Ignores Azure resource tag for all Azure resources (#422)

As Azure Policies can enforce specific Azure Tags and due to Terraform keeps its own state, Terraform tries to remove the tags at every deploy, but Azure Policy re-adds them.
2021-07-07 17:20:12 +03:00 · 2021-07-07 17:20:12 +03:00 · 665fba147e
--- a/.github/workflows/deploy_tre.yml
+++ b/.github/workflows/deploy_tre.yml
@ -304,4 +304,4 @@ jobs:
      
          export PORTER_DRIVER=docker
          make porter-publish DIR=./workspaces/innereye_deeplearning_inference
-          make porter-install DIR=./workspaces/innereye_deeplearning_inference
+          make porter-install DIR=./workspaces/innereye_deeplearning_inference
--- a/devops/terraform/main.tf
+++ b/devops/terraform/main.tf
@ -10,6 +10,8 @@ data "azurerm_client_config" "current" {}
 resource "azurerm_resource_group" "mgmt" {
  name     = var.mgmt_resource_group_name
  location = var.location
+
+  lifecycle { ignore_changes = [ tags ] }
 }


@ -22,6 +24,8 @@ resource "azurerm_storage_account" "state_storage" {
  account_kind             = "StorageV2"
  account_replication_type = "LRS"
  allow_blob_public_access = false
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 #
@ -33,4 +37,6 @@ resource "azurerm_container_registry" "shared_acr" {
  location            = azurerm_resource_group.mgmt.location
  sku                 = var.acr_sku
  admin_enabled       = true
+
+  lifecycle { ignore_changes = [ tags ] }
 }
--- a/templates/core/terraform/acr/acr.tf
+++ b/templates/core/terraform/acr/acr.tf
@ -9,11 +9,15 @@ resource "azurerm_container_registry" "acr" {
  location                 = var.location
  sku                      = "Premium"
  admin_enabled            = false
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone" "azurecr" {
  name                = "privatelink.azurecr.io"
  resource_group_name = var.resource_group_name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "acrlink" {
@ -21,6 +25,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "acrlink" {
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.azurecr.name
  virtual_network_id    = var.core_vnet
+  
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "acrpe" {
@ -40,4 +46,6 @@ resource "azurerm_private_endpoint" "acrpe" {
    is_manual_connection           = false
    subresource_names              = ["registry"]
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }
--- a/templates/core/terraform/api-webapp/api-webapp.tf
+++ b/templates/core/terraform/api-webapp/api-webapp.tf
@ -5,6 +5,8 @@ resource "azurerm_app_service_plan" "core" {
  reserved            = true
  kind                = "linux"

+  lifecycle { ignore_changes = [ tags ] }
+
  sku {
    tier     = "PremiumV3"
    capacity = 1
@ -48,6 +50,8 @@ resource "azurerm_app_service" "management_api" {
    identity_ids = [ var.managed_identity.id ]
  }

+  lifecycle { ignore_changes = [ tags ] }
+
  site_config {
    linux_fx_version            = "DOCKER|${var.docker_registry_server}/${var.management_api_image_repository}:${var.management_api_image_tag}"
    remote_debugging_enabled    = false
@ -92,6 +96,8 @@ resource "azurerm_private_endpoint" "management_api_private_endpoint" {
  location            = var.location
  subnet_id           = var.shared_subnet

+  lifecycle { ignore_changes = [ tags ] }
+
  private_service_connection {
    private_connection_resource_id = azurerm_app_service.management_api.id
    name                           = "psc-api-${var.tre_id}"
--- a/templates/core/terraform/appgateway/appgateway.tf
+++ b/templates/core/terraform/appgateway/appgateway.tf
@ -5,12 +5,16 @@ resource "azurerm_public_ip" "appgwpip" {
  allocation_method     = "Static"
  sku                   = "Standard"
  domain_name_label     = var.tre_id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_user_assigned_identity" "agw_id" {
  resource_group_name = var.resource_group_name
  location = var.location
  name = "msi-agw-${var.tre_id}"
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_application_gateway" "agw" {
@ -177,7 +181,8 @@ resource "azurerm_application_gateway" "agw" {
  # We don't want Terraform to revert certificate cycle changes. We assume the certificate will be renewed in keyvault.
  lifecycle {
    ignore_changes = [
-      ssl_certificate
+      ssl_certificate,
+      tags
    ]
  }

