Is it required for the LB rule and LB backend address pool to be in the same RG as the LB?

Hi, sorry, new here, so excuse any policy mistakes. I recently ran into the issue where I have a terraform template for a Load Balancer in a resource group with stuff that I need only once per project. Let’s call that project-level-rg. I have another terraform template that I want to re-use per DTAP environment. Those resources I deploy into their own resource groups: ENV-level-rg. So, for example, dev-level-rg, test-level-rg, etc.

I thought it would be a pretty clean setup to deploy the Load Balancer in the project-level-rg, and deploy the backend address pool (one for each environment) and load balancer rule in their respective ENV-level-rg. This way, I can create or delete everything that is specific to an environment with one terraform template, and I have everything nicely “encapsulated” in one resource group.

However, using terraform, I find out it implicitly overrides the resource group to project-level-rg, because when re-applying the exact same terraform template, it gives me this:

      # azurerm_lb_rule.my-rule must be replaced
-/+ resource "azurerm_lb_rule" "my-rule" {
        backend_address_pool_id        = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer/backendAddressPools/env-level-acc-backend-pool"
        backend_port                   = 443
        disable_outbound_snat          = false
        enable_floating_ip             = false
      ~ frontend_ip_configuration_id   = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer/frontendIPConfigurations/project-level-acc-lb-frontend-ip-config" -> (known after apply)
        frontend_ip_configuration_name = "project-level-acc-lb-frontend-ip-config"
        frontend_port                  = 443
      ~ id                             = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer/loadBalancingRules/env-level-acc-lb-https-rule" -> (known after apply)
      ~ idle_timeout_in_minutes        = 4 -> (known after apply)
      ~ load_distribution              = "Default" -> (known after apply)
        loadbalancer_id                = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer"
        name                           = "env-level-acc-lb-https-rule"
        probe_id                       = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer/probes/project-level-ozp-lb-https-probe"
        protocol                       = "Tcp"
      ~ resource_group_name            = "project-level-rg" -> "ENV-level-rg" # forces replacement
    }

This results in some pretty unexpected behavior where both azurerm_lb_rule and azurerm_lb_backend_address_pool keep getting replaced. When I adjust my template for these two resources to be deployed in the project-level-rg, everything works as expected.

Do I understand this behavior correctly or is something else going on? May I suggest updating the docs on these resources, either with a NOTE on top of the page, or as a remark at the resource_group_name argument reference?

Thanks!
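
The layout the post reports as working, sketched as an added example that is not part of the original post: the rule and backend pool are child resources of the load balancer (every ID in the plan output sits under `project-level-rg`), so the per-environment template takes its `resource_group_name` from the load balancer instead of from the environment resource group. Assumptions: an azurerm provider version where these resources still accept `resource_group_name` (as the plan output shows), a hypothetical `environment` variable, and a data source lookup of the shared load balancer; resource names are taken from the plan output.

```hcl
# Added example: per-environment template that attaches to a shared load balancer.
# The variable name and the data source lookup are assumptions, not from the post.
variable "environment" {
  type        = string
  description = "DTAP environment short name, e.g. dev, test, acc"
}

# Read the load balancer that the project-level template owns.
data "azurerm_lb" "project" {
  name                = "project-level-ozp-load-balancer"
  resource_group_name = "project-level-rg"
}

resource "azurerm_lb_backend_address_pool" "env" {
  name            = "env-level-${var.environment}-backend-pool"
  loadbalancer_id = data.azurerm_lb.project.id

  # Use the load balancer's resource group, not ENV-level-rg. The pool's ID is
  # nested under the load balancer, so any other value shows up as a change
  # that forces replacement on the next plan.
  resource_group_name = data.azurerm_lb.project.resource_group_name
}

resource "azurerm_lb_rule" "env_https" {
  name                = "env-level-${var.environment}-lb-https-rule"
  loadbalancer_id     = data.azurerm_lb.project.id
  resource_group_name = data.azurerm_lb.project.resource_group_name

  protocol      = "Tcp"
  frontend_port = 443
  backend_port  = 443

  # Frontend IP configuration and probe are defined with the load balancer in
  # the project-level template; they are referenced here by name / ID only.
  frontend_ip_configuration_name = "project-level-${var.environment}-lb-frontend-ip-config"
  backend_address_pool_id        = azurerm_lb_backend_address_pool.env.id
  probe_id                       = "${data.azurerm_lb.project.id}/probes/project-level-ozp-lb-https-probe"
}
```

With this layout, destroying an environment's template still removes only that environment's pool and rule, even though they live in the load balancer's resource group.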