Skip to content

Conversation

snobear
Copy link

@snobear snobear commented Oct 20, 2025

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

This PR adds case-insensitive handling for application security group IDs in both standalone network security rules and inline security rules within network security groups. This resolves issues where Azure Resource Manager IDs with different casing cause unnecessary diffs in Terraform plans.

There is an open PR that is similar (#30821), however this PR leverages the existing DiffSuppressFunc pattern and adds tests.

Changes:

  • Add DiffSuppressFunc: suppress.CaseDifference to ASG ID fields
  • Add custom hash functions for case-insensitive TypeSet hashing
  • Export hash functions for unit tests
  • Add unit tests for case normalization behavior

Fixes: Case-only diffs in azurerm_network_security_rule and azurerm_network_security_group resources when using application security group IDs with inconsistent casing from Azure API responses.

PR Checklist

  • I have followed the guidelines in our Contributing Documentation.
  • I have checked to ensure there aren't other open Pull Requests for the same update/change.
  • I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
  • I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
  • I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
    For example: “resource_name_here - description of change e.g. adding property new_property_name_here

Changes to existing Resource / Data Source

  • I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
  • I have written new tests for my resource or datasource changes & updated any relevant documentation.
  • I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
  • (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

  • My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

I can’t provide plan/apply logs from our internal terraform, but tests have been added:

  • Unit tests covering hash function determinism and consistency
  • Unit tests for DiffSuppressFunc behavior with various case scenarios
  • Integration testing with real Azure Resource Manager IDs

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

BUG FIXES:

This is a (please select all that apply):

  • Bug Fix
  • New Feature (ie adding a service, resource, or data source)
  • Enhancement
  • Breaking Change

Related Issue(s)

Fixes #29841

AI Assistance Disclosure

  • AI Assisted - This contribution was made by, or with the assistance of, AI/LLMs

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the provider.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

This PR adds case-insensitive handling for application security group IDs
in both standalone network security rules and inline security rules within
network security groups. This resolves issues where Azure Resource Manager
IDs with different casing cause unnecessary diffs in Terraform plans.

Changes:
- Add DiffSuppressFunc: suppress.CaseDifference to ASG ID fields
- Add custom hash functions for case-insensitive TypeSet hashing
- Export hash functions for comprehensive unit testing
- Add comprehensive unit tests for case normalization behavior

Fixes: Case-only diffs in azurerm_network_security_rule and
azurerm_network_security_group resources when using application
security group IDs with inconsistent casing from Azure API responses.

Tested with:
- Unit tests covering hash function determinism and consistency
- Unit tests for DiffSuppressFunc behavior with various case scenarios
- Integration testing with real Azure Resource Manager IDs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

azurerm_network_security_rule - case sensitivity causing changes to be seen

1 participant