hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_network_interface_application_security_group_association - case sensitivity #26684

Open lcondliffe opened 1 month ago

lcondliffe commented 1 month ago

Terraform Version

1.7.5

AzureRM Provider Version

3.111.0

Affected Resource(s)/Data Source(s)

azurerm_network_interface_application_security_group_association

Terraform Configuration Files

data "azurerm_application_security_group" "example" {
  name                = "example-asg"
  resource_group_name = "example-rg"
}

resource "azurerm_network_interface_application_security_group_association" "example" {
  network_interface_id          = azurerm_network_interface.example.id
  application_security_group_id = data.azurerm_application_security_group.example.id
}

Debug Output/Panic Output

╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ azurerm_network_interface_application_security_group_association.example,
│ provider "provider[\"registry.terraform.io/hashicorp/azurerm\"]" produced
│ an unexpected new value: Root object was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵

Expected Behaviour

Virtual machine should be associated to the ASG with no provider error

Actual Behaviour

The ASG association does apply successfully, but the Terraform provider generates this error and does not import the resource into the state.

This behaviour seems to be limited to using the azurerm_application_security_group Data Source, as the error does not occur if the ID is hard-coded.

Steps to Reproduce

  1. terraform apply

Important Factoids

No response

References

https://github.com/hashicorp/terraform-provider-azurerm/issues/17968

neil-yechenwei commented 1 month ago

Thanks for raising this issue. It seems I can't reproduce this issue with the tf config below and the latest azurerm provider. Could you try the tf config below with the latest azurerm provider to see if the issue still exists? Thanks.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-nic-test023"
  location = "westeurope"
}

resource "azurerm_virtual_network" "test" {
  name                = "acctestvn-test023"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_subnet" "test" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_application_security_group" "test" {
  name                = "acctest-test023"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_network_interface" "test" {
  name                = "acctestni-test023"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  ip_configuration {
    name                          = "testconfiguration1"
    subnet_id                     = azurerm_subnet.test.id
    private_ip_address_allocation = "Dynamic"
  }
}

data "azurerm_application_security_group" "test" {
  name                = azurerm_application_security_group.test.name
  resource_group_name = azurerm_application_security_group.test.resource_group_name
}

resource "azurerm_network_interface_application_security_group_association" "test" {
  network_interface_id          = azurerm_network_interface.test.id
  application_security_group_id = data.azurerm_application_security_group.test.id
}

lcondliffe commented 1 month ago

The configuration above works, and does not re-create the issue for me either.

I've discovered that the issue may be with provider case sensitivity on this resource. We use a naming module that dynamically fills parts of resource names for type, environment, region etc., and there is a section of the name that is lower case. AzureRM doesn't care about this and creates the ASG association; however, if the case doesn't match for the Terraform provider, this issue occurs for the azurerm_network_interface_application_security_group_association resource.

Adjusted the code to reproduce the issue:

resource "azurerm_resource_group" "test" {
  name     = "acctestRG-nic-test023"
  location = "westeurope"
}

resource "azurerm_virtual_network" "test" {
  name                = "acctestvn-test023"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_subnet" "test" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_application_security_group" "test" {
  name                = "acctest-test023"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
}

resource "azurerm_network_interface" "test" {
  name                = "acctestni-test023"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  ip_configuration {
    name                          = "testconfiguration1"
    subnet_id                     = azurerm_subnet.test.id
    private_ip_address_allocation = "Dynamic"
  }
}

data "azurerm_application_security_group" "test" {
  # UPPER CASE SECTION OF NAME HERE
  name                = "accTEST-test023"
  resource_group_name = azurerm_application_security_group.test.resource_group_name
}

resource "azurerm_network_interface_application_security_group_association" "test" {
  network_interface_id          = azurerm_network_interface.test.id
  application_security_group_id = data.azurerm_application_security_group.test.id
}

I think the resource type needs to be case-insensitive on the resource ID parameter to resolve this problem?
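
The mismatch described in this thread, as an added Go example that is not the provider's code or part of the original issue: it shows why a byte-for-byte lookup of the ASG ID among a NIC's attached ASGs misses an ID that differs only in case, and how a segment-wise case-insensitive comparison finds it. The subscription ID is a placeholder, `sameResourceID` and `findASG` are hypothetical helpers, and it is an assumption that the data source ID carries the configured casing while the API returns the casing the ASG was created with.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample IDs: placeholder subscription, names from the repro config above.
const (
	prefix        = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/acctestRG-nic-test023/providers/Microsoft.Network/applicationSecurityGroups/"
	configuredASG = prefix + "accTEST-test023" // casing as typed in the data source
	returnedASG   = prefix + "acctest-test023" // casing the ASG was created with
)

// sameResourceID (hypothetical helper) compares two ARM IDs segment by
// segment, ignoring case and any leading or trailing slash.
func sameResourceID(a, b string) bool {
	as := strings.Split(strings.Trim(a, "/"), "/")
	bs := strings.Split(strings.Trim(b, "/"), "/")
	if len(as) != len(bs) {
		return false
	}
	for i := range as {
		if !strings.EqualFold(as[i], bs[i]) {
			return false
		}
	}
	return true
}

// findASG (hypothetical helper) reports whether want is among the ASG IDs
// attached to a NIC. exact=true models a byte-for-byte lookup; exact=false
// folds case per segment.
func findASG(attached []string, want string, exact bool) bool {
	for _, id := range attached {
		if (exact && id == want) || (!exact && sameResourceID(id, want)) {
			return true
		}
	}
	return false
}

func main() {
	attached := []string{returnedASG} // what a read of the NIC is assumed to return
	fmt.Println("exact match:     ", findASG(attached, configuredASG, true))
	fmt.Println("case-insensitive:", findASG(attached, configuredASG, false))
}
```

With the exact lookup the association exists in Azure but is reported as absent, which matches the "Root object was present, but now absent" error and leaves a network security control untracked in state.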