Terraform: Azure VMSS rolling_upgrade does not re-image instances

Question

Having the following VMSS terraform config:

resource "azurerm_linux_virtual_machine_scale_set" "my-vmss" {
...
    instances           = 2
...
  upgrade_mode = "Rolling"
  rolling_upgrade_policy {
    max_batch_instance_percent              = 100
    max_unhealthy_instance_percent          = 100
    max_unhealthy_upgraded_instance_percent = 0
    pause_time_between_batches              = "PT10M"
  }

  extension {
    name = "my-vmss-app-health-ext"
    publisher = "Microsoft.ManagedServices"
    type = "ApplicationHealthLinux"
    automatic_upgrade_enabled = true
    type_handler_version = "1.0"
    settings =jsonencode({
      protocol = "tcp"
      port = 8080
    })
...
}

However, whenever a change is applied (e.g., changing custom_data), the VMSS is updated but instances are not reimaged. Only after manual reimage (via UI or Azure CLI) do the instances get updated.

The "terraform plan" is as expected - custom_data change is detected:

 # azurerm_linux_virtual_machine_scale_set.my-vmss will be updated in-place 
~ resource "azurerm_linux_virtual_machine_scale_set" "my-vmss" { 
   ... 
   ~ custom_data = (sensitive value) 
   ...

Plan: 0 to add, 1 to change, 0 to destroy.

Any idea of how to make Terraform cause the instance reimaging?

Answer 1

It looks like not a terraform issue but a "rolling upgrades" design by Azure. From here (1) it follows that updates to custom_data won't affect existing instances. I.e., until the instance is manually reimaged (e.g., via UI or azure CLI) it won't get the new custom_data (e.g., the new cloud-init script). In contrast, AWS does refresh instances on custom_data updates. Please let me know if my understanding is incorrect or if you have an idea of how to work around this limitation in Azure.