azurerm_private_endpoint sees constant drift unless subnet_id case is an exact match with Azure API

[simonmcc]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.3.4

AzureRM Provider Version

3.29.1

Affected Resource(s)/Data Source(s)

azurerm_private_endpoint

Terraform Configuration Files

resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "usgovvirginia"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  address_space = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "example" {
  name                 = "CASEPRESERVED"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name

  address_prefixes = ["10.0.1.0/24"]

  private_endpoint_network_policies_enabled = false
  private_link_service_network_policies_enabled = false

  service_endpoints = ["Microsoft.Storage"]
}

data "azurerm_subnet" "lookup" {
  #name                 = "CASEPRESERVED"
  name                 = "CaSePrEsErVeD"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name

  depends_on = [
    azurerm_subnet.example
  ]
}

resource "azurerm_storage_account" "main" {
  name                     = "terratest1234"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_kind             = "BlobStorage"
  account_tier             = "Standard"
  access_tier              = "Cool"
  account_replication_type = "LRS"
}

resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  # subnet_id           = azurerm_subnet.example.id
  subnet_id           = data.azurerm_subnet.lookup.id

  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = azurerm_storage_account.main.id
    subresource_names              = ["Blob"]
    is_manual_connection           = false
  }
}

Debug Output/Panic Output

az network vnet subnet show --resource-group example-rg --vnet-name example-network --name CASEPRESERVED --query id
"/subscriptions/XXXXX/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-network/subnets/CASEPRESERVED"
az network vnet subnet show --resource-group example-rg --vnet-name example-network --name CaSePrEsErVeD --query id
"/subscriptions/XXXXX/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-network/subnets/CASEPRESERVED"

az network private-endpoint show --name example-endpoint --resource-group example-rg --query subnet.id
"/subscriptions/XXXXX/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-network/subnets/CASEPRESERVED"

Expected Behaviour

because the azurerm_subnet data resource returns the casing from the search & not the result, and the subnet_id passed into the azurerm_private_endpoint is normalised either by Terraform or Azure, we're stuck in permanent drift.

No changes. Your infrastructure matches the configuration.

Actual Behaviour

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurerm_private_endpoint.example must be replaced
-/+ resource "azurerm_private_endpoint" "example" {
      ~ custom_dns_configs       = [
          - {
              - fqdn         = "terratest1234.blob.core.usgovcloudapi.net"
              - ip_addresses = [
                  - "10.0.1.4",
                ]
            },
        ] -> (known after apply)
      ~ id                       = "/subscriptions/XXXXX/resourceGroups/example-rg/providers/Microsoft.Network/privateEndpoints/example-endpoint" -> (known after apply)
        name                     = "example-endpoint"
      ~ network_interface        = [
          - {
              - id   = "/subscriptions/XXXXX/resourceGroups/example-rg/providers/Microsoft.Network/networkInterfaces/example-endpoint.nic.cde0a0d8-6342-4e36-9c0c-5258508ae4c7"
              - name = "example-endpoint.nic.cde0a0d8-6342-4e36-9c0c-5258508ae4c7"
            },
        ] -> (known after apply)
      ~ private_dns_zone_configs = [] -> (known after apply)
      ~ subnet_id                = "/subscriptions/XXXXX/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-network/subnets/CASEPRESERVED" -> "/subscriptions/XXXXX/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-network/subnets/CaSePrEsErVeD" # forces replacement
      - tags                     = {} -> null
        # (2 unchanged attributes hidden)

      ~ private_service_connection {
            name                           = "example-privateserviceconnection"
          ~ private_ip_address             = "10.0.1.4" -> (known after apply)
            # (3 unchanged attributes hidden)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Steps to Reproduce

1. terraform apply
2. terraform apply

Important Factoids

No response

References

related to https://github.com/hashicorp/terraform-provider-azurerm/issues/19148

[guidooliveira]

I'm facing the exact same issue