
Support for adding/removing subnet delegation after the subnet is created. #9270

Open
Magicloud opened this issue Nov 11, 2020 · 8 comments
Labels
enhancement new-virtual-resource Resources which are split out to enhance the user experience service/subnets

Comments

@Magicloud

Magicloud commented Nov 11, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The delegation can be added or removed via Terraform at the moment, but it is tied with azurerm_subnet resource. I cannot work on the delegation without touching the code for azurerm_subnet.

New or Affected Resource(s)

  • azurerm_subnet (AFFECTED)

  • azurerm_subnet_delegation (NEW)

Potential Terraform Configuration

resource "azurerm_subnet" "example" {
  name                 = "testsubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Proposed resource: manages the delegation separately from azurerm_subnet.
resource "azurerm_subnet_delegation" "example" {
  subnet_id = azurerm_subnet.example.id

  name = "acctestdelegation"

  service_delegation {
    name    = "Microsoft.ContainerInstance/containerGroups"
    actions = ["Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action"]
  }
}

References

  • #0000
@neil-yechenwei
Contributor

Thanks for opening this issue. It seems this feature has been implemented in the subnet resource. I assume you have to add/remove the delegation block from the subnet resource to implement it. Below is the example.

Adding delegation:

resource "azurerm_subnet" "test" {
  name                 = "testsubnettest01"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefix       = "10.1.0.0/24"

  delegation {
    name = "delegation"
  
    service_delegation {
      name    = "Microsoft.ContainerInstance/containerGroups"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

Removing delegation:

resource "azurerm_subnet" "test" {
  name                 = "testsubnettest01"
  resource_group_name  = azurerm_resource_group.test.name
  virtual_network_name = azurerm_virtual_network.test.name
  address_prefix       = "10.1.0.0/24"
}

@Magicloud
Author

Magicloud commented Nov 12, 2020

@neil-yechenwei Sorry, I did not make myself clear. The current design makes abstraction hard. For example, I cannot make a VPC module without setting the delegation or exposing the subnets to users. Updated the original post.

@tombuildsstuff tombuildsstuff added new-virtual-resource Resources which are split out to enhance the user experience service/subnets labels Nov 12, 2020
@renzo-cast

Another use case for this, which applies in our environment, is where the subnet is already created and provided to us. We don't want to import the subnet into state and just want to be able to manage (create/remove/change) the subnet delegation.

@withakay

withakay commented Nov 3, 2023

I am in a situation where there is a policy that denies the creation of subnets without a network security group. This means I have to create subnets as part of an azurerm_virtual_network resource, which doesn't and won't allow delegation to be defined (see #11187 for why).

Currently I am resorting to hackery such as

  provisioner "local-exec" {
    command = <<-EOT
    az network vnet subnet update \
    --resource-group foo-rg \
    --name foo-subnet \
    --vnet-name foo-vnet \
    --delegations Microsoft.DBforPostgreSQL/flexibleServers \
    --service-endpoints Microsoft.Storage
EOT
  }

Having a provider native way to achieve this would be much nicer.
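A delegation applied out-of-band, as with the local-exec `az network vnet subnet update` workaround above, is invisible to Terraform state, and the same gap exists for the separately-managed delegation the original proposal asks for. The script below is an added example for this thread, not code from the issue or from the azurerm provider. It assumes the JSON shape returned by `az network vnet subnet list -o json` (only `name`, `delegations[].serviceName` and `delegations[].actions` are read) and compares it against the delegations a module is expected to own; the sample output is constructed, not captured from a real subscription.

```python
"""Audit Azure subnet delegations for drift against what Terraform expects.

Added example (not from the issue or the azurerm provider). Assumes the
JSON shape of `az network vnet subnet list -o json`; only `name`,
`delegations[].serviceName` and `delegations[].actions` are read.
"""
import json

# Constructed sample of `az network vnet subnet list -o json`, trimmed to the
# fields this script reads. Not captured from a real subscription.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "name": "foo-subnet",
        "delegations": [
            {
                "name": "delegation",
                "serviceName": "Microsoft.DBforPostgreSQL/flexibleServers",
                "actions": ["Microsoft.Network/virtualNetworks/subnets/join/action"],
            }
        ],
    },
    {
        "name": "app-subnet",
        "delegations": [
            {
                "name": "acctestdelegation",
                "serviceName": "Microsoft.ContainerInstance/containerGroups",
                "actions": [
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action",
                ],
            }
        ],
    },
    {
        "name": "legacy-subnet",
        "delegations": [
            {
                "name": "webfarm",
                "serviceName": "Microsoft.Web/serverFarms",
                "actions": ["Microsoft.Network/virtualNetworks/subnets/action"],
            }
        ],
    },
])

# Delegations the Terraform module is expected to own: subnet name -> service
# names. A subnet absent from this map is treated as unmanaged and reported.
EXPECTED_DELEGATIONS = {
    "foo-subnet": {"Microsoft.DBforPostgreSQL/flexibleServers"},
    "app-subnet": set(),  # no delegation should exist on this subnet
    "db-subnet": {"Microsoft.DBforPostgreSQL/flexibleServers"},
}


def audit_delegations(az_json: str, expected: dict[str, set[str]]) -> list[dict]:
    """Compare the delegations Azure reports with `expected`.

    Returns one finding per subnet that differs:
      - "drift":       subnet is managed but its delegations do not match
      - "not_managed": Azure returned a subnet the expected map does not mention
      - "missing":     the expected map names a subnet Azure did not return
    """
    findings: list[dict] = []
    seen: set[str] = set()
    for subnet in json.loads(az_json):
        name = subnet["name"]
        seen.add(name)
        # Delegation objects may be absent or null when a subnet has none.
        actual = {d["serviceName"] for d in subnet.get("delegations") or []}
        want = expected.get(name)
        if want is None:
            findings.append({"subnet": name, "issue": "not_managed",
                             "actual": sorted(actual)})
        elif actual != want:
            findings.append({"subnet": name, "issue": "drift",
                             "expected": sorted(want), "actual": sorted(actual)})
    for name in sorted(expected.keys() - seen):
        findings.append({"subnet": name, "issue": "missing",
                         "expected": sorted(expected[name])})
    return findings


if __name__ == "__main__":
    for finding in audit_delegations(SAMPLE_AZ_OUTPUT, EXPECTED_DELEGATIONS):
        print(finding)
```

Running it against the sample reports `app-subnet` as drift (a container-instance delegation where none is expected), `legacy-subnet` as unmanaged, and `db-subnet` as missing, while `foo-subnet` is silent because Azure and the expected map agree. Feeding it real output means piping `az network vnet subnet list -g <rg> --vnet-name <vnet> -o json` into `audit_delegations` in place of the constructed sample.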
