Andy

Reputation: 2946

Can I perform consecutive changes on resource with Terraform?

Sometimes I need to perform several changes to a resource with TF (within the same declaration file), for example:

  1. Create Azure VNET/Subnet A
  2. Create Private Endpoint
  3. Change properties of Subnet A from #1

I tried to create the same resource with a depends_on statement, but it doesn't work.

module.vnet-stage2[1].azurerm_virtual_network.vnet: Creating...
module.vnet-stage2[0].azurerm_virtual_network.vnet: Creating...
╷
│ Error: A resource with the ID "/subscriptions/6fd2b24c-1ffa-43ca-abc1-8127c30dcb39/resourceGroups/PE-TF-RG/providers/Microsoft.Network/virtualNetworks/client-vnet" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_virtual_network" for more information.
│
│   with module.vnet-stage2[0].azurerm_virtual_network.vnet,
│   on ../../modules/vnet/main.tf line 6, in resource "azurerm_virtual_network" "vnet":
│    6: resource azurerm_virtual_network "vnet" {
│
╵
╷
│ Error: A resource with the ID "/subscriptions/6fd2b24c-1ffa-43ca-abc1-8127c30dcb39/resourceGroups/PE-TF-RG/providers/Microsoft.Network/virtualNetworks/server-vnet" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_virtual_network" for more information.
│
│   with module.vnet-stage2[1].azurerm_virtual_network.vnet,
│   on ../../modules/vnet/main.tf line 6, in resource "azurerm_virtual_network" "vnet":
│    6: resource azurerm_virtual_network "vnet" {
│
╵

Upvotes: 0

Views: 426

Answers (1)

Ansuman Bal

Reputation: 11421

I tried testing your requirement with the below code. It's not possible to change the subnet enforce_private_link_service_network_policies = true to false from the same declaration file.

provider "azurerm" {
    features{}
}

data "azurerm_resource_group" "example" {
  name     = "yourresourcegroup"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
}

resource "azurerm_subnet" "service" {
  name                 = "service"
  resource_group_name  = data.azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]

  enforce_private_link_service_network_policies = true
}

resource "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  resource_group_name  = data.azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]

  enforce_private_link_endpoint_network_policies = true
}

resource "azurerm_public_ip" "example" {
  name                = "example-pip"
  sku                 = "Standard"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  allocation_method   = "Static"
}


resource "azurerm_lb" "example" {
  name                = "example-lb"
  sku                 = "Standard"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  frontend_ip_configuration {
    name                 = azurerm_public_ip.example.name
    public_ip_address_id = azurerm_public_ip.example.id
  }
}

resource "azurerm_private_link_service" "example" {
  name                = "example-privatelink"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  nat_ip_configuration {
    name      = azurerm_public_ip.example.name
    primary   = true
    subnet_id = azurerm_subnet.service.id
  }

  load_balancer_frontend_ip_configuration_ids = [
    azurerm_lb.example.frontend_ip_configuration.0.id,
  ]
}

resource "azurerm_private_endpoint" "example" {
  name                = "example-endpoint"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = azurerm_private_link_service.example.id
    is_manual_connection           = false
  }
}

Output: [screenshot of the apply output in the original answer, not reproduced here]

When you try to change the value to false, you get the below error: [screenshot of the error in the original answer, not reproduced here]

Solution:

You can create the VNet + subnet first in one file and then create the private endpoint in another, using data sources for the VNet and subnet. After the private endpoint is created you can change the properties of the subnet by going back to the VNet + subnet file.

Or

You can create everything at once, then use PowerShell or the CLI to change that property of the subnet.

Command for CLI:

az network vnet subnet update --disable-private-endpoint-network-policies false --name service --resource-group resourcegroup --vnet-name example-network

Reference:

Manage network policies for private endpoints - Azure Private Link | Microsoft Docs

Note: enforce_private_link_service_network_policies = true on a subnet is mandatory for creating a private endpoint. After creation you can change to enforce_private_link_service_network_policies = false.

Upvotes: 1
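The two-configuration approach from the answer's first solution, written out as an added example (this is not code from the question or the answer). Stage 1 owns the VNet and subnet; stage 2 is a separate root module that looks the subnet up with data sources and creates the private endpoint against it, so the two resources never compete for the same Azure resource ID in one state. The resource group name `PE-TF-RG` and VNet name `client-vnet` are taken from the question's error output; the location, the `private_link_service_id` variable and the provider version pin are assumptions for illustration. Attribute names follow the azurerm 2.x provider used on this page, where `enforce_private_link_endpoint_network_policies = true` means the subnet's network policies are *disabled* (the attribute is inverted).

```hcl
# ---------------------------------------------------------------
# stage1/main.tf  (apply this first: VNet + endpoint subnet)
# ---------------------------------------------------------------
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.99" # assumed pin; keeps the 2.x attribute names used on this page
    }
  }
}

provider "azurerm" {
  features {}
}

variable "resource_group_name" { default = "PE-TF-RG" }   # from the question's error output
variable "location"            { default = "westeurope" } # assumed

resource "azurerm_virtual_network" "vnet" {
  name                = "client-vnet" # from the question's error output
  address_space       = ["10.0.0.0/16"]
  location            = var.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.2.0/24"]

  # azurerm 2.x: true = network policies DISABLED on this subnet.
  # Step 1: leave this true until stage 2 has created the private endpoint.
  # Step 3: flip to false and re-apply stage 1 so NSG/UDR policies apply again.
  enforce_private_link_endpoint_network_policies = true
}

# ---------------------------------------------------------------
# stage2/main.tf  (separate root module, apply after stage 1)
# ---------------------------------------------------------------
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.99"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed input: ID of the private link service (or PaaS resource) to connect to.
variable "private_link_service_id" {
  type = string
}

# Read-only lookups of what stage 1 created; nothing here tries to
# create the VNet or subnet a second time, so no "already exists" error.
data "azurerm_virtual_network" "vnet" {
  name                = "client-vnet"
  resource_group_name = "PE-TF-RG"
}

data "azurerm_subnet" "endpoint" {
  name                 = "endpoint"
  virtual_network_name = data.azurerm_virtual_network.vnet.name
  resource_group_name  = data.azurerm_virtual_network.vnet.resource_group_name
}

resource "azurerm_private_endpoint" "pe" {
  name                = "example-endpoint"
  location            = data.azurerm_virtual_network.vnet.location
  resource_group_name = data.azurerm_virtual_network.vnet.resource_group_name
  subnet_id           = data.azurerm_subnet.endpoint.id

  private_service_connection {
    name                           = "example-privateserviceconnection"
    private_connection_resource_id = var.private_link_service_id
    is_manual_connection           = false
  }
}
```

Run `terraform apply` in `stage1/`, then in `stage2/` (the data sources read live Azure state, so stage 1 must exist before stage 2 plans), then edit stage 1 and apply it again for the final subnet change. Re-enabling network policies matters from a security standpoint: while they are disabled, NSG rules and route tables on that subnet are not applied to traffic through the private endpoint. If you move to azurerm 3.x the inverted attribute is replaced by `private_endpoint_network_policies_enabled` (true = policies on), so the `true`/`false` values above swap meaning there.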
