Removing 'virtual_network_configuration' block from 'azurerm_kusto_cluster' forcing the resource to be replaced

Terraform Providers Azure
1

Terraform Version

Terraform v1.9.8

Terraform Configuration Files

terraform {

  required_version = ">= 1.9"

 

  required_providers {

    azurerm = {

      source  = "hashicorp/azurerm"

      version = "~> 4.3"

    }

  }
}

Debug Output

# module.kusto_cluster.azurerm_kusto_cluster.main must be replaced

-/+ resource "azurerm_kusto_cluster" "main" {

      - allowed_fqdns                      = [] -> null

      - allowed_ip_ranges                  = [] -> null

      ~ auto_stop_enabled                  = false -> true

      ~ data_ingestion_uri                 = "https://ingest-uri.location.kusto.windows.net/" -> (known after apply)

      - double_encryption_enabled          = false -> null

      ~ id                                 = "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Kusto/clusters/<cluster_namw>" -> (known after apply)

        name                               = "<cluster_name>"

      ~ tags                               = {

            "ApplicationName"   = "<application_name>"

            "DeployableName"    = "<deployable_name>"

          ~ "DeployableVersion" = "6.0.13-unstable" -> "6.0.15-unstable"

            "Environment"       = "<env>"

            "ProjectCode"       = "<project_code>"

        }

      ~ trusted_external_tenants           = [] -> (known after apply)

      ~ uri                                = "https://uri.location.kusto.windows.net/" -> (known after apply)

        # (9 unchanged attributes hidden)

 

      - virtual_network_configuration {

          - data_management_public_ip_id = "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Network/publicIPAddresses/data-pip" -> null # forces replacement

          - engine_public_ip_id          = "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Network/publicIPAddresses/engine-pip" -> null # forces replacement

          - subnet_id                    = "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Network/virtualNetworks/main-vnet/subnets/subnet" -> null # forces replacement

        }

 

        # (1 unchanged block hidden)

    }

Expected Behavior

The documentation suggests that removing the virtual_network_configuration block from the aurerm_kusto_cluster resource definition will set virtual network injection to a disabled state by default which appears to be happening. It also suggests that it shouldn’t force the resource to be replaced if the state is being switched from enabled to disabled

Actual Behavior

Removing the virtual_network_configuration block from the aurerm_kusto_cluster resource definition and changing the state of virtual network injection from enabled to disabled is causing the Kusto cluster resource to be replaced.

Steps to Reproduce

  1. Deploy azurerm_kusto_cluster resource with virtual_network_configuration block defined
  2. Remove virtual_network_configuration block
  3. Run terraform plan

Additional Context

Azure will no longer provide support for virtual network injection on Azure Data Explorer clusters from February 2025 so it is necessary to migrate to a private endpoint configuration see here.

This is a prerequisite step for the migration and we cannot allow our existing cluster to be destroyed in the process.

2

@ben1994mc I wanted to reach out regarding the procedure we followed for migrating our existing cluster. It appears that the current instructions could result in the deletion and recreation of our existing cluster, which we would like to avoid.

Could you please check at your end to see if there’s a way to migrate our existing cluster without needing to delete it?