No way to rename an azurerm_public_ip resource if it is associated to a bastion host, requires manual deletion of bastion host on portal #10600

Closed
satyakrish opened this issue Feb 16, 2021 · 2 comments


satyakrish commented Feb 16, 2021

Hi,

  1. I have an azurerm_public_ip and an azurerm_bastion_host to which the pip is associated.
  2. I want to rename the pip resource to follow our standard practices.
  3. Our consumers who are updating their versions to the new module call (with new names) are expected to experience a delete and recreate. But all of this should happen in our CI/CD pipelines, and consumers should not have to go to the Azure portal to make any changes.
  4. But the problem we have is that, since the pip is already associated to the bastion host, that should be force replaced as well, but it is only getting updated in place. Because of this the terraform apply fails.
  5. The only workaround seems to be to go to the Azure portal, delete the bastion host manually and then run a terraform apply.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

terraform --version
Terraform v0.14.0

  • provider registry.terraform.io/hashicorp/azurerm v2.46.1

Affected Resource(s)

  1. azurerm_bastion_host
  2. azurerm_public_ip
  • azurerm_XXXXX

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output


  # module.bastion_host.module.bastion_host["eastus"].azurerm_bastion_host.bastion_host will be updated in-place
  ~ resource "azurerm_bastion_host" "bastion_host" {
        id                  = "/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/bastionHosts/dojo-networking-bastion-default-bastion-upgrade"
        name                = "dojo-networking-bastion-default-bastion-upgrade"
      ~ tags                = {
          ~ "DojoVersion"      = "v3.0.x" -> "v4.0.x"
            # (10 unchanged elements hidden)
        }
        # (3 unchanged attributes hidden)

      ~ ip_configuration {
          ~ name                 = "bastion_configuration" -> "bastion_ip_config"
          ~ public_ip_address_id = "/subscriptions/xxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/publicIPAddresses/dojo-networking-bastion-default-bastion-upgrade" -> (known after apply)
            # (1 unchanged attribute hidden)
        }
    }

  # module.bastion_host.module.bastion_host_pip["eastus"].azurerm_public_ip.pip must be replaced
-/+ resource "azurerm_public_ip" "pip" {
      + fqdn                    = (known after apply)
      ~ id                      = "/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/publicIPAddresses/dojo-networking-bastion-default-bastion-upgrade" -> (known after apply)
      ~ ip_address              = "xxxxxx" -> (known after apply)
      ~ name                    = "dojo-networking-bastion-default-bastion-upgrade" -> "dojo-networking-bastion-default-bastion-pip-upgrade" # forces replacement
      ~ tags                    = {
          ~ "DojoVersion"      = "v3.0.x" -> "v4.0.x"
            # (10 unchanged elements hidden)
        }
      - zones                   = [] -> null
        # (6 unchanged attributes hidden)
    }
terraform apply -auto-approve
Acquiring state lock. This may take a few moments...
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade]
module.virtual_network.module.virtual_network["eastus"].azurerm_virtual_network.vnet: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/virtualNetworks/dojo-networking-bastion-default-vnet-upgrade]
module.bastion_host.module.bastion_host_subnet["eastus"].azurerm_subnet.subnet["AzureBastionSubnet"]: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/virtualNetworks/dojo-networking-bastion-default-vnet-upgrade/subnets/AzureBastionSubnet]
module.bastion_host.module.bastion_host_pip["eastus"].azurerm_public_ip.pip: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/publicIPAddresses/dojo-networking-bastion-default-bastion-upgrade]        
module.bastion_host.module.bastion_host_nsg["eastus"].azurerm_network_security_group.nsg: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/networkSecurityGroups/dojo-networking-bastion-default-bastion-nsg-upgrade]
module.bastion_host.module.bastion_host_nsg_assoc["eastus"].azurerm_subnet_network_security_group_association.nsg_assoc: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/virtualNetworks/dojo-networking-bastion-default-vnet-upgrade/subnets/AzureBastionSubnet]
module.bastion_host.module.bastion_host["eastus"].azurerm_bastion_host.bastion_host: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/bastionHosts/dojo-networking-bastion-default-bastion-upgrade]
module.bastion_host.module.diagnostics.module.bastion_host_diagnostics_setting["eastus"].azurerm_monitor_diagnostic_setting.diagnostic_setting[0]: Refreshing state... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/bastionHosts/dojo-networking-bastion-default-bastion-upgrade|dojo-networking-bastion-default-bastion-upgrade-ds]
module.bastion_host.module.bastion_host_pip["eastus"].azurerm_public_ip.pip: Destroying... [id=/subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/publicIPAddresses/dojo-networking-bastion-default-bastion-upgrade]

Error: Error deleting Public IP "dojo-networking-bastion-default-bastion-upgrade" (Resource Group "dojo-networking-bastion-default-upgrade"): network.PublicIPAddressesClient#Delete: Failure sending request: StatusCode=400 -- Original Error: Code="PublicIPAddressCannotBeDeleted" Message="Public IP address /subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/publicIPAddresses/dojo-networking-bastion-default-bastion-upgrade can not be deleted since it is still allocated to resource /subscriptions/xxxx/resourceGroups/dojo-networking-bastion-default-upgrade/providers/Microsoft.Network/bastionHosts/dojo-networking-bastion-default-bastion-upgrade/bastionHostIpConfigurations/bastion_configuration. In order to delete the public IP, disassociate/detach the Public IP address from the resource.  To learn how to do this, see aka.ms/deletepublicip." Details=[]

Panic Output

Expected Behaviour

  • Changing the name of the pip resource should cause force replacement of all bastion host resources to which the pip is associated as well

Actual Behaviour

  • Renaming the pip only force replaces the pip resource and not the associated bastion host; since the pip is already associated to the bastion host, terraform apply fails stating it is already associated

Steps to Reproduce

  1. Create a bastion pip resource.
  2. Create a bastion host resource and associate the above created pip to it.
  3. Run terraform plan and apply -> success.
  4. Now rename the pip resource to a different value.
  5. Run terraform plan -> will show pip will be force replaced, bastion host will be updated in place.
  6. Run terraform apply -> will fail with an error stating the pip is already associated to the bastion host.

Important Factoids

References

  • #0000

ghost commented May 14, 2021

This has been released in version 2.59.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.59.0"
}
# ... other configuration ...

favoretti pushed a commit to gro1m/terraform-provider-azurerm that referenced this issue May 26, 2021
Fixes:
hashicorp#10600

Add ForceNew fields to values in IP Configuration for Bastion Host resource:

  • Name
  • Subnet ID
  • Public IP Address ID

Behaviour then is like for like with Azure Portal where a user has to rebuild Bastion Hosts.
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2021
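
A pre-apply check for the failure reported in this issue, added here as an example (it is not code from the provider or from any participant in the thread): it reads the JSON form of a plan (`terraform show -json <planfile>`) and flags a public IP that will be destroyed while a bastion host still holding it is only updated in place. The sample plan, its resource IDs and the function name `stranded_public_ips` are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json`, reduced to the
# fields the check reads; it mirrors the plan quoted in the issue.
PIP_ID = ("/subscriptions/xxxx/resourceGroups/rg/providers/"
          "Microsoft.Network/publicIPAddresses/old-pip")
SAMPLE_PLAN = {"resource_changes": [
    {"address": "azurerm_public_ip.pip", "type": "azurerm_public_ip",
     "change": {"actions": ["delete", "create"], "before": {"id": PIP_ID}}},
    {"address": "azurerm_bastion_host.bastion_host",
     "type": "azurerm_bastion_host",
     "change": {"actions": ["update"], "before": {"ip_configuration": [
         {"name": "bastion_configuration",
          "public_ip_address_id": PIP_ID}]}}},
]}


def stranded_public_ips(plan):
    """Return (public_ip_address, bastion_address) pairs where the plan
    destroys a public IP that a bastion host, updated in place, still holds."""
    changes = plan.get("resource_changes", [])
    doomed = {}  # lower-cased Azure ID of each public IP being destroyed
    for rc in changes:
        before = rc["change"].get("before") or {}
        if (rc["type"] == "azurerm_public_ip"
                and "delete" in rc["change"]["actions"] and before.get("id")):
            doomed[before["id"].lower()] = rc["address"]
    findings = []
    for rc in changes:
        if rc["type"] != "azurerm_bastion_host":
            continue
        if "delete" in rc["change"]["actions"]:
            continue  # bastion host is destroyed too, so it releases the IP
        before = rc["change"].get("before") or {}
        for cfg in before.get("ip_configuration") or []:
            held = (cfg.get("public_ip_address_id") or "").lower()
            if held in doomed:
                findings.append((doomed[held], rc["address"]))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    hits = stranded_public_ips(plan)
    for pip, bastion in hits:
        print(f"{pip} is destroyed, but {bastion} is only updated in place")
    sys.exit(1 if hits else 0)
```

Run in a pipeline between `terraform plan -out` and `terraform apply`, a non-zero exit stops the apply before the `PublicIPAddressCannotBeDeleted` error can occur.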