vnet hangs indefinitely on destroy

[tomasquith]

Terraform Version

latest core and provider

Affected Resource(s)

Please list the resources as a list, for example:

• azurerm_virtual_network

Expected Behavior

The environment is all destroyed within a reasonable time.

Actual Behavior

Upon destroying my whole environment, the destruction of the vnet hangs indefinitely. There is nothing else in the resource group other than the vnet (the subnets/peerings have been removed)

module.network.virtual_network.azurerm_virtual_network.virtual-network: Still destroying... (ID: /subscriptions/XXXXXX-...rk/virtualNetworks/tom-XXXXXX-vnet, 1h9m11s elapsed)

if I then ctrl c to cancel, unlock the state and plan destroy - I can see null resources (with remote-exec provisioners) and consul keys as well as the network and resource group. These have no dependencies on the vnet.

If I then destroy, it works as intended.

Steps to Reproduce

Unable to reproduce with a simple config

[tombuildsstuff]

Hey @tomasquith

Thanks for opening this issue :)

So that we can investigate this further - would it be possible for you to post a reproducible Terraform Configuration that you're seeing the issue with?

Thanks!

[tombuildsstuff]

accidentally hit "close and comment" and not "comment" 🤦‍♂️.. reopened, sorry!

[tombuildsstuff]

ping @tomasquith

[alexandreg19]

Hi @tombuildsstuff

I can reproduce exactly the same behaviour on my Terraform stack.
All my resources are destroyed without any problem, but when it comes to the vnet, I got the same issue. It's looping indefinitely.

I checked on the Azure portal, there is no locks on the VNet, no resources linked..

On my side, I'm using the resource like this :

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet.${var.environment}"
  resource_group_name = "${var.resource_group_name}"
  address_space       = "${var.vnet_cidr}"
  location            = "${var.az_region}"

  tags {
    environment = "${var.environment}"
  }
}

[tombuildsstuff]

hey @alexandreg19

Would you be able to provide a reproducible Terraform Config where you're seeing this issue? In particular I'd be interested to know if the Virtual Network, Subnets, Network Security Groups or Network Security Rules have the same name?

Thanks!

[alexandreg19]

Hi again @tombuildsstuff ,

Here my Terraform Config :

resource "azurerm_resource_group" "rg" {
  name     = "rgp.${var.environment}.${var.name}"
  location = "${var.az_region}"

  tags {
    environment = "${var.environment}"
  }
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet.${var.environment}.${var.name}"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  address_space       = "${var.vnet_cidr}"
  location            = "${var.az_region}"

  tags {
    environment = "${var.environment}"
  }
}

resource "azurerm_network_security_group" "subnet" {
  name                = "sg.${var.environment}.subnet"
  location            = "${var.az_region}"
  resource_group_name = "${azurerm_resource_group.rg.name}"

  tags {
    environment = "${var.environment}"
  }
}

resource "azurerm_network_security_rule" "subnet-allow-outbound" {
  name                        = "AllowOutBound"
  priority                    = 100
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${azurerm_resource_group.rg.name}"
  network_security_group_name = "${azurerm_network_security_group.subnet.name}"
}

resource "azurerm_network_security_rule" "subnet-allow-default" {
  name                        = "AllowInBound"
  priority                    = 101
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "*"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = "${azurerm_resource_group.rg.name}"
  network_security_group_name = "${azurerm_network_security_group.subnet.name}"
}

resource "azurerm_subnet" "public-subnets" {
  name                 = "sub.${var.environment}.${element(var.subnet_names_support, count.index)}"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "${element(var.cidr_block_support, count.index)}"

  network_security_group_id = "${azurerm_network_security_group.subnet.id}"

  count = "${length(var.cidr_block_support)}"
}

At the beginning, the resource_group and virtual_network blocs got both the same name. I changed it, but the issue is still here.

I'm running Terraform on version v0.10.7.

Thanks for your help.

[alexandreg19]

Hi @tombuildsstuff ,
I think I can add a workaround to reproduce the issue.

I run the exact same code with two values for resource "azurerm_virtual_network" "xxxx" :

• xxxx = basic -> I can apply and destroy without any issue
• xxxx = support -> My destroy loop on module.infra.vnet.azurerm_virtual_network.support: Still destroying...

Hope it can help.
Regards

[fvillain]

Hi, i'm having the same issue here.

My TF content (which is used as a module) and called by another .tf file :

resource "azurerm_resource_group" "rg" {
  name = "${var.resource_group_name}"
  location = "${var.location}"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "${var.resource_group_name}-vnet"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  address_space       = ["${var.network_cidr}"]
  location            = "${var.location}"

  tags {
    environment = "${var.environment}"
  }
}

resource "azurerm_network_security_group" "netsg" {
  name = "default-network-sg"
  location = "${var.location}"
  resource_group_name = "${azurerm_resource_group.rg.name}"

  security_rule {
    name                       = "default-allow-all"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "${var.network_cidr}"
    destination_address_prefix = "*"
  }

  tags {
    environment = "${var.environment}"
  }
}

resource "azurerm_subnet" "public" {
  name  = "${var.resource_group_name}-subnet-public"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.0.1.0/24"
  network_security_group_id = "${azurerm_network_security_group.netsg.id}"
}
resource "azurerm_subnet" "private" {
  name  = "${var.resource_group_name}-subnet-private"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.0.2.0/24"
  network_security_group_id = "${azurerm_network_security_group.netsg.id}"
}

Hopes it helps too.

[tombuildsstuff]

hey @tomasquith @alexandreg19 @fvillain

Sorry for the delayed response here!

I've taken a look into this today and have opened #620 which contains a fix for this - which has now been merged. This will go out in the next release - which should be later this week.

Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!