Terraform-provider-azurerm: VNET Service Endpoints getting removed during changes to DNS - affected resource azurerm_virtual_network

Terraform removes all service endpoints on VNET during changes to VNET DNS.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.11.10

• provider.azurerm v1.18.0
  (running on Windows WSL)

Affected Resource(s)

azurerm_virtual_network

Terraform Configuration Files

#################################
# Resources
#################################

resource "azurerm_resource_group" "test_rg" {
  name     = "${var.env}"
  location = "${var.azurerm_location}"
}

resource "azurerm_virtual_network" "test_vnet" {
  name                = "${var.env}"
  address_space       = ["10.103.12.0/22"]
  location            = "${var.azurerm_location}"
  resource_group_name = "${azurerm_resource_group.test_rg.name}"
}

resource "azurerm_subnet" "test_subnet" {
  name                 = "${var.env}-subnet"
  address_prefix       = "10.103.14.0/24"
  virtual_network_name = "${azurerm_virtual_network.test_vnet.name}"
  resource_group_name  = "${azurerm_resource_group.test_rg.name}"
  service_endpoints    = ["Microsoft.KeyVault"]
}

Debug Output

$ terraform apply
azurerm_resource_group.test_rg: Refreshing state... (ID: /<...>/resourceGroups/dns-bug)
azurerm_virtual_network.test_vnet: Refreshing state... (ID: /subscriptions/<...>...rosoft.Network/virtualNetworks/dns-bug)
azurerm_subnet.test_subnet: Refreshing state... (ID: /subscriptions/<...>/dns-bug/subnets/dns-bug-subnet)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

~ azurerm_virtual_network.test_vnet
dns_servers.#: "1" => "0"
dns_servers.0: "192.168.3.56" => ""

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

azurerm_virtual_network.test_vnet: Modifying... (ID: /subscriptions/<...>...rosoft.Network/virtualNetworks/dns-bug)
dns_servers.#: "1" => "0"
dns_servers.0: "192.168.3.56" => ""
azurerm_virtual_network.test_vnet: Still modifying... (ID: /subscriptions/<...>-...rosoft.Network/virtualNetworks/dns-bug, 10s elapsed)
azurerm_virtual_network.test_vnet: Modifications complete after 11s (ID: /subscriptions/<...>-...rosoft.Network/virtualNetworks/dns-bug)

Expected Behavior

Terraform should remove DNS IP which was added manually but leave SE endpoints for KV

Actual Behavior

Terraform removes DNS IP that was added manually and also all Service Endpoints

Steps to Reproduce

1. Run provided configuration
2. Add manually DNS IP
3. Run terraform apply again - at this points SE will be removed along with DNS ip