Hi, I just experimented w.r.t. what Terraform does if the TF file, state file, and actual infrastructure differ, and I discovered a weird behavior.
Let’s say I want to create an `azurerm_storage_account`. My assumption was that the state file always contains all attributes, and the values in the state either reflect the real infrastructure (if I just ran `terraform import`), or whatever was set by Terraform during the most recent run of `terraform apply`. Then, I would also expect that if a resource has an optional attribute which I omit in the TF file, and I then run `terraform plan/apply`, then this attribute should be present in the state with the default value (as documented on the provider’s Terraform module website), and be set in the real infrastructure. Most of the time, this seems to be the case, e.g. for the attribute `cross_tenant_replication_enabled` of the storage account. But for `network_rules` (there might be more) this is not the case.
So, for instance, I can omit `access_tier` in my TF file, the real value is “Cold”, and `terraform apply` does not do anything, even though the default value of `access_tier` is “Hot” (so omitting it should mean that Terraform sets it to Hot).
What am I missing?
This behavior leads to non-reproducible infrastructure, so it’s rather spicy.