Terraform deletes/modifies resource and its dependency simultaneously

[nitzanm]

Summary

I'm doing the following:

1. Create a public IP, and a load balancer that uses it (and hence depends on it).
2. Simultaneously delete the public IP and remove it from the load balancer.

Since the load balancer depends on the public IP, I'd expect the load balancer to be modified before the public IP is deleted. However, Terraform doesn't recognize that dependency and instead tries to delete the public IP at the same time it's modifying the load balancer - resulting in Azure (correctly) complaining.

Terraform Version

Terraform v0.12.1
+ provider.azurerm v1.30.1

Terraform Configuration Files

resource "azurerm_resource_group" "rg" {
  name     = "nmiron-dependency-test-rg"
  location = "West US"
}

resource "azurerm_public_ip" "pip" {
  name                = "pip"
  location            = "West US"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  allocation_method   = "Static"
}

resource "azurerm_lb" "lb" {
  name                = "lb"
  location            = "West US"
  resource_group_name = "${azurerm_resource_group.rg.name}"

  frontend_ip_configuration {
    name                 = "PublicIPAddress"
    public_ip_address_id = "${azurerm_public_ip.pip.id}"
  }
}

Debug Output

Full output: https://gist.github.com/nitzanm/f228bace457dd657b7a5f4c671faa09c

Summary output:

# terraform apply
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg]
azurerm_public_ip.pip: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/publicIPAddresses/pip]
azurerm_lb.lb: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/loadBalancers/lb]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # azurerm_lb.lb will be updated in-place
  ~ resource "azurerm_lb" "lb" {
        id                   = "/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/loadBalancers/lb"
        location             = "westus"
        name                 = "lb"
        private_ip_addresses = []
        resource_group_name  = "nmiron-dependency-test-rg"
        sku                  = "Basic"
        tags                 = {}

      - frontend_ip_configuration {
          - inbound_nat_rules             = [] -> null
          - load_balancer_rules           = [] -> null
          - name                          = "PublicIPAddress" -> null
          - outbound_rules                = [] -> null
          - private_ip_address_allocation = "Dynamic" -> null
          - public_ip_address_id          = "/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/publicIPAddresses/pip" -> null
          - zones                         = [] -> null
        }
    }

  # azurerm_public_ip.pip will be destroyed
  - resource "azurerm_public_ip" "pip" {
      - allocation_method            = "Static" -> null
      - id                           = "/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/publicIPAddresses/pip" -> null
      - idle_timeout_in_minutes      = 4 -> null
      - ip_address                   = "40.78.94.7" -> null
      - ip_version                   = "IPv4" -> null
      - location                     = "westus" -> null
      - name                         = "pip" -> null
      - public_ip_address_allocation = "Static" -> null
      - resource_group_name          = "nmiron-dependency-test-rg" -> null
      - sku                          = "Basic" -> null
      - tags                         = {} -> null
      - zones                        = [] -> null
    }

Plan: 0 to add, 1 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_public_ip.pip: Destroying... [id=/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/publicIPAddresses/pip]
azurerm_lb.lb: Modifying... [id=/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/loadBalancers/lb]
azurerm_lb.lb: Still modifying... [id=/subscriptions/xxxx...ers/Microsoft.Network/loadBalancers/lb, 10s elapsed]
azurerm_lb.lb: Modifications complete after 11s [id=/subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/loadBalancers/lb]

Error: Error deleting Public IP "pip" (Resource Group "nmiron-dependency-test-rg"): network.PublicIPAddressesClient#Delete: Failure sending request: StatusCode=400 -- Original Error: Code="PublicIPAddressCannotBeDeleted" Message="Public IP address /subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/publicIPAddresses/pip can not be deleted since it is still allocated to resource /subscriptions/xxxx/resourceGroups/nmiron-dependency-test-rg/providers/Microsoft.Network/loadBalancers/lb/frontendIPConfigurations/PublicIPAddress. In order to delete the public IP, disassociate/detach the Public IP address from the resource.  To learn how to do this, see aka.ms/deletepublicip." Details=[]

Expected Behavior

1. Terraform updates the load balancer to not reference the public IP.
2. Terraform then deletes the public IP.

Actual Behavior

Terraform attempts to perform the two steps simultaneously, resulting in an error.

Note that this still happens even if you manually add depends_on = ["azurerm_public_ip.pip"] to the load balancer - since you of course need to delete this line when you delete the public IP.

Steps to Reproduce

1. Create the .tf file above
2. set TF_LOG=DEBUG
3. terraform init, terraform apply
4. Inspect terraform.tfstate: notice that the load balancer correctly depends on the public IP. Inspect the logs, and note the following line: ReferenceTransformer: "azurerm_lb.lb" references: [azurerm_resource_group.rg azurerm_public_ip.pip]`
5. Modify the .tf file above: remove the public IP, and remove the frontend_ip_configuration block from the load balancer (or just use lb-dependency-test.tf-2 from the Gist above).
6. terraform apply
7. Inspect the debug logs from step 5, and note the following line: ReferenceTransformer: "azurerm_lb.lb" references: [azurerm_resource_group.rg]. No dependency on the public IP even though it was in the state file!

Additional Context

References

• Might be related to Order to change/destroy with dependent resources #20196 and Bug: Terraform attempts to delete security groups before dependent EC2 instances #8617
• Might be dupliate of Delete of dependent resource doesn't always honor ordering #20823, but nobody has touched that since March, so maybe it's obsolete.
• Similar to Incorrect order of execution when deleting resource that participates in dependency, together with the dependency #18408, but that was from over a year ago and looks likely to have been resolved since.

[nitzanm]

I also tried updating Terraform and the provider to the latest versions and nothing changed.

Terraform v0.12.12
+ provider.azurerm v1.35.0

[ebatanero]

Hi, I have the same issue. Terraform will try to delete the Public IP before deleting the Ip_configuration. Is there any solution to this issue?

Thank you in advance.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.