hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Virtual Network Subnets being modified when no changes #27626

Open JackBruceShell opened 1 week ago

JackBruceShell commented 1 week ago

Terraform Version

Latest

AzureRM Provider Version

4.5.0

Affected Resource(s)/Data Source(s)

azurerm_virtual_network

Terraform Configuration Files

main.tf

module "dev-us-vnet" {
  source              = "./modules/virtual-network"
  vnet_name           = var.vnet_name
  location            = var.location
  resource_group_name = var.rg_name
  address_space       = var.vnet_address_space
  tags                = var.tags
  subnets = [
    {
      name                              = "${var.ASE_Subnet}"
      address_prefixes                  = "${var.ASE_Subnet_address}"
      security_group                    = module.dev-us-ase-nsg.id
      attach_to_nat_gateway             = false
      private_endpoint_network_policies = "Disabled"
      delegation_name                   = var.ASE_Subnet_Delegation_Name
      service_delegation_name           = var.ASE_Subnet_Service_Delegation_Name
      service_endpoints                 = var.ASE_Subnet_Service_Endpoints
    },
    {
      name                                          = "${var.PrivateLink_Subnet}"
      address_prefixes                              = "${var.PrivateLink_Subnet_address}"
      security_group                                = module.dev-us-pls-nsg.id
      attach_to_nat_gateway                         = false
      private_endpoint_network_policies             = "Disabled"
      private_link_service_network_policies_enabled = false
    },
    {
      name                  = "${var.AppGW_Subnet}"
      address_prefixes      = "${var.AppGW_Subnet_address}"
      security_group        = module.dev-us-appgw-nsg.id
      attach_to_nat_gateway = false
    },
    {
      name                              = "${var.Bastion_Subnet}"
      address_prefixes                  = "${var.Bastion_Subnet_address}"
      security_group                    = null
      attach_to_nat_gateway             = false
      private_endpoint_network_policies = "Disabled"
      service_endpoints                 = var.Bastion_Subnet_Service_Endpoints
    },
    {
      name                  = "${var.Runner_Subnet}"
      address_prefixes      = "${var.Runner_Subnet_address}"
      security_group        = module.dev-us-runner-nsg.id
      attach_to_nat_gateway = false
    }
  ]
}

env.tfvars

#-----------------------------------------------
# Virtual Network and Subnets
#-----------------------------------------------
vnet_name                          = "VNET-AIS-ENT-DEV-US-10.1.0.0-16"
vnet_address_space                 = ["10.1.0.0/16"]
ASE_Subnet                         = "SN-AIS-ENT-ASE-DEV-US-001"
ASE_Subnet_address                 = "10.1.2.0/24"
ASE_Subnet_Delegation_Name         = "Microsoft.Web/hostingEnvironments"
ASE_Subnet_Service_Delegation_Name = "Microsoft.Web/hostingEnvironments"
ASE_Subnet_Service_Endpoints       = ["Microsoft.AzureActiveDirectory", "Microsoft.AzureCosmosDB", "Microsoft.CognitiveServices", "Microsoft.ContainerRegistry", "Microsoft.EventHub", "Microsoft.KeyVault", "Microsoft.ServiceBus", "Microsoft.Sql", "Microsoft.Storage", "Microsoft.Web"]
AppGW_Subnet                       = "SN-AIS-ENT-APPGW-DEV-US-001"
AppGW_Subnet_address               = "10.1.1.0/24"
PrivateLink_Subnet                 = "SN-AIS-ENT-PLS-DEV-US-001"
PrivateLink_Subnet_address         = "10.1.3.0/24"
Bastion_Subnet                     = "AzureBastionSubnet"
Bastion_Subnet_address             = "10.1.4.0/24"
Bastion_Subnet_Service_Endpoints   = ["Microsoft.KeyVault", "Microsoft.ServiceBus"]
Runner_Subnet                      = "SN-AIS-ENT-RUNNER-DEV-US-001"
Runner_Subnet_address              = "10.1.5.0/24"

Debug Output/Panic Output

TF Apply output

# module.dev-us-vnet.azurerm_virtual_network.main will be updated in-place
  ~ resource "azurerm_virtual_network" "main" {
        id                      = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16"
        name                    = "VNET-AIS-ENT-DEV-US-10.1.0.0-16"
      ~ subnet                  = [
          - {
              - address_prefixes                              = [
                  - "10.1.1.0/24",
                ]
              - default_outbound_access_enabled               = true
              - delegation                                    = []
              - id                                            = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16/subnets/SN-AIS-ENT-APPGW-DEV-US-001"
              - name                                          = "SN-AIS-ENT-APPGW-DEV-US-001"
              - private_endpoint_network_policies             = "Disabled"
              - private_link_service_network_policies_enabled = true
              - security_group                                = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/networkSecurityGroups/NSG-AIS-ENT-APPGW-DEV-US-001"
              - service_endpoint_policy_ids                   = []
              - service_endpoints                             = [
                  - "Microsoft.KeyVault",
                ]
                # (1 unchanged attribute hidden)
            },
          - {
              - address_prefixes                              = [
                  - "10.1.2.0/24",
                ]
              - default_outbound_access_enabled               = true
              - delegation                                    = [
                  - {
                      - name               = "Microsoft.Web/hostingEnvironments"
                      - service_delegation = [
                          - {
                              - actions = [
                                  - "Microsoft.Network/virtualNetworks/subnets/action",
                                ]
                              - name    = "Microsoft.Web/hostingEnvironments"
                            },
                        ]
                    },
                ]
              + private_endpoint_network_policies             = "Disabled"
              + private_link_service_network_policies_enabled = true
              + security_group                                = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/networkSecurityGroups/NSG-AIS-ENT-ASE-DEV-US-001"
              + service_endpoint_policy_ids                   = []
              + service_endpoints                             = [
                  + "Microsoft.AzureActiveDirectory",
                  + "Microsoft.AzureCosmosDB",
                  + "Microsoft.CognitiveServices",
                  + "Microsoft.ContainerRegistry",
                  + "Microsoft.EventHub",
                  + "Microsoft.KeyVault",
                  + "Microsoft.ServiceBus",
                  + "Microsoft.Sql",
                  + "Microsoft.Storage",
                  + "Microsoft.Web",
                ]
                # (1 unchanged attribute hidden)
            },
          + {
              + address_prefixes                              = [
                  + "10.1.3.0/24",
                ]
              + default_outbound_access_enabled               = true
              + delegation                                    = []
              + id                                            = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16/subnets/SN-AIS-ENT-PLS-DEV-US-001"
              + name                                          = "SN-AIS-ENT-PLS-DEV-US-001"
              + private_endpoint_network_policies             = "Disabled"
              + private_link_service_network_policies_enabled = false
              + security_group                                = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/networkSecurityGroups/NSG-AIS-ENT-PLS-DEV-US-001"
              + service_endpoint_policy_ids                   = []
              + service_endpoints                             = []
            },
          + {
              + address_prefixes                              = [
                  + "10.1.4.0/24",
                ]
              + default_outbound_access_enabled               = true
              + delegation                                    = []
              + id                                            = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16/subnets/AzureBastionSubnet"
              + name                                          = "AzureBastionSubnet"
              + private_endpoint_network_policies             = "Disabled"
              + private_link_service_network_policies_enabled = true
              + service_endpoint_policy_ids                   = []
              + service_endpoints                             = [
                  + "Microsoft.KeyVault",
                  + "Microsoft.ServiceBus",
                ]
            },
          + {
              + address_prefixes                              = [
                  + "10.1.5.0/24",
                ]
              + default_outbound_access_enabled               = true
              + delegation                                    = []
              + id                                            = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16/subnets/SN-AIS-ENT-RUNNER-DEV-US-001"
              + name                                          = "SN-AIS-ENT-RUNNER-DEV-US-001"
              + private_endpoint_network_policies             = "Disabled"
              + private_link_service_network_policies_enabled = true
              + security_group                                = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/networkSecurityGroups/NSG-AIS-ENT-RUNNER-DEV-US-001"
              + service_endpoint_policy_ids                   = []
              + service_endpoints                             = []
            },
        ]
        tags                    = {
            "IsEnterpriseCoreResource" = "true"
            "businessunit"             = "DEV-US"
        }
        # (8 unchanged attributes hidden)
    }

This is also causing an azurerm_private_dns_zone_virtual_network_link to be force replaced:

# module.dev-us-ase.azurerm_private_dns_zone_virtual_network_link.main[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "main" {
      ~ id                    = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/privateDnsZones/ASE-AIS-ENT-DEV-US-001.appserviceenvironment.net/virtualNetworkLinks/vnetlink" -> (known after apply)
        name                  = "vnetlink"
      - tags                  = {} -> null
      ~ virtual_network_id    = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16" -> (known after apply) # forces replacement
        # (3 unchanged attributes hidden)
    }

Expected Behaviour

No changes to any subnets; azurerm_private_dns_zone_virtual_network_link is not force replaced.

Actual Behaviour

Subnets are updated in place, and the plan shows that the ID of the subnet is changing, which should not be happening.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

https://github.com/hashicorp/terraform/issues/35841
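The plan above diffs `subnet` as a set, so a subnet whose attributes differ between state and configuration appears as one whole `-` block and one whole `+` block, which hides the actual attribute that changed. As an added example (not code from this issue or from the provider), the script below re-keys the JSON form of a plan (`terraform show -json plan.out`) by subnet name and reports only the attributes that differ; `SAMPLE_PLAN` is a constructed stand-in for that JSON, with subscription ids and most attributes omitted.

```python
"""Re-key an azurerm_virtual_network `subnet` diff by subnet name, using
the JSON plan (`terraform show -json plan.out`) so each attribute change is visible."""
import json

# Constructed sample shaped like `terraform show -json` output (ids/subscription omitted).
SAMPLE_PLAN = json.loads("""{"resource_changes": [{
  "address": "module.dev-us-vnet.azurerm_virtual_network.main",
  "type": "azurerm_virtual_network",
  "change": {"actions": ["update"],
    "before": {"subnet": [
      {"name": "SN-AIS-ENT-APPGW-DEV-US-001", "address_prefixes": ["10.1.1.0/24"],
       "service_endpoints": ["Microsoft.KeyVault"], "private_link_service_network_policies_enabled": true}]},
    "after": {"subnet": [
      {"name": "SN-AIS-ENT-APPGW-DEV-US-001", "address_prefixes": ["10.1.1.0/24"],
       "service_endpoints": [], "private_link_service_network_policies_enabled": true},
      {"name": "SN-AIS-ENT-PLS-DEV-US-001", "address_prefixes": ["10.1.3.0/24"],
       "service_endpoints": [], "private_link_service_network_policies_enabled": false}]}}}]}""")

def _by_name(state):
    """Index a state's subnet blocks by name; empty when the resource is absent."""
    return {s["name"]: s for s in (state or {}).get("subnet") or []}

def _norm(value):
    """Compare string lists (service_endpoints, address_prefixes) order-insensitively."""
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return sorted(value)
    return value

def subnet_drift(plan):
    """Return {vnet_address: {subnet_name: {attribute: (before, after)}}} for VNets
    updated in place; a subnet present on only one side is keyed "<subnet>"."""
    result = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_virtual_network" or "update" not in change.get("actions", []):
            continue
        before, after = _by_name(change.get("before")), _by_name(change.get("after"))
        diffs = {}
        for name in sorted(before.keys() | after.keys()):
            b, a = before.get(name), after.get(name)
            if b is None or a is None:  # added or removed subnet, not an attribute change
                diffs[name] = {"<subnet>": ("present" if b else "absent", "present" if a else "absent")}
                continue
            changed = {k: (b.get(k), a.get(k)) for k in sorted(b.keys() | a.keys())
                       if _norm(b.get(k)) != _norm(a.get(k))}
            if changed:
                diffs[name] = changed
        result[rc["address"]] = diffs
    return result
```

Values that are only known after apply (such as the `id` of a subnet the provider intends to recreate) are listed under `after_unknown` in the JSON plan and are absent from `after`, so they show up here with `None` on the right-hand side.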

neil-yechenwei commented 1 week ago

Thanks for raising this issue. May I ask if the Virtual Network with Subnet is created with v3.x? Does this issue happen since TF azurerm provider is upgraded to v4.x?

JackBruceShell commented 1 week ago

@neil-yechenwei

Yes, this Virtual Network with Subnet was created with v3.x.

We have only noticed this issue recently once Version 4 has been available, yes.

Thanks

JackBruceShell commented 4 days ago

Hi @neil-yechenwei

Are there any updates here at all?

Thanks.

JackBruceShell commented 1 day ago

Hi @neil-yechenwei

Can I please ask for an update?