NatGateway: Public IP is not detached if intended to be deleted

[dkistner]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

$ tf version
Terraform v0.12.23
+ provider.azurerm v2.0.0 (also reproduced with v1.44.0)

Affected Resource(s)

• azurerm_nat_gateway
• azurerm_public_ip

Terraform Configuration Files

1. Apply this.

provider "azurerm" {
  subscription_id = "subscription_id"
  tenant_id       = "tenant_id"
  client_id       = "sp-id"
  client_secret   = "sp-secret"
  version         = "2.0.0"
  features {}
}
resource "azurerm_resource_group" "rg" {
  name     = "test-nat"
  location = "westeurope"
}
resource "azurerm_public_ip" "natip" {
  name                = "test-nat-ip"
  location            = "westeurope"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  allocation_method   = "Static"
  sku                 = "Standard"
}
resource "azurerm_nat_gateway" "nat" {
  name                    = "test-nat-gateway"
  location                = "westeurope"
  resource_group_name     = "${azurerm_resource_group.rg.name}"
  public_ip_address_ids   = ["${azurerm_public_ip.natip.id}"]
  sku_name                = "Standard"
}
resource "azurerm_subnet_nat_gateway_association" "nat-worker-subnet-association" {
  subnet_id      = "/subscriptions/<subscription-id>/resourceGroups/my-rg/providers/Microsoft.Network/virtualNetworks/test/subnets/test"
  nat_gateway_id = "${azurerm_nat_gateway.nat.id}"
}

2. Apply modified version with removed ip association (public_ip_address_ids = [])on natgateway and azurerm_public_ip resource deletion

provider "azurerm" {
  subscription_id = "subscription_id"
  tenant_id       = "tenant_id"
  client_id       = "sp-id"
  client_secret   = "sp-secret"
  version         = "2.0.0"
  features {}
}
resource "azurerm_resource_group" "rg" {
  name     = "test-nat"
  location = "westeurope"
}
resource "azurerm_nat_gateway" "nat" {
  name                    = "test-nat-gateway"
  location                = "westeurope"
  resource_group_name     = "${azurerm_resource_group.rg.name}"
  public_ip_address_ids   = []
  sku_name                = "Standard"
}
resource "azurerm_subnet_nat_gateway_association" "nat-worker-subnet-association" {
  subnet_id      = "/subscriptions/<subscription-id>/resourceGroups/my-rg/providers/Microsoft.Network/virtualNetworks/test/subnets/test"
  nat_gateway_id = "${azurerm_nat_gateway.nat.id}"
}

Panic Output

$ tf apply -auto-approve
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/<subscription-id>/resourceGroups/test-nat]
azurerm_public_ip.natip: Refreshing state... [id=/subscriptions/<subscription-id>/resourceGroups/test-nat/providers/Microsoft.Network/publicIPAddresses/test-nat-ip]
azurerm_nat_gateway.nat: Refreshing state... [id=/subscriptions/<subscription-id>/resourceGroups/test-nat/providers/Microsoft.Network/natGateways/test-nat-gateway]
azurerm_subnet_nat_gateway_association.nat-worker-subnet-association: Refreshing state... [id=/subscriptions/<subscription-id>/resourceGroups/my-rg/providers/Microsoft.Network/virtualNetworks/test/subnets/test]
azurerm_public_ip.natip: Destroying... [id=/subscriptions/<subscription-id>/resourceGroups/test-nat/providers/Microsoft.Network/publicIPAddresses/test-nat-ip]

Warning: Interpolation-only expressions are deprecated

  on main.tf line 18, in resource "azurerm_nat_gateway" "nat":
  18:   resource_group_name     = "${azurerm_resource_group.rg.name}"

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and one more similar warning elsewhere)


Error: Error deleting Public IP "test-nat-ip" (Resource Group "test-nat"): network.PublicIPAddressesClient#Delete: Failure sending request: StatusCode=400 -- Original Error: Code="PublicIPAddressCannotBeDeleted" Message="Public IP address /subscriptions/<subscription-id>/resourceGroups/test-nat/providers/Microsoft.Network/publicIPAddresses/test-nat-ip can not be deleted since it is still allocated to resource /subscriptions/<subscription-id>/resourceGroups/test-nat/providers/Microsoft.Network/natGateways/test-nat-gateway. In order to delete the public IP, disassociate/detach the Public IP address from the resource.  To learn how to do this, see aka.ms/deletepublicip." Details=[]

Expected Behavior

1. Terraform should detach ip from nat gateway
2. Terraform should delete the ip after step 1. has been completed

Actual Behavior

Terraform seems not to detach the public ip if the resource is intended to be deleted.

Steps to Reproduce

1. Apply first manifest and wait until completed
2. Apply modified version, see second tf manifest
   • without ip association on the natgateway
   • without azurerm_public_ip resource

Important Factoids

no

References

• #0000

[ghost]

This has been released in version 2.12.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.12.0"
}
# ... other configuration ...

[dkistner]

I have tested with azurerm provider v2.12.0, which should contain #6450

Error: Error deleting Public IP "test-nat-ip" (Resource Group "test"): network.PublicIPAddressesClient#Delete: Failure sending request: StatusCode=400 -- Original Error: Code="PublicIPAddressCannotBeDeleted" Message="Public IP address /subscriptions/<subsciption-id>/resourceGroups/test/providers/Microsoft.Network/publicIPAddresses/test-nat-ip can not be deleted since it is still allocated to resource /subscriptions/<subsciption-id>/resourceGroups/test/providers/Microsoft.Network/natGateways/test-nat-gateway. In order to delete the public IP, disassociate/detach the Public IP address from the resource.  To learn how to do this, see aka.ms/deletepublicip." Details=[]

This happen only on the first apply from time to time. The next applies work always in my test.

cc @katbyte

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!