azurerm_virtual_network_gateway: Removal of public_ip_address_id support for ExpressRoute type breaks management of existing (brownfield) resources

[alkarp]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.14.5

AzureRM Provider Version

4.59.0

Affected Resource(s)/Data Source(s)

azurerm_virtual_network_gateway

Terraform Configuration Files

resource "azurerm_public_ip" "example" {
  name                = "test-pip"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  allocation_method   = "Dynamic"
}

resource "azurerm_virtual_network_gateway" "example" {
  name                = "test-er-gateway"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  type     = "ExpressRoute"
  vpn_type = "RouteBased"

  sku = "Standard"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    
    # This field triggers the issue. 
    # It is required for existing brownfield deployments that have a manual PIP, 
    # but the provider now rejects it or forces replacement if removed.
    public_ip_address_id          = azurerm_public_ip.example.id
    
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.example.id
  }
}

Debug Output/Panic Output

│ Error: `ip_configuration.0.public_ip_address_id` cannot be set when `type` is set to `ExpressRoute`
│ 
│   with module.azure_network_hub["uks-shrd-01"].azurerm_virtual_network_gateway.hub_express_route_virtual_gateway[0],
│   on ../../../../.modules/azure_network_hub/resource_azurerm_virtual_network_gateway.tf line 1, in resource "azurerm_virtual_network_gateway" "hub_express_route_virtual_gateway":
│    1: resource "azurerm_virtual_network_gateway" "hub_express_route_virtual_gateway" {
│

Expected Behaviour

Microsoft has changed the default behavior for new ExpressRoute Gateways to use auto-assigned (HOBO) public IPs. However, Azure still supports existing ExpressRoute Gateways that were deployed with explicit/manual Public IP resources.

The latest version of the provider appears to enforce a validation rule (or schema change) that prevents public_ip_address_id from being set when type = "ExpressRoute".

This creates a breaking scenario for existing infrastructure:

1. If we keep public_ip_address_id in the config, the provider throws a validation error (e.g., "public_ip_address_id must not be set when type is ExpressRoute").
2. If we remove public_ip_address_id to satisfy the provider validation, Terraform detects a drift between the config (null) and the state (has IP ID). Because ip_configuration changes force a new resource, Terraform plans a destroy and recreate of the gateway.

Destruction of an ExpressRoute gateway causes significant downtime (30-45 minutes) and is not an acceptable path for managing existing production resources that are still valid in Azure. The provider should support the legacy configuration for brownfield deployments.

Expected Behaviour The provider should allow public_ip_address_id to be defined for azurerm_virtual_network_gateway when type = "ExpressRoute" to support existing resources.

Alternatively, the provider should ignore the presence of a Public IP in the state if the config omits it, without triggering a "ForceNew" replacement event, allowing for a seamless transition or state-adoption of the existing IP.

Actual Behaviour

Scenario A (Field present): terraform plan fails with a schema/validation error stating the field is not supported for ExpressRoute gateways.

Scenario B (Field removed): terraform plan succeeds but proposes a replacement (destroy/create) of the Virtual Network Gateway because the ip_configuration block has changed (removing the IP reference).

Steps to Reproduce

1. Have an existing Azure ExpressRoute Virtual Network Gateway deployed (using an older provider version) that has a specific public_ip_address_id associated with it.
2. Upgrade to the latest azurerm provider version.
3. Run terraform plan.
4. Observe validation error regarding public_ip_address_id.
5. Remove public_ip_address_id from the configuration to fix the validation error.
6. Run terraform plan.
7. Observe that Terraform plans to destroy and recreate the gateway.

Important Factoids

No response

References

#31084

[alkarp]

FYI, @katbyte @jiaweitao001

[CharbelHanna]

Hello, do we have an update on the this issue please ?
at least could we confirm that this change has been shipped with the 4.59.0 and above of the provider, so at the mean time we try to use a lower version ?

[wiebeck]

Same here. Since provider version 4.59.0 our Terraform plans error with the exact same error message. This needs to get fixed.

[Swathi-Bekkera]

Same issue, our Terraform plan throws error with the exact same error message. This needs to be fixed asap.

[danielbeltejar]

Same here

[catt231]

Could we have any type of update on this?

[es-cs1]

@jiaweitao001

Hi Jia,

we saw that the PR
#31084
was merged a month or so ago, and was targeted for v.4.59 milestone,

Wondering why in the changelog for v4.59 it did not show up?
https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v4.59.0

[alkarp]

@es-cs1 this was the PR that introduced that issue.

@catt231 fix PR is open and under review #31771