provider/azurerm: Fixes for azurerm subnet properties

[carinadigital]

Partially fixes GH-8227

So far this implements the setting of address range, route table association and network security group association for azurerm subnet resource.

There is still failure when going from a set resource to none for route tables and nsg, e.g.

resource "azurerm_subnet" "test" {
    name = "testsubnet"
    resource_group_name = "${azurerm_resource_group.test.name}"
    virtual_network_name = "${azurerm_virtual_network.test.name}"
    address_prefix = "10.0.1.0/24"
    route_table_id = "${azurerm_route_table.test.id}"
    network_security_group_id = "${azurerm_network_security_group.test.id}"
}

to

resource "azurerm_subnet" "test" {
    name = "testsubnet"
    resource_group_name = "${azurerm_resource_group.test.name}"
    virtual_network_name = "${azurerm_virtual_network.test.name}"
    address_prefix = "10.0.1.0/24"
    route_table_id = ""
    network_security_group_id = ""
}

[carinadigital]

I think the fact that network_security_group_id and route_table_id are computed resources is relevant. I don't completely understand the use of 'computed' in the schema, but when I compile without it, I get the correct behaviour.

It's perfectly reasonable to create route tables and NSGs and not link them with any subnets.

[carinadigital]

So I think that 'computed' in the resource schema does not match the actual relationship of subnet to route_table_id and network_security_group_id.

A Route Table is not created when a Subnet is created, and neither is any relationship established. The linkage is manual and depends on the Route Table being created and it's ID provided to the subnet.

[carinadigital]

This is ready for review. Fully fixes GH-8227 and route_table_id &network_security_group_id associations in the azurerm subnet resource.

There will be an impact on those who have manually set route table or NSG associations and do not have a corresponding entry in the subnet resource. Previously during the plan it will ignore route table or NSG associations and leave real-life associations. The new behaviour will remove any existing associations if route_table_id and network_security_group_id are ommitted or set to "".

[carinadigital]

Added TestAccAzureRMSubnet_update() to show the problem with removing route table and NSG associations on the subnet.

[carinadigital]

@stack72 Can someone review this / advise on next steps please? It's been hanging around for a while.

[carinadigital]

I think it will need another look due to the recent merge of #9646
They cover some similar code..

[carinadigital]

I'm going to close this pull request given that some of the functionality in resourceArmSubnetRead() was fixed in #9646 . I have opened another PR #9648 that's more specific to the issue of route table association and network security group in the subnet

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.