Hi, sorry, new here, so excuse any policy mistakes. I recently ran into the issue where I have a terraform template for a Load Balancer in a resource group with stuff that I need only once per project. Let’s call that project-level-rg. I have another terraform template that I want to re-use per DTAP environment. Those resources I deploy into their own resource groups: ENV-level-rg. So, for example, dev-level-rg, test-level-rg, etc.
I thought it would be a pretty clean setup to deploy the Load Balancer in the project-level-rg, and deploy the backend address pool (one for each environment) and load balancer rule in their respective ENV-level-rg. This way, I can create or delete everything that is specific to an environment with one terraform template, and I have everything nicely “encapsulated” in one resource group.
However, using terraform I find out it implicitly overrides the resource group to project-level-rg. Because, when re-applying the exact same terraform template, it gives me this:
# azurerm_lb_rule.my-rule must be replaced
-/+ resource "azurerm_lb_rule" "my-rule" {
backend_address_pool_id = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer/backendAddressPools/env-level-acc-backend-pool"
backend_port = 443
disable_outbound_snat = false
enable_floating_ip = false
~ frontend_ip_configuration_id = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer/frontendIPConfigurations/project-level-acc-lb-frontend-ip-config" -> (known after apply)
frontend_ip_configuration_name = "project-level-acc-lb-frontend-ip-config"
frontend_port = 443
~ id = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer/loadBalancingRules/env-level-acc-lb-https-rule" -> (known after apply)
~ idle_timeout_in_minutes = 4 -> (known after apply)
~ load_distribution = "Default" -> (known after apply)
loadbalancer_id = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer"
name = "env-level-acc-lb-https-rule"
probe_id = "/subscriptions/my-subscription/resourceGroups/project-level-rg/providers/Microsoft.Network/loadBalancers/project-level-ozp-load-balancer/probes/project-level-ozp-lb-https-probe"
protocol = "Tcp"
~ resource_group_name = "project-level-rg" -> "ENV-level-rg" # forces replacement
}
This results in some pretty unexpected behavior where both azurerm_lb_rule and azurerm_lb_backend_address_pool keep getting replaced. When I adjust my template for these two resources to be deployed in the project-level-rg, everything works as expected.
Do I understand this behavior correctly or is something else going on? May I suggest updating the docs on these resources, either with a NOTE on top of the page, or as a remark at the resource_group_name argument reference?
Thanks!