Changing public_network_access_enabled should not force replacement

[epomatti]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.2

AzureRM Provider Version

3.48.0

Affected Resource(s)/Data Source(s)

azurerm_batch_account

Terraform Configuration Files

resource "azurerm_batch_account" "main" {
  name                          = "ba${var.sys}"
  resource_group_name           = azurerm_resource_group.main.name
  location                      = azurerm_resource_group.main.location
  public_network_access_enabled = var.batch_account_public

  storage_account_id                  = azurerm_storage_account.main.id
  storage_account_authentication_mode = "BatchAccountManagedIdentity"

  pool_allocation_mode = "BatchService"

  identity {
    type = "SystemAssigned"
  }
}

Debug Output/Panic Output

Terraform will perform the following actions:

  # azurerm_batch_account.main must be replaced
-/+ resource "azurerm_batch_account" "main" {
      ~ account_endpoint                    = "bafastbrains.eastus.batch.azure.com" -> (known after apply)
      ~ allowed_authentication_modes        = [
          - "AAD",
          - "SharedKey",
          - "TaskAuthenticationToken",
        ] -> (known after apply)
      - encryption                          = [] -> null
      ~ id                                  = "/subscriptions/000-000-0000-000000/resourceGroups/rg-fastbrains/providers/Microsoft.Batch/batchAccounts/bafastbrains" -> (known after apply)
        name                                = "bafastbrains"
      ~ primary_access_key                  = (sensitive value)
      ~ public_network_access_enabled       = false -> true # forces replacement
      ~ secondary_access_key                = (sensitive value)
      - tags                                = {} -> null
        # (5 unchanged attributes hidden)

      ~ identity {
          - identity_ids = [] -> null
          ~ principal_id = "4a1d9da2-b832-47c3-ae6f-c2369973b240" -> (known after apply)
          ~ tenant_id    = "94d47d96-52c0-4b73-b3ae-028fafc55d47" -> (known after apply)
            # (1 unchanged attribute hidden)
        }
    }

Expected Behaviour

Changing public_network_access_enabled value on a azurerm_batch_account should be an update on the resource, not a replacement.

Actual Behaviour

When I change public_network_access_enabled value on a azurerm_batch_account resource, it forces replacement of the Batch account.

public_network_access_enabled       = false -> true # forces replacement

Steps to Reproduce

1. Create a Batch account resource
2. Change the value of public_network_access_enabled
3. Plan the changes

The plan will have an action to replace the batch account, but it should only be updated.

Important Factoids

No response

References

https://learn.microsoft.com/en-us/azure/batch/public-network-access

[liuwuliuyun]

Hi @epomatti , thanks for raising this issue. I will raise PR to fix this soon.

[liuwuliuyun]

Hi @epomatti , in current 2022-01-01 API version of batch used in Azurerm Provider, changing this property will not be effected hence this property is labeled forceNew. Which means that no matter what you feed into the API after the initial setting, it will not be changed even you ask it to change specificly.

Here is the evidence:

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
PS D:\TerraformTest\batch> terraform apply --auto-approve
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/azurerm in C:\Users\yunliu1\go\bin
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
azurerm_resource_group.test: Refreshing state... [id=/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun]
azurerm_batch_account.test: Refreshing state... [id=/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun/providers/Microsoft.Batch/batchAccounts/testaccbatch2]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_batch_account.test will be updated in-place
  ~ resource "azurerm_batch_account" "test" {
        id                            = "/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun/providers/Microsoft.Batch/batchAccounts/testaccbatch2"
        name                          = "testaccbatch2"
      ~ public_network_access_enabled = false -> true
        tags                          = {}
        # (8 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
azurerm_batch_account.test: Modifying... [id=/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun/providers/Microsoft.Batch/batchAccounts/testaccbatch2]
azurerm_batch_account.test: Modifications complete after 5s [id=/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun/providers/Microsoft.Batch/batchAccounts/testaccbatch2]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
PS D:\TerraformTest\batch> terraform apply --auto-approve
╷
│ Warning: Provider development overrides are in effect
│
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/azurerm in C:\Users\yunliu1\go\bin
│
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
azurerm_resource_group.test: Refreshing state... [id=/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun]
azurerm_batch_account.test: Refreshing state... [id=/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun/providers/Microsoft.Batch/batchAccounts/testaccbatch2]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_batch_account.test will be updated in-place
  ~ resource "azurerm_batch_account" "test" {
        id                            = "/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun/providers/Microsoft.Batch/batchAccounts/testaccbatch2"
        name                          = "testaccbatch2"
      ~ public_network_access_enabled = false -> true
        tags                          = {}
        # (8 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
azurerm_batch_account.test: Modifying... [id=/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun/providers/Microsoft.Batch/batchAccounts/testaccbatch2]
azurerm_batch_account.test: Modifications complete after 7s [id=/subscriptions/85b3dbca-5974-4067-9669-67a141095a76/resourceGroups/testaccRG-batch-yun/providers/Microsoft.Batch/batchAccounts/testaccbatch2]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

[liuwuliuyun]

This issue has been fixed in later API version and we will work on upgrading the API version. Once that is done, we will remove the forceNew label here.

But if you really need this now. I would recommend you to use AzAPI provider. Here is an example. Be sure to use Microsoft.Batch/batchAccounts@2022-10-01 or later version of API.

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
    }
  }
}

provider "azapi" {
}

// azurerm provider
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "testaccRG-batch-yun"
  location = "west europe"
}

resource "azapi_resource" "name" {
  name = "testaccyun"
  type = "Microsoft.Batch/batchAccounts@2022-10-01"
  parent_id = azurerm_resource_group.test.id
  location = azurerm_resource_group.test.location
  body = jsonencode({
    properties = {
        poolAllocationMode = "BatchService"
        publicNetworkAccess = "Enabled"
    }
  })
}

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.