Azure / terraform-azurerm-avm-ptn-hubnetworking

Azure Verified Module for the Multi-hub networking pattern
https://registry.terraform.io/modules/Azure/avm-ptn-hubnetworking
MIT License

bug: hub_virtual_networks vnet getting recreated on policy assignment change #82

Closed sdeguchi closed 1 month ago

sdeguchi commented 1 month ago

Is there an existing issue for this?

Greenfield/Brownfield provisioning

brownfield

Terraform Version

1.9.7

Module Version

0.1.0

AzureRM Provider Version

3.116.0

Affected Resource(s)/Data Source(s)

azapi_resource.vnet

Terraform Configuration Files

inputs.yaml file for SLZ accelerator:
---
# Basic Inputs
iac: "terraform"
bootstrap: "alz_local"
starter: "microsoft_cloud_for_sovereignty"

# Shared Interface Inputs
bootstrap_location: "westus2"
starter_location: "westus2"
root_parent_management_group_id: ""
subscription_id_management: "<...>"
subscription_id_identity: "<...>"
subscription_id_connectivity: "<...>"

# Bootstrap Inputs
target_directory: ""
create_bootstrap_resources_in_azure: "false"
bootstrap_subscription_id: ""
service_name: "slz"
environment_name: "mgmt"
postfix_number: "3"
apply_alz_archetypes_via_architecture_definition_template: "true"

# Starter Module Specific Variables
default_location: "westus2"
allowed_locations: ["westus2", "westus"]
allowed_locations_for_confidential_computing: ["eastus", "eastus2"]
default_prefix: "slz"
default_postfix: "sd3"
subscription_billing_scope: ""
automation_account_name: ""
private_dns_resource_group_id: ""
deploy_bastion: "true"
ddos_protection_resource_id: ""
log_analytics_workspace_retention_in_days: "365"
use_premium_firewall: "true"
deploy_ddos_protection: "true"
ms_defender_for_cloud_email_security_contact: "security_contact@replaceme.com"
policy_assignment_enforcement_mode: "Default"
landing_zone_management_group_children: {}
deploy_log_analytics_workspace: "true"
policy_exemptions: {}
policy_effect: "Audit"
hub_network_address_prefix: "10.20.0.0/16"
deploy_hub_network: "true"
customer_policy_sets: {}
customer: "Other Value"
enable_firewall: "true"
architecture_definition_override_path: ""
log_analytics_workspace_id: ""
az_firewall_policies_enabled: "true"
tags: {}

# Advanced Inputs
bootstrap_module_version: "latest"
starter_module_version: "latest"

tfvars variables values

shared internally

Debug Output/Panic Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # module.firewall_policy[0].data.azurerm_client_config.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_client_config" "telemetry" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.firewall_policy[0].data.modtm_module_source.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "modtm_module_source" "telemetry" {
      + module_path    = ".terraform/modules/firewall_policy"
      + module_source  = (known after apply)
      + module_version = (known after apply)
    }

  # module.firewall_policy[0].modtm_telemetry.telemetry[0] will be updated in-place
  ~ resource "modtm_telemetry" "telemetry" {
      + ephemeral_number = (known after apply)
        id               = "f98512ea-a096-4d42-952a-ba2d1cd8466c"
      + nonce            = (known after apply)
      ~ tags             = {
          ~ "module_source"   = "registry.terraform.io/Azure/avm-res-network-firewallpolicy/azurerm" -> (known after apply)
          ~ "module_version"  = "0.2.3" -> (known after apply)
            "random_id"       = "082f5520-95cf-4403-bbea-58b1f006dd1c"
          ~ "subscription_id" = "87402bc2-99d0-458c-a0c5-087ff4d66154" -> (known after apply)
          ~ "tenant_id"       = "7ee5fd88-0678-40e2-8af3-2b3c606a90ed" -> (known after apply)
        }
    }

  # module.hub_rg.data.azurerm_client_config.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_client_config" "telemetry" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.hub_rg.data.azurerm_subscription.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_subscription" "current" {
      + display_name          = (known after apply)
      + id                    = (known after apply)
      + location_placement_id = (known after apply)
      + quota_id              = (known after apply)
      + spending_limit        = (known after apply)
      + state                 = (known after apply)
      + subscription_id       = (known after apply)
      + tags                  = (known after apply)
      + tenant_id             = (known after apply)
    }

  # module.hub_rg.data.modtm_module_source.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "modtm_module_source" "telemetry" {
      + module_path    = ".terraform/modules/hub_rg"
      + module_source  = (known after apply)
      + module_version = (known after apply)
    }

  # module.hub_rg.modtm_telemetry.telemetry[0] will be updated in-place
  ~ resource "modtm_telemetry" "telemetry" {
      + ephemeral_number = (known after apply)
        id               = "a10a41d9-29eb-4516-a718-a256e2058b3c"
      + nonce            = (known after apply)
      ~ tags             = {
          ~ "module_source"   = "registry.terraform.io/Azure/avm-res-resources-resourcegroup/azurerm" -> (known after apply)
          ~ "module_version"  = "0.1.0" -> (known after apply)
            "random_id"       = "d36aefd5-250f-daa3-605f-1e5544c9505d"
          ~ "subscription_id" = "87402bc2-99d0-458c-a0c5-087ff4d66154" -> (known after apply)
          ~ "tenant_id"       = "7ee5fd88-0678-40e2-8af3-2b3c606a90ed" -> (known after apply)
        }
    }

  # module.hubnetworks[0].data.azurerm_client_config.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_client_config" "telemetry" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.hubnetworks[0].data.modtm_module_source.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "modtm_module_source" "telemetry" {
      + module_path    = ".terraform/modules/hubnetworks"
      + module_source  = (known after apply)
      + module_version = (known after apply)
    }

  # module.hubnetworks[0].modtm_telemetry.telemetry[0] will be updated in-place
  ~ resource "modtm_telemetry" "telemetry" {
      + ephemeral_number = (known after apply)
        id               = "a7aaa1a4-0731-4633-a459-842b3690ee58"
      + nonce            = (known after apply)
      ~ tags             = {
          ~ "module_source"   = "registry.terraform.io/Azure/avm-ptn-hubnetworking/azurerm" -> (known after apply)
          ~ "module_version"  = "0.1.0" -> (known after apply)
            "random_id"       = "26c5c629-087d-19c3-90db-3410c41dc536"
          ~ "subscription_id" = "87402bc2-99d0-458c-a0c5-087ff4d66154" -> (known after apply)
          ~ "tenant_id"       = "7ee5fd88-0678-40e2-8af3-2b3c606a90ed" -> (known after apply)
        }
    }

  # module.private_dns_zones[0].data.azurerm_resource_group.this[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_resource_group" "this" {
      + id         = (known after apply)
      + location   = (known after apply)
      + managed_by = (known after apply)
      + name       = "slz-rg-hub-network-westus2sd3"
      + tags       = (known after apply)
    }

  # module.slz_management_groups.azapi_resource.policy_assignments["slz-landingzones-confidential-corpsd3/Enforce-Sovereign-Conf"] will be updated in-place
  ~ resource "azapi_resource" "policy_assignments" {
      ~ body                             = {
          ~ properties = {
              ~ parameters            = {
                  ~ effect                    = {
                      ~ value = "Audit" -> "Deny"
                    }
                    # (3 unchanged attributes hidden)
                }
                # (9 unchanged attributes hidden)
            }
        }
        id                               = "/providers/Microsoft.Management/managementGroups/slz-landingzones-confidential-corpsd3/providers/Microsoft.Authorization/policyAssignments/Enforce-Sovereign-Conf"
        name                             = "Enforce-Sovereign-Conf"
      ~ output                           = {} -> (known after apply)
        # (8 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.slz_management_groups.azapi_resource.policy_assignments["slz-landingzones-confidential-onlinesd3/Enforce-Sovereign-Conf"] will be updated in-place
  ~ resource "azapi_resource" "policy_assignments" {
      ~ body                             = {
          ~ properties = {
              ~ parameters            = {
                  ~ effect                    = {
                      ~ value = "Audit" -> "Deny"
                    }
                    # (3 unchanged attributes hidden)
                }
                # (9 unchanged attributes hidden)
            }
        }
        id                               = "/providers/Microsoft.Management/managementGroups/slz-landingzones-confidential-onlinesd3/providers/Microsoft.Authorization/policyAssignments/Enforce-Sovereign-Conf"
        name                             = "Enforce-Sovereign-Conf"
      ~ output                           = {} -> (known after apply)
        # (8 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.slz_management_groups.azapi_resource.policy_assignments["slzsd3/Enforce-Sovereign-Global"] will be updated in-place
  ~ resource "azapi_resource" "policy_assignments" {
      ~ body                             = {
          ~ properties = {
              ~ parameters            = {
                  ~ effect                 = {
                      ~ value = "Audit" -> "Deny"
                    }
                    # (1 unchanged attribute hidden)
                }
                # (9 unchanged attributes hidden)
            }
        }
        id                               = "/providers/Microsoft.Management/managementGroups/slzsd3/providers/Microsoft.Authorization/policyAssignments/Enforce-Sovereign-Global"
        name                             = "Enforce-Sovereign-Global"
      ~ output                           = {} -> (known after apply)
        # (8 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.hubnetworks[0].module.hub_firewalls["hub"].data.azurerm_client_config.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_client_config" "telemetry" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.hubnetworks[0].module.hub_firewalls["hub"].data.modtm_module_source.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "modtm_module_source" "telemetry" {
      + module_path    = ".terraform/modules/hubnetworks.hub_firewalls"
      + module_source  = (known after apply)
      + module_version = (known after apply)
    }

  # module.hubnetworks[0].module.hub_firewalls["hub"].modtm_telemetry.telemetry[0] will be updated in-place
  ~ resource "modtm_telemetry" "telemetry" {
      + ephemeral_number = (known after apply)
        id               = "2ac4d8cd-88ee-49a2-a305-6c055a4f0a37"
      + nonce            = (known after apply)
      ~ tags             = {
          ~ "module_source"   = "registry.terraform.io/Azure/avm-res-network-azurefirewall/azurerm" -> (known after apply)
          ~ "module_version"  = "0.2.2" -> (known after apply)
            "random_id"       = "04449c41-71c9-ad51-50f8-d087871a6f95"
          ~ "subscription_id" = "87402bc2-99d0-458c-a0c5-087ff4d66154" -> (known after apply)
          ~ "tenant_id"       = "7ee5fd88-0678-40e2-8af3-2b3c606a90ed" -> (known after apply)
        }
    }

  # module.hubnetworks[0].module.hub_routing["hub"].data.azurerm_client_config.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_client_config" "telemetry" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.hubnetworks[0].module.hub_routing["hub"].data.modtm_module_source.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "modtm_module_source" "telemetry" {
      + module_path    = ".terraform/modules/hubnetworks.hub_routing"
      + module_source  = (known after apply)
      + module_version = (known after apply)
    }

  # module.hubnetworks[0].module.hub_routing["hub"].modtm_telemetry.telemetry[0] will be updated in-place
  ~ resource "modtm_telemetry" "telemetry" {
      + ephemeral_number = (known after apply)
        id               = "7a36160f-7d27-403c-a74b-fbe198bfe5ab"
      + nonce            = (known after apply)
      ~ tags             = {
          ~ "module_source"   = "registry.terraform.io/Azure/avm-res-network-routetable/azurerm" -> (known after apply)
          ~ "module_version"  = "0.2.2" -> (known after apply)
            "random_id"       = "ae50d748-ccd7-c91a-3890-fb85f2829d93"
          ~ "subscription_id" = "87402bc2-99d0-458c-a0c5-087ff4d66154" -> (known after apply)
          ~ "tenant_id"       = "7ee5fd88-0678-40e2-8af3-2b3c606a90ed" -> (known after apply)
        }
    }

  # module.hubnetworks[0].module.hub_virtual_networks["hub"].data.azurerm_client_config.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_client_config" "telemetry" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.hubnetworks[0].module.hub_virtual_networks["hub"].data.azurerm_client_config.this will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_client_config" "this" {
      + client_id       = (known after apply)
      + id              = (known after apply)
      + object_id       = (known after apply)
      + subscription_id = (known after apply)
      + tenant_id       = (known after apply)
    }

  # module.hubnetworks[0].module.hub_virtual_networks["hub"].data.modtm_module_source.telemetry[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "modtm_module_source" "telemetry" {
      + module_path    = ".terraform/modules/hubnetworks.hub_virtual_networks"
      + module_source  = (known after apply)
      + module_version = (known after apply)
    }

  # module.hubnetworks[0].module.hub_virtual_networks["hub"].azapi_resource.vnet must be replaced
-/+ resource "azapi_resource" "vnet" {
      ~ id                        = "/subscriptions/87402bc2-99d0-458c-a0c5-087ff4d66154/resourceGroups/slz-rg-hub-network-westus2sd3/providers/Microsoft.Network/virtualNetworks/slz-hub-westus2sd3" -> (known after apply)
        name                      = "slz-hub-westus2sd3"
      ~ output                    = {} -> (known after apply)
      ~ parent_id                 = "/subscriptions/87402bc2-99d0-458c-a0c5-087ff4d66154/resourceGroups/slz-rg-hub-network-westus2sd3" -> (known after apply) # forces replacement
        tags                      = {}
        # (6 unchanged attributes hidden)
    }

  # module.hubnetworks[0].module.hub_virtual_networks["hub"].modtm_telemetry.telemetry[0] will be updated in-place
  ~ resource "modtm_telemetry" "telemetry" {
      + ephemeral_number = (known after apply)
        id               = "3de4edba-9b6f-497c-ba51-1d023f501556"
      + nonce            = (known after apply)
      ~ tags             = {
          ~ "module_source"   = "registry.terraform.io/Azure/avm-res-network-virtualnetwork/azurerm" -> (known after apply)
          ~ "module_version"  = "0.4.0" -> (known after apply)
            "random_id"       = "5ed10e1f-365f-9c88-67b7-59be19516b83"
          ~ "subscription_id" = "87402bc2-99d0-458c-a0c5-087ff4d66154" -> (known after apply)
          ~ "tenant_id"       = "7ee5fd88-0678-40e2-8af3-2b3c606a90ed" -> (known after apply)
        }
    }

Plan: 1 to add, 9 to change, 1 to destroy.

Expected Behaviour

Changes in telemetry and tags in hubnetworks, hubnetworks resource group, and firewall policy do not cause the vnet to get recreated.

Actual Behaviour

Changes in telemetry and tags in hubnetworks, hubnetworks resource group, and firewall policy cause vnet to be recreated.

Steps to Reproduce

  1. Deploy-Accelerator with provided inputs file
  2. terraform init
  3. terraform apply
  4. update "policy_effect" variable to "Deny" in terraform.tfvars.json
  5. terraform apply

Important Factoids

No response

References

No response
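
The plan above shows the hub VNet going to `-/+` only because `parent_id` changes from a concrete resource-group ID to `(known after apply) # forces replacement`, while every other change is an in-place telemetry or policy-parameter update. The following plan gate is an added example, not code from this module or from the SLZ accelerator: it reads the JSON that `terraform show -json plan.tfplan` emits, flags any replacement of a resource type listed in `CRITICAL_TYPES`, and reports which force-replacement attributes are merely unknown at plan time rather than actually changed. `CRITICAL_TYPES`, the function names, and the embedded sample plan (hand-built to mirror the `azapi_resource.vnet` entry in the report) are assumptions for illustration; the JSON field names (`resource_changes`, `change.actions`, `change.after_unknown`, `change.replace_paths`) are Terraform's own.

```python
"""Plan gate: refuse to auto-apply a Terraform plan that replaces a critical
resource, and say when the replacement is driven by an attribute that is only
"(known after apply)" rather than genuinely changed.

Added example for the issue above; not code from terraform-azurerm-avm-ptn-hubnetworking
or the SLZ accelerator. Input is the JSON from `terraform show -json plan.tfplan`.
"""
import json
import sys

# Assumption: resource types whose destroy/create is operationally dangerous.
# These are the types that appear in the reported plan; extend for your estate.
CRITICAL_TYPES = {
    "azapi_resource",
    "azurerm_virtual_network",
    "azurerm_firewall",
    "azurerm_route_table",
}

# Constructed sample of `terraform show -json` output: one real in-place update
# and the VNet forced to replace because parent_id becomes unknown until apply.
# Unknown attributes are absent from "after" and marked True in "after_unknown".
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": 'module.slz_management_groups.azapi_resource.policy_assignments["slzsd3/Enforce-Sovereign-Global"]',
            "type": "azapi_resource",
            "change": {
                "actions": ["update"],
                "before": {"name": "Enforce-Sovereign-Global"},
                "after": {"name": "Enforce-Sovereign-Global"},
                "after_unknown": {"output": True},
            },
        },
        {
            "address": 'module.hubnetworks[0].module.hub_virtual_networks["hub"].azapi_resource.vnet',
            "type": "azapi_resource",
            "change": {
                "actions": ["delete", "create"],
                "before": {"name": "slz-hub-westus2sd3",
                           "parent_id": "/subscriptions/<...>/resourceGroups/slz-rg-hub-network-westus2sd3"},
                "after": {"name": "slz-hub-westus2sd3"},
                "after_unknown": {"id": True, "output": True, "parent_id": True},
                "replace_paths": [["parent_id"]],
            },
        },
    ],
})


def is_replacement(actions):
    """Terraform encodes -/+ and +/- as a create+delete pair in either order."""
    return sorted(actions) == ["create", "delete"]


def _path_is_unknown(after_unknown, path):
    """Walk a replace_paths entry (e.g. ["parent_id"] or ["body", "properties"])
    through after_unknown; True anywhere on the way means the subtree is unknown."""
    node = after_unknown
    for step in path:
        if node is True:
            return True
        if isinstance(node, dict) and step in node:
            node = node[step]
        elif isinstance(node, list) and isinstance(step, int) and 0 <= step < len(node):
            node = node[step]
        else:
            return False
    return node is True


def find_risky_replacements(plan_json):
    """Return one finding per replaced critical resource, noting which of the
    forcing attributes are unknown at plan time (the signature in this issue)."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") not in CRITICAL_TYPES or not is_replacement(change.get("actions", [])):
            continue
        paths = change.get("replace_paths", [])
        unknown = change.get("after_unknown", {})
        findings.append({
            "address": rc["address"],
            "type": rc["type"],
            "forced_by": [".".join(map(str, p)) for p in paths],
            "unknown_triggers": [".".join(map(str, p)) for p in paths if _path_is_unknown(unknown, p)],
        })
    return findings


def gate(plan_json):
    """(ok, messages): ok is False when any critical resource would be replaced."""
    findings = find_risky_replacements(plan_json)
    messages = []
    for f in findings:
        msg = f"BLOCK replacement of {f['address']} (forced by: {', '.join(f['forced_by']) or '?'})"
        if f["unknown_triggers"]:
            msg += f"; trigger only '(known after apply)': {', '.join(f['unknown_triggers'])}"
        messages.append(msg)
    return (not findings), messages


if __name__ == "__main__":
    ok, messages = gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON)
    print("\n".join(messages) or "plan contains no critical replacements")
    sys.exit(0 if ok else 1)
```

Run it between steps 4 and 5 of the reproduction (`terraform plan -out=plan.tfplan && terraform show -json plan.tfplan | python3 plan_gate.py`) and the pipeline stops with a non-zero exit instead of tearing down the hub VNet; with no stdin it evaluates the embedded sample and reports the `parent_id` trigger. The gate does not diagnose why `parent_id` is unknown, it only refuses to apply a plan in which a hub network is scheduled for destroy-and-create, which is the decision a human should be making on a brownfield estate.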

microsoft-github-policy-service[bot] commented 1 month ago

[!WARNING] Tagging the AVM Core Team (@Azure/avm-core-team-technical-terraform) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

[!TIP]

  • To prevent further actions from taking effect, the "Status: Response Overdue 🚩" label must be removed once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" label must be removed as part of the triage process (when the issue is first responded to)!