hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_network_interface_security_group_association id is invalid when trying to create a azurerm_management_lock #26463

Closed abotelhofilho closed 2 months ago

abotelhofilho commented 3 months ago

Terraform Version

1.6.6

AzureRM Provider Version

3.102.0

Affected Resource(s)/Data Source(s)

azurerm_network_interface_security_group_association, azurerm_management_lock

Terraform Configuration Files

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_network_interface" "example" {
  name                = "example-nic"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "testconfiguration1"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_network_interface_security_group_association" "example" {
  network_interface_id      = azurerm_network_interface.example.id
  network_security_group_id = azurerm_network_security_group.example.id
}

resource "azurerm_management_lock" "vm-nic-nsg-associate-lock" {
  name       = "vm-nic-nsg-associate-resource-lock"
  # The association above has no count/for_each, so it is referenced without an
  # index. Its id is a composite "<nic id>|<nsg id>" string rather than an ARM
  # resource id, which is what makes this lock fail (see the output below).
  scope      = azurerm_network_interface_security_group_association.example.id
  lock_level = "CanNotDelete"
  notes      = "Locked because it's needed by a third-party"
}

Debug Output/Panic Output

│ Error: creating Scoped Lock (Scope: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/tf-dev-rg/providers/Microsoft.Network/networkInterfaces/tfvm-dev3-nic-1|/subscriptions/7ddba57a-e790-4bdb-97bd-1bca3b94990e/resourceGroups/tfvm-dev-rg/providers/Microsoft.Network/networkSecurityGroups/tfvm-dev3-1-nic-nsg"
│ Lock Name: "vm-nic-nsg-associate-resource-lock"): unexpected status 404 (404 Not Found) with error: ResourceNotFound: The Resource 'Microsoft.Network/networkInterfaces/tfvm-dev3-nic-1|' under resource group 'tf-dev-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix
│
│   with module.virtual-machine.module.virtual-machine["vm1"].azurerm_management_lock.vm-nic-nsg-associate-lock[0],
│   on .terraform\modules\virtual-machine\modules\virtual_machine\main.tf line 448, in resource "azurerm_management_lock" "vm-nic-nsg-associate-lock":
│  448: resource "azurerm_management_lock" "vm-nic-nsg-associate-lock" {
│
╵

Expected Behaviour

I'd expect a management lock resource to be created for the azurerm_network_interface_security_group_association resource.

Actual Behaviour

I believe what is causing the problem is that the id exported/output from the azurerm_network_interface_security_group_association resource isn't a real Azure resource id, and without a real Azure resource id the azurerm_management_lock can't be created.

  # module.virtual-machine.module.virtual-machine["vm1"].azurerm_management_lock.vm-nic-nsg-associate-lock[0] will be created
  + resource "azurerm_management_lock" "vm-nic-nsg-associate-lock" {
      + id         = (known after apply)
      + lock_level = "CanNotDelete"
      + name       = "vm-nic-nsg-associate-resource-lock"
      + notes      = "Locked because it's needed by a third-party"
      + scope      = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/tf-dev-rg/providers/Microsoft.Network/networkInterfaces/tfvm-dev3-nic-1|/subscriptions/7ddba57a-e790-4bdb-97bd-1bca3b94990e/resourceGroups/tfvm-dev-rg/providers/Microsoft.Network/networkSecurityGroups/tfvm-dev3-1-nic-nsg"
    }


Steps to Reproduce

terraform apply

Important Factoids

Some context on why I'm trying to create an azurerm_management_lock for the azurerm_network_interface_security_group_association resource: it's because I'm locking all the resources associated with a VM so no one can accidentally delete it. This led me down the road of creating a management_lock resource for the VM, OS disk, data disk(s), NIC, NSG, the data disk attachment resource and finally the NSG association resource.

References

No response

neil-yechenwei commented 3 months ago

Thanks for raising this issue. As you mentioned, azurerm_network_interface_security_group_association is not a real resource, so you can't add a lock to it. It's by TF design. So I assume adding locks to the network interface and the network security group is enough for azurerm_network_interface_security_group_association.

abotelhofilho commented 3 months ago

Thanks for the quick response!

Unfortunately it is not enough, because if I make a destructive change to the VM that causes it to be replaced, for example accidentally changing the VM name, the current locks prevent that from destroying the VM, but the NSG-to-NIC association gets destroyed.

Something I discovered today was that the behavior above only occurs if the lock is set to "CanNotDelete"; if it is set to "ReadOnly", which prevents ALL changes, not just deletes, the locks actually prevent the NSG-to-NIC association from getting destroyed. This could be my solution and it may end up being my solution, but it would prevent ALL changes, and if any change were needed the locks would have to be removed before any change could be made.

Would you say then that this is more of an azure issue?
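
One way to get the protection discussed in the two comments above, as an added example that is not from the issue or the provider's docs: lock the two real ARM resources behind the association (the NIC and the NSG), and guard the association itself on the Terraform side with `prevent_destroy`, so a plan that would replace it fails instead of silently removing the NSG from the NIC. It assumes the resource names from the issue's configuration and replaces the original association block.

```hcl
# Added example, not the issue author's or the provider's code.

locals {
  # Both halves of the composite "<nic id>|<nsg id>" association id are real
  # ARM resource ids, so each of them is a valid lock scope.
  nic_nsg_lock_scopes = {
    nic = azurerm_network_interface.example.id
    nsg = azurerm_network_security_group.example.id
  }
}

resource "azurerm_management_lock" "nic_nsg" {
  for_each   = local.nic_nsg_lock_scopes
  name       = "vm-nic-nsg-${each.key}-lock"
  scope      = each.value
  lock_level = "CanNotDelete"
  notes      = "Locked because it's needed by a third-party"
}

resource "azurerm_network_interface_security_group_association" "example" {
  network_interface_id      = azurerm_network_interface.example.id
  network_security_group_id = azurerm_network_security_group.example.id

  # Azure cannot lock the association, so refuse any plan that would destroy
  # it (for example a NIC or VM change that forces replacement). Terraform
  # then errors at plan time instead of dropping the NSG from the NIC.
  lifecycle {
    prevent_destroy = true
  }
}
```

Unlike a "ReadOnly" lock, this still allows in-place updates to the NIC and NSG; only operations that would delete them or the association are blocked.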

abotelhofilho commented 3 months ago

I'm waiting to get Microsoft to confirm that the azurerm_network_interface_security_group_association resource isn't a real resource before I close this.

abotelhofilho commented 2 months ago

@rcskosir we can close this. This is behaving as designed because what was causing all of the destructive behavior is how I had my code written.

github-actions[bot] commented 1 month ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.