Closed abotelhofilho closed 2 months ago
Thanks for raising this issue. As you mentioned, azurerm_network_interface_security_group_association is not a real resource. So you can't add a lock to it. It's by TF design. So I assume adding a lock to the network interface and network security group is enough for azurerm_network_interface_security_group_association.
Thanks for the quick response!
Unfortunately it is not enough because if I make a destructive change to the vm that causes it to be replaced, for example accidentally changing the vm name, the current locks prevent that from destroying the vm but the nsg to nic association gets destroyed.
Something I discovered today was that the behavior above occurs only if the lock is set to "CanNotDelete". If it is set to "ReadOnly", which prevents ALL changes, not just deletes, the locks actually prevent the nsg to nic association from getting destroyed. This would be my solution and it may end up being my solution, but this would prevent ALL changes and if any change were needed the locks would need to be removed first before any change can be made.
Would you say then that this is more of an azure issue?
I'm waiting to get Microsoft to confirm that the azurerm_network_interface_security_group_association resource isn't a real resource before I close this.
@rcskosir we can close this. This is behaving as designed because what was causing all of the destructive behavior is how I had my code written.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Is there an existing issue for this?
Community Note
Terraform Version
1.6.6
AzureRM Provider Version
3.102.0
Affected Resource(s)/Data Source(s)
azurerm_network_interface_security_group_association, azurerm_management_lock
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
I'd expect a management lock resource to be created for the azurerm_network_interface_security_group_association resource.
Actual Behaviour
I believe what is causing the problem is that the id exported\output from the azurerm_network_interface_security_group_association resource isn't a real azure resource id and without a real azure resource id the azurerm_management_lock can't be created.
Steps to Reproduce
terraform apply
Important Factoids
Some context as to why I'm trying to create an azurerm_management_lock for the azurerm_network_interface_security_group_association resource: it's because I'm locking all the resources associated with a VM so no one can accidentally delete it. This led me down the road to creating a management_lock resource for the vm, os disk, data disk/s, nic, nsg, the data disk attachment resource and finally the nsg association resource.
References
No response
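The approach from the maintainer's reply in this thread, locking the network interface and the network security group instead of the association, sketched as an added example that is not the reporter's configuration or the provider's own code. The variable names, lock names and notes text are placeholders, and the NIC and NSG are assumed to already exist and be passed in by ID.

```hcl
# Added example: variable names, lock names and notes are placeholders.
provider "azurerm" {
  features {}
}

variable "network_interface_id" {
  type        = string
  description = "Resource ID of the VM's existing NIC (assumed input)"
}

variable "network_security_group_id" {
  type        = string
  description = "Resource ID of the existing NSG (assumed input)"
}

variable "lock_level" {
  # Per the thread: with "CanNotDelete" the reporter still saw the
  # association destroyed; with "ReadOnly" it was not, at the cost of
  # blocking every change until the lock is removed.
  type    = string
  default = "CanNotDelete"
  validation {
    condition     = contains(["CanNotDelete", "ReadOnly"], var.lock_level)
    error_message = "lock_level must be CanNotDelete or ReadOnly."
  }
}

resource "azurerm_network_interface_security_group_association" "this" {
  network_interface_id      = var.network_interface_id
  network_security_group_id = var.network_security_group_id
}

# One lock per real resource on either side of the association.
resource "azurerm_management_lock" "nic_nsg" {
  for_each = {
    nic = var.network_interface_id
    nsg = var.network_security_group_id
  }
  name       = "lock-${each.key}"
  scope      = each.value
  lock_level = var.lock_level
  notes      = "Protects the ${each.key} attached to the VM"

  # Create the locks after the association, so that a ReadOnly lock is
  # not already on the NIC when the association is written.
  depends_on = [azurerm_network_interface_security_group_association.this]
}
```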