Getting Terraform resource already exists error with resource just created by Terraform

4
votes

I'm setting up a virtual network in Azure with Terraform.

I have several VNets each with their own Network Security Group 100% managed in Terraform, no resources except the Resource Group exist prior to running Terraform.

When I run Terraform apply the first time all the resources are created correctly. However if I try and run apply again to update other resources I get an error saying the NSG resources already exist.

Error: A resource with the ID
"/subscriptions/0000000000000000/resourceGroups/SynthArtInfra/providers/Microsoft.Network/networkSecurityGroups/SynthArtInfra_ServerPoolNSG"
already exists - to be managed via Terraform this resource needs to be
imported into the State. Please see the resource documentation for
"azurerm_network_security_group" for more information.

Why is Terraform complaining about an existing resource when it should already be under it's control?

Edit: This is the code related to the NSG, everything else is to do with a VPN gatway:

# Configure the Azure provider
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = ">= 2.26"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_resource_group" "SynthArtInfra" {
    name     = "SynthArtInfra"
    location = "Somewhere" # not real
    most_recent = true
}


resource "azurerm_virtual_network" "SynthArtInfra_ComputePool" {
  name = "SynthArtInfra_ComputePool"
  location = azurerm_resource_group.SynthArtInfra.location
  resource_group_name = azurerm_resource_group.SynthArtInfra.name
  address_space = ["10.6.0.0/16"]
}

resource "azurerm_subnet" "ComputePool_default" {
  name = "ComputePool_default"
  resource_group_name = azurerm_resource_group.SynthArtInfra.name
  virtual_network_name = azurerm_virtual_network.SynthArtInfra_ComputePool.name
  address_prefixes = ["10.6.0.0/24"]
}


resource "azurerm_network_security_group" "SynthArtInfra_ComputePoolNSG" {
  name                = "SynthArtInfra_ComputePoolNSG"
  location            = azurerm_resource_group.SynthArtInfra.location
  resource_group_name = azurerm_resource_group.SynthArtInfra.name

  security_rule {
    name                       = "CustomSSH"
    priority                   = 119
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "0000" # not the real port number
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }    
   
}

The other odd thing is our subscription has a security policy that automatically adds NSGs to resources that don't have one. But weirdly after applying my terraform script the NSGs are created but aren't actually associated with the Subnets and the security policy has created new NSGs. This needs to be resolved but didn't think it would cause this error.

1
terraformterraform-provider-azure
Could you show your full code?Nancy Xiong
Could you also edit your question to include the plan output please?ydaetskcoR
Can you post the policy too? as ydaetskcoR mentioned provide the plan output, but for both runs. Sounds like your policy might be doing something odd, but usually the import error implies your terraform doesn't have state information and wants to create a new resource, but found the exact one already created.Christian Pearce
Thanks for your input! I worked out what was going on, see my answerGeordie

1 Answers

0
votes

I think what was going on is this is my first time using Terraform so I was getting a lot of errors midway through apply and destroy operations.

I ended up manually removing all the resources in Azure and deleting Terraform's local cache then everything started working.