bug:

[danie1blackmore]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

Please paste the output of terraform version command from within the initialized directory:

Terraform v1.9.7

Please enter the module version that you are using:

4.1.4

Description

When making future changes to the subscription, the changes are not applied. For example, if the subscription was previously placed in the contoso-management management, changing the subscription_management_group_id to contoso-connectivity and then running a terraform apply does not re-associate the subscription to the contoso-connectivity management group

Steps to Reproduce

1. Using the examples, provision a new subscription and populate the subscription_management_group_id
2. Run terraform apply
3. Change the subscription_management_group_id to another management group
4. Run terraform apply

Following this, the subscription should still be in the original management group

Screenshots

Additional context

No workaround found for changing management group ids - instead just a manual move.

[matt-FFFFFF]

Hi - this is strange as we use the management group association resource to manage this - what does your module input look like?

[danie1blackmore]

Hi,

It's pretty typical of some of the examples. While testing I'm just hard-coding, but variables would eventually be used. Just to note as well I wasn't able to copy and paste so just had to re-type the below. The original code works without errors so the inputs appear correct.

module lz_vending {
   source = "azure/lz-vending/azurerm"
   subscription_id = "subid"
   subscription_alias_enabled = false
   subscription_billing_scope = ""
   subscription_display_name = "test sub"
   subscription_alias_name = "test sub"
   subscription_workload = "production"
   subscription_management_group_id = "contoso-online"
}

At the moment, the subscription is currently under the "contoso-sandbox" management group id, and running a terraform plan doesnt detect it or apply doesn't change it.

[danie1blackmore]

Just to note as well, I tried to use the azurerm_management_group_subscription_association as outlined in the terraform documentation (using the data blocks as well) which did successfully associate to the correct management group using the exact same information as outlined above, so it looks like it's something within the lz_vending module rather than the azurerm module

data azurerm_management_group test {
   name = "contoso-online"
}

data azurerm_subscription test {
   subscription_id = "subid" 
}

resource azurerm_management_group_subscription_association test {
   management_group_id = data.azurerm_management_group.test.id
   subscription_id = data.azurerm_subscription.test.id
}