Azure delegation issue after first plan

saraivaf · July 13, 2022, 11:34pm

Hi,

I’m trying to enable a delegation for a subnet defined as below on my tfvars file:

# Subnets
subnets = {
  apptier-snet = {
    address_prefixes   = ["192.168.32.64/26"]
    service_delegation = false
    delegation_name    = ""
    delegation_action  = []
  }
  containers-snet = {
    address_prefixes   = ["192.168.32.192/28"]
    service_delegation = true
    delegation_name    = "Microsoft.ContainerInstance/containerGroups"
    delegation_action  = []
  }

And inside vnet.tf file I’m using this code to deploy:

  dynamic "delegation" {
    for_each = lookup(each.value, "service_delegation", {}) ? [1] : []


    content {
      name = "delegation"

      service_delegation {
        name = each.value.delegation_name
      }
    }
  }

Vnet and Delegation creation works fine when I execute apply for the first time.
But, after that every plan or apply to none or any other related service(even if I change a tag), I receive this:

  # azurerm_subnet.subnetdata["containers-snet"] will be updated in-place
  ~ resource "azurerm_subnet" "subnetdata" {
        id                                             = "(REDACTED)/containers-snet"
        name                                           = "containers-snet"
        # (7 unchanged attributes hidden)

      ~ delegation {
            name = "delegation"

          ~ service_delegation {
              ~ actions = [
                  - "Microsoft.Network/virtualNetworks/subnets/action",
                ]
                name    = "Microsoft.ContainerInstance/containerGroups"
            }
        }
    }

Apply command returns:

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

If I ran plan again, it will try to update the delegation again.

Also tried:

tfvars:

# Subnets
subnets = {
  apptier-snet = {
    address_prefixes   = ["192.168.32.64/26"]
    service_delegation = false
    delegation_name    = ""
    delegation_action  = []
  }
  containers-snet = {
    address_prefixes   = ["192.168.32.192/28"]
    service_delegation = true
    delegation_name    = "Microsoft.ContainerInstance/containerGroups"
    delegation_action  = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
  }

vnet.tf:

  dynamic "delegation" {
    for_each = lookup(each.value, "service_delegation", {}) ? [1] : []


    content {
      name = "delegation"

      service_delegation {
        name = each.value.delegation_name
        actions = each.value.delegation_action
      }
    }
  }

Even this way I got no luck to stop messages to update the delegation. Anyone faced the same issue? Or there is something that I missed on lookup sentence?

Appreciate any help on that!

Thanks

apparentlymart · July 14, 2022, 3:44pm

Hi @saraivaf!

I think you are describing the same behavior that was discussed in this issue in the Azure provider repository:

github.com/hashicorp/terraform-provider-azurerm

[fixed in 1.42 back in 2.0] azurerm_subnet delegation: If "Actions" is empty Terraform modifies the subnet on each "apply"

opened 06:35PM - 03 Mar 20 UTC

closed 10:55PM - 03 Mar 20 UTC

juanjojulian

question service/subnets

### Community Note * Please vote on this issue by adding a 👍 [reaction](https…://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request * Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request * If you are interested in working on this issue or have submitted a pull request, please leave a comment ### Terraform (and AzureRM Provider) Version ``` juanjo@Dune spoke-cdt-lab-dev-westeurope$ terraform version Terraform v0.12.21 + provider.azurerm v2.0.0 ``` ### Affected Resource(s) * `azurerm_subnet ` ### Terraform Configuration Files ```hcl resource "azurerm_subnet" "example" { name = "testsubnet" resource_group_name = "${azurerm_resource_group.example.name}" virtual_network_name = "${azurerm_virtual_network.example.name}" address_prefix = "10.0.1.0/24" delegation { name = "acctestdelegation" service_delegation { name = "Microsoft.ContainerInstance/containerGroups" } } } ``` ### Expected Behavior Once the subnet is deployed no more changes should be attempted. ### Actual Behavior Terraform tries to remove the default "actions" each time you apply or plan: ```hcl ~ delegation { name = "westeurope-sql-mi-dev-delegation" ~ service_delegation { ~ actions = [ - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action", - "Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action", ] name = "Microsoft.Sql/managedInstances" } } ``` ### Steps to Reproduce Create a subnet with delegation and no actions, remember that as per Terraform docs "actions" is optional. ### Important Factoids This bug was happening before azurerm v1.42.0 and was fixed in that version, it came back from the future? original bug report was #5476 fixed in #5484

saraivaf · August 22, 2022, 4:25pm

Hi,

Yes, seem the same behavior. But in the title says as fixed, do you know if this has returned on recent releases?

Thanks

Topic		Replies	Views
Azure subnet delegation for selected subnets using for_each Azure	1	698	September 13, 2021
Possible bug in Azure Subnet Delegation options Azure	0	974	November 4, 2019
Azure rm subnet delegation to sql managed instance Terraform	0	461	October 25, 2021
Dynamic block used together with count Terraform	3	31025	May 29, 2020
How to create service delagation to an existing subnet? Azure	0	396	January 19, 2022

Azure delegation issue after first plan

Related topics