--- a/templates/core/terraform/appgateway/staticweb.tf
+++ b/templates/core/terraform/appgateway/staticweb.tf
@ -17,6 +17,8 @@ resource "azurerm_storage_account" "staticweb" {
        tre_id = var.tre_id
    }

+    lifecycle { ignore_changes = [ tags ] }
+
    network_rules {
      bypass         = ["AzureServices"]
      default_action = "Deny"
--- a/templates/core/terraform/bastion/bastion.tf
+++ b/templates/core/terraform/bastion/bastion.tf
@ -4,6 +4,8 @@ resource "azurerm_public_ip" "bastion" {
  location            = var.location
  allocation_method   = "Static"
  sku                 = "Standard"
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_bastion_host" "bastion" {
@ -16,5 +18,7 @@ resource "azurerm_bastion_host" "bastion" {
    subnet_id            = var.bastion_subnet
    public_ip_address_id = azurerm_public_ip.bastion.id
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }

--- a/templates/core/terraform/firewall/firewall.tf
+++ b/templates/core/terraform/firewall/firewall.tf
@ -4,6 +4,8 @@ resource "azurerm_public_ip" "fwpip" {
  location            = var.location
  allocation_method   = "Static"
  sku                 = "Standard"
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_firewall" "fw" {
@ -16,6 +18,8 @@ resource "azurerm_firewall" "fw" {
    subnet_id            = var.firewall_subnet
    public_ip_address_id = azurerm_public_ip.fwpip.id
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_monitor_diagnostic_setting" "firewall" {
--- a/templates/core/terraform/keyvault/keyvault.tf
+++ b/templates/core/terraform/keyvault/keyvault.tf
@ -28,6 +28,8 @@ resource "azurerm_key_vault" "kv" {
      "Get", "List", "Update", "Delete"
    ]
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_key_vault_access_policy" "managed_identity" {
@ -43,6 +45,8 @@ resource "azurerm_key_vault_access_policy" "managed_identity" {
 resource "azurerm_private_dns_zone" "vaultcore" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = var.resource_group_name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "vaultcorelink" {
@ -50,6 +54,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vaultcorelink" {
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.vaultcore.name
  virtual_network_id    = var.core_vnet
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "kvpe" {
@ -58,6 +64,8 @@ resource "azurerm_private_endpoint" "kvpe" {
  resource_group_name = var.resource_group_name
  subnet_id           = var.shared_subnet

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.vaultcore.id]
--- a/templates/core/terraform/main.tf
+++ b/templates/core/terraform/main.tf
@ -20,6 +20,8 @@ resource "azurerm_resource_group" "core" {
    tre_id  = var.tre_id
    source  = "https://github.com/microsoft/AzureTRE/"
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_application_insights" "core" {
@ -27,6 +29,8 @@ resource "azurerm_application_insights" "core" {
  resource_group_name = azurerm_resource_group.core.name
  location            = var.location
  application_type    = "web"
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_log_analytics_workspace" "core" {
@ -35,6 +39,8 @@ resource "azurerm_log_analytics_workspace" "core" {
  location            = var.location
  retention_in_days   = 30
  sku                 = "pergb2018"
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 module "network" {
--- a/templates/core/terraform/network/dns_zones.tf
+++ b/templates/core/terraform/network/dns_zones.tf
@ -2,6 +2,8 @@
 resource "azurerm_private_dns_zone" "azurewebsites" {
  name                = "privatelink.azurewebsites.net"
  resource_group_name = var.resource_group_name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites" {
@ -10,4 +12,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites" {
  private_dns_zone_name = azurerm_private_dns_zone.azurewebsites.name
  name                  = "azurewebsites-link"
  registration_enabled  = false
-}
+
+  lifecycle { ignore_changes = [ tags ] }
+}
--- a/templates/core/terraform/network/network.tf
+++ b/templates/core/terraform/network/network.tf
@ -3,6 +3,8 @@ resource "azurerm_virtual_network" "core" {
  location            = var.location
  resource_group_name = var.resource_group_name
  address_space       = [var.address_space]
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_subnet" "bastion" {
@ -75,6 +77,8 @@ resource "azurerm_network_profile" "aciprofile" {
      subnet_id = azurerm_subnet.aci.id
    }
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_subnet" "shared" {
--- a/templates/core/terraform/processor_function/function.tf
+++ b/templates/core/terraform/processor_function/function.tf
@ -57,4 +57,5 @@ resource "azurerm_function_app" "procesorfunction" {
    identity_ids = [ var.managed_identity.id ]
  }

