The azurerm_subnet resource lists a new section for delegation of actions to trusted Azure services. Some services, such as Azure Databricks, make use of these delegations to control adding subnet controls such as network security group rules, etc, on behalf of the user.
In the Terraform doco for the subnet resource, it states that there is a set of actions you can delegate to trusted services. These actions, in the doco, are
- Microsoft.Network/networkinterfaces/*
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
- Microsoft.Network/virtualNetworks/subnets/action
Now I’m guessing these actions map to the RBAC controls, available to a resource, that we want to delegate to the service.
The actions on a resource that we can delegate to a service are defined in the “Azure Resource Manager resource provider operations” document.
There is a mis-match, IMHO, between the list of actions Terraform says it can delegate, and the list of actions that Azure says can be delegated. Specifically, there is no Microsoft.Network/virtualNetworks/subnets/action in the Azure Resource RBAC controls.
The effect of requesting the delegation of this action causes Terraform to continually think that the Microsoft.Network/virtualNetworks/subnets/action hasn’t been delegated, and to report in the plan that it will apply it.
Terraform will perform the following actions:
~ module.databricks_network.azurerm_subnet.private
delegation.0.service_delegation.0.actions.#: "3" => "4"
delegation.0.service_delegation.0.actions.3: "" => "Microsoft.Network/virtualNetworks/subnets/action"
Because the delegation for
Microsoft.Network/virtualNetworks/subnets/action
doesn’t exist in the Resource RBAC actions list linked above, it never successfully applies, it is not reported as failed by Terraform (and possibly not by Azure either), and tries to re-apply for every plan/apply thereon.
I think both the Terraform doco, and the provider, need to drop mention of the spurious action.
If so, I am will to make the required PR’s to the provider and doco projects.