Subnet and NSG association destroyed on reapply #5525

Closed
nidhi5885 opened this issue Jan 26, 2020 · 4 comments

@nidhi5885

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.18
Provider Azurerm v1.39.0

Affected Resource(s)

  • azurerm_subnet
  • azurerm_subnet_network_security_group_association
  • azurerm_network_security_group

Terraform Configuration Files


resource "azurerm_virtual_network" "vnet" {
  name                = "${var.VNET_NAME}"
  location            = "${var.location}"
  address_space       = ["${var.VNET_ADDR_SPACE}"]
  resource_group_name = var.rgname
  dns_servers         = "${var.DNS_SERVERS}"
}

resource "azurerm_subnet" "subnet" {
  name                      = "${var.SUBNET_NAMES[count.index]}"
  virtual_network_name      = "${azurerm_virtual_network.vnet.name}"
  resource_group_name       = var.rgname
  address_prefix            = "${var.SUBNET_PREFIXES[count.index]}"
  count                     = "${length(var.SUBNET_NAMES)}"
}

resource "azurerm_network_security_group" "subnetnsg" {
  name                = "subnet-nsg-${var.ENVIRONMENT}"
  location            = "${var.location}"
  resource_group_name = var.rgname

  security_rule {
    name                       = "http"
    priority                   = 105
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "https"
    priority                   = 104
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "grafana"
    priority                   = 103
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3000"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "prometheus"
    priority                   = 102
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "9090"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "mysql"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3306"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}


resource "azurerm_subnet_network_security_group_association" "aks" {
  subnet_id                 = "${azurerm_subnet.subnet[count.index].id}"
  network_security_group_id = "${azurerm_network_security_group.subnetnsg.id}"
  count                     = "${length(var.SUBNET_NAMES)}"
}


Expected Behavior

terraform plan should not reflect any changes in the configuration.

Actual Behavior

The association between Subnet and NSG gets created after I execute terraform apply. But when I run terraform plan again (without making any changes to the configuration), it shows me an output that Subnet needs to be changed - the association between them to be destroyed. And it goes on in the same manner: one terraform apply creates the association and another destroys it.

Then, by referring to #3077, I appended the below inline property of subnet into the azurerm_subnet block:

network_security_group_id = "${azurerm_network_security_group.subnetnsg.id}"

Then everything started working fine, no changes found in the terraform plan. But when destroying the environment, it throws an error of a Cycle formed between Subnet and NSG.

Steps to Reproduce

  1. terraform plan
  2. terraform apply
  3. terraform apply

#3077 #3426
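
While the behaviour reported above persists, every second apply leaves the subnets without their NSG rules, so a CI gate on the plan is a useful safeguard. The following is an added example, not code from this issue or from the provider: it scans the JSON form of a plan (`terraform show -json <planfile>`) for changes that detach an NSG from a subnet. The sample plan and its placeholder IDs are constructed, and it is an assumption that the subnet change appears as `network_security_group_id` going from a value to null.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`;
# resource IDs are shortened placeholders, not values from the issue.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_subnet.subnet[0]", "type": "azurerm_subnet",
   "change": {"actions": ["update"],
              "before": {"name": "app", "network_security_group_id": "/placeholder/nsg"},
              "after": {"name": "app", "network_security_group_id": null},
              "after_unknown": {}}},
  {"address": "azurerm_subnet.subnet[1]", "type": "azurerm_subnet",
   "change": {"actions": ["no-op"],
              "before": {"name": "db", "network_security_group_id": "/placeholder/nsg"},
              "after": {"name": "db", "network_security_group_id": "/placeholder/nsg"}}},
  {"address": "azurerm_subnet_network_security_group_association.aks[1]",
   "type": "azurerm_subnet_network_security_group_association",
   "change": {"actions": ["delete"],
              "before": {"subnet_id": "/placeholder/db"}, "after": null}}
]}
""")

ASSOC = "azurerm_subnet_network_security_group_association"


def nsg_detachments(plan):
    """Return (address, reason) for each planned change that detaches an NSG from a subnet."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if rc.get("type") == "azurerm_subnet" and "update" in actions:
            # A value only known after apply is listed in after_unknown, not cleared.
            cleared = (before.get("network_security_group_id")
                       and not after.get("network_security_group_id")
                       and not unknown.get("network_security_group_id"))
            if cleared:
                findings.append((rc["address"], "inline network_security_group_id cleared"))
        elif rc.get("type") == ASSOC and actions == ["delete"]:
            findings.append((rc["address"], "NSG association destroyed"))
    return findings


if __name__ == "__main__":
    for address, reason in nsg_detachments(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

A pipeline can fail the run whenever the returned list is non-empty and require an explicit approval for the change.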

@ToniCipriani

This looks like the same issue: #4983

@tombuildsstuff added this to the v2.0.0 milestone Feb 20, 2020

@tombuildsstuff
Contributor

Fixed via #5801

@ghost

ghost commented Feb 24, 2020

This has been released in version 2.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.0.0"
}
# ... other configuration ...

@ghost

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost locked and limited conversation to collaborators Mar 28, 2020