Terraform seems to be incorrectly fetching the subscription of the firewall_policy_id

[RahulTripathi-07]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

The policy ID should be the NPS subscription and already exists, firewall policies only exist in the NPS & SHD sub's. Terraform seems to be incorrectly fetching the subscription of the firewall_policy_id (QA instead of NPS),
this seems like a Terraform bug.

Every time it seems terraform to force replacement even the Firewall policy id already exists.
We have tried to update same with other terraform version as well.

Terraform Version

1.5

AzureRM Provider Version

3.83.0

Affected Resource(s)/Data Source(s)

azurerm_firewall_policy_rule_collection_group

Terraform Configuration Files

# Setup the terraform configuration
terraform {
  required_version = ">= 0.12.6"
  backend "azurerm" {
      resource_group_name  = "rg-${lookup(local.short_region_names, var.location)}-${var.environment_code}-tf-01"
      storage_account_name = "rb0${lookup(local.short_region_names, var.location)}0${var.environment_code}0lrs0tstate001"
      container_name       = "tfstate"
      key                  = "${var.environment_code}-${local.current_du_details.name}-terraform.tfstate"
  }  

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.83.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.11.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.1.0"
    }
    null = {
      source  = "hashicorp/null"
      version = "~> 3.1.0"
    }
    http = {
      source  = "hashicorp/http"
      version = "~> 2.1.0"
    }
    tls = {
      source = "hashicorp/tls"
      version = "~> 3.1.0"
    }
  }
}

Debug Output/Panic Output

~ firewall_policy_id = "/subscriptions/XXXXX-b028-XXXXX-adee-XXXXX/resourceGroups/test-azfw-01/providers/Microsoft.Network/firewallPolicies/azfw-weu-nps-policy-01" -> "/subscriptions/XXXXX-d0f7-4038-XXXXX-XXXXX/resourceGroups/test-azfw-01/providers/Microsoft.Network/firewallPolicies/azfw-weu-nps-policy-01" # forces replacement

In the above example Terraform believes that the current id is in the QA sub (XXXXX-b028-XXXXX-adee-XXXXX) and is wanting to change it to the NPS sub (XXXXX-d0f7-4038-XXXXX-XXXXX). The policy ID should be the NPS sub and already is, firewall policies only exist in the NPS & SHD sub's. Terraform seems to be incorrectly fetching the subscription of the firewall_policy_id (QA instead of NPS).

Expected Behaviour

There should no force replacement of resource.

Actual Behaviour

Steps to Reproduce

No response

Important Factoids

No response

References

No response

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.