Modification of Tags forces rebuild of VNET

[mrclemensiii]

The following code will successfully deploy a VNET with one Subnet and a Security Group with 4 tags

`terraform {
required_version = "> 0.13.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 2.49.0"
}
}
}

provider "azurerm" {

subscription_id = var.subscription_id
client_id = var.client_id
client_secret = var.client_secret
tenant_id = var.tenant_id

features {}
}

locals {
common_tags = {
Environment = "Production"
Product = "MRCProduct"
Product_Organization = "MRC"
Datacenter = "Azure East US"
}
}

resource "azurerm_resource_group" "mgmt" {
name = "mrc-mgmt-rg01"
location = "East US"

tags = local.common_tags
}

module "mgmt-network" {
source = "Azure/vnet/azurerm"
version = "2.4.0"
vnet_name = "mrc-mgmt-vnet"
resource_group_name = azurerm_resource_group.mgmt.name
address_space = ["10.10.0.0/23"]
subnet_prefixes = ["10.10.0.0/27"]
subnet_names = ["mrc-mgmt-ad"]
dns_servers = []

nsg_ids = {
"mrc-mgmt-ad" = azurerm_network_security_group.ad.id
}

tags = local.common_tags

depends_on = [azurerm_resource_group.mgmt]
}

resource "azurerm_network_security_group" "ad" {
name = "mrc-mgmt-ad-nsg"
resource_group_name = azurerm_resource_group.mgmt.name
location = azurerm_resource_group.mgmt.location

tags = local.common_tags
}`

Unfortunately if I try to re-run this code updating or changing the Tags I recieve the following result that wants to rebuild the VNET

module.mgmt-network.azurerm_virtual_network.vnet must be replaced

-/+ resource "azurerm_virtual_network" "vnet" {
~ guid = "9d834e0d-7801-4032-b0c7-4bc0b29c3d8e" -> (known after apply)
~ id = "/subscriptions/22fa4733-0585-4e85-9962-e4242aaf829f/resourceGroups/mrc-mgmt-rg01/providers/Microsoft.Network/virtualNetworks/mrc-mgmt-vnet" -> (known after apply)
~ location = "eastus" -> (known after apply) # forces replacement
name = "mrc-mgmt-vnet"
~ subnet = [
- {
- address_prefix = "10.10.0.0/27"
- id = "/subscriptions/22fa4733-0585-4e85-9962-e4242aaf829f/resourceGroups/mrc-mgmt-rg01/providers/Microsoft.Network/virtualNetworks/mrc-mgmt-vnet/subnets/mrc-mgmt-ad"
- name = "mrc-mgmt-ad"
- security_group = "/subscriptions/22fa4733-0585-4e85-9962-e4242aaf829f/resourceGroups/mrc-mgmt-rg01/providers/Microsoft.Network/networkSecurityGroups/mrc-mgmt-ad-nsg"
},
] -> (known after apply)
~ tags = {
~ "Datacenter" = "Azure West US" -> "Azure East US"
# (3 unchanged elements hidden)
}
# (4 unchanged attributes hidden)
}

Plan: 1 to add, 2 to change, 1 to destroy.

---

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

[yupwei68]

Hi @mrclemensiii , thanks for opening this issue. Unfortunately, I could not reproduce your error. After carefully looking into the output, I think the forcenew is resulted from the change of the location. Please check if the location is different from the remote state of the virtual network.
~ location = "eastus" -> (known after apply) # forces replacement

[manoatsas]

I'm seeing similar issue too. While I'm not changing the location I do see this line from TF output
location = "eastus2" -> (known after apply) # forces replacement

[manoatsas]

This seems to be due to the change to tags value in azurerm_resource_group and depends_on, that forces vnet module to refresh and forces replacement of subnets and location in vnet.

[mrclemensiii]

You are correct. If I remove the depends_on the issue is solved. Thanks you @manoatsas I think we can close this one.

[manoatsas]

@mrclemensiii I doubt if removing depends_on solves your issue. In my case, running terraform plan with a clean state fails withError: Error: Resource Group "xx" was not found

[andyliddle]

I am having the same issue with updated tags on the resource group.

If I remove the depends_on, the tags update and the vent isn't deleted. If I run from a clean slate a get an error on resource group doesn't exist.

Terraform v0.14.9