bug: provider produced inconsistent result after apply

[matt-FFFFFF]

Getting this error when creating a role assignment. It is possible that a retry had occurred but I cannot see why the updatedOn is of any use to the practitioner. Should we ignore it? @ms-henglu

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.alz.azapi_resource.policy_role_assignments["4eb5e902-cf89-5342-9592-d66dfcfaee49"], provider
│ "provider[\"registry.terraform.io/azure/azapi\"]" produced an unexpected new value: .output.properties.updatedOn: was
│ cty.StringVal("2024-11-13T22:45:31.1232261Z"), but now cty.StringVal("2024-11-14T10:21:59.6845579Z").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

This error also happens on a re-plan, once the resource has been created.

Resource config

resource "azapi_resource" "policy_role_assignments" {
  for_each = local.policy_role_assignments

  type = "Microsoft.Authorization/roleAssignments@2022-04-01"
  body = {
    properties = {
      principalId      = each.value.principal_id
      roleDefinitionId = each.value.role_definition_id
      description      = "Created by ALZ Terraform provider. Assignment required for Azure Policy."
      principalType    = "ServicePrincipal"
    }
  }
  name      = each.key
  parent_id = each.value.scope
  replace_triggers_external_values = [
    each.value.principal_id,
    each.value.role_definition_id,
  ]
  retry = {
    error_message_regex  = ["ResourceNotFound"]
  }

  timeouts {
    create = var.timeouts.policy_role_assignment.create
    delete = var.timeouts.policy_role_assignment.delete
    read   = var.timeouts.policy_role_assignment.read
    update = var.timeouts.policy_role_assignment.update
  }

  depends_on = [terraform_data.policy_role_assignments_dependencies]
}

Workaround

Adding output.properties.updatedOn to lifecycle ignore_changes seems to bypass the issue.

[ms-henglu]

Hi @matt-FFFFFF ,

Thank you for taking time to report this issue!

In v2.0.1, the azapi_resource exports readonly properties in output by default. In above case, the readonly properties include properties.updatedOn, and every update will change its value.

There're some workarounds:

1. Disable the default output feature, by disable_default_output = true, more details: https://registry.terraform.io/providers/Azure/azapi/latest/docs#disable_default_output-1
2. Use the response_export_values to specify the export values.

And would you please share more details about the plan changes when you encountered the "Error: Provider produced inconsistent result after apply".
I guess you added some configuration after the creation, for example, adding a "retry" or timeout configuration, and these configs didn't trigger the output to be computed again.

[matt-FFFFFF]

Upon further reflection, the error is triggered even once the configuration had been applied, therefore I think we can discount retry here.

Perhaps a solution is to exclude any temporal values from the state?