hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Virtual Network Subnets being modified when no changes #27626

Open JackBruceShell opened 1 month ago

JackBruceShell commented 1 month ago

Is there an existing issue for this?

Community Note

Terraform Version

Latest

AzureRM Provider Version

4.5.0

Affected Resource(s)/Data Source(s)

azurerm_virtual_network

Terraform Configuration Files

main.tf

module "dev-us-vnet" {
  source              = "./modules/virtual-network"
  vnet_name           = var.vnet_name
  location            = var.location
  resource_group_name = var.rg_name
  address_space       = var.vnet_address_space
  tags                = var.tags
  # Interpolation-only strings ("${var.x}") are a Terraform 0.11 idiom; plain
  # references are equivalent and do not trigger the deprecation warning.
  subnets = [
    {
      name                              = var.ASE_Subnet
      address_prefixes                  = var.ASE_Subnet_address
      security_group                    = module.dev-us-ase-nsg.id
      attach_to_nat_gateway             = false
      private_endpoint_network_policies = "Disabled"
      delegation_name                   = var.ASE_Subnet_Delegation_Name
      service_delegation_name           = var.ASE_Subnet_Service_Delegation_Name
      service_endpoints                 = var.ASE_Subnet_Service_Endpoints
    },
    {
      name                                          = var.PrivateLink_Subnet
      address_prefixes                              = var.PrivateLink_Subnet_address
      security_group                                = module.dev-us-pls-nsg.id
      attach_to_nat_gateway                         = false
      private_endpoint_network_policies             = "Disabled"
      private_link_service_network_policies_enabled = false
    },
    {
      name                  = var.AppGW_Subnet
      address_prefixes      = var.AppGW_Subnet_address
      security_group        = module.dev-us-appgw-nsg.id
      attach_to_nat_gateway = false
    },
    {
      name                              = var.Bastion_Subnet
      address_prefixes                  = var.Bastion_Subnet_address
      security_group                    = null
      attach_to_nat_gateway             = false
      private_endpoint_network_policies = "Disabled"
      service_endpoints                 = var.Bastion_Subnet_Service_Endpoints
    },
    {
      name                  = var.Runner_Subnet
      address_prefixes      = var.Runner_Subnet_address
      security_group        = module.dev-us-runner-nsg.id
      attach_to_nat_gateway = false
    }
  ]
}

env.tfvars

#-----------------------------------------------
# Virtual Network and Subnets
#-----------------------------------------------
vnet_name                          = "VNET-AIS-ENT-DEV-US-10.1.0.0-16"
vnet_address_space                 = ["10.1.0.0/16"]
ASE_Subnet                         = "SN-AIS-ENT-ASE-DEV-US-001"
ASE_Subnet_address                 = "10.1.2.0/24"
ASE_Subnet_Delegation_Name         = "Microsoft.Web/hostingEnvironments"
ASE_Subnet_Service_Delegation_Name = "Microsoft.Web/hostingEnvironments"
ASE_Subnet_Service_Endpoints       = ["Microsoft.AzureActiveDirectory", "Microsoft.AzureCosmosDB", "Microsoft.CognitiveServices", "Microsoft.ContainerRegistry", "Microsoft.EventHub", "Microsoft.KeyVault", "Microsoft.ServiceBus", "Microsoft.Sql", "Microsoft.Storage", "Microsoft.Web"]
AppGW_Subnet                       = "SN-AIS-ENT-APPGW-DEV-US-001"
AppGW_Subnet_address               = "10.1.1.0/24"
PrivateLink_Subnet                 = "SN-AIS-ENT-PLS-DEV-US-001"
PrivateLink_Subnet_address         = "10.1.3.0/24"
Bastion_Subnet                     = "AzureBastionSubnet"
Bastion_Subnet_address             = "10.1.4.0/24"
Bastion_Subnet_Service_Endpoints   = ["Microsoft.KeyVault", "Microsoft.ServiceBus"]
Runner_Subnet                      = "SN-AIS-ENT-RUNNER-DEV-US-001"
Runner_Subnet_address              = "10.1.5.0/24"

Debug Output/Panic Output

TF Apply output

# module.dev-us-vnet.azurerm_virtual_network.main will be updated in-place
  ~ resource "azurerm_virtual_network" "main" {
        id                      = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16"
        name                    = "VNET-AIS-ENT-DEV-US-10.1.0.0-16"
      ~ subnet                  = [
          - {
              - address_prefixes                              = [
                  - "10.1.1.0/24",
                ]
              - default_outbound_access_enabled               = true
              - delegation                                    = []
              - id                                            = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16/subnets/SN-AIS-ENT-APPGW-DEV-US-001"
              - name                                          = "SN-AIS-ENT-APPGW-DEV-US-001"
              - private_endpoint_network_policies             = "Disabled"
              - private_link_service_network_policies_enabled = true
              - security_group                                = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/networkSecurityGroups/NSG-AIS-ENT-APPGW-DEV-US-001"
              - service_endpoint_policy_ids                   = []
              - service_endpoints                             = [
                  - "Microsoft.KeyVault",
                ]
                # (1 unchanged attribute hidden)
            },
          - {
              - address_prefixes                              = [
                  - "10.1.2.0/24",
                ]
              - default_outbound_access_enabled               = true
              - delegation                                    = [
                  - {
                      - name               = "Microsoft.Web/hostingEnvironments"
                      - service_delegation = [
                          - {
                              - actions = [
                                  - "Microsoft.Network/virtualNetworks/subnets/action",
                                ]
                              - name    = "Microsoft.Web/hostingEnvironments"
                            },
                        ]
                    },
                ]
              + private_endpoint_network_policies             = "Disabled"
              + private_link_service_network_policies_enabled = true
              + security_group                                = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/networkSecurityGroups/NSG-AIS-ENT-ASE-DEV-US-001"
              + service_endpoint_policy_ids                   = []
              + service_endpoints                             = [
                  + "Microsoft.AzureActiveDirectory",
                  + "Microsoft.AzureCosmosDB",
                  + "Microsoft.CognitiveServices",
                  + "Microsoft.ContainerRegistry",
                  + "Microsoft.EventHub",
                  + "Microsoft.KeyVault",
                  + "Microsoft.ServiceBus",
                  + "Microsoft.Sql",
                  + "Microsoft.Storage",
                  + "Microsoft.Web",
                ]
                # (1 unchanged attribute hidden)
            },
          + {
              + address_prefixes                              = [
                  + "10.1.3.0/24",
                ]
              + default_outbound_access_enabled               = true
              + delegation                                    = []
              + id                                            = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16/subnets/SN-AIS-ENT-PLS-DEV-US-001"
              + name                                          = "SN-AIS-ENT-PLS-DEV-US-001"
              + private_endpoint_network_policies             = "Disabled"
              + private_link_service_network_policies_enabled = false
              + security_group                                = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/networkSecurityGroups/NSG-AIS-ENT-PLS-DEV-US-001"
              + service_endpoint_policy_ids                   = []
              + service_endpoints                             = []
            },
          + {
              + address_prefixes                              = [
                  + "10.1.4.0/24",
                ]
              + default_outbound_access_enabled               = true
              + delegation                                    = []
              + id                                            = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16/subnets/AzureBastionSubnet"
              + name                                          = "AzureBastionSubnet"
              + private_endpoint_network_policies             = "Disabled"
              + private_link_service_network_policies_enabled = true
              + service_endpoint_policy_ids                   = []
              + service_endpoints                             = [
                  + "Microsoft.KeyVault",
                  + "Microsoft.ServiceBus",
                ]
            },
          + {
              + address_prefixes                              = [
                  + "10.1.5.0/24",
                ]
              + default_outbound_access_enabled               = true
              + delegation                                    = []
              + id                                            = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16/subnets/SN-AIS-ENT-RUNNER-DEV-US-001"
              + name                                          = "SN-AIS-ENT-RUNNER-DEV-US-001"
              + private_endpoint_network_policies             = "Disabled"
              + private_link_service_network_policies_enabled = true
              + security_group                                = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/networkSecurityGroups/NSG-AIS-ENT-RUNNER-DEV-US-001"
              + service_endpoint_policy_ids                   = []
              + service_endpoints                             = []
            },
        ]
        tags                    = {
            "IsEnterpriseCoreResource" = "true"
            "businessunit"             = "DEV-US"
        }
        # (8 unchanged attributes hidden)
    }

This is also causing an azurerm_private_dns_zone_virtual_network_link to be force replaced:

# module.dev-us-ase.azurerm_private_dns_zone_virtual_network_link.main[0] must be replaced
-/+ resource "azurerm_private_dns_zone_virtual_network_link" "main" {
      ~ id                    = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/privateDnsZones/ASE-AIS-ENT-DEV-US-001.appserviceenvironment.net/virtualNetworkLinks/vnetlink" -> (known after apply)
        name                  = "vnetlink"
      - tags                  = *** -> null
      ~ virtual_network_id    = "/subscriptions/***/resourceGroups/RG-AIS-ENT-DEV-US-001/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16" -> (known after apply) # forces replacement
        # (3 unchanged attributes hidden)
    }

Expected Behaviour

No changes to any subnets; azurerm_private_dns_zone_virtual_network_link is not force replaced.

Actual Behaviour

Subnets are updated in place and the plan shows that the ID of the subnet is changing, which should not be happening.

Steps to Reproduce

terraform apply

Important Factoids

No response

References

https://github.com/hashicorp/terraform/issues/35841
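The plan above is a positional diff over the inline subnet list: element 0 (APPGW) is shown as removed, element 1 (ASE) as partially rewritten, and the remaining subnets as added, even though every subnet keeps its name, prefix, NSG and delegation. Before applying such a plan it is worth confirming that nothing with a security effect (NSG association, service endpoints, delegation, network policies) actually changes, and that the only other casualty is the DNS zone link whose virtual_network_id went to "known after apply". The script below is an added example, not code from the issue or the azurerm provider: it reads the machine-readable plan from terraform show -json tfplan, re-keys the subnet blocks by name instead of list position, and reports only real attribute differences. The embedded SAMPLE_PLAN is constructed to mirror the plan in this issue (a pure reorder plus the cascading link replacement) with a made-up subscription ID; a second, invented vnet with its NSG dropped shows what a real change looks like.

```python
"""Flag azurerm_virtual_network subnet diffs that are only reorders (added example).

Reads `terraform show -json tfplan` output. For every vnet updated in place it
compares inline subnet blocks by name and lists only security-relevant changes;
it also reports private DNS zone links replaced because virtual_network_id is
"known after apply". Subscription ID and the second vnet are constructed.
"""
import json
import sys

# Subnet attributes whose change has a security effect; never waved through as a reorder.
SENSITIVE = ("address_prefixes", "security_group", "service_endpoints", "delegation",
             "private_endpoint_network_policies",
             "private_link_service_network_policies_enabled", "default_outbound_access_enabled")

def _by_name(subnets):
    return {s["name"]: s for s in (subnets or [])}

def _norm(v):
    # Lists of strings (service endpoints, prefixes) are order-insensitive.
    return sorted(v) if isinstance(v, list) and all(isinstance(x, str) for x in v) else v

def subnet_diff(before, after):
    """Return {subnet_name: {attr: (before, after)}} containing real differences only."""
    b, a = _by_name(before), _by_name(after)
    out = {}
    for name in sorted(set(b) | set(a)):
        if name not in b:
            out[name] = {"_": (None, "added")}
        elif name not in a:
            out[name] = {"_": ("present", None)}
        else:
            changed = {k: (b[name].get(k), a[name].get(k)) for k in SENSITIVE
                       if _norm(b[name].get(k)) != _norm(a[name].get(k))}
            if changed:
                out[name] = changed
    return out

def analyze_plan(plan):
    """Return (reorder_only_vnets, {vnet: real_subnet_changes}, cascading_dns_link_replacements)."""
    reorder_only, real, cascades = [], {}, []
    for rc in plan.get("resource_changes", []):
        ch, actions = rc["change"], rc["change"]["actions"]
        if rc["type"] == "azurerm_virtual_network" and actions == ["update"]:
            d = subnet_diff(ch["before"].get("subnet"), ch["after"].get("subnet"))
            if d:
                real[rc["address"]] = d
            elif ch["before"].get("subnet") != ch["after"].get("subnet"):
                reorder_only.append(rc["address"])  # same subnets, different list order
        if (rc["type"] == "azurerm_private_dns_zone_virtual_network_link"
                and "delete" in actions and "create" in actions
                and ch.get("after_unknown", {}).get("virtual_network_id") is True):
            cascades.append(rc["address"])
    return reorder_only, real, cascades

# ---- constructed sample mirroring the issue's plan (IDs are placeholders) ----
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-AIS-ENT-DEV-US-001"
NSG = RG + "/providers/Microsoft.Network/networkSecurityGroups/"
VNET_ID = RG + "/providers/Microsoft.Network/virtualNetworks/VNET-AIS-ENT-DEV-US-10.1.0.0-16"
ASE_DELEG = [{"name": "Microsoft.Web/hostingEnvironments", "service_delegation": [
    {"name": "Microsoft.Web/hostingEnvironments",
     "actions": ["Microsoft.Network/virtualNetworks/subnets/action"]}]}]

def _sn(name, prefix, nsg, endpoints=(), delegation=(), pls_policies=True):
    return {"name": name, "address_prefixes": [prefix], "security_group": nsg,
            "service_endpoints": list(endpoints), "delegation": list(delegation),
            "private_endpoint_network_policies": "Disabled",
            "private_link_service_network_policies_enabled": pls_policies,
            "default_outbound_access_enabled": True, "service_endpoint_policy_ids": []}

APPGW = _sn("SN-AIS-ENT-APPGW-DEV-US-001", "10.1.1.0/24", NSG + "NSG-AIS-ENT-APPGW-DEV-US-001", ["Microsoft.KeyVault"])
ASE = _sn("SN-AIS-ENT-ASE-DEV-US-001", "10.1.2.0/24", NSG + "NSG-AIS-ENT-ASE-DEV-US-001",
          ["Microsoft.KeyVault", "Microsoft.Sql"], ASE_DELEG)
PLS = _sn("SN-AIS-ENT-PLS-DEV-US-001", "10.1.3.0/24", NSG + "NSG-AIS-ENT-PLS-DEV-US-001", pls_policies=False)
BASTION = _sn("AzureBastionSubnet", "10.1.4.0/24", None, ["Microsoft.KeyVault", "Microsoft.ServiceBus"])

SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "module.dev-us-vnet.azurerm_virtual_network.main", "type": "azurerm_virtual_network",
     "change": {"actions": ["update"], "before": {"subnet": [APPGW, ASE, PLS, BASTION]},
                "after": {"subnet": [ASE, APPGW, PLS, BASTION]}, "after_unknown": {}}},
    {"address": "module.other.azurerm_virtual_network.main", "type": "azurerm_virtual_network",  # invented
     "change": {"actions": ["update"], "before": {"subnet": [APPGW]},
                "after": {"subnet": [dict(APPGW, security_group=None)]}, "after_unknown": {}}},
    {"address": "module.dev-us-ase.azurerm_private_dns_zone_virtual_network_link.main[0]",
     "type": "azurerm_private_dns_zone_virtual_network_link",
     "change": {"actions": ["delete", "create"],
                "before": {"name": "vnetlink", "virtual_network_id": VNET_ID},
                "after": {"name": "vnetlink"},  # unknown values are omitted from `after`
                "after_unknown": {"id": True, "virtual_network_id": True}}},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            plan = json.load(f)
    else:
        plan = SAMPLE_PLAN
    reorder, real, cascades = analyze_plan(plan)
    print("reorder-only vnets (no semantic subnet change):", reorder)
    print("real subnet changes (review before apply):", json.dumps(real, indent=2))
    print("DNS links replaced because vnet id is unknown:", cascades)
```

Usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json && python check_plan.py plan.json. A vnet listed under "reorder-only" is a positional artefact of the kind shown in this issue; anything under "real subnet changes" (for example an NSG going to null) must be reviewed as a genuine exposure change before apply. Comparing by subnet name rather than list index is the whole point: Terraform's textual plan cannot tell you that the "removed" APPGW block and the "added" PLS block are the same set of subnets shifted by one position.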

neil-yechenwei commented 1 month ago

Thanks for raising this issue. May I ask if the Virtual Network with Subnet is created with v3.x? Does this issue happen since TF azurerm provider is upgraded to v4.x?

JackBruceShell commented 1 month ago

@neil-yechenwei

Yes this Virtual Network with Subnet was created with v3.x

We have only noticed this issue recently, since version 4 became available, yes.

Thanks

JackBruceShell commented 1 month ago

Hi @neil-yechenwei

Are there any updates here at all?

Thanks.

JackBruceShell commented 1 month ago

Hi @neil-yechenwei

Can I please ask for an update?

JackBruceShell commented 2 weeks ago

@neil-yechenwei , @caius , @mitchellh , @lamdor

Referencing everybody here that I can see to get some form of response.

Thanks in advance.

rcskosir commented 1 week ago

:wave: @JackBruceShell Thank you for opening this issue. Do you know what 3.x version this Virtual Network with Subnet was created in, to help isolate and investigate what code changes could be impacting you? To help us maintain a supportive environment for everyone, please remember to follow our community note at the top of the issue regarding asking for updates.

JackBruceShell commented 2 days ago

Hi @rcskosir

The Virtual Network with Subnet would have been created with anything < 4.0.0.

We found this issue when v4.x came out.