Deleting route tables or security groups fails when still associated with a subnet

[cchildress]

Terraform Version

0.9.6 and 0.10.0-beta1 (from git master)

Affected Resource(s)

• azurerm_route_table
• azurerm_network_security_group

Terraform Configuration Files

From this:

resource "azurerm_network_security_group" "cchildress_debugging_nsec_group" {
  name                = "cchildress_debugging_nsec_group"
  location            = "australiaeast"
  resource_group_name = "${azurerm_resource_group.cchildress_debugging.name}"
}

resource "azurerm_route_table" "cchildress_debugging_route_table" {
  name                = "cchildress_debugging_route_table"
  location            = "australiaeast"
  resource_group_name = "${azurerm_resource_group.cchildress_debugging.name}"
}

resource "azurerm_subnet" "cchildress_debugging_snet" {
  name = "cchildress_debugging_subnet"
  address_prefix = "198.51.100.0/24"
  resource_group_name = "${azurerm_resource_group.cchildress_debugging.name}"
  virtual_network_name = "${azurerm_virtual_network.cchildress_debugging_vnet.name}"
   network_security_group_id = "${azurerm_network_security_group.cchildress_debugging_nsec_group.id}"
   route_table_id = "${azurerm_route_table.cchildress_debugging_route_table.id}"
}

To this:

# resource "azurerm_network_security_group" "cchildress_debugging_nsec_group" {
#   name                = "cchildress_debugging_nsec_group"
#   location            = "australiaeast"
#   resource_group_name = "${azurerm_resource_group.cchildress_debugging.name}"
# }
#
# resource "azurerm_route_table" "cchildress_debugging_route_table" {
#   name                = "cchildress_debugging_route_table"
#   location            = "australiaeast"
#   resource_group_name = "${azurerm_resource_group.cchildress_debugging.name}"
# }

resource "azurerm_subnet" "cchildress_debugging_snet" {
  name = "cchildress_debugging_subnet"
  address_prefix = "198.51.100.0/24"
  resource_group_name = "${azurerm_resource_group.cchildress_debugging.name}"
  virtual_network_name = "${azurerm_virtual_network.cchildress_debugging_vnet.name}"
  # network_security_group_id = "${azurerm_network_security_group.cchildress_debugging_nsec_group.id}"
  # route_table_id = "${azurerm_route_table.cchildress_debugging_route_table.id}"
}

Debug Output

Gist

Expected Behavior

Terraform should remove the association with the subnet and then delete the resource.

Actual Behavior

The apply run fails because the resources cannot be deleted while still associated with a subnet.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Create a subnet with a route table and/or security group associated with it in Terraform
2. Remove the route table and/or security group and attempt to apply the change with Terraform

[sebastus]

@mbfrahry Using the updated azurerm_route_table (where route is now computed) this does still fail initially saying that nsg can't be deleted because subnet depends on it. but wait a few seconds and tf apply again and all's well. is it possible we're not waiting for the right signal that the nsg and subnet are disassociated before doing the delete of the nsg?

[mbfrahry]

Unfortunately, this is an issue with how Terraform keeps track of associations between resources. We are actively discussing solutions to this issue and will provide updates as they come.

A workaround would be to first comment out the network_security_group_id and route_table_id from the subnet, run terraform apply, and then remove the route table and network security group. We understand that this is not ideal and will hopefully have a solution shortly.

[tombuildsstuff]

hey @cchildress

Given this is a bug in Terraform Core - rather than keep this open in the wrong repository, I'm going to close this in favour of a bug tracking this in the Core repository: hashicorp/terraform#8617 - please subscribe to this issue for more information

Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!