It would appear that when cloning a vSphere template using Terraform, and customizing (in this example a Windows machine), Terraform queries the network specified in the source template, even though this is not referenced.
For example, the template is on network 1. In the vsphere_virtual_machine.network interface section, this is set to data.vsphere_network.network.id for network 2.
The Terraform user in this case has access to network 2, but no access to network 1. In that case, the following error is thrown:
error processing network device changes post-clone: network_interface.0: portgroup lookup by key returned nil result for DVS UUID xx xx xx xx and portgroup key xxxxx
It can be reproduced quite easily, and resolved by changing the network in the source template to be network 2. However, in a multi-tenanted environment, templates should be usable by people with differing permissions to networks, and I cannot see why the source network is being queried, as it would not be used in the clone process.
I could not see any reported bugs referencing this, so I thought I would query here whether it's a known issue?
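
A minimal configuration matching the setup described in the post, as an added example that is not part of the original post. All object names (dc1, cluster1, datastore1, network-2, win-template, win-clone-01) and the admin_password variable are placeholder assumptions.

```hcl
# Added illustration; every name below is a placeholder assumption.
variable "admin_password" { sensitive = true }

data "vsphere_datacenter" "dc" { name = "dc1" }

data "vsphere_compute_cluster" "cluster" {
  name          = "cluster1"
  datacenter_id = data.vsphere_datacenter.dc.id
}
data "vsphere_datastore" "ds" {
  name          = "datastore1"
  datacenter_id = data.vsphere_datacenter.dc.id
}
# Network 2: the port group the Terraform user has access to.
data "vsphere_network" "network" {
  name          = "network-2"
  datacenter_id = data.vsphere_datacenter.dc.id
}
# Source template; its NIC is attached to network 1, which is never named here.
data "vsphere_virtual_machine" "template" {
  name          = "win-template"
  datacenter_id = data.vsphere_datacenter.dc.id
}

resource "vsphere_virtual_machine" "vm" {
  name             = "win-clone-01"
  resource_pool_id = data.vsphere_compute_cluster.cluster.resource_pool_id
  datastore_id     = data.vsphere_datastore.ds.id
  num_cpus         = 2
  memory           = 4096
  guest_id         = data.vsphere_virtual_machine.template.guest_id
  scsi_type        = data.vsphere_virtual_machine.template.scsi_type
  network_interface {
    network_id = data.vsphere_network.network.id # network 2 only
  }
  disk {
    label = "disk0"
    size  = data.vsphere_virtual_machine.template.disks[0].size
  }
  clone {
    template_uuid = data.vsphere_virtual_machine.template.id
    customize {
      windows_options {
        computer_name  = "win-clone-01"
        admin_password = var.admin_password
      }
      network_interface {} # empty block: DHCP on the cloned NIC
    }
  }
}
```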