+  lifecycle { ignore_changes = [ tags ] }
 }
--- a/templates/core/terraform/routetable/routetable.tf
+++ b/templates/core/terraform/routetable/routetable.tf
@ -4,6 +4,8 @@ resource "azurerm_route_table" "rt" {
  location                      = var.location
  disable_bgp_route_propagation = false

+  lifecycle { ignore_changes = [ tags ] }
+
  route {
    name           = "DefaultRoute"
    address_prefix = "0.0.0.0/0"
--- a/templates/core/terraform/servicebus/servicebus.tf
+++ b/templates/core/terraform/servicebus/servicebus.tf
@ -4,6 +4,8 @@ resource "azurerm_servicebus_namespace" "sb" {
  resource_group_name = var.resource_group_name
  sku                 = "Premium"
  capacity            = "1"
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_servicebus_queue" "workspacequeue" {
@ -25,6 +27,8 @@ resource "azurerm_servicebus_queue" "service_bus_deployment_status_update_queue"
 resource "azurerm_private_dns_zone" "servicebus" {
  name                = "privatelink.servicebus.windows.net"
  resource_group_name = var.resource_group_name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "servicebuslink" {
@ -32,6 +36,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "servicebuslink" {
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.servicebus.name
  virtual_network_id    = var.core_vnet
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "sbpe" {
@ -40,6 +46,8 @@ resource "azurerm_private_endpoint" "sbpe" {
  resource_group_name = var.resource_group_name
  subnet_id           = var.shared_subnet

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.servicebus.id]
--- a/templates/core/terraform/state-store/statestore.tf
+++ b/templates/core/terraform/state-store/statestore.tf
@ -17,6 +17,8 @@ resource "azurerm_cosmosdb_account" "tre-db-account" {
    location          = var.location
    failover_priority = 0
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_cosmosdb_sql_database" "tre-db" {
@ -29,6 +31,8 @@ resource "azurerm_cosmosdb_sql_database" "tre-db" {
 resource "azurerm_private_dns_zone" "cosmos" {
  name                = "privatelink.documents.azure.com"
  resource_group_name = var.resource_group_name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "cosmos_documents_dns_link" {
@ -36,6 +40,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "cosmos_documents_dns_l
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.cosmos.name
  virtual_network_id    = var.core_vnet
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "sspe" {
@ -44,6 +50,8 @@ resource "azurerm_private_endpoint" "sspe" {
  resource_group_name = var.resource_group_name
  subnet_id           = var.shared_subnet

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.cosmos.id]
--- a/templates/core/terraform/storage/storage.tf
+++ b/templates/core/terraform/storage/storage.tf
@ -5,6 +5,7 @@ resource "azurerm_storage_account" "stg" {
  account_tier             = "Standard"
  account_replication_type = "LRS"

+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_storage_share" "storage_state_path" {
@ -16,6 +17,8 @@ resource "azurerm_storage_share" "storage_state_path" {
 resource "azurerm_private_dns_zone" "blobcore" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = var.resource_group_name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "blobcorelink" {
@ -23,6 +26,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "blobcorelink" {
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.blobcore.name
  virtual_network_id    = var.core_vnet
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "blobpe" {
@ -31,6 +36,8 @@ resource "azurerm_private_endpoint" "blobpe" {
  resource_group_name = var.resource_group_name
  subnet_id           = var.shared_subnet

