
tfstate of azapi_resource and azapi_update_resource is not being validated against azure #698

Open
SamSh-585 opened this issue Dec 20, 2024 · 1 comment

Comments


SamSh-585 commented Dec 20, 2024

Issue

We are trying to deploy the following using azapi_resource and azapi_update_resource if necessary:

  • A list of subnets
  • A dedicated NSG is deployed as well for each subnet in the list
  • Associating each subnet with its NSG and the central route table

We use the subnet provider type Microsoft.Network/virtualNetworks/subnets to associate the subnet with the NSG and the RT. It works without issues for the first creation.

However, if the association has been removed outside of Terraform (e.g., manually in the Azure portal), neither azapi_resource nor azapi_update_resource will correct this drift. It is just ignored and Terraform reports No Changes!

The following is the update resource for the subnet. I noticed it is also happening for some other resources with some configurations. I have also tried it with azapi v1.5 and some older API versions, without any luck.

Code

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2.1"
    }
  }
}

provider "azapi" {}

# Subnet created with its NSG and route table association in the body
resource "azapi_resource" "subnet" {
  type      = "Microsoft.Network/virtualNetworks/subnets@2024-05-01"
  parent_id = "vnet_resource_id"
  name      = "subnet"
  body = {
    properties = {
      addressPrefixes       = ["ADDRESS_SPACE"]
      defaultOutboundAccess = true
      networkSecurityGroup = {
        id = "NSG_RESOURCE_ID"
      }
      routeTable = {
        id = "ROUTE_TABLE_RESOURCE_ID"
      }
    }
  }
}

# azapi_update_resource is used here to test if it helps with the update on the next drift
resource "azapi_update_resource" "subnet" {
  type        = "Microsoft.Network/virtualNetworks/subnets@2024-05-01"
  resource_id = "subnet_resource_id"
  body = {
    properties = {
      addressPrefixes       = ["ADDRESS_SPACE"]
      defaultOutboundAccess = true
      networkSecurityGroup = {
        id = "NSG_RESOURCE_ID"
      }
      routeTable = {
        id = "ROUTE_TABLE_RESOURCE_ID"
      }
    }
  }
}

I have 3 assumptions here:

  1. Either the Terraform azapi provider or the new versions of azapi have an issue
  2. There is another way to associate the NSG and RT with the subnet (which I didn't find)
  3. I am missing some additional configuration for azapi in general
ms-henglu (Member) commented

Hi @SamSh-585 ,

Thank you for taking time to report this issue!

Please specify ignore_missing_property = false in the resource block like below:

resource "azapi_resource" "subnet" {
  type      = "Microsoft.Network/virtualNetworks/subnets@2024-05-01"
  parent_id = azapi_resource.vnet.id
  name      = "default"
  body = {
    properties = {
      addressPrefix = "10.0.2.0/24"
      networkSecurityGroup = {
        id = azapi_resource.networkSecurityGroup.id
      }
    }
  }
  ignore_missing_property = false
}

  # azapi_resource.subnet will be updated in-place
  ~ resource "azapi_resource" "subnet" {
      ~ body                      = {
          ~ properties = {
              ~ networkSecurityGroup = null -> {
                  + id = "/subscriptions/....../resourceGroups/henglu1223/providers/Microsoft.Network/networkSecurityGroups/henglu1223"
                }
                # (1 unchanged attribute hidden)
            }
        }

The ignore_missing_property feature is enabled by default; it is used to ignore credentials like passwords that are not returned in the response. This feature ignores the missing networkSecurityGroup as well.
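To make the mechanism in the reply concrete, here is an added Python illustration; it is not code from the azapi provider or from either participant. It models the comparison a provider makes between the configured body and the body the API returns, with a switch that behaves like ignore_missing_property: a property missing from the response is treated as unchanged when the switch is on and as drift when it is off. The resource IDs, subnet bodies, API responses and the adminPassword case are all constructed for the example; the last one is there only to show why the permissive behaviour is the default and what flipping it costs on resources that carry write-only secrets.

```python
"""Simulate how an "ignore missing property" setting hides out-of-band removal
of a subnet's NSG association.

Added illustration, not the azapi provider's own code. Every ID, body and API
response below is constructed for the example.
"""
from __future__ import annotations

from typing import Any

# Constructed resource IDs (not real subscriptions).
NSG_ID = "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/networkSecurityGroups/nsg-app"
NSG_PERMISSIVE_ID = "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/networkSecurityGroups/nsg-allow-all"
RT_ID = "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/routeTables/rt-hub"


def _walk(desired: Any, actual: Any, path: str, ignore_missing: bool, drift: list[str]) -> None:
    """Recursively compare the configured body against the API response.

    Only keys present in the configured body are compared, so read-only
    properties the API adds (provisioningState, etag, ...) never count as drift.
    """
    if isinstance(desired, dict):
        if not isinstance(actual, dict):
            drift.append(path)
            return
        for key, want in desired.items():
            child = f"{path}.{key}" if path else key
            if key not in actual:
                # Property configured but absent from the response. With the
                # permissive setting the provider keeps the configured value and
                # reports nothing; with the strict setting it is a change.
                if not ignore_missing:
                    drift.append(child)
                continue
            _walk(want, actual[key], child, ignore_missing, drift)
    elif isinstance(desired, list):
        if not isinstance(actual, list) or len(desired) != len(actual):
            drift.append(path)
            return
        for i, (want, got) in enumerate(zip(desired, actual)):
            _walk(want, got, f"{path}[{i}]", ignore_missing, drift)
    elif desired != actual:
        drift.append(path)


def plan_drift(desired: dict, actual: dict, ignore_missing_property: bool = True) -> list[str]:
    """Return the JSON paths the plan would show as changed."""
    drift: list[str] = []
    _walk(desired, actual, "", ignore_missing_property, drift)
    return drift


# Configured subnet body: NSG and route table both attached.
DESIRED_SUBNET = {
    "properties": {
        "addressPrefixes": ["10.0.2.0/24"],
        "defaultOutboundAccess": True,
        "networkSecurityGroup": {"id": NSG_ID},
        "routeTable": {"id": RT_ID},
    }
}

# Constructed GET response while everything is still in place.
RESPONSE_INTACT = {
    "name": "subnet",
    "properties": {
        "addressPrefixes": ["10.0.2.0/24"],
        "defaultOutboundAccess": True,
        "provisioningState": "Succeeded",
        "networkSecurityGroup": {"id": NSG_ID},
        "routeTable": {"id": RT_ID},
    },
}

# Constructed GET response after someone detached the NSG in the portal:
# the networkSecurityGroup key is simply gone from the response.
RESPONSE_NSG_REMOVED = {
    "name": "subnet",
    "properties": {
        "addressPrefixes": ["10.0.2.0/24"],
        "defaultOutboundAccess": True,
        "provisioningState": "Succeeded",
        "routeTable": {"id": RT_ID},
    },
}

# Constructed GET response after the NSG was swapped for a permissive one.
RESPONSE_NSG_SWAPPED = {
    "name": "subnet",
    "properties": {
        "addressPrefixes": ["10.0.2.0/24"],
        "defaultOutboundAccess": True,
        "provisioningState": "Succeeded",
        "networkSecurityGroup": {"id": NSG_PERMISSIVE_ID},
        "routeTable": {"id": RT_ID},
    },
}

# Constructed VM body with a write-only credential the API never echoes back.
DESIRED_VM = {"properties": {"osProfile": {"computerName": "vm1", "adminPassword": "constructed-secret"}}}
RESPONSE_VM = {"properties": {"osProfile": {"computerName": "vm1"}, "provisioningState": "Succeeded"}}


if __name__ == "__main__":
    for label, resp in [("intact", RESPONSE_INTACT), ("nsg removed", RESPONSE_NSG_REMOVED), ("nsg swapped", RESPONSE_NSG_SWAPPED)]:
        print(f"{label:12} default: {plan_drift(DESIRED_SUBNET, resp)}  strict: {plan_drift(DESIRED_SUBNET, resp, False)}")
    print(f"vm secret    default: {plan_drift(DESIRED_VM, RESPONSE_VM)}  strict: {plan_drift(DESIRED_VM, RESPONSE_VM, False)}")
```

Two things follow from running it. First, the permissive default only hides a removed association; a swapped NSG is still detected under both settings because the key is present with a different value. Second, the strict setting is a per-resource decision: it is right for subnets, whose whole body is echoed back by the API, but on a resource whose body carries a write-only secret it produces a change on every plan.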
