Terraform-provider-azurerm: Incorrect input generated for azurerm_recovery_services_protected_vm

Created on 2 Nov 2018  ·  7 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

The documentation was based on a draft version of the resource and is incorrect. As well, the field backup_policy_id should have been required. I have opened 2154 to fix it for the next release.

Yes, though in our testing yesterday we did supply the following configuration (after looking into the code) and ran into the same error code:

```hcl
resource "azurerm_recovery_services_protected_vm" "svc-rec-vm0" {
  resource_group_name = "${data.terraform_remote_state.bkp.out-bkp-rg-name}"
  recovery_vault_name = "${data.terraform_remote_state.bkp.out-bkp-rg-bkp014d}"
  source_vm_id        = "${azurerm_virtual_machine.svc-rg-vm0.id}"
  backup_policy_id    = "${data.terraform_remote_state.bkp.out-bkp-rg-bkp014d-pol[0]}"
}
```

This is a more complex configuration using remote state, but nevertheless it will run into the same error that @RobbieBinnie encountered.

Judging by the Azure JSON template parameters the following values should be needed:

recovery_vault_name = vaultName
resource_group_name = vaultRG
(vaultSubID)
policyName (calculated from backup_policy_id?)
(fabricName)
protectionContainers (which I suppose is a calculated value from source_vm_id or "sourceResourceIds"?)
"IaasVMContainer;iaasvmcontainerv2;(VM Resource Group);(VM Name)"
protectedItems (see above?)
"vm;iaasvmcontainerv2;(VM Resource Group);(VM Name)"
source_vm_id = sourceResourceIds

Note that in my configuration the VM is not in the same resource group as the backup vault, which may produce errors that may not have been apparent in testing if the VM and the backup vault are in the same resource group.

EDIT: We just ran a test building a VM in the same resource group, which works fine, but using a different resource group will fail with what I predicted:

```
* azurerm_recovery_services_protected_vm.svc-rec-vm1: Error creating/updating Recovery Service Protected VM "VM;iaasvmcontainerv2;"VaultRG";VMName" (Resource Group "VaultRG"): backup.ProtectedItemsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BMSUserErrorInvalidConfigureProtectionRequest" Message="Input for configure protection is not in proper format\r\nPlease ensure that container exists and other parameters are in valid format"
```

So the value provided to either "protectionContainers" or "protectedItems" or both is the wrong one.

_Originally posted by @AndreasMWalter in https://github.com/terraform-providers/terraform-provider-azurerm/issues/2143#issuecomment-432960306_
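An added example, not part of the original post and not the provider's own code: a Go sketch that derives the `protectionContainers` and `protectedItems` values from `source_vm_id`, so the VM's resource group is used rather than the vault's, and that flags an item name like the one in the error above. The name format is taken from the strings quoted in the post; the function names and sample IDs are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// parseVMID returns the resource group and name from a VM's ARM resource ID.
func parseVMID(id string) (rg, name string, err error) {
	p := strings.Split(strings.Trim(id, "/"), "/")
	if len(p) != 8 || !strings.EqualFold(p[2], "resourceGroups") || !strings.EqualFold(p[6], "virtualMachines") {
		return "", "", fmt.Errorf("not a virtual machine resource ID: %q", id)
	}
	return p[3], p[7], nil
}

// namesForVM builds the container and item names in the format quoted in the
// post, taking the resource group from source_vm_id (hypothetical helper).
func namesForVM(sourceVMID string) (container, item string, err error) {
	rg, name, err := parseVMID(sourceVMID)
	if err != nil {
		return "", "", err
	}
	suffix := "iaasvmcontainerv2;" + rg + ";" + name
	return "IaasVMContainer;" + suffix, "vm;" + suffix, nil
}

// checkItemName rejects a protected item name (as printed in the error
// message) that does not point at the VM's own resource group and name.
func checkItemName(itemName, sourceVMID string) error {
	_, want, err := namesForVM(sourceVMID)
	if err != nil {
		return err
	}
	if !strings.EqualFold(itemName, want) {
		return fmt.Errorf("item name %q does not match VM, want %q", itemName, want)
	}
	return nil
}

func main() {
	// Constructed sample: VM in "example-vm-rg", vault in "example-vault-rg".
	id := "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-vm-rg/providers/Microsoft.Compute/virtualMachines/example-vm"
	c, i, _ := namesForVM(id)
	fmt.Println(c, i)
	fmt.Println(checkItemName("VM;iaasvmcontainerv2;example-vault-rg;example-vm", id))
}
```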


All 7 comments

Originally I thought I was hitting #2207 but it turns out I'm hitting this issue. Also trying to protect a VM in a different RG than the vault.

```hcl
## Conditional backup
resource "azurerm_recovery_services_protected_vm" "enable_backup" {
  count               = "${var.bck_enable == "true" && var.vm_count > 0 ? var.vm_count : 0}"

  resource_group_name = "${var.rs-vault-rg_name}"
  recovery_vault_name = "${var.rs-vault_name}"
  source_vm_id        = "${element(azurerm_virtual_machine.vm.*.id,count.index)}"
  backup_policy_id    = "${var.rs-vault-policy_id}"
}
```

Output:

```
  • module.vm.azurerm_recovery_services_protected_vm.enable_backup: 1 error(s) occurred:

  • azurerm_recovery_services_protected_vm.enable_backup: Error creating/updating Recovery Service Protected VM "VM;iaasvmcontainerv2;vscsbx-recovery-services-rg;vscsbx-tst-vm-0" (Resource Group "vscsbx-recovery-services-rg"): backup.ProtectedItemsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BMSUserErrorInvalidInput" Message="Input provided for the call is invalid\r\nPlease check the required inputs"
```

Using my previous approach with an ARM template it all works fine:

```hcl
## Conditional backup // TODO convert to TF native code
resource "azurerm_template_deployment" "resources_to_backup" {
  count               = "${var.bck_enable == "true" && var.vm_count > 0 ? var.vm_count : 0}"
  name                = "${element(azurerm_virtual_machine.vm.*.name,count.index)}-bck"
  resource_group_name = "${var.rs-vault-rg_name}"
  template_body       = "${file("${path.module}/files/AzureRmRecoveryServicesBackupProtection_template.json")}"
  deployment_mode     = "Incremental"

  parameters = {
    protectedItemType         = "Microsoft.Compute/virtualMachines"
    resourcegroupname         = "${var.rs-vault-rg_name}"
    vaultName                 = "${var.rs-vault_name}"
    backuppolicyname          = "${var.rs-vault-policy_name}"
    location                  = "${local.rg_name}"
    resourcename              = "${element(azurerm_virtual_machine.vm.*.name,count.index)}"
    resourceresourcegroupname = "${element(azurerm_virtual_machine.vm.*.resource_group_name,count.index)}"
    resourceid                = "${element(azurerm_virtual_machine.vm.*.id,count.index)}"
  }
}
```

@geertn hitting the exact same issue. BTW, the documentation for this resource is incorrect because it says that location is required but this is not even a valid key for this resource.

Just did some additional testing of this with PowerShell and it works fine. When using PowerShell, the Resource Group it is looking for is the one where the VM lives. In Terraform, the Resource Group it is wanting is the Resource Group where the Vault is located but it seems to be using that to also locate the VM.

@geertn would you be willing to share your ARM template for creating the protected vm resource?

> @geertn would you be willing to share your ARM template for creating the protected vm resource?

Sure:
https://gist.github.com/geertn/6b1e186c6fffd4211d03a7a67847e0ca

Hi @AndreasMWalter, @geertn & @Phydeauxman

Sorry that you have all been running into this, our tests all only used one resource group.

I've taken a look and opened #2287 that will hopefully fix this for v1.19 🙂

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
