Changes on azurerm_network_interface / ip_configuration triggers adding all the IP of the NIC to LB backend_address_pool #23450

Open
1 task done
johnyc20 opened this issue Oct 4, 2023 · 0 comments


johnyc20 commented Oct 4, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.7

AzureRM Provider Version

3.75.0

Affected Resource(s)/Data Source(s)

azurerm_network_interface

Terraform Configuration Files

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_backend_address_pool_association

diff --git a/lb-tests/lb-tests.tf b/lb-tests/lb-tests.tf
index 1304f97..80f12bf 100644
--- a/lb-tests/lb-tests.tf
+++ b/lb-tests/lb-tests.tf
@@ -53,6 +53,12 @@ resource "azurerm_network_interface" "example" {
     private_ip_address_allocation = "Dynamic"
   }

+    ip_configuration {
+    name                          = "testconfiguration2"
+    subnet_id                     = azurerm_subnet.example.id
+    private_ip_address_allocation = "Dynamic"
+  }
+
}

resource "azurerm_network_interface_backend_address_pool_association" "example" {
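
Review bot: nothing in the added ip_configuration block (testconfiguration2) is tied to a backend pool by this hunk, so the test should say what it expects afterwards: the pool's backend_ip_configurations should still contain only the configurations that have an explicit azurerm_network_interface_backend_address_pool_association. A comment on the new block stating that it is deliberately left out of the pool would make that intent reviewable. The added block is also indented inconsistently (opening line and attributes at four spaces, closing brace at two); terraform fmt will normalise it.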

Debug Output/Panic Output

# terraform apply
...
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # azurerm_network_interface.example will be updated in-place
  ~ resource "azurerm_network_interface" "example" {
        id                            = "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/example-nic"
        name                          = "example-nic"
        tags                          = {}
        # (9 unchanged attributes hidden)

      + ip_configuration {
          + name                          = "testconfiguration2"
          + private_ip_address_allocation = "Dynamic"
          + private_ip_address_version    = "IPv4"
          + subnet_id                     = "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/virtualNetworks/example-network/subnets/internal"
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

 Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Expected Behaviour

A change on the NIC/IPC shouldn't add all available IP addresses (associated with the NIC) to all load balancer address pools that have any of the IPCs of that specific NIC associated with a backend pool.

The changes don't appear in the plan; however, the changes are made on the Azure side.
I've also checked with Azure support, and Terraform sends the updated API calls for the NIC, with the property "loadBalancerBackendAddressPools" containing the list of all available IP configurations for the updated NIC.

After applying the changes that update the IP configuration of the NIC, the backend address pool in the state file still has the expected values:

"""
❯ terraform state show 'azurerm_lb_backend_address_pool.example'

azurerm_lb_backend_address_pool.example:

resource "azurerm_lb_backend_address_pool" "example" {
    backend_ip_configurations = [
        "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/example-nic/ipConfigurations/testconfiguration1",
    ]
    id = "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/loadBalancers/example-lb/backendAddressPools/acctestpool"
    inbound_nat_rules = []
    load_balancing_rules = []
    loadbalancer_id = "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/loadBalancers/example-lb"
    name = "acctestpool"
    outbound_rules = []
}
"""

However, any update from AZ (terraform plan, for example) will trigger an update of the state as well:
"""
❯ terraform apply
azurerm_resource_group.example: Refreshing state... [id=/subscriptions/...c5/resourceGroups/example-resources]
azurerm_virtual_network.example: Refreshing state... [id=/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/virtualNetworks/example-network]
azurerm_public_ip.example: Refreshing state... [id=/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/publicIPAddresses/example-pip]
azurerm_lb.example: Refreshing state... [id=/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/loadBalancers/example-lb]
azurerm_subnet.example: Refreshing state... [id=/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/virtualNetworks/example-network/subnets/internal]
azurerm_network_interface.example: Refreshing state... [id=/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/example-nic]
azurerm_lb_backend_address_pool.example: Refreshing state... [id=/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/loadBalancers/example-lb/backendAddressPools/acctestpool]
azurerm_network_interface_backend_address_pool_association.example: Refreshing state... [id=/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/example-nic/ipConfigurations/testconfiguration1|/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/loadBalancers/example-lb/backendAddressPools/acctestpool]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

❯ terraform state show 'azurerm_lb_backend_address_pool.example'

azurerm_lb_backend_address_pool.example:

resource "azurerm_lb_backend_address_pool" "example" {
    backend_ip_configurations = [
        "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/example-nic/ipConfigurations/testconfiguration1",
        "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/networkInterfaces/example-nic/ipConfigurations/testconfiguration2",
    ]
    id = "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/loadBalancers/example-lb/backendAddressPools/acctestpool"
    inbound_nat_rules = []
    load_balancing_rules = []
    loadbalancer_id = "/subscriptions/...c5/resourceGroups/example-resources/providers/Microsoft.Network/loadBalancers/example-lb"
    name = "acctestpool"
    outbound_rules = []
}
"""

Actual Behaviour

A change on the IPC of a NIC should just trigger an update of load balancer address pool members only for the specific IPC changed.

Steps to Reproduce

Add new IPC for the NIC mapped to a LBAP
Check the Azure LBAP

Important Factoids

No response

References

No response
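
A drift check for the behaviour reported above, as an added example that is not part of the original issue or the provider's code: it reads the structure produced by `terraform show -json` after a refresh and lists backend pool members that have no matching association resource. The function names and the subscription ID in the sample are constructed for illustration.

```python
def iter_resources(module):
    """Yield resources from a `terraform show -json` module, including child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unexpected_pool_members(state):
    """Map pool id -> ip configuration ids present in the pool without an association resource."""
    expected, actual = {}, {}
    for res in iter_resources(state["values"]["root_module"]):
        if res.get("mode", "managed") != "managed":
            continue  # data sources use a different attribute shape
        v = res["values"]
        if res["type"] == "azurerm_network_interface_backend_address_pool_association":
            ipc = f'{v["network_interface_id"]}/ipConfigurations/{v["ip_configuration_name"]}'
            # Azure resource IDs are case-insensitive, so compare lowercased
            expected.setdefault(v["backend_address_pool_id"].lower(), set()).add(ipc.lower())
        elif res["type"] == "azurerm_lb_backend_address_pool":
            members = v.get("backend_ip_configurations") or []
            actual[v["id"].lower()] = {m.lower() for m in members}
    drift = {}
    for pool, members in actual.items():
        extra = members - expected.get(pool, set())
        if extra:
            drift[pool] = sorted(extra)
    return drift

# Constructed sample mirroring the refreshed state shown in the issue
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/example-resources/providers/Microsoft.Network")
NIC = f"{BASE}/networkInterfaces/example-nic"
POOL = f"{BASE}/loadBalancers/example-lb/backendAddressPools/acctestpool"
SAMPLE_STATE = {"values": {"root_module": {"resources": [
    {"mode": "managed", "name": "example",
     "type": "azurerm_network_interface_backend_address_pool_association",
     "values": {"network_interface_id": NIC,
                "ip_configuration_name": "testconfiguration1",
                "backend_address_pool_id": POOL}},
    {"mode": "managed", "name": "example", "type": "azurerm_lb_backend_address_pool",
     "values": {"id": POOL, "backend_ip_configurations": [
         f"{NIC}/ipConfigurations/testconfiguration1",
         f"{NIC}/ipConfigurations/testconfiguration2"]}},
]}}}

if __name__ == "__main__":
    for pool, extra in unexpected_pool_members(SAMPLE_STATE).items():
        print(f"{pool}\n  unexpected members: {extra}")
```

Pool members that are managed outside this state (for example by another workspace) will also be reported, so treat the output as a list to review.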
