azurerm_subnet removes Microsoft.Storage service_endpoints after changes to VNet

[ghost]

This issue was originally opened by @idelix as hashicorp/terraform#18501. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Hi,

I have VNet with subnet which has Microsoft.Storage service endpoint, each time I do change to VNet like for example adding DNS server or changing tags on VNet resource services endpoint is being removed from subnet without any error and I have to run apply to add it again.

resource "azurerm_virtual_network" "example_vnet" {
  name                = "example${terraform.workspace}Ne-vnet"
  address_space       = ["${local.workspace["example_vnet_address_space"]}"]
  location            = "${azurerm_resource_group.network_rg.location}"
  resource_group_name = "${azurerm_resource_group.network_rg.name}"
  dns_servers         = ["8.8.8.8"]
  provider            = "azurerm.default"
  tags                = "${local.common_tags}"

  lifecycle {
    prevent_destroy = true
  }
}

resource "azurerm_subnet" "example_vnet_aks_subnet" {
  name                      = "${local.workspace["example_vnet_aks_subnet_name"]}"
  virtual_network_name      = "${azurerm_virtual_network.example_vnet.name}"
  address_prefix            = "${local.workspace["example_vnet_aks_subnet_address_prefix"]}"
  service_endpoints         = ["Microsoft.Storage"]
  network_security_group_id = "${azurerm_network_security_group.example_vnet_nsg.id}"
  resource_group_name       = "${azurerm_resource_group.network_rg.name}"
  provider                  = "azurerm.default"

  depends_on = ["azurerm_virtual_network.example_vnet"]
}

resource "azurerm_storage_account" "example_sa" {
  name                      = "example${lower(terraform.workspace)}ne"
  account_tier              = "Standard"
  account_replication_type  = "${local.workspace["example_sa_replication_type"]}"
  enable_https_traffic_only = true
  location                  = "${azurerm_resource_group.data_rg.location}"
  resource_group_name       = "${azurerm_resource_group.data_rg.name}"
  provider                  = "azurerm.default"
  tags                      = "${local.common_tags}"

  depends_on = ["azurerm_virtual_network.example_vnet",
    "azurerm_subnet.example_vnet_aks_subnet",
  ]

  network_rules {
    bypass                     = ["AzureServices"]
    ip_rules                   = ["${local.workspace["my_pip"]}"]
    virtual_network_subnet_ids = ["${azurerm_subnet.example_vnet_aks_subnet.id}"]
  }
}

Terraform Version

Terraform v0.11.7

• provider.azurerm v1.9.0

Expected Behavior

Terraform should not remove service endpoint from subnet and I change DNS server on VNet

Actual Behavior

Terraform removes service endpoint from subnet without any notification/error when I change DNS server on VNet

Steps to Reproduce

run provided example without dns servers and then add dns servers

[junbug178]

Hello, I'm experiencing the same issue. Do we have a time frame on the fix?

Running this code:
resource "azurerm_subnet" "subnet" {
name = "${var.environment}_subnet_1"
resource_group_name = "${azurerm_resource_group.vnet_rg.name}"
virtual_network_name = "${azurerm_virtual_network.vnet.name}"
address_prefix = "10.0.1.0/24"
service_endpoints = ["Microsoft.Sql"]
}

Terraform will perform the following actions:

~ module.vnet.azurerm_subnet.subnet
service_endpoints.#: "1" => "0"
service_endpoints.0: "Microsoft.Sql" => ""

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!