Troubleshooting Terraform: Addressing Hangs During Infrastructure Planning with AzureRM Backend

Rafael Medeiros
Apr 3, 2024

The Problem

Last time I was working with Terraform, I realized it got stuck when planning for the development environment.

Here I used terragrunt plan, which calls Terraform behind the scenes. This is the main problem: I cancelled after 5 minutes, but if I had left it there, it could easily have stayed like that for an hour:

I initially thought the fix could be as simple as restarting VS Code, so I did that. I also tried updating Terraform and Terragrunt to the latest available versions, but nothing changed: same issue.

The Investigation

I started with cleaning up any sort of credentials or cache files that Terraform left in the last run:

The .terraform folder has important files such as the providers' executables and the .tfstate of your infrastructure.

One thing I tested was to plan using different .tfstate files, since the one I used could be corrupted.

Same thing. In fact, all of them were behaving the same way.

Last test: I wanted to use a different service principal, one that authenticates to another environment. When I tried the Terraform SP that is used for the UAT environment, it worked! The same was true for the Staging and Production environments. So the problem was not in my CLI or my internet connection; it was the credential being used. That makes sense, since during the plan phase it always got stuck at the following message:

It doesn’t help much and could be more descriptive, I agree. It seems Terraform was trying to create a credential to authenticate to Azure, but something was strange about this service principal. Let’s see what I found.

The Solution

With the investigation done, I went to the portal, searched for the service principal I was using and then I found the issue right in the overview page:

That makes total sense! How does Terraform authenticate and plan the infrastructure with expired credentials?

To fix that, we simply go to Certificates & secrets and hit the “New Client Secret” button:

We choose a name and the expiry date. You have multiple choices for the expiry, so make sure to choose the one that fits best for you:

After that, the new secret is available to you. It can be viewed only once, so make sure to save it before you reload the page!

Here I’m using Terragrunt, and I store all the secrets and sensitive values as environment variables, so I updated the “TF_VAR_AZURE_CLIENT_SECRET” variable:

When I reran tg plan, it worked, and it took less than 2 minutes, even with lots of calculation involved:

Conclusion

If you see your Terraform getting stuck when planning or applying, always check your credentials to ensure you are properly authenticated to use the cloud’s API.

Happy Terraforming!

Rafael Medeiros

DevOps Engineer | 3x Azure | CKA | Terraform Fanatic | Another IT Professional willing to help the community