Drift detection " terraform plan --refresh-only --detailed-exitcode " exits with 2, even when there are no changes. #36403

stehubhex · 2025-01-28T18:35:40Z

Terraform Version

Terraform v1.10.5
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v4.16.0

Terraform Configuration Files

# Resource Group
resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.location
  tags = {
    Environment = "Testing"
  }
}

# Storage Account
resource "azurerm_storage_account" "sa" {
  name                     = var.storage_account_name
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  tags = {
    Environment = "Testing"
  }
}

Debug Output

No changes. Your infrastructure still matches the configuration.

Terraform has checked that the real remote objects still match the result of your most recent changes, and found no differences.

Expected Behavior

The command terraform plan -refresh-only -detailed-exitcode should return 0 if the configuration was just deployed with terraform apply and there are no changes detected .

Actual Behavior

When running the command terraform plan -refresh-only -detailed-exitcode it returns "$LASTEXITCODE 2" even though it is ran right after terraform apply and there are no changes detected .

Steps to Reproduce

terraform init
terraform plan
terraform apply
terraform plan -refresh-only -detailed-exitcode
$LASTEXITCODE

Additional Context

When deploying a new configuration methodically and checking the drift on each step I see the following :

Deploying successfully the resource "azurerm_resource_group" "rg" and running terraform plan -refresh-only -detailed-exitcode -out=tfplan and then checking $LASTEXITCODE returns 0 as expected. Checking the plan with terraform show -json tfplan also confirms that there are no changes pending.

Continuing with the same actions for the next resource "azurerm_storage_account" "sa" , it is successfully deployed. Immediately after the terraform apply a terraform plan -refresh-only -detailed-exitcode -out=tfplan1 is triggered in the terminal. This results in "No changes." , but suddenly $LASTEXITCODE returns 2 . Reviewing the plan terraform show -json tfplan1 also does not indicate any changes.

This behavior is seen with other resources as well for example: resource "azurerm_service_plan" "sp" ; resource "azurerm_linux_function_app" "fn" ; and some more complicated resources other than a "azurerm_resource_group" .

The documentation clearly explains the expected behavior and results for the -detailed-exitcode option

References

Generative AI / LLM assisted development?

No response

The text was updated successfully, but these errors were encountered:

jbardin · 2025-02-03T14:06:13Z

Hi @stehubhex,

The azurerm provider has many legacy resources which create a lot of incorrect drift in plans, and I wonder if there are actually changes which are just being suppressed in the CLI output for convenience. Can you show the json output from the generated plan?

Thanks!

stehubhex · 2025-02-03T16:25:20Z

Hello @jbardin , Thanks for your answer .

To confirm your question , I run the drift detection (terraform plan -refresh-only -detailed-exitcode) immediately after terraform apply , so there should not be any changes at all .

I can get you the Json output to view ... I just need some time to find and sanitize it . Please expect reply soon

stehubhex · 2025-02-03T17:38:11Z

Here is the file you requested ... It is json output of terraform plan -refresh-only -detailed-exitcode -out=plan

TFplanRFonly-rg-sa.json

jbardin · 2025-02-03T18:57:13Z

Thanks @stehubhex, the plan has "applyable": true for some reason, but I'm not seeing anything which should be triggering that.

I wonder if it's not the resources, but the outputs that are somehow triggering the applyable status. Could you check if this happens with v1.9 as well?

stehubhex · 2025-02-04T12:30:41Z

"but I'm not seeing anything which should be triggering that"

This is exactly what I am trying to convey .

"I wonder if it's not the resources, but the outputs that are somehow triggering the applyable status."

I tested it with and without outputs and it still has the same results . I will respond soon with the plan from the repeated test.
I will also test v1.9 and confirm .

jbardin · 2025-02-04T12:45:31Z

Thanks, the change from 1.9 was specifically around the outputs, but it can't hurt to check anyway just in case this is a new regression.

stehubhex · 2025-02-04T14:13:48Z

I have change the version.

Terraform v1.9.8
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v4.16.0

And redeployed the infrastructure with terraform apply . After a successful execution my next command was the below.

PS D:\temp\jan\TFTest> terraform plan -refresh-only -detailed-exitcode -out=plan
azurerm_resource_group.rg: Refreshing state... [...]
azurerm_storage_account.sa: Refreshing state... [...]

No changes. Your infrastructure still matches the configuration.

Terraform has checked that the real remote objects still match the result of your most recent changes, and found no differences.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 

Saved the plan to: plan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan"
PS D:\> $LASTEXITCODE
2

Here is the detailed refresh plan of "RG" and "SA" without outputs :

TFplanRFonly-rg-sa-no-output.json

You can see the same results are repeated.

Please advise or suggest different test you would need to see .

jbardin · 2025-02-04T14:39:49Z

Thanks @stehubhex, that is very helpful. I don't think there's any other tests to run, we will need to continue debugging this within Terraform.

stehubhex · 2025-02-04T15:31:49Z

Thanks you @jbardin ,
Please let me know when you find something.
Good luck!

github-actions · 2025-03-14T02:15:18Z

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

stehubhex added bug new new issue not yet triaged labels Jan 28, 2025

jbardin added waiting-response An issue/pull request is waiting for a response from the community waiting for reproduction unable to reproduce issue without further information labels Feb 3, 2025

jbardin removed the waiting-response An issue/pull request is waiting for a response from the community label Feb 3, 2025

jbardin added cli and removed new new issue not yet triaged waiting for reproduction unable to reproduce issue without further information labels Feb 4, 2025

jbardin self-assigned this Feb 10, 2025

jbardin mentioned this issue Feb 10, 2025

Serialize AttrSensitivePaths in a consistent order #36465

Merged

jbardin closed this as completed in #36465 Feb 11, 2025

github-actions bot locked as resolved and limited conversation to collaborators Mar 14, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Drift detection " terraform plan --refresh-only --detailed-exitcode " exits with 2, even when there are no changes. #36403

Drift detection " terraform plan --refresh-only --detailed-exitcode " exits with 2, even when there are no changes. #36403

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Drift detection " terraform plan --refresh-only --detailed-exitcode " exits with 2, even when there are no changes. #36403

Drift detection " terraform plan --refresh-only --detailed-exitcode " exits with 2, even when there are no changes. #36403

Comments

Terraform Version

Terraform Configuration Files

Debug Output

Expected Behavior

Actual Behavior

Steps to Reproduce

Additional Context

References

Generative AI / LLM assisted development?

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!