Adding to map forces replacement

b0bu · November 24, 2023, 3:48pm

I’m using a 3rd party module here https://github.com/Azure/terraform-azurerm-lz-vending/blob/main/modules/virtualnetwork/outputs.tf where the output virtual_network_resource_ids is a map of vnetname = vnetid.

It’s my understanding that maps have no order so I’m confused as to why adding an entry at any position, start middle or end to the input map var.virtual_networks (used to key the output values) would result in a force replacement of anything using the output. I.e. scaling the vnets breaks anything using the existing vnet ids.

The var.virtual_networks input var taken from the example in the readme

  virtual_networks = {
    one = {
      name                    = "my-vnet"
      address_space           = ["192.168.1.0/24"]
      hub_peering_enabled     = true
      hub_network_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-hub-network-rg/providers/Microsoft.Network/virtualNetworks/my-hub-network"
      mesh_peering_enabled    = true
    }
    two = {
      name                    = "my-vnet2"
      location                = "northeurope"
      address_space           = ["192.168.2.0/24"]
      hub_peering_enabled     = true
      hub_network_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-hub-network-rg/providers/Microsoft.Network/virtualNetworks/my-hub-network2"
      mesh_peering_enabled    = true
    }
  }

When adding a third either at the start, middle or end
anything using the outputs module.sub.virtual_network_resource_ids.one or module.sub.virtual_network_resource_ids.two results in force replacement when the virtual network id is now only “known after apply”.

  virtual_networks = {
    one = {
      name                    = "my-vnet"
      address_space           = ["192.168.1.0/24"]
      hub_peering_enabled     = true
      hub_network_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-hub-network-rg/providers/Microsoft.Network/virtualNetworks/my-hub-network"
      mesh_peering_enabled    = true
    }
    two = {
      name                    = "my-vnet2"
      location                = "northeurope"
      address_space           = ["192.168.2.0/24"]
      hub_peering_enabled     = true
      hub_network_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-hub-network-rg/providers/Microsoft.Network/virtualNetworks/my-hub-network2"
      mesh_peering_enabled    = true
    }
    athird = {
      name                    = "my-vnet3"
      location                = "northeurope"
      address_space           = ["192.168.3.0/24"]
      hub_peering_enabled     = true
      hub_network_resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-hub-network-rg/providers/Microsoft.Network/virtualNetworks/my-hub-network2"
      mesh_peering_enabled    = true
    }
  }

The first question is why is this happening but more importantly how do I stop it from happening. Example usage causing the issue is linking some dns zones to one of the above vnets.

resource azurerm_private_dns_zone_virtual_network_link "test" {
  for_each = local.private_zones
  name = each.key
  resource_group_name = data.azurerm_resource_group.zones.name
  private_dns_zone_name = each.value.zone
  virtual_network_id = module.sub.virtual_network_resource_ids.one
}

b0bu · December 2, 2023, 8:09pm

github.com/Azure/terraform-azurerm-lz-vending

bug: virtual networks can't scale if using virtual_network_resource_ids output

opened 01:51PM - 28 Nov 23 UTC

b0bu

bug

Needs: Attention

### Community Note - Please vote on this issue by adding a 👍 [reaction](h…ttps://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request - Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request - If you are interested in working on this issue or have submitted a pull request, please leave a comment ### Versions Please paste the output of `terraform version` command from within the initialized directory: ```text 1.6.4 ``` Please enter the module version that you are using: ```text 3.3.0 ``` ### Description The output variable https://github.com/Azure/terraform-azurerm-lz-vending/blob/f5d2209403f36186bbec6f0f3f56d26c15a06236/modules/virtualnetwork/outputs.tf#L1 doesn't scale. Maps have no order so add an entry at the beginning middle or end when referencing by key doesn't cause an ordering issue for example ```hcl locals { mymap = { a = 1 b = 2 c = 3 } } ``` when adding `d = 4` at any position in the map, beginning middle or end doesn't cause references to any existing keys to change based on index position so referencing `local.mymap.a` doesn't change when adding `local.mymap.d`. This doesn't appear to be true for module outputs. The module output `virtual_network_resource_ids` is output according to alphabetical order. Based on the input `var.virtual_network` if I define an abitrarily ordered map of virtual networks ```hcl virtual_networks = { b = {} c = {} a = {} } ``` the output for `module.sub.virtual_network_resource_ids` will always be ```hcl output vnets { value = module.sub.virtual_network_resource_ids } vnets = { a = id b = id c = id } ``` This means that if you're using the outputs from the module to create subnets, and you scale the virtual network object by adding a vnet at any position, the order of all virtual networks is updated or becomes unknown to terraform. So if I'm referencing the vnet id via the module output and I add a vnet, anything using that references loses it resulting in a `(known after apply) # force replacement` in the plan. #### Steps to Reproduce 1. create some virtual networks ```hcl module sub { ... virtual_networks = { vnet1 = { name = "vnet1" address_space = ["10.10.0.0/16] location = "uksouth" resource_group_name = module.rg.name ... } vnet2 = { name = "vnet2" address_space = ["10.20.0.0/16"] location = "uksouth" resource_group_name = module.rg.name ... } } ... } ``` 2. use the module output ```hcl locals { private_zones = { vault-private = { zone = "privatelink.vaultcore.azure.net" } vault-public = { zone = "vaultcore.azure.net" } } } resource azurerm_private_dns_zone_virtual_network_link "link" { for_each = local.private_zones name = each.key resource_group_name = module.rg.name private_dns_zone_name = each.value.zone virtual_network_id = module.sub.virtual_network_resource_ids.vnet1 } ``` 3. update the virtual networks ```hcl module sub { ... virtual_networks = { vnet1 = { name = "vnet1" address_space = ["10.10.0.0/16"] location = "uksouth" resource_group_name = module.rg.name ... } vnet2 = { name = "vnet2" address_space = ["10.20.0.0/16"] location = "uksouth" resource_group_name = module.rg.name ... } vnet3 = { name = "vnet3" address_space = ["10.30.0.0/16"] location = "uksouth" resource_group_name = module.rg.name ... } } ... } ``` 4. reference to `module.sub.virtual_network_resource_ids.vnet1` is now lost and forces replacement of all dns links #### Screenshots #### Additional context The only "fix" I've found for this is to create a copy of the output as a local ```hcl locals { vnets = { vnet1 = id vnet2 = id ... } } ``` that way adding a vnet3 doesn't lose the reference to vnet1 as it's a static map and not dynamically and without any imposed order but this obviously breaks the dependency tree and updating things becomes painful

Topic		Replies	Views
Terraform plan want to replace all components when a map of resources passed to a module has changed Terraform	4	1579	October 14, 2022
Force replacement caused by location (non)-change Terraform	4	5189	December 2, 2021
Multiple subnet_ids / output / compute module Terraform	7	2927	November 20, 2022
Private Endpoint Forcing Replacement on Identical Subnet_id Azure	0	631	June 2, 2021
Issues with Terraform Moved block forcing replacement Terraform	3	51	December 16, 2024

Adding to map forces replacement

Related topics