azurerm_private_endpoint removes asg_association after update of tags on private endpoint

[Thomsen96]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.0

AzureRM Provider Version

3.90.0

Affected Resource(s)/Data Source(s)

azurerm_private_endpoint

Terraform Configuration Files

locals {
  prefix                              = "pep-test"
  resource_group_name                 = "pep-testrg"
  virtual_network_resource_group_name = "vnet_rg_name"
  virtual_network_name                = "vnet"
  subnet_name                         = "subnet"
  asg_name                            = "asg"

  tags = {
    "tag" = "TagToReplace"
  }
}

data "azurerm_resource_group" "main" {
  name = local.resource_group_name
}

data "azurerm_resource_group" "vnet" {
  name = local.virtual_network_resource_group_name
}

data "azurerm_subnet" "snet" {
  name                 = local.subnet_name
  virtual_network_name = local.virtual_network_name
  resource_group_name  = local.virtual_network_resource_group_name
}

data "azurerm_application_security_group" "asg" {
  name                = local.asg_name
  resource_group_name = local.virtual_network_resource_group_name
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "placeholder_to_assign_asg" {
  name                = "${local.prefix}kv"
  resource_group_name = data.azurerm_resource_group.main.name
  location            = data.azurerm_resource_group.main.location
  tenant_id           = data.azurerm_client_config.current.tenant_id

  soft_delete_retention_days    = 7
  purge_protection_enabled      = true
  sku_name                      = "standard"
  public_network_access_enabled = false
  enable_rbac_authorization     = true

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
  lifecycle {
    ignore_changes = [
      contact
    ]
  }

  tags = local.tags
}


resource "azurerm_private_endpoint" "private_endpoint_to_update_tag_on" {
  name                = "${local.prefix}-pep-vault"
  resource_group_name = azurerm_key_vault.placeholder_to_assign_asg.resource_group_name
  location            = azurerm_key_vault.placeholder_to_assign_asg.location
  subnet_id           = data.azurerm_subnet.snet.id

  private_service_connection {
    name                           = "${local.prefix}-psc-blob"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_key_vault.placeholder_to_assign_asg.id
    subresource_names              = ["vault"]
  }

  tags = local.tags

  lifecycle {
    ignore_changes = [
      private_dns_zone_group
    ]
  }
}

resource "azurerm_private_endpoint_application_security_group_association" "asg_which_is_removed_after_tag_update" {
  application_security_group_id = data.azurerm_application_security_group.asg.id
  private_endpoint_id           = azurerm_private_endpoint.private_endpoint_to_update_tag_on.id

}

Debug Output/Panic Output

> terraform apply -auto-approve

## Reading state

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_key_vault.placeholder_to_assign_asg will be created
  + resource "azurerm_key_vault" "placeholder_to_assign_asg" {
      + access_policy                 = (known after apply)
      + enable_rbac_authorization     = true
      + id                            = (known after apply)
      + location                      = "westeurope"
      + name                          = "pep-testkv"
      + public_network_access_enabled = false
      + purge_protection_enabled      = true
      + resource_group_name           = "cloud-adoption-rg"
      + sku_name                      = "standard"
      + soft_delete_retention_days    = 7
      + tags                          = {
          + "tag" = "TagToReplace"
        }
      + tenant_id                     = "REDACTED"
      + vault_uri                     = (known after apply)

      + network_acls {
          + bypass         = "AzureServices"
          + default_action = "Deny"
        }
    }

  # azurerm_private_endpoint.private_endpoint_to_update_tag_on will be created
  + resource "azurerm_private_endpoint" "private_endpoint_to_update_tag_on" {
      + custom_dns_configs       = (known after apply)
      + id                       = (known after apply)
      + location                 = "westeurope"
      + name                     = "pep-test-pep-vault"
      + network_interface        = (known after apply)
      + private_dns_zone_configs = (known after apply)
      + resource_group_name      = "cloud-adoption-rg"
      + subnet_id                = "REDACTED"
      + tags                     = {
          + "tag" = "TagToReplace"
        }

      + private_service_connection {
          + is_manual_connection           = false
          + name                           = "pep-test-psc-blob"
          + private_connection_resource_id = (known after apply)
          + private_ip_address             = (known after apply)
          + subresource_names              = [
              + "vault",
            ]
        }
    }

  # azurerm_private_endpoint_application_security_group_association.asg_which_is_removed_after_tag_update will be created
  + resource "azurerm_private_endpoint_application_security_group_association" "asg_which_is_removed_after_tag_update" {
      + application_security_group_id = "REDACTED"
      + id                            = (known after apply)
      + private_endpoint_id           = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.

## Creating

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.


## Updating the tag value

> terraform apply -auto-approve

## Reading state 

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_key_vault.placeholder_to_assign_asg will be updated in-place
  ~ resource "azurerm_key_vault" "placeholder_to_assign_asg" {
        id                              = "REDACTED"
        name                            = "pep-testkv"
      ~ tags                            = {
          ~ "tag" = "TagToReplace" -> "TagUpdated"
        }
        # (13 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # azurerm_private_endpoint.private_endpoint_to_update_tag_on will be updated in-place
  ~ resource "azurerm_private_endpoint" "private_endpoint_to_update_tag_on" {
        id                       = "REDACTED"
        name                     = "pep-test-pep-vault"
      ~ tags                     = {
          ~ "tag" = "TagToReplace" -> "TagUpdated"
        }
        # (6 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

## Modifying

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.

> terraform apply -auto-approve

## Reading state

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_private_endpoint_application_security_group_association.asg_which_is_removed_after_tag_update will be created
  + resource "azurerm_private_endpoint_application_security_group_association" "asg_which_is_removed_after_tag_update" {
      + application_security_group_id = "REDACTED"
      + id                            = (known after apply)
      + private_endpoint_id           = "REDACTED"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

## Modifying

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Expected Behaviour

Updating a tag on a azurerm_private_endpoint resource doesn't remove ASG associations.

Actual Behaviour

ASG associations of a Private Endpoint is removed when a tag is updated on the azurerm_private_endpoint resource without any information in the terraform plan output.

Steps to Reproduce

1. Fill out the appropriate local variables, note the key vault could be any resource which a private end point could be attached.
2. Run terraform apply
3. Update the tag value "TagToReplace"
4. Run terraform apply
5. Run terraform apply

Important Factoids

No response

References

No response

[bPhysicist]

This issue is caused by the update function of azurerm_private_endpoint calling CreateOrUpdate without attaching existing ApplicationSecurityGroups.
I created a PR (#24846) that addresses the issue.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.