azurerm_api_management transition from None to Internal network type produces no effect

arkiaconsulting commented 1 year ago

Is there an existing issue for this?

[X] I have searched the existing issues

Community Note

Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.0

AzureRM Provider Version

3.75.0

Affected Resource(s)/Data Source(s)

azurerm_api_management

Terraform Configuration Files

Let's assume that we have an APIM already, which is not integrated (virtualNetworkType = None). When modifying the terraform configuration in order to get a integrated APIM, by using the following:

resource "azurerm_api_management" "main" {
  ............

  public_ip_address_id = azurerm_public_ip.apim.id
  virtual_network_type = "Internal"
  virtual_network_configuration {
    subnet_id = azurerm_subnet.apim.id
  }
}

When running apply with resource targeting, terraform detects the changes but when effectively applying them, it runs to the end straight away, and the APIM resource does not change (even its status does not transition to Updating).

Debug Output/Panic Output

Plan result:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_api_management.main will be updated in-place
  ~ resource "azurerm_api_management" "main" {
        id                            = "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.ApiManagement/service/<redacted>"
        name                          = "<redacted>"
      + public_ip_address_id          = "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Network/publicIPAddresses/<redacted>"
      ~ virtual_network_type          = "None" -> "Internal"
        # (19 unchanged attributes hidden)

      + virtual_network_configuration {
          + subnet_id = "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Network/virtualNetworks/<redacted>/subnets/<redacted>"
        }

        # (8 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Apply result:

.....

Apply complete! Resources: 0 added, 0 changed, 0 destroyed

Expected Behaviour

...

Apply complete! Resources: 0 added, 1 changed, 0 destroyed

and the APIM resource should go to the Updating status, and after a while, it should have migrated to network Internal.

Actual Behaviour

The APIM resource is not updated.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

arkiaconsulting commented 1 year ago

Might be related: I oberserved the same behaviour when I change the identity type from SystemAssigned to UserAssigned.

# azurerm_api_management.main will be updated in-place
  ~ resource "azurerm_api_management" "main" {
        id                            = "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.ApiManagement/service/<redacted>"
        name                          = "<redacted>"
        # (21 unchanged attributes hidden)

      ~ identity {
          ~ identity_ids = [] -> (known after apply)
          ~ type         = "SystemAssigned" -> "UserAssigned"
            # (2 unchanged attributes hidden)
        }

        # (8 unchanged blocks hidden)
    }

The changes are planned, but apply does not produce any changes

arkiaconsulting commented 1 year ago

Might be related: I oberserved the same behaviour when I change the identity type from SystemAssigned to UserAssigned.

# azurerm_api_management.main will be updated in-place
  ~ resource "azurerm_api_management" "main" {
        id                            = "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.ApiManagement/service/<redacted>"
        name                          = "<redacted>"
        # (21 unchanged attributes hidden)

      ~ identity {
          ~ identity_ids = [] -> (known after apply)
          ~ type         = "SystemAssigned" -> "UserAssigned"
            # (2 unchanged attributes hidden)
        }

        # (8 unchanged blocks hidden)
    }

The changes are planned, but apply does not produce any changes

I found out that the resource is effectively updated while not in resource targeting mode. The issue might be in the terraform scope instead of the provider scope.

sinbai commented 1 year ago

Hi @arkiaconsulting thanks for opening this issue. Is it possible that the virtual_network_type was updated by other clients before Terraform updated it?

arkiaconsulting commented 1 year ago

Hi @sinbai. I'm the only one operating on this resource, and no other scripts exist. Furthermore, I retried the steps several times to make sure of the issue.

sinbai commented 1 year ago

Thanks for the updates @arkiaconsulting , except for resource azurerm_api_management, do other terraform resources have the same behavior?

arkiaconsulting commented 1 year ago

@sinbai I never experienced this behavior on any azurerm resource. This is not blocking as it works correctly when not in resource targeting mode, but it's kind of annoying...

hashicorp / terraform-provider-azurerm