@mikebranstein
Created February 5, 2021 15:24
Terraform AzureRM - Storage Account Network Rules Virtual Network Subnet Ids not detecting changes

Getting Started

  1. Unzip example.zip from https://www.dropbox.com/s/2yd3d8d642cotc0/example.zip?dl=0
  2. Update the main.tf file to include the tenant_id and subscription_id values for your Azure subscription
  3. az login --tenant <tenant_id>
  4. terraform init
  5. terraform apply, which creates the base of the example resources:
  • example-rg resource group
  • example-vnet virtual network
  • subnet1 subnet (with Storage and Key Vault service endpoints)
  • exampleXXXXXXXXX storage account
  • exampleXXXXXXXXX key vault

Test 1: Adding a subnet, using concat()

The purpose of this test is to show that when adding a subnet and using concat(), both Storage Account and Key Vault virtual network subnet ids are updated with the new subnet.

Before beginning, review the main.tf in the region module folder. Note that the virtual_network_subnet_ids property of the storage account and key vault resources uses a concat() function to combine a for expression and a list(string) object.

  1. Uncomment subnet2 definition in config.auto.tfvars file
  2. terraform plan

Test 1 Result

Note 1 resource will be added (subnet2), and 2 resources will be updated (storage account and key vault virtual network subnet ids). This is expected behavior.

Test 2: Adding a subnet, using concat() and distinct()

The purpose of this test is to show that when adding a subnet and using concat() and distinct(), only the Key Vault virtual network subnet ids are updated with the new subnet. The Storage Account virtual network subnet ids do not detect a change.

  1. Open the main.tf file in the region module folder.
  2. Uncomment the Test 2 scenario virtual_network_subnet_ids property for the Storage Account and Key Vault
  3. terraform plan

Test 2 Result

Note 1 resource will be added (subnet2), and only 1 resource will be updated (the key vault). This behavior is unexpected. The expected behavior is to see 2 resources updated (the storage account and the key vault).

Tests 3, 4, & 5

The purpose of these tests is to show that when distinct() and compact() are used, only the Key Vault virtual network subnet ids are updated with the new subnet. The Storage Account virtual network subnet ids do not detect a change.

Follow the same process as test 2 to see the same results.
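Because the plan in Tests 2 through 5 reports no change for the storage account, the intended subnet list and the firewall rules actually applied can silently diverge. The check below confirms, after an apply, that the storage account allows exactly the subnets the configuration intends; it is an added example, not part of the gist, and it assumes the JSON shape printed by `az storage account network-rule list` and uses constructed placeholder resource ids.

```python
import json

# Constructed resource ids for the gist's example-rg / example-vnet (placeholder subscription).
VNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
           "/providers/Microsoft.Network/virtualNetworks/example-vnet")

# Constructed sample in the (assumed) JSON shape `az storage account network-rule list` prints.
# It models what Test 2 would leave behind if its plan were applied: the storage account
# update was never planned, so subnet1 is still the only allowed subnet.
AZ_NETWORK_RULES = json.dumps({
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [{"action": "Allow", "state": "Succeeded",
                             "virtualNetworkResourceId": VNET_ID + "/subnets/subnet1"}],
})

# Constructed: the raw list concat() yields with subnet2 uncommented, before distinct()
# and compact() trim it. The case variant and the empty string are deliberate.
INTENDED_SUBNET_IDS = [
    VNET_ID + "/subnets/subnet1",
    VNET_ID + "/subnets/subnet2",
    VNET_ID.replace("resourceGroups", "resourcegroups") + "/subnets/subnet1",
    "",
]

def normalize(resource_id):
    """Azure resource ids compare case-insensitively, so fold case before comparing."""
    return resource_id.strip().lower()

def intended_set(subnet_ids):
    """Mirror compact() and distinct(): drop empty strings and duplicates."""
    return {normalize(s) for s in subnet_ids if s}

def actual_allowed_set(az_output):
    """Subnets the storage account firewall currently allows, from the CLI JSON."""
    rules = json.loads(az_output)
    return {normalize(r["virtualNetworkResourceId"])
            for r in rules.get("virtualNetworkRules", []) if r.get("action") == "Allow"}

def network_rule_drift(subnet_ids, az_output):
    """Intended vs applied: 'missing' are unapplied adds, 'unexpected' are stale allows."""
    want, have = intended_set(subnet_ids), actual_allowed_set(az_output)
    return {
        "default_action": json.loads(az_output).get("defaultAction"),  # "Allow" makes the list moot
        "missing": sorted(want - have),
        "unexpected": sorted(have - want),
        "in_sync": want == have,
    }
```

Feed it the real CLI output and the list your configuration evaluates to (for example via terraform console) and a non-empty "missing" or "unexpected" entry is drift the plan did not report.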
