Terraform plan shows " must be replaced"


After a failed import for mssql_database, I was rerunning terraform plan to confirm that the state file and the infrastructure are in sync (as the import failed and no new resources were created) and all of the sudden I had “must be replaced” for
network_interface, custom_dns_configs for my synapse workspace (part of the code)
and network_interface for azurerm_private_endpoint_connection

I believe the state file was not updated by the failed import, noone ran any updated on the infrastructure.
what can be done to proceed with the sync between the state file and the actual resources.

Please assist me with that as I am new to the terraform and I don’t destroy / replace in case something will be ruin as a result as this is our dev environment.

Thank you,

Hi @curious,

I’m sorry to hear that something confusing has happened after your import. To help guess what caused that and what you should now do to recover, it would help if you would share the whole output from terraform plan so we can see what exactly Terraform is proposing.

If you still have it, the output from your failed import command would also be helpful to see if it gives any clues as to why the failure affected the definitions of other existing resources.

Hi @apparentlymart

Please review:
terraform_plan.txt (153.2 KB)
Thank you.

Hi @curious,

There is a lot going on in that plan and so unfortunately I can’t be sure about what is causing each item here without seeing the configuration to understand how you are defining the configuration for each of these resources.

However, I noticed that module.synapse_workspace["synw-xxx-xx01"].data.azurerm_subnet.restricted is having its read deferred to the apply step and that many of the other changes seem to be responding to that. Can you share the data "azurerm_subnet" "restricted" block from that module, along with the configurations for any objects that one refers to in its expressions?

I think the main question here is which resource block is providing the source value that all of these downstream resources are then reacting to. To avoid all of these planned updates and replacements will require either changing the configuration so that the source object doesn’t need to change or to apply the change in a different way to avoid it having such broad impact. I hope to be able to be more specific about what I mean once we can find the source resource.

Hi @apparentlysmart,

Sorry for the delay, was away.
I ran the scripts with the recommended changes and everything came up OK.

Thank you for looking into this one.