azurerm_express_route_port - fix bug where Terraform Apply removes managed identity and update supported ciphers. (hashicorp#30240)

bubbletroubles · BubbleTroubles · web-flow · commit 045474594d97 · 2026-02-10T13:51:26.000-07:00
Co-authored-by: BubbleTroubles &lt;bubbletroubles@gmail.com&gt;
diff --git a/internal/services/network/express_route_port_resource.go b/internal/services/network/express_route_port_resource.go
@@ -6,6 +6,7 @@ package network
 import (
 	"fmt"
 	"log"
+	"strings"
 	"time"
 
 	"github.com/hashicorp/go-azure-helpers/lang/pointer"
@@ -42,19 +43,12 @@ var expressRoutePortSchema = &pluginsdk.Schema{
 			"macsec_cipher": {
 				Type:     pluginsdk.TypeString,
 				Optional: true,
-
-				// TODO: The following hardcode can be replaced by SDK types once following is merged:
-				// 	https://github.com/Azure/azure-rest-api-specs/pull/12329
-				Default: "GcmAes128",
-				// Default: string(expressrouteports.GcmAes128),
-
-				// TODO: The following hardcode can be replaced by SDK types once following is merged:
-				// 	https://github.com/Azure/azure-rest-api-specs/pull/12329
+				Default:  string(expressrouteports.ExpressRouteLinkMacSecCipherGcmAesOneTwoEight),
 				ValidateFunc: validation.StringInSlice([]string{
-					"GcmAes128",
-					"GcmAes256",
-					// string(expressrouteports.GcmAes128),
-					// string(expressrouteports.GcmAes256),
+					string(expressrouteports.ExpressRouteLinkMacSecCipherGcmAesOneTwoEight),
+					string(expressrouteports.ExpressRouteLinkMacSecCipherGcmAesTwoFiveSix),
+					string(expressrouteports.ExpressRouteLinkMacSecCipherGcmAesXpnOneTwoEight),
+					string(expressrouteports.ExpressRouteLinkMacSecCipherGcmAesXpnTwoFiveSix),
 				}, false),
 			},
 			"macsec_ckn_keyvault_secret_id": {
@@ -274,6 +268,24 @@ func resourceArmExpressRoutePortUpdate(d *pluginsdk.ResourceData, meta interface
 
 	payload := existing.Model
 
+	// Normalize the identity type - Azure API returns lowercase (e.g. "userAssigned")
+	// but the SDK MarshalJSON expects exact case match (e.g. "UserAssigned")
+	// Without normalization, MarshalJSON defaults to "None" and removes the identity
+	if payload.Identity != nil {
+		// Use string comparison to normalize the type
+		switch strings.ToLower(string(payload.Identity.Type)) {
+		case "systemassigned":
+			payload.Identity.Type = identity.TypeSystemAssigned
+		case "userassigned":
+			payload.Identity.Type = identity.TypeUserAssigned
+		case "systemassigned, userassigned", "systemassigned,userassigned":
+			payload.Identity.Type = identity.TypeSystemAssignedUserAssigned
+		case "none":
+			payload.Identity.Type = identity.TypeNone
+		}
+		log.Printf("[DEBUG] Normalized identity type from %q to %q", existing.Model.Identity.Type, payload.Identity.Type)
+	}
+
 	if d.HasChange("identity") {
 		expandedIdentity, err := identity.ExpandSystemAndUserAssignedMap(d.Get("identity").([]interface{}))
 		if err != nil {
@@ -300,8 +312,6 @@ func resourceArmExpressRoutePortUpdate(d *pluginsdk.ResourceData, meta interface
 	locks.ByID(id.ID())
 	defer locks.UnlockByID(id.ID())
 
-	payload.Properties.Links = expandExpressRoutePortLinks(d.Get("link1").([]interface{}), d.Get("link2").([]interface{}))
-
 	if err := client.CreateOrUpdateThenPoll(ctx, *id, *payload); err != nil {
 		return fmt.Errorf("updating %s: %+v", id, err)
 	}
diff --git a/internal/services/network/express_route_port_resource_test.go b/internal/services/network/express_route_port_resource_test.go
@@ -94,6 +94,26 @@ func TestAccExpressRoutePort_userAssignedIdentity(t *testing.T) {
 			Config: r.userAssignedIdentity(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("identity.0.type").HasValue("UserAssigned"),
+				check.That(data.ResourceName).Key("identity.0.identity_ids.#").HasValue("1"),
+			),
+		},
+		{
+			Config: r.userAssignedIdentityWithTags(data, "tag1"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("identity.0.type").HasValue("UserAssigned"),
+				check.That(data.ResourceName).Key("identity.0.identity_ids.#").HasValue("1"),
+				check.That(data.ResourceName).Key("tags.environment").HasValue("tag1"),
+			),
+		},
+		{
+			Config: r.userAssignedIdentityWithTags(data, "tag2"),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("identity.0.type").HasValue("UserAssigned"),
+				check.That(data.ResourceName).Key("identity.0.identity_ids.#").HasValue("1"),
+				check.That(data.ResourceName).Key("tags.environment").HasValue("tag2"),
 			),
 		},
 		data.ImportStep(),
@@ -115,6 +135,31 @@ func TestAccExpressRoutePort_linkCipher(t *testing.T) {
 	})
 }
 
