
azurerm_network_security_rule destroy not working

Open skalragg opened this issue 3 years ago • 6 comments

Description

azurerm_network_security_rule can successfully add or update an existing rule... If I remove a resource azurerm_network_security_rule ... Terraform tells me it is destroyed; however, it is still an active rule in Azure (both CLI and Portal).

azurerm_network_security_rule.nsg-outbound-rule-200: Destroying...
azurerm_network_security_rule.nsg-outbound-rule-200: Still destroying...
azurerm_network_security_rule.nsg-outbound-rule-200: Destruction complete after 11s

Affected Resource(s)

azurerm_network_security_rule

Terraform (and AzureRM Provider) Version

Terraform v0.14.10, azurerm v2.56.0

Terraform Configuration Files

resource "azurerm_network_security_group" "nsg-innovation-private-endpoint-poc-eastus2-001" {
  name                = "nsg-innovation-private-endpoint-poc-eastus2-001"
  location            = azurerm_resource_group.rg-innovation-poc-002-tf.location
  resource_group_name = azurerm_resource_group.rg-innovation-poc-002-tf.name  
}

resource "azurerm_network_security_rule" "nsg-outbound-rule-100" {
  name                        = "OutboundAccessToAppService"
  priority                    = 100
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "VirtualNetwork"
  destination_address_prefix  = "AppService"
  resource_group_name         = azurerm_resource_group.rg-innovation-poc-002-tf.name
  network_security_group_name = azurerm_network_security_group.nsg-innovation-private-endpoint-poc-eastus2-001.name
}

resource "azurerm_network_security_rule" "nsg-outbound-rule-200" {
  name                        = "OutboundAccessToAppService200"
  priority                    = 200
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "444"
  destination_port_range      = "*"
  source_address_prefix       = "VirtualNetwork"
  destination_address_prefix  = "AppService"
  resource_group_name         = azurerm_resource_group.rg-innovation-poc-002-tf.name
  network_security_group_name = azurerm_network_security_group.nsg-innovation-private-endpoint-poc-eastus2-001.name
}

Expected Behaviour

Deleting/removing an existing azurerm_network_security_rule removes the resource from Azure and the terraform status update reflects this. When the NSG is checked via the Azure portal / CLI, the rule should no longer be present.

Actual Behaviour

Deleting/removing an existing azurerm_network_security_rule appears to work based on the terraform status update. It does not actually destroy/remove the NSG rule from the NSG in Azure.

When removing the azurerm_network_security_rule, I generally delete the config from main.tf or comment out the specific resource.

Workaround

terraform destroy -target azurerm_network_security_rule.nsg-outbound-rule-200

This will actually delete the resource as expected.

skalragg, Apr 29 '21 12:04
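Because the symptom above is that Terraform reports "Destruction complete" while the rule keeps being enforced, the check a practitioner wants is an independent comparison of Terraform's view with Azure's view after every apply. The script below is an added example written for this thread; it is not code from the issue reporter or from terraform-provider-azurerm. It parses `terraform show -json` output and `az network nsg rule list -o json` output, reports rules that are still live in Azure but no longer in state (orphans, which is exactly the condition described here), and re-checks for up to about five minutes to allow for the portal reconciliation delay mentioned later in the thread. The NSG name is taken from the configuration above; both JSON inputs are constructed samples, and the live `az` fetch is only wired up, not exercised, by the sample run.

```python
"""Drift check for azurerm_network_security_rule after `terraform apply`.

Added example for this thread; not code from the issue reporter or from
terraform-provider-azurerm. Compares what Terraform believes it manages
(`terraform show -json`) with what Azure enforces (`az network nsg rule list`).
"""
import json
import subprocess
import time
from typing import Callable, Dict, List, Set

NSG = "nsg-innovation-private-endpoint-poc-eastus2-001"  # from the issue's config

# Constructed sample of `terraform show -json` after rule 200 was removed from
# the configuration and applied. Only the fields used below are included.
SAMPLE_TF_SHOW = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {"address": "azurerm_network_security_rule.nsg-outbound-rule-100",
         "mode": "managed", "type": "azurerm_network_security_rule",
         "values": {"name": "OutboundAccessToAppService", "priority": 100,
                    "network_security_group_name": NSG}},
    ]}},
})

# Constructed sample of `az network nsg rule list -o json`: Azure still has both rules.
SAMPLE_AZ_LIST = json.dumps([
    {"name": "OutboundAccessToAppService", "priority": 100,
     "direction": "Outbound", "access": "Allow"},
    {"name": "OutboundAccessToAppService200", "priority": 200,
     "direction": "Outbound", "access": "Allow"},
])


def tf_rules(show_json: str) -> Dict[str, Set[str]]:
    """Map NSG name -> rule names Terraform state tracks, including child modules."""
    out: Dict[str, Set[str]] = {}

    def walk(module: dict) -> None:
        for res in module.get("resources", []):
            if res.get("type") == "azurerm_network_security_rule" and res.get("mode") == "managed":
                v = res["values"]
                out.setdefault(v["network_security_group_name"], set()).add(v["name"])
        for child in module.get("child_modules", []):
            walk(child)

    walk(json.loads(show_json).get("values", {}).get("root_module", {}))
    return out


def az_rules(list_json: str) -> Set[str]:
    """Rule names Azure currently enforces (custom rules only; defaults are not listed)."""
    return {r["name"] for r in json.loads(list_json)}


def diff_rules(expected: Set[str], actual: Set[str]) -> Dict[str, List[str]]:
    """orphaned = live in Azure but not in state; missing = in state but gone from Azure."""
    return {"orphaned": sorted(actual - expected), "missing": sorted(expected - actual)}


def wait_for_convergence(expected: Set[str], fetch: Callable[[], str],
                         attempts: int = 20, interval_s: float = 15,
                         sleep: Callable[[float], None] = time.sleep) -> Dict[str, List[str]]:
    """Re-check up to attempts*interval_s seconds (default ~5 min) for Azure to catch up.

    Returns the last diff; a non-empty 'orphaned' list after the timeout means the
    rule is still being enforced even though Terraform no longer tracks it."""
    result = diff_rules(expected, az_rules(fetch()))
    for _ in range(attempts - 1):
        if not result["orphaned"] and not result["missing"]:
            break
        sleep(interval_s)
        result = diff_rules(expected, az_rules(fetch()))
    return result


def az_fetch(resource_group: str, nsg: str) -> Callable[[], str]:
    """Live fetch via the Azure CLI; needs `az login` (assumed available, not run here)."""
    cmd = ["az", "network", "nsg", "rule", "list",
           "-g", resource_group, "--nsg-name", nsg, "-o", "json"]
    return lambda: subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    expected = tf_rules(SAMPLE_TF_SHOW).get(NSG, set())
    print(diff_rules(expected, az_rules(SAMPLE_AZ_LIST)))
    # {'orphaned': ['OutboundAccessToAppService200'], 'missing': []}
```

In a pipeline, feed `tf_rules` the output of `terraform show -json` and `wait_for_convergence` the fetcher from `az_fetch(resource_group, NSG)`; fail the job when `orphaned` is non-empty, since an orphaned Allow rule is an open path that the configuration claims to have closed.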

I have noticed in the past that NSG portal reconciliation can sometimes take up to several minutes. If you wait a bit after destroy has completed, say, 5 minutes - is the rule still there?

favoretti, May 02 '21 09:05

I face this issue. Any update? Background: I created 8 NSG rules via Terraform and destroyed 6. When the run was at 90% I saw the 6 get destroyed in the portal, but after the execution completed, when I hit refresh in the portal I still see 8 rules. Because of this behaviour, it appears as if the 6 rules were created outside the state file.

Let me refresh the portal after 5 minutes and update below.

Update01: Even after 5 minutes, no difference; this is a bug in the Azure API/Terraform. Please inspect and do the needful.

PS: No point waiting for 5 minutes, because in a real scenario, when rules are being overwritten with updated values, we cannot delay Terraform execution by a few minutes.

Update02: Can someone from Terraform help to check with Microsoft Azure? It looks like even via the portal I am unable to delete the NSG rules in bulk.

@favoretti Any update please?

nitmatgeo, Jun 04 '21 09:06

Over a year later and this still hasn't been addressed?

Pesticles, Nov 24 '22 03:11

Can confirm that I tried to destroy rules today via Terraform, got "Destruction complete" in logs and they weren't destroyed. They were still in the portal after hours and I had to manually delete them.

jhirvioja, Jun 27 '23 11:06

Hi @jhirvioja ,

Do you still face this issue with the latest azurerm provider? I couldn't replicate the issue on my end.

Having looked at the code, recent versions use the 2023-06-01 SDK version, which uses the PollUntilDone function to poll until the resource is deleted.

If this is still happening with latest provider versions, please share verbose logs.

harshavmb, Feb 27 '24 10:02

@harshavmb at least in the codebase where I worked, the version has been version = ">= 3.26.0" since June 9th (the original comment was on June 27th).

I can't really confirm at this time whether destroying works as intended or not; probably fixed.

Thanks 👍

jhirvioja, Feb 27 '24 11:02