I have experienced; "statusMessage": "{\"error\":{\"code\":\"InUseSubnetCannotBeDeleted\",\"message\":\"Subnet GatewaySubnet is in use by /subscriptions/x/resourceGroups/vdc-rg-1b7ce3ef/providers/Microsoft.Network/virtualNetworkGateways/hub-vpn-gw-374360cb/ipConfigurations/hub-vpn-gw-ipconf and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet.\",\"details\":[]}}"     },

But I think that was an intentional deletion at the end of an experiment

Did you create GatewaySubnet along with ssvc-vnet-prod using subnets= or as a separate Subnet resource (or both)? "*NOTE on Virtual Networks and Subnet’s:* This provider currently provides both a standalone Subnet resource, and allows for Subnets to be defined in-line within the Virtual Network resource. At this time you cannot use a Virtual Network with in-line Subnets in conjunction with any Subnet resources. Doing so will cause a conflict of Subnet configurations and will overwrite Subnet’s."

https://www.pulumi.com/docs/reference/pkg/python/pulumi_azure/network/#pulumi_azure.network.Subnet name (pulumi.Input[str]) – The name of the subnet. Changing this forces a new resource to be created resource_group_name (pulumi.Input[str]) – The name of the resource group in which to create the subnet. Changing this forces a new resource to be created. virtual_network_name (pulumi.Input[str]) – The name of the virtual network to which to attach the subnet. Changing this forces a new resource to be created. But changing tags does not appear to force a new resource to be created. Similar for https://www.pulumi.com/docs/reference/pkg/python/pulumi_azure/network/#pulumi_azure.network.VirtualNetwork

terraform / pulumi only support one or the other, either nested or separate

But so far my vnets are successfully updated… I’ll try your example 1-on-1

@colossal-room-15708

import * as azure from "@pulumi/azure";
import * as pulumi from "@pulumi/pulumi";

const defaultTags = {
  "environment": "stack_name",
  "new": "tag",
};

const resourceGroup = new azure.core.ResourceGroup("rg", {
  tags: defaultTags,
});

const vnet = new azure.network.VirtualNetwork("server-network", {
  resourceGroupName: resourceGroup.name,
  name: "ssvc-net-stack-name",
  addressSpaces: ["10.0.0.0/16"],
  tags: defaultTags,
});

const subnetConfig = [
  ['AzureBastionSubnet', '10.0.1.0/27'], 
  ['GatewaySubnet', '10.0.2.0/27'], 
  ['AzureFirewallSubnet', '10.0.3.0/27'],
];

for (let subnet of subnetConfig) {
  const subnetResource = new azure.network.Subnet(subnet[0], {
    resourceGroupName: resourceGroup.name,
    name: subnet[0],
    addressPrefix: subnet[1],
    virtualNetworkName: vnet.name,
  });
}

This works fine for me: I update the tags, and

pulumi up

succeeds

Do you see any difference to your case?

That will fail, @tall-librarian-49374

Right now, your subnets aren't in use

Still, looking at the actual API calls, you should also see that ARM redeployed your subnets.

A gateway takes like half-an-hour to provision

I’m basically trying to make the smallest repro possible