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group-blobcore"
    private_dns_zone_ids = [azurerm_private_dns_zone.blobcore.id]
@ -47,6 +54,8 @@ resource "azurerm_private_endpoint" "blobpe" {
 resource "azurerm_private_dns_zone" "filecore" {
  name                = "privatelink.file.core.windows.net"
  resource_group_name = var.resource_group_name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "filecorelink" {
@ -54,6 +63,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "filecorelink" {
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.filecore.name
  virtual_network_id    = var.core_vnet
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "filepe" {
@ -62,6 +73,8 @@ resource "azurerm_private_endpoint" "filepe" {
  resource_group_name = var.resource_group_name
  subnet_id           = var.shared_subnet

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group-filecore"
    private_dns_zone_ids = [azurerm_private_dns_zone.filecore.id]
--- a/templates/core/terraform/user-assigned-identity/identity.tf
+++ b/templates/core/terraform/user-assigned-identity/identity.tf
@ -5,6 +5,8 @@ resource "azurerm_user_assigned_identity" "id" {
  location            = var.location

  name = "msi-${var.tre_id}"
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_role_assignment" "contributor" {
--- a/workspaces/services/azureml/terraform/acr/main.tf
+++ b/workspaces/services/azureml/terraform/acr/main.tf
@ -24,11 +24,15 @@ resource "azurerm_container_registry" "acr" {
  resource_group_name      = data.azurerm_resource_group.ws.name
  sku                      = "Premium"
  admin_enabled            = false
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone" "azurecr" {
  name                = "privatelink.azurecr.io"
  resource_group_name = data.azurerm_resource_group.ws.name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "azurecrlink" {
@ -36,6 +40,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azurecrlink" {
  resource_group_name   = data.azurerm_resource_group.ws.name
  private_dns_zone_name = azurerm_private_dns_zone.azurecr.name
  virtual_network_id    = data.azurerm_virtual_network.ws.id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "acrpe" {
@ -44,6 +50,8 @@ resource "azurerm_private_endpoint" "acrpe" {
  resource_group_name   = data.azurerm_resource_group.ws.name
  subnet_id           = data.azurerm_subnet.services.id

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.azurecr.id]
--- a/workspaces/services/azureml/terraform/keyvault/main.tf
+++ b/workspaces/services/azureml/terraform/keyvault/main.tf
@ -27,11 +27,15 @@ resource "azurerm_key_vault" "kv" {
  sku_name                 = "standard"
  purge_protection_enabled = true
  tenant_id                = data.azurerm_client_config.current.tenant_id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone" "vaultcore" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = data.azurerm_resource_group.ws.name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "vaultcorelink" {
@ -39,6 +43,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vaultcorelink" {
  resource_group_name   = data.azurerm_resource_group.ws.name
  private_dns_zone_name = azurerm_private_dns_zone.vaultcore.name
  virtual_network_id    = data.azurerm_virtual_network.ws.id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "kvpe" {
@ -47,6 +53,8 @@ resource "azurerm_private_endpoint" "kvpe" {
  resource_group_name = data.azurerm_resource_group.ws.name
  subnet_id           = data.azurerm_subnet.services.id

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.vaultcore.id]
--- a/workspaces/services/azureml/terraform/main.tf
+++ b/workspaces/services/azureml/terraform/main.tf
@ -59,6 +59,8 @@ resource "azurerm_application_insights" "ai" {
  location            = data.azurerm_resource_group.ws.location
  resource_group_name = data.azurerm_resource_group.ws.name
  application_type    = "web"
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_machine_learning_workspace" "ml" {
@ -72,22 +74,30 @@ resource "azurerm_machine_learning_workspace" "ml" {
  identity {
    type = "SystemAssigned"
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone" "azureml" {
  name                = "privatelink.api.azureml.ms"
  resource_group_name = data.azurerm_resource_group.ws.name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone" "azuremlcert" {
  name                = "privatelink.cert.api.azureml.ms"
  resource_group_name = data.azurerm_resource_group.ws.name
+
+  lifecycle { ignore_changes = [ tags ] }
 }


