hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Azure API case-insensitivity and terraform-provider-azurerm #20138

Open twexler opened 1 year ago

twexler commented 1 year ago

Terraform Version

1.3.0

AzureRM Provider Version

3.39.1

Affected Resource(s)/Data Source(s)

azurerm_resource_group, azurerm_network_security_group

Terraform Configuration Files

resource "azurerm_resource_group" "my-cool-resource-group" {
  name     = "hello-world"
  location = "West US 2"
}

Debug Output/Panic Output

N/A

Expected Behaviour

terraform-provider-azurerm should produce a clean plan when the Azure API returns case-insensitive resource names

Actual Behaviour

terraform-provider-azurerm produces plans that attempt to revert casing to the defined casing in the terraform manifest

Steps to Reproduce

  1. terraform apply an azurerm resource with a name
  2. Azure changes something in their API, or the Azure API upcases the name of the resource without warning
  3. terraform plan will produce a plan that attempts to revert casing to the manifest's casing

Important Factoids

No response

References

Azure themselves (after opening a support case in hopes that they'd realize this is a bug and not a feature) insist that their API will never honor casing and users of their API should not expect casing to be consistent for certain values returned by their API.

twexler commented 1 year ago

Example plan:

module.cluster.module.sec_groups.azurerm_network_security_group.my_cool_security_group: Refreshing state... [id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Network/networkSecurityGroups/my-cool-security-group]
module.cluster.module.sec_groups.azurerm_network_security_rule.outbound: Refreshing state... [id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Network/networkSecurityGroups/my-cool-security-group/securityRules/my-cool-security-group-outbound]
Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # module.cluster.module.sec_groups.azurerm_network_security_group.my_cool_security_group has changed
  ~ resource "azurerm_network_security_group" "my_cool_security_group" {
        id                  = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Network/networkSecurityGroups/my-cool-security-group"
      ~ name                = "my-cool-security-group" -> "MY-COOL-SECURITY-GROUP"
        # (3 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

  # module.cluster.module.sec_groups.azurerm_network_security_rule.outbound must be replaced
-/+ resource "azurerm_network_security_rule" "outbound" {
      - destination_address_prefixes               = [] -> null
      - destination_application_security_group_ids = [] -> null
      - destination_port_ranges                    = [] -> null
      ~ id                                         = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Network/networkSecurityGroups/my-cool-security-group/securityRules/my-cool-security-group-outbound" -> (known after apply)
        name                                       = "my-cool-security-group-outbound"
      ~ network_security_group_name                = "my-cool-security-group" -> "MY-COOL-SECURITY-GROUP" # Forces replacement
      - source_address_prefixes                    = [] -> null
      - source_port_ranges                         = [] -> null
        # (9 unchanged attributes hidden)
    }

  Plan: 1 to add, 0 to change, 1 to destroy.

gogonaft commented 9 months ago

Opened a similar case here: https://github.com/hashicorp/terraform-provider-azurerm/issues/24893

msapitree commented 6 months ago

Is there any update/progress on this?

@tombuildsstuff will this change to hashicorp/go-azure-sdk mentioned here resolve the situation per se or is this a prerequisite? Is this change being tracked elsewhere?

Also, if I get it right, there are two workarounds mentioned: the first being to ignore_changes on the subject value (which is imho unacceptable), the second being to match the casing returned for this field, which is supposed to handle it at a specific place in the provider's code base.

Summary: no fix possible in user tf code at the moment.
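
A pre-apply check for the case-only replacement shown in the example plan, added here as an illustration (it is not from the issue thread or the provider's code). It reads the `resource_changes`, `before`, `after` and `replace_paths` fields of `terraform show -json` plan output; the sample plan and the `inbound` rule in it are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample in `terraform show -json <planfile>` shape; "inbound" is a hypothetical rule.
const samplePlan = `{"resource_changes":[
 {"address":"azurerm_network_security_rule.outbound","change":{"replace_paths":[["network_security_group_name"]],
  "before":{"network_security_group_name":"my-cool-security-group"},"after":{"network_security_group_name":"MY-COOL-SECURITY-GROUP"}}},
 {"address":"azurerm_network_security_rule.inbound","change":{"replace_paths":[["name"]],"before":{"name":"old"},"after":{"name":"new"}}}]}`

type plan struct {
	ResourceChanges []struct {
		Address string
		Change  struct {
			Before, After map[string]interface{}
			ReplacePaths  [][]interface{} `json:"replace_paths"`
		}
	} `json:"resource_changes"`
}

// caseOnlyReplacements lists each replace-forcing attribute whose old and new values differ only in case.
func caseOnlyReplacements(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	var out []string
	for _, rc := range p.ResourceChanges {
		for _, path := range rc.Change.ReplacePaths {
			if len(path) != 1 {
				continue // nested attribute paths are not handled in this example
			}
			key, _ := path[0].(string)
			before, _ := rc.Change.Before[key].(string)
			after, _ := rc.Change.After[key].(string)
			if before != after && strings.EqualFold(before, after) {
				out = append(out, rc.Address+"."+key)
			}
		}
	}
	return out, nil
}

func main() {
	fmt.Println(caseOnlyReplacements([]byte(samplePlan)))
}
```

A hit on an `azurerm_network_security_rule` means the plan would destroy and recreate a security rule although only the casing of its parent group's name changed.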