azurerm_virtual_network_gateway: restore ExpressRoute legacy public_ip_address_id behavior

[alkarp]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

This PR restores legacy azurerm_virtual_network_gateway behavior for ExpressRoute gateways by preserving ip_configuration.public_ip_address_id in state when Azure returns it for existing brownfield resources.

What changed

• Restored flattening of ip_configuration.public_ip_address_id from VirtualNetworkGatewayIPConfiguration.Properties.PublicIPAddress.Id.
• Expanded unit coverage for flattenVirtualNetworkGatewayIPConfigurations with table-driven tests for:
  • nil input
  • empty input
  • inclusion of public_ip_address_id
  • omission of optional fields when absent
  • stable ordering across multiple configurations
• Updated resource documentation for azurerm_virtual_network_gateway to reflect behavior.

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevant documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass.

Command:
go test ./internal/services/network -run '^(TestVirtualNetworkGatewayResource_NoCustomizeDiff|TestFlattenVirtualNetworkGatewayIPConfigurations)$'
Output:
ok github.com/hashicorp/terraform-provider-azurerm/internal/services/network 1.937s

Command:
go test ./internal/services/network
Output:
ok github.com/hashicorp/terraform-provider-azurerm/internal/services/network 1.755s

Command:
go test ./internal/services/network -run '^(TestVirtualNetworkGatewayResource_NoCustomizeDiff|TestFlattenVirtualNetworkGatewayIPConfigurations)$'
Output:
ok github.com/hashicorp/terraform-provider-azurerm/internal/services/network (cached)

Command:
go test ./internal/services/network
Output:
ok github.com/hashicorp/terraform-provider-azurerm/internal/services/network (cached)

Change Log

N/A - maintainers manage changelog entries during merge.

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #31730

AI Assistance Disclosure

• AI Assisted - This contribution was made by, or with the assistance of, AI/LLMs

Extent: AI assistance was used for unit test additions and PR drafting.

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the provider.

Changes to Security Controls

No changes to security controls (access controls, encryption, logging).

[ziyeqf]

Hi @alkarp, thanks for the PR.

For the testing part, please add stuiable acctest and provide the test result, instead of the *_unit_test.go. For you reference, please read through the contributing document.

[alkarp]

Hi @ziyeqf, thanks for the review. I’ve addressed your comments:

• replaced the unit test coverage with an acceptance test
• expanded on the HOBO abbreviation and added a documentation link

local targeted test compile/harness check passed:

go test ./internal/services/network -run TestAccVirtualNetworkGateway_expressRouteWithPublicIPAddressId -count=1
ok  	github.com/hashicorp/terraform-provider-azurerm/internal/services/network	3.651s

For the full acceptance test result: I don’t currently have an environment available to run it.

[alkarp]

apologies for the conflict resolution via web UI fiasco. branch has been cleared, conflicts resolved.

[ziyeqf]

Hi @alkarp, thanks for the update. I left one comment in line and triggered a testing for azurerm_virtual_network_gateway. Will post the testing result here later.

[ziyeqf]

Here is the test result based on this branch:

For those new failures, my understanding is they are not related to the changes in this PR. Error message are like below:

        Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app '*******' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. Trace ID: 7e105965-8d6f-4d46-902a-319018a5ce00 Correlation ID: a484dfcb-9ef1-47aa-b38a-f1116d74dcad Timestamp: 2026-03-09 01:47:22Z","error_codes":[7000222],"timestamp":"2026-03-09 01:47:22Z","trace_id":"7e105965-8d6f-4d46-902a-319018a5ce00","correlation_id":"a484dfcb-9ef1-47aa-b38a-f1116d74dcad","error_uri":"https://login.microsoftonline.com/error?code=7000222"}

[alkarp]

@ziyeqf please, give it another review, comments resolved.