+func TestAccExpressRoutePort_identityRemoval(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_express_route_port", "test")
+	r := ExpressRoutePortResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.linkCipher(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("identity.0.type").HasValue("UserAssigned"),
+				check.That(data.ResourceName).Key("identity.0.identity_ids.#").HasValue("1"),
+				check.That(data.ResourceName).Key("link1.0.macsec_cipher").HasValue("GcmAesXpn256"),
+			),
+		},
+		{
+			Config: r.basic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("identity.#").HasValue("0"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func (r ExpressRoutePortResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 	client := clients.Network.ExpressRoutePorts
 
@@ -137,18 +182,18 @@ func (r ExpressRoutePortResource) basic(data acceptance.TestData) string {
 %s
 
 resource "azurerm_express_route_port" "test" {
-  name                = "acctestERP-%d"
+  name                = "acctestERP-%[2]d"
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
-  peering_location    = "Equinix-London-LDS"
+  peering_location    = "Airtel-Chennai2-CLS"
   bandwidth_in_gbps   = 10
   encapsulation       = "Dot1Q"
   billing_type        = "MeteredData"
   tags = {
     ENV = "Test"
   }
 }
-`, template, data.RandomInteger)
+`, template, data.RandomIntOfLength(8))
 }
 
 func (r ExpressRoutePortResource) adminState(data acceptance.TestData) string {
@@ -201,7 +246,7 @@ resource "azurerm_express_route_port" "test" {
   name                = "acctestERP-%[2]d"
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
-  peering_location    = "Area51-ERDirect"
+  peering_location    = "Airtel-Chennai2-CLS"
   bandwidth_in_gbps   = 10
   encapsulation       = "Dot1Q"
   identity {
@@ -276,7 +321,7 @@ resource "azurerm_express_route_port" "test" {
     identity_ids = [azurerm_user_assigned_identity.test.id]
   }
   link1 {
-    macsec_cipher                 = "GcmAes256"
+    macsec_cipher                 = "GcmAesXpn256"
     macsec_ckn_keyvault_secret_id = azurerm_key_vault_secret.ckn.id
     macsec_cak_keyvault_secret_id = azurerm_key_vault_secret.cak.id
     macsec_sci_enabled            = true
@@ -290,6 +335,45 @@ resource "azurerm_express_route_port" "test" {
 `, template, data.RandomIntOfLength(8))
 }
 
+func (r ExpressRoutePortResource) userAssignedIdentityWithTags(data acceptance.TestData, tagValue string) string {
+	template := r.template(data)
+	return fmt.Sprintf(`
+%s
+
+resource "azurerm_user_assigned_identity" "test" {
+  location            = azurerm_resource_group.test.location
+  name                = "acctestUAI-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+}
+
+resource "azurerm_express_route_port" "test" {
+  name                = "acctestERP-%[2]d"
+  resource_group_name = azurerm_resource_group.test.name
+  location            = azurerm_resource_group.test.location
+  peering_location    = "Airtel-Chennai2-CLS"
+  bandwidth_in_gbps   = 10
+  encapsulation       = "Dot1Q"
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.test.id]
+  }
+
+  link1 {
+    admin_enabled = false
+  }
+
+  link2 {
+    admin_enabled = false
+  }
+
+  tags = {
+    environment = "%[3]s"
+  }
+}
+`, template, data.RandomIntOfLength(8), tagValue)
+}
+
 func (r ExpressRoutePortResource) template(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
diff --git a/website/docs/r/express_route_port.html.markdown b/website/docs/r/express_route_port.html.markdown
@@ -70,7 +70,7 @@ A `link` block supports the following:
 
 * `admin_enabled` - (Optional) Whether enable administration state on the Express Route Port Link? Defaults to `false`.
   
-* `macsec_cipher` - (Optional) The MACSec cipher used for this Express Route Port Link. Possible values are `GcmAes128` and `GcmAes256`. Defaults to `GcmAes128`.
+* `macsec_cipher` - (Optional) The MACSec cipher used for this Express Route Port Link. Possible values are `GcmAes128`, `GcmAes256`, `GcmAesXpn128` and `GcmAesXpn256`. Defaults to `GcmAes128`.
 
 * `macsec_ckn_keyvault_secret_id` - (Optional) The ID of the Key Vault Secret that contains the MACSec CKN key for this Express Route Port Link.
 
