hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_network_security_rule destroy not working #11521

Open skalragg opened 3 years ago

skalragg commented 3 years ago

Description

azurerm_network_security_rule can successfully add or update an existing rule... If I remove a resource azurerm_network_security_rule ... Terraform tells me it's destroyed; however, it is still an active rule on Azure (both CLI and Portal).

azurerm_network_security_rule.nsg-outbound-rule-200: Destroying...
azurerm_network_security_rule.nsg-outbound-rule-200: Still destroying...
azurerm_network_security_rule.nsg-outbound-rule-200: Destruction complete after 11s

Affected Resource(s)

azurerm_network_security_rule

Terraform (and AzureRM Provider) Version

Terraform v0.14.10
azurerm v2.56.0

Terraform Configuration Files

resource "azurerm_network_security_group" "nsg-innovation-private-endpoint-poc-eastus2-001" {
  name                = "nsg-innovation-private-endpoint-poc-eastus2-001"
  location            = azurerm_resource_group.rg-innovation-poc-002-tf.location
  resource_group_name = azurerm_resource_group.rg-innovation-poc-002-tf.name  
}

resource "azurerm_network_security_rule" "nsg-outbound-rule-100" {
  name                        = "OutboundAccessToAppService"
  priority                    = 100
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "VirtualNetwork"
  destination_address_prefix  = "AppService"
  resource_group_name         = azurerm_resource_group.rg-innovation-poc-002-tf.name
  network_security_group_name = azurerm_network_security_group.nsg-innovation-private-endpoint-poc-eastus2-001.name
}

resource "azurerm_network_security_rule" "nsg-outbound-rule-200" {
  name                        = "OutboundAccessToAppService200"
  priority                    = 200
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "444"
  destination_port_range      = "*"
  source_address_prefix       = "VirtualNetwork"
  destination_address_prefix  = "AppService"
  resource_group_name         = azurerm_resource_group.rg-innovation-poc-002-tf.name
  network_security_group_name = azurerm_network_security_group.nsg-innovation-private-endpoint-poc-eastus2-001.name
}

Expected Behaviour

Deleting/removing an existing azurerm_network_security_rule removes the resource from Azure and the terraform status update reflects this. When the NSG is checked via the Azure portal / CLI, the rule should no longer be present.

Actual Behaviour

Deleting/removing an existing azurerm_network_security_rule appears to work based on the terraform status update. It does not actually destroy/remove the NSG rule from the NSG in Azure.

When removing the azurerm_network_security_rule, I generally delete the config from main.tf or comment out the specific resource.

Workaround

terraform destroy -target azurerm_network_security_rule.nsg-outbound-rule-200

This will actually delete the resource as expected.
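A post-destroy reconciliation check, added here as an example; it is not code from the issue, from skalragg, or from the azurerm provider. It reads two JSON documents, one shaped like `terraform show -json` output and one like `az network nsg rule list -o json` output (the field names are an assumption about those commands' formats), and reports rules that Azure still serves but Terraform no longer tracks, which is exactly the condition behind the "Destruction complete" message in this issue. It also includes a poll-until-gone helper so a pipeline can refuse to proceed until the rule has really disappeared instead of trusting the provider's status line. Both inputs below are constructed samples based on the configuration in this issue.

```python
"""Reconcile Terraform's view of NSG rules with what Azure actually serves.

Added example; not code from the issue or from the azurerm provider.
Inputs are constructed JSON documents shaped like the output of
`terraform show -json` and `az network nsg rule list -o json`
(the field names are an assumption about those commands' output formats).
"""
import json
import time
from typing import Callable, Iterator, Set

# Constructed sample: state after removing nsg-outbound-rule-200 from main.tf
# and applying. Only rule 100 remains in state.
TF_STATE_JSON = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {"address": "azurerm_network_security_rule.nsg-outbound-rule-100",
         "type": "azurerm_network_security_rule",
         "values": {"name": "OutboundAccessToAppService", "priority": 100,
                    "network_security_group_name": "nsg-innovation-private-endpoint-poc-eastus2-001"}},
        {"address": "azurerm_network_security_group.nsg-innovation-private-endpoint-poc-eastus2-001",
         "type": "azurerm_network_security_group",
         "values": {"name": "nsg-innovation-private-endpoint-poc-eastus2-001"}},
    ]}},
})

# Constructed sample: what Azure still reports for the NSG afterwards.
# Rule 200 is still present even though Terraform said "Destruction complete".
AZ_RULES_JSON = json.dumps([
    {"name": "OutboundAccessToAppService", "priority": 100, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "sourcePortRange": "*"},
    {"name": "OutboundAccessToAppService200", "priority": 200, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "sourcePortRange": "444"},
])


def _walk_modules(module: dict) -> Iterator[dict]:
    """Yield every resource in a `terraform show -json` module tree (root and children)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def rules_in_state(state_json: str, nsg_name: str) -> Set[str]:
    """Names of azurerm_network_security_rule resources Terraform tracks for one NSG."""
    state = json.loads(state_json)
    root = state.get("values", {}).get("root_module", {})
    return {
        res["values"]["name"]
        for res in _walk_modules(root)
        if res.get("type") == "azurerm_network_security_rule"
        and res["values"].get("network_security_group_name") == nsg_name
    }


def rules_in_azure(az_json: str) -> Set[str]:
    """Names of the rules Azure currently serves for the NSG."""
    return {rule["name"] for rule in json.loads(az_json)}


def orphaned_rules(state_json: str, az_json: str, nsg_name: str) -> Set[str]:
    """Rules live in Azure but absent from state: they still filter traffic yet
    are no longer managed, which is the failure mode reported in this issue."""
    return rules_in_azure(az_json) - rules_in_state(state_json, nsg_name)


def wait_until_rule_gone(fetch: Callable[[], Set[str]], rule_name: str,
                         timeout_s: float = 300.0, interval_s: float = 10.0,
                         sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll `fetch()` (for example a wrapper around `az network nsg rule list`)
    until `rule_name` is absent or the timeout elapses. Returns True only if
    the rule disappeared; use this instead of trusting "Destruction complete"."""
    deadline = time.monotonic() + timeout_s
    while True:
        if rule_name not in fetch():
            return True
        if time.monotonic() >= deadline:
            return False
        sleep(interval_s)


if __name__ == "__main__":
    nsg = "nsg-innovation-private-endpoint-poc-eastus2-001"
    leftovers = orphaned_rules(TF_STATE_JSON, AZ_RULES_JSON, nsg)
    for name in sorted(leftovers):
        print(f"DRIFT: rule {name!r} exists in Azure but not in Terraform state")
    raise SystemExit(1 if leftovers else 0)
```

In a pipeline you would replace the two constants with the real command output (`terraform show -json` and `az network nsg rule list -g <rg> --nsg-name <nsg> -o json`) and fail the job on a non-empty result; the drift set is computed as a set difference on rule names, so a rule renamed outside Terraform shows up as drift too.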

favoretti commented 3 years ago

I have noticed in the past that NSG portal reconciliation can sometimes take up to several minutes. If you wait a bit after destroy has completed, say, 5 minutes - is the rule still there?

nitmatgeo commented 3 years ago

I face this issue. Any update? Background: I created 8 NSG rules via Terraform and destroyed 6. When the code was running at 90% I saw the 6 get destroyed in the portal, but after completion of the execution, when I hit refresh in the portal, I still see 8 rules. And due to this behavior, it appears as if the 6 rules were created outside the state file.

Let me refresh portal after 5 minutes and update below- Update01: Even after 5 minutes no difference; this is a bug in Azure API/Terraform. Please inspect and do the needful.

PS: No point waiting for 5 minutes because in a real scenario, when rules are being overwritten with updated values, we cannot delay Terraform execution by a few minutes.

Update02: Can someone from Terraform help to check with Microsoft Azure? Looks like even via the portal I am unable to delete the NSG rules in bulk.

@favoretti Any update please?

Pesticles commented 1 year ago

Over a year later and this still hasn't been addressed?

jhirvioja commented 1 year ago

Can confirm that I tried to destroy rules today via Terraform, got "Destruction complete" in logs and they weren't destroyed. They were still in the portal after hours and I had to manually delete them.

harshavmb commented 8 months ago

Hi @jhirvioja ,

Do you still face this issue with latest azurerm provider? I couldn't replicate the issue at my end.

Having looked at the code, recent versions use the 2023-06-01 SDK version, which uses the PollUntilDone function to poll until the resource is deleted.

If this is still happening with latest provider versions, please share verbose logs.

jhirvioja commented 8 months ago

@harshavmb at least in the codebase where I worked the version has been version = ">= 3.26.0" since June 9th (original comment was on June 27th)

Can't really confirm at this time whether destroying works or not as intended, probably fixed.

Thanks 👍