v1.16 ERROR:ServerFaultCode: NoPermission #966

Closed
Bandyman opened this issue Feb 4, 2020 · 19 comments

@Bandyman
Contributor
Bandyman commented Feb 4, 2020

Hi,
We ran into an issue this morning with not being able to create any new nodes on our vSphere.
Not a lot of useful output, with the only error showing when applying a plan being
Error: ServerFaultCode: NoPermission

Setting the output to trace revealed a little more, getting the following output during the plan stage.

4261 Error: ServerFaultCode: NoPermission
4262 2020-02-04T12:45:39.115Z [DEBUG] plugin: plugin process exited: path=/build/terraform/terraform-windows-vm/projects/.terraform/plugins/linux_amd64/terraform-provider-vsphere_v1.16.0_x4 pid=202
4263 Error: ServerFaultCode: NoPermission
4264 2020-02-04T12:45:39.115Z [DEBUG] plugin: plugin exited
4265 Error: ServerFaultCode: NoPermission
4266 Error: ServerFaultCode: NoPermission
4267 Error: ServerFaultCode: NoPermission
4268 Error: ServerFaultCode: NoPermission
4269 Error: ServerFaultCode: NoPermission
4270 Error: ServerFaultCode: NoPermission
4271 Error: ServerFaultCode: NoPermission
4272 Error: ServerFaultCode: NoPermission
4273 2020-02-04T12:45:39.116Z [DEBUG] plugin: plugin process exited: path=/builds/terraform/terraform-windows-vm/projects/.terraform/plugins/linux_amd64/terraform-provider-vsphere_v1.16.0_x4 pid=189
4274 2020-02-04T12:45:39.116Z [DEBUG] plugin: plugin exited
4275 Error: ServerFaultCode: NoPermission
4276 ERROR: Job failed: exit code 1

Terraform Version: 0.12.18
vSphere Provider Version : 1.16.0

Our account, according to IT, has full admin privileges on vSphere; reverting back to vsphere plugin version 1.15.0 and hard locking to that version fixed it for us.

Let me know if you need more information and I'll try and help
Thanks,
Tristan

@f4nha
f4nha commented Feb 4, 2020

Same here,
Failed on 1.16 works fine on 1.14 and 1.15

Error: disk.0: validation failed (ServerFaultCode: NoPermission)

  on machines.tf line 11, in resource "vsphere_virtual_machine" "tftest":
  11: resource "vsphere_virtual_machine" "tftest" {

Thanks

@JosephHobbs

Seeing the same issue here as well...

@8uachaille
8uachaille commented Feb 4, 2020

We are experiencing the same issue with v1.16 - Please see our error in context of DEBUG log

2020-02-04T15:15:37.988Z [DEBUG] plugin.terraform-provider-vsphere_v1.16.0_x4: 2020/02/04 15:15:37 [DEBUG] VM “/“path/to/our/template/ISO found for UUID "4201b507-7907-3b1a-55d3-cdef9f4264cd"
2020-02-04T15:15:38.007Z [DEBUG] plugin.terraform-provider-vsphere_v1.16.0_x4: 2020/02/04 15:15:38 [DEBUG] queryAssociatedProfile: Retrieving storage policy of server object of type [virtualDiskId] and key [vm-1092382:2000].
2020/02/04 15:15:38 [ERROR] root: eval: *terraform.EvalDiff, err: disk.0: validation failed (ServerFaultCode: NoPermission)
2020/02/04 15:15:38 [ERROR] root: eval: *terraform.EvalSequence, err: disk.0: validation failed (ServerFaultCode: NoPermission)
2020/02/04 15:15:38 [TRACE] [walkPlan] Exiting eval tree: vsphere_virtual_machine.vm
2020/02/04 15:15:38 [TRACE] dag/walk: upstream errored, not walking "meta.count-boundary (count boundary fixup)"
2020/02/04 15:15:38 [TRACE] dag/walk: upstream errored, not walking "provisioner.local-exec (close)"
2020/02/04 15:15:38 [TRACE] dag/walk: upstream errored, not walking "provisioner.remote-exec (close)"
2020/02/04 15:15:38 [TRACE] dag/walk: upstream errored, not walking "provider.vsphere (close)"
2020/02/04 15:15:38 [TRACE] dag/walk: upstream errored, not walking "provisioner.file (close)"
2020/02/04 15:15:38 [TRACE] dag/walk: upstream errored, not walking "root"
2020/02/04 15:15:38 [DEBUG] plugin: waiting for all plugin processes to complete...
2020-02-04T15:15:38.225Z [DEBUG] plugin.terraform: remote-exec-provisioner (internal) 2020/02/04 15:15:38 [ERR] plugin: plugin server: accept unix /tmp/plugin930112039: use of closed network connection
2020-02-04T15:15:38.225Z [DEBUG] plugin.terraform: remote-exec-provisioner (internal) 2020/02/04 15:15:38 [DEBUG] plugin: waiting for all plugin processes to complete...
2020-02-04T15:15:38.225Z [DEBUG] plugin: plugin process exited: path=/home/terraform/bin/terraform

@arsiesys
arsiesys commented Feb 4, 2020

Hello,

Same issue here.

After debugging, it's related to the following change:
12e2fc9

Could we know which access/role name is missing to be able to fix it? :p
Thanks!

@aareet aareet added the bug Type: Bug label Feb 4, 2020
@aareet
Member
aareet commented Feb 4, 2020

Thank you for filing this issue - we're investigating the problem

@bill-rich
Contributor

I'm working on tracking down the potential causes of this issue. There are a few data points I could use that would help make sure I cover all the cases.

  1. What vCenter/vSphere version are you using?
  2. Does the user Terraform is running as have "Profile-driven storage" permissions at the vCenter level?

Thanks, and I'll provide updates shortly.

@arsiesys
arsiesys commented Feb 4, 2020

Hello @bill-rich,

We are running vCenter 6.5.

The user running Terraform had some specific RW access on resource pools/datastores and was running fine in 1.15. Also, the user had a global read-only access on the vCenter.
However, it seems that the global read-only access does not cover the profile-driven storage.
With the complementary access "profile-driven storage view", it works!

I guess it could be good to document (or catch the error and print a detailed output) it as we will not be the only ones to get impacted :p.

@vkmellon
vkmellon commented Feb 5, 2020

The same we have: err: disk.0: validation failed (ServerFaultCode: NoPermission)

@kavson
kavson commented Feb 5, 2020

Also just started getting this error:

Error: Error running plan: 2 errors occurred:
* module.rhel.vsphere_virtual_machine.vm: 1 error occurred:
* module.rhel.vsphere_virtual_machine.vm: disk.0: validation failed (ServerFaultCode: NoPermission)

* module.rhel.vsphere_virtual_machine.vm: 1 error occurred:
* module.rhel.vsphere_virtual_machine.vm: disk.0: validation failed (ServerFaultCode: NoPermission)

@8uachaille

Previously:

We were experiencing the above (v1.16 ERROR:ServerFaultCode: NoPermission #966) error

We were running Terraform v0.11.11 with v1.16 vsphere provider against vCenter 6.7 / ESXi 6.5

We got the following error: err: disk.0: validation failed (ServerFaultCode: NoPermission)

Now:

I tried to work around this problem, but I still get the following error running terraform plan:

 upgraded Terraform to v0.12.20 
 ran terraform 0.12upgrade
 Allocated Profile-driven storage (view) privilege to Terraform-related user role

 Error: disk.0: validation failed (ServerFaultCode: NoPermission)

   on config.tf line 32, in resource "vsphere_virtual_machine" "vm":
   32: resource "vsphere_virtual_machine" "vm" {

   [terraform@nohost ]$ /var/tmp/terraform --version
   Terraform v0.12.20
   + provider.vsphere v1.16.0
   [terraform@nohost ]$

I would like to have a working approach for vCenter 6.7 if possible

It would also help to know how to select a specific vSphere provider version say v1.15.0

I tried the following stanza which seemed to agree with the provider documentation at
https://github.com/terraform-providers/terraform-provider-vsphere

provider "vsphere" {
  version              = "~> 1.15"
  user                 = "not"
  password             = "working"
  vsphere_server       = "server"
  allow_unverified_ssl = true
}

However, my terraform run continues to use 1.16.0

[terraform@nohost]$ /var/tmp/terraform init
Initializing the backend...
Initializing provider plugins...

  • Checking for available provider plugins...
  • Downloading plugin for provider "vsphere" (hashicorp/vsphere) 1.16.0...

I looked for a state file to determine whether I needed to purge that but there isn't one in the pwd after the terraform plan nor is there one anywhere else on the host

@jgrancell

> It would also help to know how to select a specific vSphere provider version say v1.15.0
>
> I tried the following stanza which seemed to agree with the provider documentation at
> https://github.com/terraform-providers/terraform-provider-vsphere
>
> provider "vsphere" {
>   version              = "~> 1.15"
>   user                 = "not"
>   password             = "working"
>   vsphere_server       = "server"
>   allow_unverified_ssl = true
> }

You need to specify the version string correctly:

provider "vsphere" {
  version = "< 1.16.0"
  ...
}

The key being the < symbol which means you want a version less than 1.16.0. By using ~> you're specifying you want a release equal to or greater than 1.15, but below 2.0.
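
The constraint behaviour described in the comment above, as an added example that is not part of the original thread and not Terraform's own resolver. The function names are hypothetical, the version list is constructed from releases named in this thread, and a single-component `~>` bound is deliberately rejected.

```python
import operator
import re

# Constructed list: provider releases named in the thread at the time of the report.
AVAILABLE = ["1.14.0", "1.15.0", "1.16.0"]

OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge}
CLAUSE = re.compile(r"\s*(~>|>=|<=|=|<|>)?\s*([0-9.]+)\s*")


def parse_version(text):
    """Turn '1.16.0' into a tuple of ints: (1, 16, 0)."""
    return tuple(int(part) for part in text.strip().split("."))


def pad(version, length=3):
    """Right-pad with zeros so (1, 15) compares as (1, 15, 0)."""
    return version + (0,) * (length - len(version))


def allows(constraint, version_text):
    """True if version_text satisfies every comma-separated clause."""
    version = pad(parse_version(version_text))
    for clause in constraint.split(","):
        match = CLAUSE.fullmatch(clause)
        if match is None:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op = match.group(1) or "="
        bound = parse_version(match.group(2))
        if op == "~>":
            if len(bound) < 2:
                raise ValueError("this sketch needs at least MAJOR.MINOR for ~>")
            # Only the rightmost given component may grow:
            # "~> 1.15" is >= 1.15.0, < 2.0.0; "~> 1.15.0" is >= 1.15.0, < 1.16.0
            upper = bound[:-2] + (bound[-2] + 1,)
            ok = pad(bound) <= version < pad(upper)
        else:
            ok = OPS[op](version, pad(bound))
        if not ok:
            return False
    return True


def select(constraint, available):
    """Newest available version that satisfies the constraint, or None."""
    matching = [v for v in available if allows(constraint, v)]
    return max(matching, key=lambda v: pad(parse_version(v)), default=None)
```

With the list above, `"~> 1.15"` resolves to 1.16.0, while `"< 1.16.0"`, `"~> 1.15.0"` and `"= 1.15.0"` all resolve to 1.15.0.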

@8uachaille

That worked - thanks for your help Josh

@bill-rich
Contributor

Thanks for testing that @arsiesys!

For everyone still experiencing this issue, it looks like it is due to new permissions being required for the addition of SPBM support in v1.16.0. Please check that the user Terraform is running as has "Profile-driven storage" permissions at the vCenter.

I will get the changelog updated with notes about the additional permissions.

@8uachaille

Still fails with v0.12.20 and v1.16.1

$ egrep -i 'terraform|1.16' terraform.log | head
2020/02/19 09:24:00 [INFO] Terraform version: 0.12.20
...
2020/02/19 09:24:00 [DEBUG] fetching provider location from "https://registry.terraform.io/v1/providers/hashicorp/vsphere/1.16.1/download/linux/amd64"
[terraform@terraform ece02.vh.iot.ed.ac.uk]$

Error:
WARNING:
There was an error performing post-clone changes to virtual machine "/MY Datacenter/vm/YY/ Servers/my.f.q.d.n":
error processing disk changes post-clone: disk.0: ServerFaultCode: NoPermission: RESOURCE (vm-1215521:2000), ACTION (queryAssociatedProfile): RESOURCE (vm-1215521), ACTION (PolicyIDByVirtualDisk)
Additionally, there was an error removing the cloned virtual machine:
error destroying virtual machine: ServerFaultCode: Permission to perform this operation was denied.

The virtual machine may still exist in Terraform state. If it does, the
resource will need to be tainted before trying again. For more information on
how to do this, see the following page:
https://www.terraform.io/docs/commands/taint.html

If the virtual machine does not exist in state, manually delete it to try again.

on config.tf line 35, in resource "vsphere_virtual_machine" "vm":
35: resource "vsphere_virtual_machine" "vm" {
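
A triage sketch for the two error shapes seen in this thread, added here as an example and not part of the thread or the provider's code. It pulls the denied action out of a `NoPermission` fault, falling back to the provider's last logged call when the fault names none. The sample lines are constructed on the pattern of the logs above, and the single privilege hint comes only from what this thread reports as the fix.

```python
import re

# Hint taken from this thread only (the denied call and the privilege that
# resolved it); it is not a complete vSphere privilege mapping.
PRIVILEGE_HINTS = {"queryAssociatedProfile": "Profile-driven storage view"}

PAIR = re.compile(r"RESOURCE \(([^)]+)\), ACTION \((\w+)\)")
PROVIDER_CALL = re.compile(r"terraform-provider-vsphere\S*: .*\[DEBUG\] (\w+): ")

# Constructed sample lines modelled on the log excerpts in this thread.
SAMPLE = [
    '2020-02-04T15:15:38.007Z [DEBUG] plugin.terraform-provider-vsphere_v1.16.0_x4: '
    '2020/02/04 15:15:38 [DEBUG] queryAssociatedProfile: Retrieving storage policy '
    'of server object of type [virtualDiskId] and key [vm-1000:2000].',
    '2020/02/04 15:15:38 [ERROR] root: eval: *terraform.EvalDiff, err: disk.0: '
    'validation failed (ServerFaultCode: NoPermission)',
    '2020/02/04 15:15:38 [ERROR] root: eval: *terraform.EvalSequence, err: disk.0: '
    'validation failed (ServerFaultCode: NoPermission)',
    'error processing disk changes post-clone: disk.0: ServerFaultCode: NoPermission: '
    'RESOURCE (vm-1000:2000), ACTION (queryAssociatedProfile): '
    'RESOURCE (vm-1000), ACTION (PolicyIDByVirtualDisk)',
]


def triage(lines):
    """Return unique (action, resource, hint) tuples for NoPermission faults."""
    findings, last_call = [], None
    for line in lines:
        call = PROVIDER_CALL.search(line)
        if call:
            last_call = call.group(1)  # remember the provider's latest logged call
        if "ServerFaultCode: NoPermission" not in line:
            continue
        pairs = PAIR.findall(line)
        if pairs:
            # v1.16.1-style message: the fault names the resource and action
            items = [(action, resource) for resource, action in pairs]
        else:
            # v1.16.0-style message: fall back to the call logged just before
            items = [(last_call, None)]
        for action, resource in items:
            entry = (action, resource, PRIVILEGE_HINTS.get(action))
            if entry not in findings:
                findings.append(entry)
    return findings
```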

@aareet
Member
aareet commented Feb 19, 2020

@glenfiddich have you ensured this - Please check that the user Terraform is running as has "Profile-driven storage" permissions at the vCenter.?

@stevenklar

Upgrading to 1.16.1 and providing the mentioned permissions "Profile-driven storage" fixed it for us.

@Ekallatum

Plugin version 1.16.2.

It seems that it is necessary to set the "Profile-driven storage" policy at the root group of the vCenter server.

Fixed for us.

@aareet
Member
aareet commented Mar 11, 2020

Closing this issue - please create a new issue if this recurs in current or future versions of the provider.

@aareet aareet closed this as completed Mar 11, 2020
@ghost
ghost commented Apr 18, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 18, 2020