azurerm_container_app_environment with infrastructure_subnet_id set is not idempotent

[J0F3]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.5

AzureRM Provider Version

4.2.0

Affected Resource(s)/Data Source(s)

azurerm_container_app_environment

Terraform Configuration Files

resource "azurerm_container_app_environment" "aca_env" {
  name                = "someapp-acae"
  resource_group_name = azurerm_resource_group.aca_env.name
  location            = azurerm_resource_group.aca_env.location

  workload_profile {
    name                  = "Consumption"
    workload_profile_type = "Consumption"
  }

  infrastructure_subnet_id = azurerm_subnet.aca.id

  zone_redundancy_enabled = true
}

Debug Output/Panic Output

N/A

Expected Behaviour

Terraform apply should show no changes after initial apply. (Or at least it should update the infrastructure_resource_group_name in place as it is the case of other properties like static_ip_address, default_domain, etc.)

Actual Behaviour

On every apply the Azure Container App Environment get recreated because of unexpected change of infrastructure_resource_group_name.

  # azurerm_container_app_environment.aca_env must be replaced
-/+ resource "azurerm_container_app_environment" "aca_env" {
      ~ custom_domain_verification_id               = "[redacted] -> (known after apply)
      ~ default_domain                              = "somehting.switzerlandnorth.azurecontainerapps.io" -> (known after apply)
      + docker_bridge_cidr                          = (known after apply)
      ~ id                                          = "/subscriptions/[redacted]" -> (known after apply)
      - infrastructure_resource_group_name          = "ME_someapp-acae-cc50593250ca197-rg_switzerlandnorth" -> null # forces replacement
        name                                        = "someapp-acae"
      + platform_reserved_cidr                      = (known after apply)
      + platform_reserved_dns_ip_address            = (known after apply)
      ~ static_ip_address                           = "1.2.3.4" -> (known after apply)

Steps to Reproduce

terraform apply ( a second time)

Important Factoids

No response

References

While a custom resouce group can be specified it should also work with the default name (without specify any name) as it is the recommend way by Microsoft:

Otherwise, the provider should give an error when infrastructure_resource_group_name is specified but infrastructure_resource_group_name not.

[J0F3]

Workaround is to set:

  lifecycle {
    ignore_changes = [infrastructure_resource_group_name]
  }

Interestingly this "fixes" also all the other in-place updates shown above so that terraform plan shows 'no changes' after the initial apply as expected.