Hi @JackBruceShell - can you share the .tf configuration files and the output of `terraform plan` (ideally a run where nothing in the configuration changed but the subnets still show as update-in-place)? That will help us reproduce and investigate. Thanks!
Hi @liamcervante - is it possible to connect so I can replicate the issue for you on a call?
I have also given you the module block from my main.tf and the module main.tf itself below.
Thanks!
main.tf
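# Dev/US virtual network. Each object in `subnets` is rendered by the
# ./modules/virtual-network module as an inline `subnet` block on
# azurerm_virtual_network (see the module's main.tf further down in this issue).
#
# The `"${var.x}"` wrappers of the original were redundant interpolation-only
# expressions (terraform fmt/validate warn about them); the bare `var.x` form
# yields the same string value.
module "dev-us-vnet" {
  source = "./modules/virtual-network"

  vnet_name           = var.vnet_name
  location            = var.location
  resource_group_name = var.rg_name
  address_space       = var.vnet_address_space
  tags                = var.tags

  # NOTE(review): the subnet objects below do not all carry the same attributes
  # (delegation_name, service_delegation_name, service_endpoints,
  # private_endpoint_network_policies, private_link_service_network_policies_enabled
  # are only set on some of them). The module reads every one of those attributes,
  # so its `subnets` variable must declare the missing ones as optional(...) with a
  # null default -- confirm against modules/virtual-network/variables.tf.
  # `attach_to_nat_gateway` is passed on every subnet but is not referenced by the
  # module main.tf shown in this issue.
  subnets = [
    {
      # App Service Environment subnet: NSG-attached, delegated, with service endpoints.
      name                  = var.ASE_Subnet
      address_prefixes      = var.ASE_Subnet_address
      security_group        = module.dev-us-ase-nsg.id
      attach_to_nat_gateway = false
      # "Disabled" switches off NSG/UDR enforcement for private endpoints placed in
      # this subnet; leave it only if that is the intended posture.
      private_endpoint_network_policies = "Disabled"
      delegation_name                   = var.ASE_Subnet_Delegation_Name
      service_delegation_name           = var.ASE_Subnet_Service_Delegation_Name
      service_endpoints                 = var.ASE_Subnet_Service_Endpoints
    },
    {
      # Private Link subnet. Private Link Service network policies must be off for a
      # subnet that hosts a PLS; note this also means NSG rules are not enforced for
      # the PLS NAT addresses in it (per Azure docs -- verify for your design).
      name                                          = var.PrivateLink_Subnet
      address_prefixes                              = var.PrivateLink_Subnet_address
      security_group                                = module.dev-us-pls-nsg.id
      attach_to_nat_gateway                         = false
      private_endpoint_network_policies             = "Disabled"
      private_link_service_network_policies_enabled = false
    },
    {
      # Application Gateway subnet.
      name                  = var.AppGW_Subnet
      address_prefixes      = var.AppGW_Subnet_address
      security_group        = module.dev-us-appgw-nsg.id
      attach_to_nat_gateway = false
    },
    {
      # Bastion subnet.
      # NOTE(review): no NSG is attached here (security_group = null). Azure Bastion
      # only accepts an NSG with a specific rule set, so this may be deliberate --
      # confirm it is, since it is the one subnet with no NSG at all.
      name                              = var.Bastion_Subnet
      address_prefixes                  = var.Bastion_Subnet_address
      security_group                    = null
      attach_to_nat_gateway             = false
      private_endpoint_network_policies = "Disabled"
      service_endpoints                 = var.Bastion_Subnet_Service_Endpoints
    },
    {
      # CI runner subnet.
      name                  = var.Runner_Subnet
      address_prefixes      = var.Runner_Subnet_address
      security_group        = module.dev-us-runner-nsg.id
      attach_to_nat_gateway = false
    }
  ]
}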
module main.tf
# Virtual network with its subnets declared inline from var.subnets.
#
# Every element of var.subnets becomes one `subnet` block. A `delegation`
# block (and, inside it, a `service_delegation` block) is emitted only when the
# corresponding *_name attribute on the element is non-null.
#
# NOTE(review): because the subnets are inline blocks, the VNet resource owns
# the whole subnet list. The azurerm provider documents that mixing these inline
# blocks with standalone azurerm_subnet resources on the same VNet produces
# conflicting updates -- whether that applies here is not visible from this issue.
resource "azurerm_virtual_network" "main" {
  name                = var.vnet_name
  location            = var.location
  resource_group_name = var.resource_group_name
  address_space       = var.address_space
  tags                = var.tags

  dynamic "subnet" {
    for_each = var.subnets

    content {
      name = subnet.value.name

      # Callers pass a single prefix string; the provider attribute is a list.
      address_prefixes = [subnet.value.address_prefixes]
      security_group   = subnet.value.security_group

      private_endpoint_network_policies             = subnet.value.private_endpoint_network_policies
      private_link_service_network_policies_enabled = subnet.value.private_link_service_network_policies_enabled
      service_endpoints                             = subnet.value.service_endpoints

      # At most one delegation; iterate over the name itself so `delegation.value`
      # carries it into the block.
      dynamic "delegation" {
        for_each = subnet.value.delegation_name == null ? [] : [subnet.value.delegation_name]

        content {
          name = delegation.value

          dynamic "service_delegation" {
            for_each = subnet.value.service_delegation_name == null ? [] : [subnet.value.service_delegation_name]

            content {
              name = service_delegation.value
            }
          }
        }
      }
    }
  }
}
Terraform Version
Terraform Configuration Files
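# Manually-dispatched Terraform apply for one Azure environment.
#
# Auth model: the service principal's PEM certificate is written onto the
# runner, converted to a password-protected PFX, and used both by the Azure CLI
# (backend access) and by the azurerm provider via ARM_CLIENT_CERTIFICATE_*.
# The runner is self-hosted (runs-on: AIS-Test); anything written under
# /home/runner/work persists between jobs unless the Cleanup step runs.
#
# Changes versus the original, each noted inline below:
#   - Cleanup now runs on failure too (`if: always()`), so a failed run no
#     longer leaves the private key on the shared runner.
#   - Apply consumes the saved plan (`tf_plan`) instead of re-planning with
#     -auto-approve, so what is applied is exactly what the Plan step showed.
#   - The undeclared `inputs.commitid` used by checkout is now declared.
#   - The certificate and PFX password are scoped to the steps that need them
#     instead of being in the job-wide env seen by every third-party action.
#   - Key files are created with umask 077; the PFX password is passed via the
#     environment rather than on the openssl command line.
name: Terraform Apply

on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        description: "Choose the environment"
        options:
          - DEV-External-US
        required: true
      # Checkout already read `inputs.commitid`, but it was never declared and so
      # always evaluated to "" (default ref). Declaring it as optional keeps that
      # default and lets a caller pin a specific commit.
      commitid:
        type: string
        description: "Commit SHA or ref to check out (blank = default branch)"
        required: false

jobs:
  TerraformApply:
    runs-on: [AIS-Test]
    environment: ${{ inputs.environment }}
    env:
      ARM_ENV: ${{ inputs.environment }}
      ARM_CLIENT_ID: ${{ secrets.client_id }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.subscription_id }}
      ARM_TENANT_ID: ${{ secrets.tenant_id }}
      # Paths only. The certificate material and the PFX password are injected
      # per step below so that the `uses:` actions (azure/login, checkout,
      # setup-terraform) never receive them in their environment.
      PEM_FILE: /home/runner/work/spn.pem
      PFX_FILE: /home/runner/work/spn.pfx
      ARM_CLIENT_CERTIFICATE_PATH: /home/runner/work/spn.pfx
      TF_BACKEND_RG: ${{ secrets.TF_BACKEND_RG }}
      TF_BACKEND_STACC: ${{ secrets.TF_BACKEND_STACC }}
      TF_CONTAINER: ${{ secrets.TF_BACKEND_CONTAINER }}
    defaults:
      run:
        shell: bash
    steps:
      - name: Setup Azure SPN Certificate file inside the runner
        env:
          CERT: ${{ secrets.ARM_PFX_ENCODED }}
        # umask 077: the PEM contains the SPN's private key; keep it owner-only.
        run: |
          umask 077
          printf '%s\n' "$CERT" > "$PEM_FILE"

      - name: Generate PFX Inside Runner
        env:
          PFX_PASS: ${{ secrets.PFX_PASS }}
        # -passout env: reads the export password from the environment instead of
        # interpolating it onto the command line, where it is visible in the
        # process list and in any echoed or failed-command output.
        run: |
          umask 077
          openssl pkcs12 -export -passout env:PFX_PASS -in "$PEM_FILE" -out "$PFX_FILE"
          ls -l /home/runner/work/

      # NOTE(review): this logs in with secrets.AZURE_CREDENTIALS, a different
      # credential from the certificate Terraform uses below, so it does not
      # validate the certificate login. Confirm the step is still needed.
      - name: Check Az Login
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # NOTE(review): third-party actions are referenced by floating major tag;
      # pinning them to a full commit SHA is the usual supply-chain hardening.
      - name: Checkout Repo
        uses: actions/checkout@v2
        with:
          ref: ${{ inputs.commitid }}

      - name: Get main file for terraform
        run: |
          cp "${ARM_ENV}/main.tf" .
          cp "${ARM_ENV}/variables.tf" .
        working-directory: 'terraform/'

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          # TODO(review): pin to the version this stack is validated against.
          # `latest` makes runs non-reproducible (and is why the issue's
          # "Terraform Version" section is empty).
          terraform_version: latest

      - name: Terraform initialization
        id: init
        env:
          ARM_CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.PFX_PASS }}
        # ARM_CLIENT_ID / ARM_TENANT_ID / ARM_SUBSCRIPTION_ID / ARM_CLIENT_CERTIFICATE_PATH
        # already come from the job env; only the password needs adding here.
        run: |
          az login --service-principal -u "$ARM_CLIENT_ID" -p "$PEM_FILE" --tenant "$ARM_TENANT_ID"
          az account set --subscription "$ARM_SUBSCRIPTION_ID"
          terraform init -input=false \
            -backend-config="resource_group_name=${TF_BACKEND_RG}" \
            -backend-config="storage_account_name=${TF_BACKEND_STACC}" \
            -backend-config="container_name=${TF_CONTAINER}" \
            -backend-config="key=terraform.tfstate"
        working-directory: 'terraform/'

      - name: Terraform Plan
        env:
          ARM_CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.PFX_PASS }}
        run: |
          terraform plan -input=false -out tf_plan -var-file="${ARM_ENV}/env.tfvars"
        working-directory: 'terraform/'

      - name: Terraform Apply
        env:
          ARM_CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.PFX_PASS }}
        # Applies the plan file produced above. The original re-planned here with
        # -auto-approve, so the applied changes could differ from the plan that
        # was shown; applying a saved plan never prompts, so -auto-approve is
        # not needed.
        run: |
          terraform apply -input=false tf_plan
        working-directory: 'terraform/'

      - name: Cleanup
        # Must run even when an earlier step failed, otherwise the private key
        # stays on the shared self-hosted runner after a failed run.
        if: always()
        run: |
          rm -f "$PEM_FILE" "$PFX_FILE"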
Debug Output
N/A (a `TF_LOG=DEBUG` trace of the apply would show the exact subnet attribute diff the provider computes, which is what is needed to pin this down)
Expected Behavior
Subnets should not be updated in place, because nothing in the configuration has changed. The spurious update is also forcing the virtual_network_link to be replaced.
Actual Behavior
Subnets are updated in place on every apply; this refreshes the virtual network's ID, which in turn causes the virtual_network_link to be destroyed and re-created.
Steps to Reproduce
Run `terraform apply` against the configuration above; a subsequent apply with no configuration changes still shows the subnets as update-in-place.
Additional Context
No response
References
No response