azurerm_virtual_network_gateway - modifies the default properties #1817

Closed
tekollt opened this issue Aug 23, 2018 · 5 comments · Fixed by #7168

tekollt commented Aug 23, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8

  • provider.azurerm v1.13.0
  • provider.null v1.0.0

Affected Resource(s)

azurerm_virtual_network_gateway

Terraform Configuration Files

resource "azurerm_virtual_network_gateway" "default" {
  name                = "vng-we-internal-prod"
  location            = "${var.location}"
  resource_group_name = "${var.resource_group_name}"

  type          = "${var.vngtype}"
  vpn_type      = "${var.vpntype}"
  active_active = false
  enable_bgp    = false
  sku           = "${var.vngsku}"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = "${azurerm_public_ip.default.id}"
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = "${azurerm_subnet.GatewaySubnet.id}"
  }

  vpn_client_configuration {
    address_space = ["10.40.1.0/24"]
  }
}

Expected Behavior

When creating a virtual network gateway without using the root_certificate configuration, Azure automatically creates and manages the certificate.

Expected no modifications to the resources on additional runs.

Actual Behavior

When re-running terraform, it removes the automatically created certificate and other defaults.

vpn_client_configuration.0.root_certificate.#: "1" => "0"
vpn_client_configuration.0.root_certificate.24147563.name: "AppServiceCertificate.cer" => ""
vpn_client_configuration.0.root_certificate.24147563.public_cert_data: "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" => ""
vpn_client_configuration.0.vpn_client_protocols.#: "1" => "0"
vpn_client_configuration.0.vpn_client_protocols.2936918: "SSTP" => ""

Steps to Reproduce

  1. terraform apply

@jamielennox

Makes sense, as Azure will generate the certificate on first connection rather than on creation. I tried setting it to Computed: true in the provider and it didn't really work how I wanted it to.

Working around with standard:

   lifecycle {
     ignore_changes = ["vpn_client_configuration"]
   }

for now

@tesharp
Contributor

tesharp commented Feb 14, 2019

Having same problem when defining root_certificate. Every run it tries to change the values even when I have not made any changes. It removes the old entry and then adds a new one with exact same values. Should just recognize that entry with same name already exists.

Ended up just ignoring it:

  lifecycle {
    ignore_changes = ["vpn_client_configuration.0.root_certificate"]
  }

@Lucretius
Contributor

@tombuildsstuff - I think this can be fixed by specifying root_certificate and vpn_client_protocols as Computed in addition to it already being Optional, so that they will be calculated if not specified and the diff will no longer be generated. Is this a correct understanding of the terraform diff algorithm? If so, I can do this work.

@katbyte
Collaborator

katbyte commented Oct 21, 2019

@Lucretius,

that is the correct approach to take in situations like this.
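
A simplified model of the Optional versus Optional + Computed behaviour discussed in the two comments above, added here as an example; it is not code from the provider or the Terraform SDK. `Attr`, `Schema`, `PlanDiff` and the sample values are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"sort"
)

// Attr models only the two schema flags discussed in the thread (simplified).
type Attr struct{ Optional, Computed bool }

type Change struct{ Key, Old, New string }

// Schema marks every field Optional; computed toggles Computed on the two
// fields that Azure populates by itself.
func Schema(computed bool) map[string]Attr {
	return map[string]Attr{
		"address_space":        {Optional: true},
		"root_certificate":     {Optional: true, Computed: computed},
		"vpn_client_protocols": {Optional: true, Computed: computed},
	}
}

// PlanDiff compares prior state with configuration. A key absent from config
// is unset in the .tf file: Optional-only fields are then planned back to "".
func PlanDiff(schema map[string]Attr, state, config map[string]string) []Change {
	keys := make([]string, 0, len(schema))
	for k := range schema {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var changes []Change
	for _, k := range keys {
		want, set := config[k]
		if !set && schema[k].Computed {
			continue // unset + Computed: keep the value the API reported
		}
		if state[k] != want {
			changes = append(changes, Change{k, state[k], want})
		}
	}
	return changes
}

func main() {
	// Constructed sample values shaped like the plan output in the report.
	state := map[string]string{"address_space": "10.40.1.0/24",
		"root_certificate": "AppServiceCertificate.cer", "vpn_client_protocols": "SSTP"}
	config := map[string]string{"address_space": "10.40.1.0/24"}
	for _, computed := range []bool{false, true} {
		fmt.Println("Computed:", computed, PlanDiff(Schema(computed), state, config))
	}
}
```

The `ignore_changes` workarounds earlier in the thread suppress the same diff from the configuration side, but they also hide any real change to the ignored fields.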

@ghost

ghost commented Jul 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 3, 2020