Recreate Azure resources without changing the code. Why?

gabor.varga · October 24, 2023, 3:09pm

Hi,

Can someone please explain me the following behavior from terraform. Output of plan:

> -/+ resource "azurerm_firewall" "AZFW" {
>       - dns_servers         = [  ] -> null
>       ~ firewall_policy_id  = "/subscriptions/xxxxxxxx-e960-4d2a-878c-xxxxxxxxxxxx/resourceGroups/XXXX-Connectivity-WEU-NETWORK/providers/Microsoft.Network/firewallPolicies/afwp-afw-XXXX-Connectivity-WEU" -> (known after apply)
>       ~ id                  = "/subscriptions/xxxxxxxx-e960-4d2a-878c-xxxxxxxxxxxx/resourceGroups/XXXX-Connectivity-WEU-NETWORK/providers/Microsoft.Network/azureFirewalls/afw-XXXX-Connectivity-WEU" -> (known after apply)
>       ~ location            = "westeurope" # forces replacement -> (known after apply) # forces replacement
>         name                = "afw-XXXX-Connectivity-WEU"
>       - private_ip_ranges   = [  ] -> null
>       - tags                = {} -> null
>       ~ threat_intel_mode   = "Alert" -> (known after apply)
>       - zones               = [  ] -> null
>         # (3 unchanged attributes hidden)
> 
>       ~ ip_configuration {
>             name                 = "Private_IP_configuration"
>           ~ private_ip_address   = "10.130.238.68" -> (known after apply)
>             # (2 unchanged attributes hidden)
>         }
>     }
> 
>   # module.firewall-policy.data.azurerm_resource_group.rg will be read during apply
>   # (depends on a resource or a module with changes pending)
>  <= data "azurerm_resource_group" "rg" {
>       + id         = (known after apply)
>       + location   = (known after apply)
>       + managed_by = (known after apply)
>       + name       = "XXXX-Connectivity-WEU-NETWORK"
>       + tags       = (known after apply)
>     }
> 
>   # module.firewall-policy.azurerm_firewall_policy.fwpolicy must be replaced
> -/+ resource "azurerm_firewall_policy" "fwpolicy" {
>       ~ child_policies                    = [  ] -> (known after apply)
>       ~ firewalls                         = [
>           - "/subscriptions/xxxxxxxx-e960-4d2a-878c-xxxxxxxxxxxx/resourceGroups/XXXX-Connectivity-WEU-NETWORK/providers/Microsoft.Network/azureFirewalls/afw-XXXX-Connectivity-WEU",
>         ] -> (known after apply)
>       ~ id                                = "/subscriptions/xxxxxxxx-e960-4d2a-878c-xxxxxxxxxxxx/resourceGroups/XXXX-Connectivity-WEU-NETWORK/providers/Microsoft.Network/firewallPolicies/afwp-afw-XXXX-Connectivity-WEU" -> (known after apply)
>       ~ location                          = "westeurope" # forces replacement -> (known after apply) # forces replacement
>         name                              = "afwp-afw-XXXX-Connectivity-WEU"
>       - private_ip_ranges                 = [  ] -> null
>       ~ rule_collection_groups            = [
>           - "/subscriptions/xxxxxxxx-e960-4d2a-878c-xxxxxxxxxxxx/resourceGroups/XXXX-Connectivity-WEU-NETWORK/providers/Microsoft.Network/firewallPolicies/afwp-afw-XXXX-Connectivity-WEU/ruleCollectionGroups/XXXX-MGMT-AVD-FW-Rules",
>         ] -> (known after apply)
>       ~ sku                               = "Standard" -> (known after apply)
>       - tags                              = {} -> null
>         # (3 unchanged attributes hidden)
> 
>         # (1 unchanged block hidden)
>     }

For me it is really not understandable that nothing got changed to the related resources. But it wants to recreate the resources and changing the [ ] with null. After deployment it wants doing again.

If I add the [ ] into the code, then it is crying that it must have at least one value added into the brackets.

Anyone any idea?

Thanks!
G

jbardin · October 24, 2023, 3:39pm

Hi @gabor.varga,

The changes between [] to null are not relevant to the resource replacement, the reason for replacement will be marked with # forces replacement by the provider (it will help others read this to format the output as code to prevent markdown formatting).

So the problem here is the location attribute is not known during the plan, and the provider indicates that the resource needs to be replaced because the location may change. You need to determine why the location value is not known during plan, which I assume is related to data.azurerm_resource_group.rg being deferred to apply. Since that says it "depends on a resource or a module with changes pending", it usually means you have an incorrect or unnecessary depends_on preventing the data source from being read during the plan.

gabor.varga · October 24, 2023, 3:55pm

Thanks a lot!

Yes, because I used data, to retrieve the current resource group’s details (location), and it is a dynamic object for terraform therefore it did not know the location during the run.

Now I fixed, and it is fine.

Topic		Replies	Views
Terraform in recreating resources even if no changes in version, code Terraform azure	5	4661	April 15, 2021
Terraform plan destroys, replaces and changes existing resources despite having a matching configuration written? Azure	5	526	December 2, 2022
Azurerm_linux_virtual_machine getting recreated on every apply Terraform	2	2616	August 3, 2020
Create Azure resource using a Terraform code without destroying the existing Resouce Terraform	2	617	March 15, 2022
Azurerm_firewall_policy changes on every run despite not changing anything Terraform Providers azure	2	243	March 5, 2024

Recreate Azure resources without changing the code. Why?

Related topics