Why is the Network Watcher on Azure not destroyed by Terraform?
I have a simple Terraform configuration to create azure virtual network. When I do plan and then apply, a virtual network is created inside of a resource group as expected. But in addition to this resource group, there is one more created by the name NetworkWatcherRG, and inside of it I see a network watcher.
And the network watcher.
Now when I run the Terraform destroy command, I expect that every thing is cleaned up, all the Resource groups are destroyed. But instead, everything except for the NetworkWatcherRG and the Network Watcher inside of it are destroyed.
Looks like the Network Watcher along with its resource group, is NOT managed by Terraform. What am I missing?
The network watcher is not immediately obvious. Its not reveled immediately. So to see that, you need to go the simplified view of the resource groups. You need to click the Refresh button atleast 5 times(each time with a 2 second time gap) or you have to wait for long time and then click refresh.
So what is this network watcher and is it that Azure is creating it by itself and not managed by Terraform?
My Terraform configuration file is as follows.
# Terraform settings Block
terraform {
required_version = ">= 1.0.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 2.0"
}
}
}
# Provider Block
provider "azurerm" {
features {}
}
# create virtual network
resource "azurerm_virtual_network" "myvnet" {
name = "vivek-1-vnet"
address_space = ["10.0.0.0/16"] # This is a list, it has []. If it has { }, then its a map.
location = azurerm_resource_group.myrg.location
resource_group_name = azurerm_resource_group.myrg.name
tags = { # This is a map. This is {}
"name" = "vivek-1-vnet"
}
}
# Resource-1: Azure Resource Group
resource "azurerm_resource_group" "myrg" {
name = "vivek-vnet-rg"
location = var.resource_group_location
}
variable "resource_group_location" {
default = "centralindia"
description = "Location of the resource group."
}
And finally the commands I use are as follows.
terraform fmt
terraform init
terraform validate
terraform plan -out main.tfplan
terraform apply main.tfplan
terraform plan -destroy -out main.destroy.tfplan
terraform apply main.destroy.tfplan
Before applying terraform code i checked in my resource groups with name network watcher resource group for me , by default this resource grpup is created by Azure side.
As Mike-Ubezzi wrote on Microsoft forums:
Network Watcher resources are located in the hidden NetworkWatcherRG resource group which is created automatically. For example, the NSG Flow Logs resource is a child resource of Network Watcher and is enabled in the NetworkWatcherRG.
The Network Watcher resource represents the backend service for Network Watcher and is fully managed by Azure. Customers do no need to manage it. Operations like move are not supported on the resource. However, the resource can be deleted.
So terraform destroy will only delete the resource created by you(mentioned in .tfstate file).This is the region you won't able to delete the NetworkWatcherRG Resource Group.
- Terraform: Use count.index in variable name
- Terraform not recognizing attributes read from yaml
- Azure Firewall Policy: Decentralized deployment of rule collections with Terraform
- Terraform: Nested for_each in nested dynamic blocks
- Terrform Module for Azure APIM Definitions
- How to enable Application Routing and Configuration Routing settings for AppService VNet Integration using Azure Terraform
- Terraform should I try to merge or flatten a complex variable?
- Not able to do geo restore in same region of azure postgres flex server using terraform
- Terraform Plan Error: Unable to Build Authorizer for Azure Resource Manager API
- Azure waf custom terraform configuration is throwing error for match_variables
- azurerm_virtual_machine doesn't remove managed storage_os_disk on destroy
- terraform use a dynamic count to get value from a list
- How to compare a variable against two strings?
- Azure Terraform Create a Firewall rule for a flexible MySql Database
- How to prevent terraform developers from viewing secrets with the nonsensitive function
- Terraform plan on local shows No Changes after import but shows creation on github actions
- Terraform Azure Key Vault - context deadline exceeded
- Using Terraform to import existing resources on Azure
- terraform - set a variable from commandline for module variable
- Why I can't create azurerm_app_service connection?
- Why commenting private_dns_zone_id in azurerm_postgresql_flexible_server has not effect in terraform?
- Terraform Import Issue
- Why is the Network Watcher on Azure not destroyed by Terraform?
- Get Azure keyvault id from two types of Terraform variable inputs
- Deploying Azure App Service to Multiple Subscriptions in a Tenant using Terraform and Azure DevOps - Need Advice
- Terraform tasks to deploy on azure cloud
- Can I use route tables in Azure hub-and-spoke topology to route outbound HTTP requests to go through hub's NAT Gateway?
- Terraform script to disable multiple functions in Azure Function app
- get terraform to randomly generate uuid ONE TIME ONLY, store in state and use for azuread_application_app_role
- Azure postgresql flexible server restore with terraform