Documentation: azurerm_subnet #2786

Closed
OffColour opened this issue Jan 28, 2019 · 4 comments

@OffColour

OffColour commented Jan 28, 2019

Documentation on this is a little confusing as it says NSGs need to be configured "both using" and then says "and/or".
Terraform reports the association is deprecated and to use the new resource, but if I remove the association and only use the new resource the NSG doesn't get applied to the subnet.

"NOTE: At this time Subnet <-> Network Security Group associations need to be configured both using this field (which is now Deprecated) and/or using the azurerm_subnet_network_security_group_association resource. This field field is deprecated and will be removed in favour of that resource in the next major version (2.0) of the AzureRM Provider."

Update:
First Apply with Terraform after removing the association in the subnet resource removes the NSG from the subnet.
Applying again reinstates them with the association resource.
Running a third time removes them all again as the subnet resource association is not there.

I presume this means that both need to be there and we remove the entry from the subnet resource when v 2.0 comes out.

@tombuildsstuff
Contributor

hey @OffColour

Thanks for opening this issue :)

At this point in time both the field within the azurerm_subnet resource and the separate resource azurerm_subnet_network_security_group_association need to be specified; however as you've mentioned we'll be changing this in 2.0 by removing the network_security_group_id field within the azurerm_subnet resource, such that only the azurerm_subnet_network_security_group_association resource will be necessary.

Whilst we're aware this isn't ideal from a UX perspective - unfortunately this is necessary to ensure we don't break a use-case where removing the network_security_group_id field from the Terraform Config for a Subnet removes the attached Network Security Group.

> I presume this means that both need to be there and we remove the entry from the subnet resource when v 2.0 comes out.

Indeed - setting this in both locations (using the network_security_group_id field within the azurerm_subnet resource) and via the azurerm_subnet_network_security_group_association resource will ensure this is configured in 1.x. When 2.0 comes out you should be able to remove the network_security_group_id field from the azurerm_subnet resource and work as before; technically speaking you don't need the azurerm_subnet_network_security_group_association resource in 1.x - it's mostly useful at this point in time as a migration (so that you can just drop the field).

As mentioned above - we're aware this isn't an ideal UX in 1.x but this is something we'll be fixing in 2.0 - as such I'm going to close this issue for the moment, that said feel free to let us know if setting this in both places doesn't work for you and we'll take another look.

Thanks!
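
An added example, not part of the original thread or the provider's documentation: a minimal azurerm 1.x configuration that sets the NSG in both places, as the reply above describes. Resource names, location and address ranges are constructed placeholders, and the interpolation syntax assumes the Terraform version current at the time of the thread.

```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-rg"   # constructed placeholder
  location = "West Europe"  # constructed placeholder
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = "${azurerm_resource_group.example.location}"
  resource_group_name = "${azurerm_resource_group.example.name}"
}

resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = "${azurerm_resource_group.example.location}"
  resource_group_name = "${azurerm_resource_group.example.name}"
}

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = "${azurerm_resource_group.example.name}"
  virtual_network_name = "${azurerm_virtual_network.example.name}"
  address_prefix       = "10.0.1.0/24"

  # Deprecated in 1.x but still required. Per the thread, leaving this
  # out makes the subnet resource detach the NSG on apply, so the subnet
  # alternates between filtered and unfiltered on successive applies.
  network_security_group_id = "${azurerm_network_security_group.example.id}"
}

# The replacement resource. Keeping it alongside the field in 1.x means
# that after upgrading to 2.0 only the field above has to be dropped.
resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = "${azurerm_subnet.example.id}"
  network_security_group_id = "${azurerm_network_security_group.example.id}"
}
```

With both set to the same NSG ID, a repeated `terraform plan` should show no changes to the subnet; a plan that keeps adding and removing the NSG indicates the two settings are out of step.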

@OffColour
Author

Thanks, @tombuildsstuff.
One minor request in the interim: Can you change the wording on the page so it clearly says "and" rather than "and/or"? Should stop anyone else being as confused as I was!

@tombuildsstuff
Contributor

tombuildsstuff commented Jan 29, 2019

@OffColour sorry forgot to mention that - I've updated that as a part of #2789 which will be released when v1.22 goes out, thanks for the heads up!

@ghost

ghost commented Mar 5, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

ghost locked and limited conversation to collaborators Mar 5, 2019