# azure
l
Hi, I have an issue with an update to an azure virtual network that I am hoping someone can help me with. We are currently breaking down our monolithic IAC into a componentised approach. As part of this work we are creating a hub for regionally shared resources, and a spoke for customer-specific compute. We are using subscriptions to isolate the hub/spoke resources from each other and using peering to connect the networks together. A simplified diagram
 ┌────────────────────────────────────┐                ┌──────────────────────────┐
 │ Hub Subscription                   │                │ Spoke Subscription       │
 │                                    │                │                          │
 │   ┌───────┐      ┌──────────────┐  │                │            ┌──────┐      │
 │   │  agw  ┼┐    ┌┼  sql_server  │  │                │           ┌┼  vm  │      │
 │   └───────┘│    │└──────────────┘  │                │           │└──────┘      │
 │            │    │                  │                │           │              │
 │         ┌──┼────┼────┐             │    peering     │        ┌──┼───────────┐  │
 │         │  hub_vnet  ◄─────────────│────────────────│────────►  spoke_vnet  │  │
 │         └────────────┘             │                │        └──────────────┘  │
 └────────────────────────────────────┘                └──────────────────────────┘
The hub networking component creates the hub_vnet alongside an application gateway, bastion and a WAF. The vnet is class `pulumi_azure_native.networking.VirtualNetwork` and does not declare any subnets. The other resources then create their own subnet with class `az.network.Subnet` and inject their subnet into the hub_vnet. According to the documentation at https://www.pulumi.com/registry/packages/azure-native/api-docs/network/virtualnetwork/#subnets_python pulumi should not remove the subnets during an update to the vnet. However, when I update the tags on the vnet, pulumi is trying to delete the subnets. A snippet of my plan
"goal": {
	"type": "azure-native:network:VirtualNetwork",
	"name": "build-sbx-hub-netwrk-vnet",
	"custom": true,
	"inputDiff": {
		"updates": {
			"tags": {
				"BuildBranch": "develop",
				"ClientId": "build",
				"CommitHash": "b7220ed00b93985b794de9eb99c6aab2e1a6afc7",
				"Component": "Networking",
				"CostOwner": "build",
				"DevopsBuildUrl": "devs_machine: FA-0222",
				"Environment": "sandbox",
				"IsClientResource": false,
				"IsEphemeral": false,
				"Legacy": "False",
				"Product": "Hub",
				"Role": "active",
				"Version": "0.0.1"
			}
		}
	}
Error message returned
Diagnostics:
  pulumi:pulumi:Stack (Hub.Networking-build.sandbox):
    error: update failed

  azure-native:network:VirtualNetwork (build-sbx-hub-netwrk-vnet):
    error: Code="InUseSubnetCannotBeDeleted" Message="Subnet AzureBastionSubnet is in use by /subscriptions/58d847ff-52c8-4127-b663-1232b8fbbd48/resourceGroups/BUILD-SBX-HUB-NETWRK-RG/providers/Microsoft.Network/bastionHosts/BUILD-SBX-HUB-NETWRK-BAST/bastionHostIpConfigurations/BUILD-SBX-HUB-NETWRK-BAST-IPCONFIG and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See http://aka.ms/deletesubnet." Details=[]
Can anyone offer any guidance on this?
c
l
Thanks for replying @calm-doctor-76791 So far as I understand it, ignore changes stops pulumi from tracking differences during compare but doesn't prevent changes being made to those properties when an update is applied. This means that I could ignore changes to tags/subnets but the issue will remanifest as soon as any other property on the vnet is changed. The interesting thing to me is that if I set `ignore_changes=["tags"]` then pulumi does not detect any changes (which is what I'd expect here) but if I set `ignore_changes=[]` then `preview` says it will only update tags but `up` actually attempts to destroy subnets. I am beginning to think that this might be a bug.
I think I have gotten to the bottom of the problem. The vnet was initially created with inline subnets, which were removed in previous runs. Inspecting the stack file directly showed `input` had a key with `subnets: []`. I manually removed this line from the stack and now I am getting the expected behaviour.
a
In your `VirtualNetwork` definition are you setting the `subnets` parameter? (unset, `[]` or `None`)? What do you see during preview if you enable refresh?
pulumi pre --refresh
l
Hi @adventurous-butcher-54166, thanks for replying. I did not define a subnets parameter. I did, however, set `ignore_changes=["subnets"]` and removing this is making the network behave as expected. I'm still going through my testing and will follow up once I'm confident the problem is resolved
I have finished testing these changes and can confirm that the virtual network is now behaving as expected. My issue was because I set the `ignore_changes` property