Drift detection " terraform plan --refresh-only --detailed-exitcode " exits with 2, even when there are no changes.

[stehubhex]

Terraform Version

Terraform v1.10.5
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v4.16.0

Terraform Configuration Files

# Resource Group
resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.location
  tags = {
    Environment = "Testing"
  }
}

# Storage Account
resource "azurerm_storage_account" "sa" {
  name                     = var.storage_account_name
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  tags = {
    Environment = "Testing"
  }
}

Debug Output

No changes. Your infrastructure still matches the configuration.

Terraform has checked that the real remote objects still match the result of your most recent changes, and found no differences.

Expected Behavior

The command terraform plan -refresh-only -detailed-exitcode should return 0 if the configuration was just deployed with terraform apply and there are no changes detected .

Actual Behavior

When running the command terraform plan -refresh-only -detailed-exitcode it returns "$LASTEXITCODE 2" even though it is ran right after terraform apply and there are no changes detected .

Steps to Reproduce

1. terraform init
2. terraform plan
3. terraform apply
4. terraform plan -refresh-only -detailed-exitcode
5. $LASTEXITCODE

Additional Context

When deploying a new configuration methodically and checking the drift on each step I see the following :

Deploying successfully the resource "azurerm_resource_group" "rg" and running terraform plan -refresh-only -detailed-exitcode -out=tfplan and then checking $LASTEXITCODE returns 0 as expected. Checking the plan with terraform show -json tfplan also confirms that there are no changes pending.

Continuing with the same actions for the next resource "azurerm_storage_account" "sa" , it is successfully deployed. Immediately after the terraform apply a terraform plan -refresh-only -detailed-exitcode -out=tfplan1 is triggered in the terminal. This results in "No changes." , but suddenly $LASTEXITCODE returns 2 . Reviewing the plan terraform show -json tfplan1 also does not indicate any changes.

This behavior is seen with other resources as well for example: resource "azurerm_service_plan" "sp" ; resource "azurerm_linux_function_app" "fn" ; and some more complicated resources other than a "azurerm_resource_group" .

The documentation clearly explains the expected behavior and results for the -detailed-exitcode option

References

• terraform plan -refresh-only -detailed-exitcode gives incorrect exit code 2 even if the console output says no changes detected #35117
• Drift detection feature request: terraform plan should execute Checks and exit with 0 if everything matches. #35226

Generative AI / LLM assisted development?

No response

[jbardin]

Hi @stehubhex,

The azurerm provider has many legacy resources which create a lot of incorrect drift in plans, and I wonder if there are actually changes which are just being suppressed in the CLI output for convenience. Can you show the json output from the generated plan?

Thanks!

[stehubhex]

Hello @jbardin , Thanks for your answer .

To confirm your question , I run the drift detection (terraform plan -refresh-only -detailed-exitcode) immediately after terraform apply , so there should not be any changes at all .

I can get you the Json output to view ... I just need some time to find and sanitize it . Please expect reply soon

[stehubhex]

Here is the file you requested ... It is json output of terraform plan -refresh-only -detailed-exitcode -out=plan

TFplanRFonly-rg-sa.json

[jbardin]

Thanks @stehubhex, the plan has "applyable": true for some reason, but I'm not seeing anything which should be triggering that.

I wonder if it's not the resources, but the outputs that are somehow triggering the applyable status. Could you check if this happens with v1.9 as well?

[stehubhex]

"but I'm not seeing anything which should be triggering that"

This is exactly what I am trying to convey .

"I wonder if it's not the resources, but the outputs that are somehow triggering the applyable status."

I tested it with and without outputs and it still has the same results . I will respond soon with the plan from the repeated test.
I will also test v1.9 and confirm .

[jbardin]

Thanks, the change from 1.9 was specifically around the outputs, but it can't hurt to check anyway just in case this is a new regression.

[stehubhex]

I have change the version.

Terraform v1.9.8
on windows_amd64
+ provider registry.terraform.io/hashicorp/azurerm v4.16.0

And redeployed the infrastructure with terraform apply . After a successful execution my next command was the below.

PS D:\temp\jan\TFTest> terraform plan -refresh-only -detailed-exitcode -out=plan
azurerm_resource_group.rg: Refreshing state... [...]
azurerm_storage_account.sa: Refreshing state... [...]

No changes. Your infrastructure still matches the configuration.

Terraform has checked that the real remote objects still match the result of your most recent changes, and found no differences.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 

Saved the plan to: plan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan"
PS D:\> $LASTEXITCODE
2

Here is the detailed refresh plan of "RG" and "SA" without outputs :

TFplanRFonly-rg-sa-no-output.json

You can see the same results are repeated.

Please advise or suggest different test you would need to see .

[jbardin]

Thanks @stehubhex, that is very helpful. I don't think there's any other tests to run, we will need to continue debugging this within Terraform.