testeventns-az-prod-tech" {
  name                = "testeventns-az-prod-tech"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  sku                 = "Basic"
  capacity            = 1

  tags {
    environment = "Test"
  }
}

resource "azurerm_eventhub" "test-eventhub" {
  name                = "testeventhub-az-prod-tech"
  namespace_name      = "${azurerm_eventhub_namespace.testeventns-az-prod-tech.name}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  partition_count     = 2
  message_retention   = 1
}
#------------------------------------------------------------------------------#
#                 file: azure_eventhub.tf (After modification)                 #
#------------------------------------------------------------------------------#
# Configure the Azure Provider
provider "azurerm" {}

# Changing name forces replacement: Terraform destroys the group it tracks
# (az-prod-zone), and with it everything inside, before creating the new one
resource "azurerm_resource_group" "test" {
  name     = "az-prod-zone-eventhub-test"
  location = "East US"
}

resource "azurerm_eventhub_namespace" "testeventns-az-prod-tech" {
  name                = "testeventns-az-prod-tech"
  location            = "${azurerm_resource_group.test.location}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  sku                 = "Basic"
  capacity            = 1

  tags {
    environment = "Test"
  }
}

resource "azurerm_eventhub" "test-eventhub" {
  name                = "testeventhub-az-prod-tech"
  namespace_name      = "${azurerm_eventhub_namespace.testeventns-az-prod-tech.name}"
  resource_group_name = "${azurerm_resource_group.test.name}"
  partition_count     = 2
  message_retention   = 1
}

No-Repeat Plan

Safeguards that can be added to prevent this incident from happening in the future:

  • Configure multiple resource groups, and avoid using a single resource group for all infrastructure. (See Organizing subscriptions and resource groups within the Enterprise for more details)
  • Configure a Lock on Resource Groups. A CanNotDelete lock (also known as a Delete lock in the portal) allows authorized users to read and modify a resource but prevents them from deleting it.
  • Configure Backups in Azure
  • Configure a Terraform lifecycle policy with prevent_destroy. A lifecycle configuration block can be defined for any Terraform resource, and setting prevent_destroy to true causes Terraform to return an error instead of destroying the resource.
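A pre-apply gate for the plan summary, added here as an example (not code from the gist): it reads the text of terraform plan, picks out the `-/+` replacement lines and the `Plan: N to add, M to change, K to destroy.` line that the incident plan printed, and refuses to continue when K is greater than zero. The function names are ours and the sample plan text is constructed from the lines in the session log.

```shell
#!/bin/sh
# Added example, not code from the gist: a pre-apply gate that reads the text
# of "terraform plan" and refuses to continue when the plan destroys anything.
# It keys on the two signals printed in the incident plan:
#   -/+ <address> (new resource required)   -> destroy-then-create replacement
#   Plan: N to add, M to change, K to destroy.
# Function names below are ours. Run terraform with -no-color so the summary
# line is free of escape sequences.

# Print K from the "Plan: ... K to destroy." summary line; 0 if no such line.
plan_destroy_count() {
  count=$(printf '%s\n' "$1" |
    sed -n 's/^Plan: [0-9][0-9]* to add, [0-9][0-9]* to change, \([0-9][0-9]*\) to destroy\.$/\1/p')
  printf '%s\n' "${count:-0}"
}

# Print the resource addresses the plan replaces (-/+ lines), one per line.
plan_replacements() {
  printf '%s\n' "$1" | sed -n 's/^ *-\/+ \([^ ]*\).*/\1/p'
}

# Exit status: 0 = safe to apply, 1 = plan destroys resources, 2 = no summary
# line (the text is not a complete "terraform plan" output, so do not trust it).
gate_plan() {
  plan="$1"
  if ! printf '%s\n' "$plan" | grep -q '^Plan: '; then
    echo "gate: no 'Plan:' summary found; refusing to apply" >&2
    return 2
  fi
  n=$(plan_destroy_count "$plan")
  if [ "$n" -gt 0 ]; then
    echo "gate: plan destroys $n resource(s); refusing to apply" >&2
    plan_replacements "$plan" | sed 's/^/gate:   replaces: /' >&2
    return 1
  fi
  return 0
}

# Constructed sample: the lines that matter from the plan that triggered the
# incident (the rename of azurerm_resource_group.test).
INCIDENT_PLAN='-/+ azurerm_resource_group.test (new resource required)
      name: "az-prod-zone" => "az-prod-zone-eventhub-test" (forces new resource)

Plan: 3 to add, 0 to change, 1 to destroy.'

# Constructed sample: the earlier plan from the same session, which only adds.
SAFE_PLAN='Plan: 3 to add, 0 to change, 0 to destroy.'

# Wrapper usage:
#   terraform plan -no-color -out plans/plan.out | tee plans/plan.txt
#   gate_plan "$(cat plans/plan.txt)" && terraform apply plans/plan.out
if [ "${1:-}" = "--demo" ]; then
  gate_plan "$INCIDENT_PLAN"; echo "incident plan: exit status $?"
  gate_plan "$SAFE_PLAN";     echo "safe plan: exit status $?"
fi
```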

Details

Background

A client of mine is migrating their infrastructure to Azure. They have been trying to configure Azure to send logs to their SIEM, but have been unsuccessful. They requested support from the SIEM vendor, but the vendor was unable to assist.

Following the failed support request, the client reached out to me to see if I could help in any way.

I began researching how to configure sending Azure logs to a remote log server and found these documents:

  • Use Azure Monitor to integrate with SIEM tools
  • Stream Azure monitoring data to an event hub for consumption by an external tool

Incident

I began testing the configuration described in Stream Azure monitoring data to an event hub for consumption by an external tool.

A summary of the configuration:

  • Create an EventHub namespace
  • Configure Activity Log to export to previously created EventHub namespace
  • Configure a resource to consume data from EventHub and send to SIEM

I wanted to be able to provide the client with an exact setup that would accomplish their goal, so I began testing and configuring using Terraform. My goal, once I had the proper Terraform configuration, was to provide the code/config for the client to re-use. The client would only need to modify a couple of variables to have a working solution.

Rather than create a new, empty Resource Group that would not have any log data, I decided to use the existing az-prod-zone Resource Group.

The only changes I needed to make:

  • create the EventHub namespace
  • configure Activity Log to export to EventHub

I tried to create the EventHub namespace with Terraform, but received errors that I did not have permissions for EventHub with this subscription. To troubleshoot, I tried creating a new Resource Group where it would be safe to configure and test the right roles and permissions. I modified my Terraform configuration to use a new Resource Group and ran terraform plan. I didn’t recognize or understand from the plan output that the entire Resource Group would be deleted when it was applied. I performed a terraform apply against the plan and saw the Resource Group was being destroyed. I looked back in the Azure Portal and saw the Resource Group being deleted, at which point I canceled (CTRL+C) the terraform apply. I frantically searched for a way to halt the deletion of the Resource Group but found nothing.

I immediately contacted Azure Support to ask for the Resource Group to be restored, if possible. Azure Support (contacted through Twitter, since I didn’t have permission to create a support request through the portal) granted me a free technical support ticket.

Full session log

[docker-for-desktop] ~/projects/terraform-test-azure $ az --help

Group
az

Subgroups:
account : Manage Azure subscription information.
acr : Manage private registries with Azure Container Registries.
acs : Manage Azure Container Services.
ad : Manage Azure Active Directory Graph entities needed for Role Based Access
Control.
advisor : Manage Azure Advisor.
aks : Manage Azure Kubernetes Services.
ams : Manage Azure Media Services resources.
appservice : Manage App Service plans.
backup : Manage Azure Backups.
batch : Manage Azure Batch.
batchai : Manage Batch AI resources.
billing : Manage Azure Billing.
bot : Manage Microsoft Bot Services.
cdn : Manage Azure Content Delivery Networks (CDNs).
cloud : Manage registered Azure clouds.
cognitiveservices : Manage Azure Cognitive Services accounts.
consumption : Manage consumption of Azure resources.
container : Manage Azure Container Instances.
cosmosdb : Manage Azure Cosmos DB database accounts.
deployment : Manage Azure Resource Manager deployments at subscription scope.
disk : Manage Azure Managed Disks.
dla : (PREVIEW) Manage Data Lake Analytics accounts, jobs, and catalogs.
dls : (PREVIEW) Manage Data Lake Store accounts and filesystems.
dms : Manage Azure Data Migration Service (DMS) instances.
eventgrid : Manage Azure Event Grid topics and subscriptions.
eventhubs : Manage Azure Event Hubs namespaces, eventhubs, consumergroups and geo
recovery configurations - Alias.
extension : Manage and update CLI extensions.
feature : Manage resource provider features.
functionapp : Manage function apps.
group : Manage Resource Groups and template deployments.
identity : Managed Service Identities.
image : Manage custom virtual machine images.
iot : Manage Internet of Things (IoT) assets.
iotcentral : Manage IoT Central assets.
keyvault : Manage KeyVault keys, secrets, and certificates.
lab : Manage Azure DevTest Labs.
lock : Manage Azure locks.
managedapp : Manage template solutions provided and maintained by Independent Software
Vendors (ISVs).
maps : Manage Azure Maps.
mariadb : Manage Azure Database for MariaDB servers.
monitor : Manage the Azure Monitor Service.
mysql : Manage Azure Database for MySQL servers.
network : Manage Azure Network resources.
policy : Manage resource policies.
postgres : Manage Azure Database for PostgreSQL servers.
provider : Manage resource providers.
redis : Manage dedicated Redis caches for your Azure applications.
relay : Manage Azure Relay Service namespaces, WCF relays, hybrid connections, and
rules.
reservations : Manage Azure Reservations.
resource : Manage Azure resources.
role : Manage user roles for access control with Azure Active Directory and service
principals.
search : Manage Azure Search services, admin keys and query keys.
servicebus : Manage Azure Service Bus namespaces, queues, topics, subscriptions, rules
and geo-disaster recovery configuration alias.
sf : Manage and administer Azure Service Fabric clusters.
sig : Manage shared image gallery.
signalr : Manage Azure SignalR Service.
snapshot : Manage point-in-time copies of managed disks, native blobs, or other
snapshots.
sql : Manage Azure SQL Databases and Data Warehouses.
storage : Manage Azure Cloud Storage resources.
tag : Manage resource tags.
vm : Manage Linux or Windows virtual machines.
vmss : Manage groupings of virtual machines in an Azure Virtual Machine Scale Set
(VMSS).
webapp : Manage web apps.

Commands:
configure : Manage Azure CLI configuration. This command is interactive.
feedback : Send feedback to the Azure CLI Team!
find : Find Azure CLI commands.
interactive : Start interactive mode.
login : Log in to Azure.
logout : Log out to remove access to Azure subscriptions.

[docker-for-desktop] ~/projects/terraform-test-azure $ az account --help

Group
az account : Manage Azure subscription information.

Subgroups:
lock : Manage Azure subscription level locks.
management-group : Manage Azure Management Groups.

Commands:
clear : Clear all subscriptions from the CLI's local cache.
get-access-token : Get a token for utilities to access Azure.
list : Get a list of subscriptions for the logged in account.
list-locations : List supported regions for the current subscription.
set : Set a subscription to be the current active subscription.
show : Get the details of a subscription.

[docker-for-desktop] ~/projects/terraform-test-azure $ az account show
{
  "environmentName": "AzureCloud",
  "id": "0123456789-a1b2-34de-f50a-123abcd12ab56",
  "isDefault": true,
  "name": "Pay-As-You-Go",
  "state": "Enabled",
  "tenantId": "01234567890-abcd-01234-abc012345abc",
  "user": {
    "name": "acidDrain@elasticplayground.com",
    "type": "user"
  }
}
[docker-for-desktop] ~/projects/terraform-test-azure $ az account list
A few accounts are skipped as they don't have 'Enabled' state. Use '--all' to display them.
[
  {
    "cloudName": "AzureCloud",
    "id": "0123456789-a1b2-34de-f50a-123abcd12ab56",
    "isDefault": true,
    "name": "Pay-As-You-Go",
    "state": "Enabled",
    "tenantId": "01234567890-abcd-01234-abc012345abc",
    "user": {
      "name": "acidDrain@elasticplayground.com",
      "type": "user"
    }
  }
]
[docker-for-desktop] ~/projects/terraform-test-azure $ code .
[docker-for-desktop] ~/projects/terraform-test-azure $ clear
[docker-for-desktop] ~/projects/terraform-test-azure $ terraform init

Initializing provider plugins...

- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "azurerm" (1.16.0)...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

- provider.azurerm: version = "~> 1.16"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
[docker-for-desktop] ~/projects/terraform-test-azure $ mkdir plans
[docker-for-desktop] ~/projects/terraform-test-azure $ terraform plan -out plans/plan.out
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

---

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:

+ create

Terraform will perform the following actions:

+ azurerm_resource_group.network
id: <computed>
location: "westus"
name: "production"
tags.%: <computed>

+ azurerm_virtual_network.network
id: <computed>
address_space.#: "1"
address_space.0: "10.0.0.0/16"

~ Press ENTER or type command to continue
[docker-for-desktop] ~/projects/terraform-test-azure $ git init
Initialized empty Git repository in /Users/acidDrain/projects/terraform-test-azure/.git/
[docker-for-desktop] ~/projects/terraform-test-azure $ git add .gitignore ; git commit -m "Added .gitignore"
[master (root-commit) cfae7a1] Added .gitignore
1 file changed, 4 insertions(+)
create mode 100644 .gitignore
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform plan -out plans/plan.out
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

---

Error: Error writing plan file: open plans/plan.out: no such file or directory

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ mkdir plans
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform plan -out plans/plan.out
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

---

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:

+ create

Terraform will perform the following actions:

+ azurerm_eventhub.test-eventhub
id: <computed>
message_retention: "1"
name: "testeventhub-az-prod-tech"
namespace_name: "testeventns-az-prod-tech"
partition_count: "2"
partition_ids.#: <computed>
resource_group_name: "test-resourceGroup1"

+ azurerm_eventhub_namespace.testeventns-az-prod-tech
id: <computed>
auto_inflate_enabled: "false"
capacity: "1"
default_primary_connection_string: <computed>
default_primary_key: <computed>
default_secondary_connection_string: <computed>
default_secondary_key: <computed>
location: "westus"
maximum_throughput_units: <computed>
name: "testeventns-az-prod-tech"
resource_group_name: "test-resourceGroup1"
sku: "Basic"
tags.%: "1"
tags.environment: "Test"

+ azurerm_resource_group.test
id: <computed>
location: "westus"
name: "test-resourceGroup1"
tags.%: <computed>

Plan: 3 to add, 0 to change, 0 to destroy.

---

This plan was saved to: plans/plan.out

To perform exactly these actions, run the following command to apply:
terraform apply "plans/plan.out"

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform plan -out plans/plan.out
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

---

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:

+ create

Terraform will perform the following actions:

+ azurerm_eventhub.test-eventhub
id: <computed>
message_retention: "1"
name: "testeventhub-az-prod-tech"
namespace_name: "testeventns-az-prod-tech"
partition_count: "2"
partition_ids.#: <computed>
resource_group_name: "az-prod-zone"

+ azurerm_eventhub_namespace.testeventns-az-prod-tech
id: <computed>
auto_inflate_enabled: "false"
capacity: "1"
default_primary_connection_string: <computed>
default_primary_key: <computed>
default_secondary_connection_string: <computed>
default_secondary_key: <computed>
location: "eastus"
maximum_throughput_units: <computed>
name: "testeventns-az-prod-tech"
resource_group_name: "az-prod-zone"
sku: "Basic"
tags.%: "1"
tags.environment: "Test"

+ azurerm_resource_group.test
id: <computed>
location: "eastus"
name: "az-prod-zone"
tags.%: <computed>

Plan: 3 to add, 0 to change, 0 to destroy.

---

This plan was saved to: plans/plan.out

To perform exactly these actions, run the following command to apply:
terraform apply "plans/plan.out"

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az --help

Group
az

Subgroups:
account : Manage Azure subscription information.
acr : Manage private registries with Azure Container Registries.
acs : Manage Azure Container Services.
ad : Manage Azure Active Directory Graph entities needed for Role Based Access
Control.
advisor : Manage Azure Advisor.
aks : Manage Azure Kubernetes Services.
ams : Manage Azure Media Services resources.
appservice : Manage App Service plans.
backup : Manage Azure Backups.
batch : Manage Azure Batch.
batchai : Manage Batch AI resources.
billing : Manage Azure Billing.
bot : Manage Microsoft Bot Services.
cdn : Manage Azure Content Delivery Networks (CDNs).
cloud : Manage registered Azure clouds.
cognitiveservices : Manage Azure Cognitive Services accounts.
consumption : Manage consumption of Azure resources.
container : Manage Azure Container Instances.
cosmosdb : Manage Azure Cosmos DB database accounts.
deployment : Manage Azure Resource Manager deployments at subscription scope.
disk : Manage Azure Managed Disks.
dla : (PREVIEW) Manage Data Lake Analytics accounts, jobs, and catalogs.
dls : (PREVIEW) Manage Data Lake Store accounts and filesystems.
dms : Manage Azure Data Migration Service (DMS) instances.
eventgrid : Manage Azure Event Grid topics and subscriptions.
eventhubs : Manage Azure Event Hubs namespaces, eventhubs, consumergroups and geo
recovery configurations - Alias.
extension : Manage and update CLI extensions.
feature : Manage resource provider features.
functionapp : Manage function apps.
group : Manage Resource Groups and template deployments.
identity : Managed Service Identities.
image : Manage custom virtual machine images.
iot : Manage Internet of Things (IoT) assets.
iotcentral : Manage IoT Central assets.
keyvault : Manage KeyVault keys, secrets, and certificates.
lab : Manage Azure DevTest Labs.
lock : Manage Azure locks.
managedapp : Manage template solutions provided and maintained by Independent Software
Vendors (ISVs).
maps : Manage Azure Maps.
mariadb : Manage Azure Database for MariaDB servers.
monitor : Manage the Azure Monitor Service.
mysql : Manage Azure Database for MySQL servers.
network : Manage Azure Network resources.
policy : Manage resource policies.
postgres : Manage Azure Database for PostgreSQL servers.
provider : Manage resource providers.
redis : Manage dedicated Redis caches for your Azure applications.
relay : Manage Azure Relay Service namespaces, WCF relays, hybrid connections, and
rules.
reservations : Manage Azure Reservations.
resource : Manage Azure resources.
role : Manage user roles for access control with Azure Active Directory and service
principals.
search : Manage Azure Search services, admin keys and query keys.
servicebus : Manage Azure Service Bus namespaces, queues, topics, subscriptions, rules
and geo-disaster recovery configuration alias.
sf : Manage and administer Azure Service Fabric clusters.
sig : Manage shared image gallery.
signalr : Manage Azure SignalR Service.
snapshot : Manage point-in-time copies of managed disks, native blobs, or other
snapshots.
sql : Manage Azure SQL Databases and Data Warehouses.
storage : Manage Azure Cloud Storage resources.
tag : Manage resource tags.
vm : Manage Linux or Windows virtual machines.
vmss : Manage groupings of virtual machines in an Azure Virtual Machine Scale Set
(VMSS).
webapp : Manage web apps.

Commands:
configure : Manage Azure CLI configuration. This command is interactive.
feedback : Send feedback to the Azure CLI Team!
find : Find Azure CLI commands.
interactive : Start interactive mode.
login : Log in to Azure.
logout : Log out to remove access to Azure subscriptions.

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az configure --help

Command
az configure : Manage Azure CLI configuration. This command is interactive.

Arguments
--defaults -d : Space-separated 'name=value' pairs for common argument defaults.

Global Arguments
--debug : Increase logging verbosity to show all debug logs.
--help -h : Show this help message and exit.
--output -o : Output format. Allowed values: json, jsonc, table, tsv, yaml. Default: json.
--query : JMESPath query string. See http://jmespath.org/ for more information and
examples.
--subscription : Name or ID of subscription. You can configure the default subscription using
`az account set -s NAME_OR_ID`.
--verbose : Increase logging verbosity. Use --debug for full debug logs.

Examples
Set default Resource Group, webapp and VM names.
az configure --defaults group=myRG web=myweb vm=myvm

Clear default webapp and VM names.
az configure --defaults vm='' web=''

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az --help | grep -i log
dla : (PREVIEW) Manage Data Lake Analytics accounts, jobs, and catalogs.
login : Log in to Azure.
logout : Log out to remove access to Azure subscriptions.
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az --help | grep -i activity
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az monitor --help

Group
az monitor : Manage the Azure Monitor Service.

Subgroups:
action-group : Manage action groups.
activity-log : Manage activity logs.
autoscale : Manage autoscale settings.
diagnostic-settings : Manage service diagnostic settings.
log-profiles : Manage log profiles.
metrics : View Azure resource metrics.

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az monitor activity-log --help

Group
az monitor activity-log : Manage activity logs.

Subgroups:
alert : Manage activity log alerts.

Commands:
list : Provides the list of activity log.
list-categories : List the event categories of activity logs.

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az monitor activity-log list
usage error: [--correlation-id ID | --resource-group NAME | --resource-id ID | --resource-provider PROVIDER]
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az monitor log-profiles
az monitor log-profiles: error: the following arguments are required: _subcommand
usage: az monitor log-profiles [-h] {create,delete,show,list,update} ...
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az monitor log-profiles --help

Group
az monitor log-profiles : Manage log profiles.

Commands:
create : Create a log profile.
delete : Deletes the log profile.
list : List the log profiles.
show : Gets the log profile.
update : Update a log profile.

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az monitor log-profiles list
[]
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az monitor log-profiles ^C
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform plan -out plans/plan.out
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

---

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:

+ create

Terraform will perform the following actions:

+ azurerm_eventhub.test-eventhub
id: <computed>
message_retention: "1"
name: "testeventhub-az-prod-tech"
namespace_name: "testeventns-az-prod-tech"
partition_count: "2"
partition_ids.#: <computed>
resource_group_name: "az-prod-zone"

+ azurerm_eventhub_namespace.testeventns-az-prod-tech
id: <computed>
auto_inflate_enabled: "false"
capacity: "1"
default_primary_connection_string: <computed>
default_primary_key: <computed>
default_secondary_connection_string: <computed>
default_secondary_key: <computed>
location: "eastus"
maximum_throughput_units: <computed>
name: "testeventns-az-prod-tech"
resource_group_name: "az-prod-zone"
sku: "Basic"
tags.%: "1"
tags.environment: "Test"

+ azurerm_resource_group.test
id: <computed>
location: "eastus"
name: "az-prod-zone"
tags.%: <computed>

Plan: 3 to add, 0 to change, 0 to destroy.

---

This plan was saved to: plans/plan.out

To perform exactly these actions, run the following command to apply:
terraform apply "plans/plan.out"

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform apply plans/plan.out
azurerm_resource_group.test: Creating...
location: "" => "eastus"
name: "" => "az-prod-zone"
tags.%: "" => "<computed>"
azurerm_resource_group.test: Creation complete after 1s (ID: /subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone)
azurerm_eventhub_namespace.testeventns-az-prod-tech: Creating...
auto_inflate_enabled: "" => "false"
capacity: "" => "1"
default_primary_connection_string: "<sensitive>" => "<sensitive>"
default_primary_key: "<sensitive>" => "<sensitive>"
default_secondary_connection_string: "<sensitive>" => "<sensitive>"
default_secondary_key: "<sensitive>" => "<sensitive>"
location: "" => "eastus"
maximum_throughput_units: "" => "<computed>"
name: "" => "testeventns-az-prod-tech"
resource_group_name: "" => "az-prod-zone"
sku: "" => "Basic"
tags.%: "" => "1"
tags.environment: "" => "Test"

Error: Error applying plan:

1 error(s) occurred:

* azurerm_eventhub_namespace.testeventns-az-prod-tech: 1 error(s) occurred:

* azurerm_eventhub_namespace.testeventns-az-prod-tech: eventhub.NamespacesClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: failed auto registering Resource Provider: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'acidDrain@elasticplayground.com' with object id 'ea0bb645-bac4-4342-bedf-4d36f1ab3382' does not have authorization to perform action 'Microsoft.EventHub/register/action' over scope '/subscriptions/12345-67890-5555-5555-5555'.". Original error: autorest/azure: Service returned an error. Status=<nil> Code="MissingSubscriptionRegistration" Message="The subscription is not registered to use namespace 'Microsoft.EventHub'. See https://aka.ms/rps-not-found for how to register subscriptions." Details=[{"code":"MissingSubscriptionRegistration","message":"The subscription is not registered to use namespace 'Microsoft.EventHub'. See https://aka.ms/rps-not-found for how to register subscriptions.","target":"Microsoft.EventHub"}]

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


Mistake that triggered incident
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform plan -out plans/plan.out
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

azurerm_resource_group.test: Refreshing state... (ID: /subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone)

---

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:

+ create
-/+ destroy and then create replacement

Terraform will perform the following actions:

+ azurerm_eventhub.test-eventhub
id: <computed>
message_retention: "1"
name: "testeventhub-az-prod-tech"
namespace_name: "testeventns-az-prod-tech"
partition_count: "2"
partition_ids.#: <computed>
resource_group_name: "az-prod-zone-eventhub-test"

+ azurerm_eventhub_namespace.testeventns-az-prod-tech
id: <computed>
auto_inflate_enabled: "false"
capacity: "1"
default_primary_connection_string: <computed>
default_primary_key: <computed>
default_secondary_connection_string: <computed>
default_secondary_key: <computed>
location: "eastus"
maximum_throughput_units: <computed>
name: "testeventns-az-prod-tech"
resource_group_name: "az-prod-zone-eventhub-test"
sku: "Basic"
tags.%: "1"
tags.environment: "Test"

-/+ azurerm_resource_group.test (new resource required)
id: "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone" => <computed> (forces new resource)
location: "eastus" => "eastus"
name: "az-prod-zone" => "az-prod-zone-eventhub-test" (forces new resource)
tags.%: "0" => <computed>

Plan: 3 to add, 0 to change, 1 to destroy.

---

This plan was saved to: plans/plan.out

To perform exactly these actions, run the following command to apply:
terraform apply "plans/plan.out"

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform apply plans/plan.out
azurerm_resource_group.test: Destroying... (ID: /subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone)
azurerm_resource_group.test: Still destroying... (ID: /subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone, 10s elapsed)
azurerm_resource_group.test: Still destroying... (ID: /subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone, 20s elapsed)
^CInterrupt received.
Please wait for Terraform to exit or data loss may occur.
Gracefully shutting down...
stopping operation...

Error: Error applying plan:

1 error(s) occurred:

* azurerm_eventhub.test-eventhub: Resource 'azurerm_eventhub_namespace.testeventns-az-prod-tech' not found for variable 'azurerm_eventhub_namespace.testeventns-az-prod-tech.name'

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform plan -out plans/plan.out
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

azurerm_resource_group.test: Refreshing state... (ID: /subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone)

---

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:

+ create

Terraform will perform the following actions:

+ azurerm_eventhub.test-eventhub
id: <computed>
message_retention: "1"
name: "testeventhub-az-prod-tech"
namespace_name: "testeventns-az-prod-tech"
partition_count: "2"
partition_ids.#: <computed>
resource_group_name: "az-prod-zone"

+ azurerm_eventhub_namespace.testeventns-az-prod-tech
id: <computed>
auto_inflate_enabled: "false"
capacity: "1"
default_primary_connection_string: <computed>
default_primary_key: <computed>
default_secondary_connection_string: <computed>
default_secondary_key: <computed>
location: "eastus"
maximum_throughput_units: <computed>
name: "testeventns-az-prod-tech"
resource_group_name: "az-prod-zone"
sku: "Basic"
tags.%: "1"
tags.environment: "Test"

Plan: 2 to add, 0 to change, 0 to destroy.

---

This plan was saved to: plans/plan.out

To perform exactly these actions, run the following command to apply:
terraform apply "plans/plan.out"

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform apply plans/plan.out
azurerm_eventhub_namespace.testeventns-az-prod-tech: Creating...
auto_inflate_enabled: "" => "false"
capacity: "" => "1"
default_primary_connection_string: "<sensitive>" => "<sensitive>"
default_primary_key: "<sensitive>" => "<sensitive>"
default_secondary_connection_string: "<sensitive>" => "<sensitive>"
default_secondary_key: "<sensitive>" => "<sensitive>"
location: "" => "eastus"
maximum_throughput_units: "" => "<computed>"
name: "" => "testeventns-az-prod-tech"
resource_group_name: "" => "az-prod-zone"
sku: "" => "Basic"
tags.%: "" => "1"
tags.environment: "" => "Test"

Error: Error applying plan:

1 error(s) occurred:

- azurerm_eventhub_namespace.testeventns-az-prod-tech: 1 error(s) occurred:

- azurerm_eventhub_namespace.testeventns-az-prod-tech: eventhub.NamespacesClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="ResourceGroupBeingDeleted" Message="The Resource Group 'az-prod-zone' is in deprovisioning state and cannot perform this operation."

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform import
The import command expects two arguments.
Usage: terraform import [options] ADDR ID

Import existing infrastructure into your Terraform state.

This will find and import the specified resource into your Terraform
state, allowing existing infrastructure to come under Terraform
management without having to be initially created by Terraform.

The ADDR specified is the address to import the resource to. Please
see the documentation online for resource addresses. The ID is a
resource-specific ID to identify that resource being imported. Please
reference the documentation for the resource type you're importing to
determine the ID syntax to use. It typically matches directly to the ID
that the provider uses.

The current implementation of Terraform import can only import resources
into the state. It does not generate configuration. A future version of
Terraform will also generate configuration.

Because of this, prior to running terraform import it is necessary to write
a resource configuration block for the resource manually, to which the
imported object will be attached.

This command will not modify your infrastructure, but it will make
network requests to inspect parts of your infrastructure relevant to
the resource being imported.

Options:

-backup=path Path to backup the existing state file before
modifying. Defaults to the "-state-out" path with
".backup" extension. Set to "-" to disable backup.

-config=path Path to a directory of Terraform configuration files
to use to configure the provider. Defaults to pwd.
If no config files are present, they must be provided
via the input prompts or env vars.

-allow-missing-config Allow import when no resource configuration block exists.

-input=true Ask for input for variables if not directly set.

-lock=true Lock the state file when locking is supported.

-lock-timeout=0s Duration to retry a state lock.

-no-color If specified, output won't contain any color.

-provider=provider Specific provider to use for import. This is used for
specifying aliases, such as "aws.eu". Defaults to the
normal provider prefix of the resource being imported.

-state=PATH Path to the source state file. Defaults to the configured
backend, or "terraform.tfstate"

-state-out=PATH Path to the destination state file to write to. If this
isn't specified, the source state file will be used. This
can be a new or existing path.

-var 'foo=bar' Set a variable in the Terraform configuration. This
flag can be set multiple times. This is only useful
with the "-config" flag.

-var-file=foo Set variables in the Terraform configuration from
a file. If "terraform.tfvars" or any ".auto.tfvars"
files are present, they will be automatically loaded.
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ terraform a^C
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az re
redis relay reservations resource
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az re
redis relay reservations resource
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az re
redis relay reservations resource
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az resource --ghelp
az resource: error: the following arguments are required: _subcommand
usage: az resource [-h]
{create,delete,show,list,tag,move,invoke-action,update,lock,link}
...
[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az resource --help

Group
az resource : Manage Azure resources.

Subgroups:
link : Manage links between resources.
lock : Manage Azure resource level locks.

Commands:
create : Create a resource.
delete : Delete a resource.
invoke-action : Invoke an action on the resource.
list : List resources.
move : Moves resources from one Resource Group to another(can be under different
subscription).
show : Get the details of a resource.
tag : Tag a resource.
update : Update a resource.

[docker-for-desktop] ~/projects/terraform-test-azure (master)$ az resource list
[
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/AZPRODZONE/providers/Microsoft.Compute/disks/REMOTEACCESS-POC-Win10_OsDisk_1_abcdef01234567890abcdef012345",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Compute/virtualMachines/REMOTEACCESS-POC-Win10",
"name": "REMOTEACCESS-POC-Win10_OsDisk_1_abcdef01234567890abcdef012345",
"plan": null,
"properties": null,
"resourceGroup": "AZPRODZONE",
"sku": {
"capacity": null,
"family": null,
"model": null,
"name": "Premium_LRS",
"size": null,
"tier": "Premium"
},
"tags": null,
"type": "Microsoft.Compute/disks"
},
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Compute/virtualMachines/REMOTEACCESS-POC-Win10",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": null,
"name": "REMOTEACCESS-POC-Win10",
"plan": null,
"properties": null,
"resourceGroup": "az-prod-zone",
"sku": null,
"tags": null,
"type": "Microsoft.Compute/virtualMachines"
},
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Network/localNetworkGateways/LABGW",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": null,
"name": "LABGW",
"plan": null,
"properties": null,
"resourceGroup": "az-prod-zone",
"sku": null,
"tags": null,
"type": "Microsoft.Network/localNetworkGateways"
},
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Network/networkInterfaces/zpa-poc-win10318",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": null,
"name": "zpa-poc-win10318",
"plan": null,
"properties": null,
"resourceGroup": "az-prod-zone",
"sku": null,
"tags": null,
"type": "Microsoft.Network/networkInterfaces"
},
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Network/networkSecurityGroups/thycotic-ss-nsg",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": null,
"name": "thycotic-ss-nsg",
"plan": null,
"properties": null,
"resourceGroup": "az-prod-zone",
"sku": null,
"tags": null,
"type": "Microsoft.Network/networkSecurityGroups"
},
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Network/networkSecurityGroups/REMOTEACCESS-POC-Win10-nsg",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": null,
"name": "REMOTEACCESS-POC-Win10-nsg",
"plan": null,
"properties": null,
"resourceGroup": "az-prod-zone",
"sku": null,
"tags": null,
"type": "Microsoft.Network/networkSecurityGroups"
},
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Network/publicIPAddresses/LAB_GW",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": null,
"name": "LAB_GW",
"plan": null,
"properties": null,
"resourceGroup": "az-prod-zone",
"sku": {
"capacity": null,
"family": null,
"model": null,
"name": "Basic",
"size": null,
"tier": "Regional"
},
"tags": null,
"type": "Microsoft.Network/publicIPAddresses"
},
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Network/virtualNetworkGateways/LAB_GW",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": null,
"name": "LAB_GW",
"plan": null,
"properties": null,
"resourceGroup": "az-prod-zone",
"sku": null,
"tags": null,
"type": "Microsoft.Network/virtualNetworkGateways"
},
{
"id": "/subscriptions/12345-67890-5555-5555-5555/resourceGroups/az-prod-zone/providers/Microsoft.Network/virtualNetworks/az-prod-zone-vnet",
"identity": null,
"kind": null,
"location": "eastus",
"managedBy": null,
"name": "az-prod-zone-vnet",
"plan": null,
"properties": null,
"resourceGroup": "az-prod-zone",
"sku": null,
"tags": null,
"type": "Microsoft.Network/virtualNetworks"
}
]
[docker-for-desktop] ~/projects/terraform-test-azure (master)$