azurerm_virtual_network_gateway - ExpressRoute unsupported SKU resize don't force re-creation

jhauray commented 1 year ago

Is there an existing issue for this?

[X] I have searched the existing issues

Community Note

Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.9

AzureRM Provider Version

3.39

Affected Resource(s)/Data Source(s)

azurerm_virtual_network_gateway

Terraform Configuration Files

data "azurerm_resource_group" "rg-transit" {
    name = "RG_TSK"
}

data "azurerm_virtual_network" "vn-transit"{
    name = "vn-poc-np-app"
    resource_group_name = data.azurerm_resource_group.rg-transit.name
}

data "azurerm_subnet" "gw-subnet"{
    name = "GatewaySubnet"
    resource_group_name = data.azurerm_resource_group.rg-transit.name
    virtual_network_name = data.azurerm_virtual_network.vn-transit.name
}

data "azurerm_public_ip" "pip-transit" {
    name = "pip_poc_vng"
    resource_group_name = data.azurerm_resource_group.rg-transit.name
}

resource "azurerm_virtual_network_gateway" "vng-transit" {
    name = "vng-express-route"
    location = data.azurerm_resource_group.rg-transit.location
    resource_group_name = data.azurerm_resource_group.rg-transit.name
    sku ="ErGw2AZ"
    type = "ExpressRoute"

    active_active = false
    vpn_type = "PolicyBased"

    ip_configuration {
    name                          = "default"
    public_ip_address_id          = data.azurerm_public_ip.pip-transit.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = data.azurerm_subnet.gw-subnet.id
  }
}

Debug Output/Panic Output

data.azurerm_resource_group.rg-transit: Reading...
data.azurerm_resource_group.rg-transit: Read complete after 0s [id=/subscriptions/b1f6a133-5efa-4d1e-b750-a104ec1c5798/resourceGroups/RG_TSK]
data.azurerm_public_ip.pip-transit: Reading...     
data.azurerm_virtual_network.vn-transit: Reading...
data.azurerm_public_ip.pip-transit: Read complete after 0s [id=/subscriptions/b1f6a133-5efa-4d1e-b750-a104ec1c5798/resourceGroups/RG_TSK/providers/Microsoft.Network/publicIPAddresses/pip_poc_vng]
data.azurerm_virtual_network.vn-transit: Read complete after 0s [id=/subscriptions/b1f6a133-5efa-4d1e-b750-a104ec1c5798/resourceGroups/RG_TSK/providers/Microsoft.Network/virtualNetworks/vn-poc-np-app]
data.azurerm_subnet.gw-subnet: Reading...
data.azurerm_subnet.gw-subnet: Read complete after 0s [id=/subscriptions/b1f6a133-5efa-4d1e-b750-a104ec1c5798/resourceGroups/RG_TSK/providers/Microsoft.Network/virtualNetworks/vn-poc-np-app/subnets/GatewaySubnet]
azurerm_virtual_network_gateway.vng-transit: Refreshing state... [id=/subscriptions/b1f6a133-5efa-4d1e-b750-a104ec1c5798/resourceGroups/RG_TSK/providers/Microsoft.Network/virtualNetworkGateways/vng-express-route]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_virtual_network_gateway.vng-transit will be updated in-place
  ~ resource "azurerm_virtual_network_gateway" "vng-transit" {
        id                         = "/subscriptions/b1f6a133-5efa-4d1e-b750-a104ec1c5798/resourceGroups/RG_TSK/providers/Microsoft.Network/virtualNetworkGateways/vng-express-route"
        name                       = "vng-express-route"
      ~ sku                        = "HighPerformance" -> "ErGw2AZ"
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_virtual_network_gateway.vng-transit: Modifying... [id=/subscriptions/b1f6a133-5efa-4d1e-b750-a104ec1c5798/resourceGroups/RG_TSK/providers/Microsoft.Network/virtualNetworkGateways/vng-express-route]
azurerm_virtual_network_gateway.vng-transit: Still modifying... [id=/subscriptions/b1f6a133-5efa-4d1e-b750-...lNetworkGateways/vng-express-route, 10s elapsed]
╷
│ Error: waiting for completion of Virtual Network Gateway: (Name "vng-express-route" / Resource Group "RG_TSK"): Code="InvalidGatewaySize" Message="Gateway resize for Gateway SKU ErGw2AZ is not supported." Details=[]
│
│   with azurerm_virtual_network_gateway.vng-transit,
│   on main.tf line 23, in resource "azurerm_virtual_network_gateway" "vng-transit":
│   23: resource "azurerm_virtual_network_gateway" "vng-transit" {
│

Expected Behaviour

azurerm Terraform provider should detect an unsupported sku resize, and force azurerm_virtual_network_gateway re-creation (detroy and creation).

Supported sku resizing are documented here : https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gwsku

Actual Behaviour

azurerm Terraform provider plan to do a simple update, which is not supported by Azure.

Apply fail with the following error :

│ Error: waiting for completion of Virtual Network Gateway: (Name "vng-express-route" / Resource Group "RG_TSK"): Code="InvalidGatewaySize" Message="Gateway resize for Gateway SKU ErGw2AZ is not supported." Details=[]

Steps to Reproduce

Create a resource group
create a virtual network
Create a gateway subnet named GatewaySubnet.
Create a public IP.
terraform plan
terraform apply
Notice the error.

Important Factoids

No response

References

No response

frederic-peraud commented 1 year ago

Hi, any update on this issue ?

leuthelt commented 6 months ago

Hi,

Any updates regarding the issue? Any plans to implement recreation of azurerm_virtual_network_gateway when unsupported change is happening (e.g. "Standard" to "ErGw1AZ")? Supported changes (https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-virtual-network-gateways#gwsku) were tested and working properly.

Supported SKU upgrades:
- "Standard" to "HighPerformance"
- "Standard" to "UltraPerformance"
- "HighPerformance" to "UltraPerformance"
- "ErGw1AZ" to "ErGw2AZ"
- "ErGw1AZ" to "ErGw3AZ"
- "ErGw2AZ" to "ErGw3AZ"
- "Default" to "Standard"
1. Supported SKU downgrades
  - "HighPerformance" to "Standard"
  - "ErGw2AZ" to "ErGw1AZ"

But all "unsupported" changes are a "update in-place", but will fail in the end. Like following example:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.blueprint_network_per_region["region1"].module.expressroute_gateway[0].azurerm_virtual_network_gateway.this will be updated in-place
  ~ resource "azurerm_virtual_network_gateway" "this" {
        id                                    = "/subscriptions/43874e1a-49c1-4f27-af83-fa322b0765f6/resourceGroups/RG-dev-Network-WEUR/providers/Microsoft.Network/virtualNetworkGateways/VGW-dev-Default-WEUR"
        name                                  = "VGW-dev-Default-WEUR"
      ~ sku                                   = "Standard" -> "ErGw1AZ"
        # (14 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Thanks, Thomas

hashicorp / terraform-provider-azurerm