VN snippet should use nested children for subnets instead of properties/subnets

[StephenWeatherford]

Here's the current "res-vnet" snippet output:

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2019-11-01' = {
  name: 'name'
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'Subnet-1'
        properties: {
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        name: 'Subnet-2'
        properties: {
          addressPrefix: '10.0.1.0/24'
        }
      }
    ]
  }
}

You can see the problem with this approach when you go to hook up a NIC:

resource networkInterface 'Microsoft.Network/networkInterfaces@2020-11-01' = {
  name: 'name'
  location: resourceGroup().location
  properties: {
    ipConfigurations: [
      {
        name: 'name'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: subnet.id    <<<<<<. WE DON'T HAVE A SYMBOLIC NAME for subnet
          }
        }
      }
    ]
  }
}

RECOMMEND: Use this instead:

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2019-11-01' = {
  name: 'name'
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
  }
  resource subnet1 'subnets' = {
    name: 'Subnet-1'
    properties: {
      addressPrefix: '10.0.0.0/24'
    }
  }
  resource subnet2 'subnets' = {
    name: 'Subnet-2'
    properties: {
      addressPrefix: '10.0.1.0/24'
    }
  }
}

[StephenWeatherford]

Related: #3501

[anthony-c-martin]

Syntactically, I much prefer the recommendation of breaking out subnets into child resources rather than properties, but one thing to be careful with generally with this type of refactor is that it leads to a different pattern of API requests between deployment engine and RP.

For children declared as parent properties, ARM will submit a single PUT containing all the data to the RP's /parent endpoint.

For children declared as actual child resources, ARM will submit a single PUT without child resource data to the RP's /parent endpoint, followed by a series of PUTs to the RP's /parent/child endpoint for the individual child resources.

In an ideal world, we would like RPs to treat both sets of operations as equivalent, however there are RPs that will interpret the latter as "remove all the child resources first, then add them back" - meaning there's a period where a destructive action occurs. The most common examples I'm aware of with this behavior are Microsoft.KeyVault/vaults (with accessPolicies), and Microsoft.Network/networkSecurityGroups (with securityRules).

You're probably already aware; just wanted to note this info down for anyone else who might come across this!

[alex-frankel]

+1 to Anthony's comments. Unfortunately, the current snippet is the less bad one :) If you have resources connected to these subnets and the subnets get redeployed as a child resource, the deployment will fail because NetworkRP will attempt to delete the subnet, which is not allowed if there are currently connected resources.

You can use resourceId('microsoft.network/virtualNetworks/subnets', virtualNetwork.name, '<SUBNET-NAME>') to get the ID or access via virtualNetwork.properties.subnets[*].id. The latter is also not ideal because you can't guarantee the order of the subnets array.

Going to close this for now, but feel free to reopen/continue the discussion.

[StephenWeatherford]

Let's discuss at next triage. BTW, I've been doing this transformation in a lot of samples and no one has complained in the code reviews.

[StephenWeatherford]

Superseded by #3886