azurerm_network_watcher_flow_log resource is no longer destroyed

[geekzter]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

# terraform -v
Terraform v0.12.21
+ provider.azurerm v1.44.0

Affected Resource(s)

• azurerm_network_watcher_flow_log

Terraform Configuration Files

resource azurerm_resource_group repro {
  name                         = "${var.prefix}-flowlog-issue"
  location                     = var.location
}

# Singleton resource, so assume it exists and reference it
data azurerm_network_watcher watcher {
  name                         = "NetworkWatcher_${var.location}"
  resource_group_name          = "NetworkWatcherRG"
}

resource azurerm_network_security_group nsg {
  name                         = "${azurerm_resource_group.repro.name}-nsg"
  location                     = azurerm_resource_group.repro.location
  resource_group_name          = azurerm_resource_group.repro.name

  security_rule {
    name                       = "AllowRDPOutbound"
    priority                   = 105
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "Internet"
  }

  security_rule {
    name                       = "AllowSSHOutbound"
    priority                   = 106
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "Internet"
  }
}

resource azurerm_storage_account diag_storage {
  name                         = "${lower(replace(azurerm_resource_group.repro.name,"-",""))}diag"
  resource_group_name          = azurerm_resource_group.repro.name
  location                     = azurerm_resource_group.repro.location
  account_kind                 = "StorageV2"
  account_tier                 = "Standard"
  account_replication_type     = "LRS"
  enable_blob_encryption       = true
  enable_https_traffic_only    = true
}

resource azurerm_log_analytics_workspace workspace {
  name                         = "${azurerm_resource_group.repro.name}-loganalytics"
  location                     = var.location
  resource_group_name          = azurerm_resource_group.repro.name
  sku                          = "Standalone"
  retention_in_days            = 90 
}

# BUG: Resource is not destroyed
resource azurerm_network_watcher_flow_log nsg_logs {
  network_watcher_name         = data.azurerm_network_watcher.watcher.name
  resource_group_name          = data.azurerm_network_watcher.watcher.resource_group_name

  network_security_group_id    = azurerm_network_security_group.nsg.id
  storage_account_id           = azurerm_storage_account.diag_storage.id
  enabled                      = true

  retention_policy {
    enabled                    = true
    days                       = 7
  }

  traffic_analytics {
    enabled                    = true
    workspace_id               = azurerm_log_analytics_workspace.workspace.workspace_id
    workspace_region           = azurerm_log_analytics_workspace.workspace.location
    workspace_resource_id      = azurerm_log_analytics_workspace.workspace.id
  }

  # BUG: self.id references invalid resource id
  #      /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/networkSecurityGroupId/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prefix/providers/Microsoft.Network/networkSecurityGroups/prefix-iaas-spoke-network-nsg
  #      instead of:
  #      /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus/flowLogs/Microsoft.Networkprefixprefix-iaas-spoke-network-nsg
  # provisioner local-exec {
  #   when                       = destroy
  #   command                    = "az resource delete --ids ${self.id}"
  # }
}

variable prefix {
  description = "The Prefix used for all resources in this example"
}

variable location {
  description = "The Azure Region in which all resources in this example should be created."
  default     = "westeurope"
}

output flow_logs_id {
  value = azurerm_network_watcher_flow_log.nsg_logs.id
}

Debug Output

Panic Output

Expected Behavior

All resources destroyed

Actual Behavior

The azurerm_network_watcher_flow_log resource is not destroyed: Error: Error deleting Network Security Group "repro-flowlog-issue-nsg" (Resource Group "repro-flowlog-issue"): network.SecurityGroupsClient#Delete: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidResourceReference" Message="Resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westeurope/FlowLogs/Microsoft.Networkrepro-flowlog-issuerepro-flowlog-issue-nsg referenced by resource /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/repro-flowlog-issue/providers/Microsoft.Network/networkSecurityGroups/repro-flowlog-issue-nsg was not found. Please make sure that the referenced resource exists, and that both resources are in the same region." Details=[]

Steps to Reproduce

1. terraform init
2. terraform destroy
3. terraform destroy

Important Factoids

Manually removing the resource with az resource delete --ids yields a similar message that the resource can't be found. The resource id exported by azurerm_network_watcher_flow_log is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westeurope/networkSecurityGroupId/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/repro-flowlog-issue/providers/Microsoft.Network/networkSecurityGroups/repro-flowlog-issue-nsg

while this is the id of the resource created: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westeurope/flowLogs/Microsoft.Networkrepro-flowlog-issuerepro-flowlog-issue-nsg

References