Terraform-provider-azurerm: Network rule collection deleted when updating tags on firewall

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

$ terraform -v
Terraform v0.11.11
+ provider.azurerm v1.20.0

Affected Resource(s)

• azurerm_firewall
• azurerm_firewall_network_rule_collection

Terraform Configuration Files

All of the necessary Terraform templates to recreate this issue are in this gist.

Expected Behavior

Terraform should have added/updated the tags on the Firewall.

Actual Behavior

Terraform added/updated the tags on the Firewall, and also deleted the network rule collection.

A subsequent terraform plan included the (re)creation of the network rule collection.

Steps to Reproduce

1. Using the Terraform templates in the linked gist, run terraform plan and terraform apply.
2. In the Azure portal, navigate to the firewall's network rule collections, and confirm the existence of the network rule collection described in the Terraform templates.
3. In the Terraform templates, make a change to the azurerm_firewall resource, e.g. add a new tag or edit an existing one in terraform.tfvars.
4. Run terraform plan and terraform apply again.
5. Refresh the network rule collections in the Azure portal.

Important Factoids

Our discovery of this issue came when updating tags to meet compliance, and the inadvertent removal of the above network rule collection led to some resources not having internet access briefly.