 resource "azurerm_private_dns_zone" "notebooks" {
  name                = "privatelink.notebooks.azure.net"
  resource_group_name = data.azurerm_resource_group.ws.name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "azuremllink" {
@ -95,6 +105,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azuremllink" {
  resource_group_name   = data.azurerm_resource_group.ws.name
  private_dns_zone_name = azurerm_private_dns_zone.azureml.name
  virtual_network_id    = data.azurerm_virtual_network.ws.id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "azuremlcertlink" {
@ -102,6 +114,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azuremlcertlink" {
  resource_group_name   = data.azurerm_resource_group.ws.name
  private_dns_zone_name = azurerm_private_dns_zone.azuremlcert.name
  virtual_network_id    = data.azurerm_virtual_network.ws.id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "notebookslink" {
@ -109,6 +123,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "notebookslink" {
  resource_group_name   = data.azurerm_resource_group.ws.name
  private_dns_zone_name = azurerm_private_dns_zone.notebooks.name
  virtual_network_id    = data.azurerm_virtual_network.ws.id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "mlpe" {
@ -117,6 +133,8 @@ resource "azurerm_private_endpoint" "mlpe" {
  resource_group_name = data.azurerm_resource_group.ws.name
  subnet_id           = data.azurerm_subnet.services.id

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.azureml.id, azurerm_private_dns_zone.notebooks.id, azurerm_private_dns_zone.azuremlcert.id]
--- a/workspaces/services/azureml/terraform/storage/main.tf
+++ b/workspaces/services/azureml/terraform/storage/main.tf
@ -20,21 +20,26 @@ resource "azurerm_storage_account" "stg" {
  account_tier             = "Standard"
  account_replication_type = "GRS"

+  lifecycle { ignore_changes = [ tags ] }
+
  network_rules {
      bypass         = ["AzureServices"]
      default_action = "Deny"
  }
-
 }

 resource "azurerm_private_dns_zone" "filecore" {
  name                = "privatelink.file.core.windows.net"
  resource_group_name = data.azurerm_resource_group.ws.name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone" "blobcore" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = data.azurerm_resource_group.ws.name
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "filecorelink" {
@ -42,6 +47,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "filecorelink" {
  resource_group_name   = data.azurerm_resource_group.ws.name
  private_dns_zone_name = azurerm_private_dns_zone.filecore.name
  virtual_network_id    = data.azurerm_virtual_network.ws.id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_dns_zone_virtual_network_link" "blobcorelink" {
@ -49,6 +56,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "blobcorelink" {
  resource_group_name   = data.azurerm_resource_group.ws.name
  private_dns_zone_name = azurerm_private_dns_zone.blobcore.name
  virtual_network_id    = data.azurerm_virtual_network.ws.id
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 resource "azurerm_private_endpoint" "stgfilepe" {
@ -57,6 +66,8 @@ resource "azurerm_private_endpoint" "stgfilepe" {
  resource_group_name = data.azurerm_resource_group.ws.name
  subnet_id           = data.azurerm_subnet.services.id

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.filecore.id]
@ -76,6 +87,8 @@ resource "azurerm_private_endpoint" "stgblobpe" {
  resource_group_name = data.azurerm_resource_group.ws.name
  subnet_id           = data.azurerm_subnet.services.id

+  lifecycle { ignore_changes = [ tags ] }
+
  private_dns_zone_group {
    name                 = "private-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.blobcore.id]
--- a/workspaces/vanilla/terraform/main.tf
+++ b/workspaces/vanilla/terraform/main.tf
@ -22,6 +22,8 @@ resource "azurerm_resource_group" "ws" {
    tre_id  = var.tre_id
    source  = "https://github.com/microsoft/AzureTRE/"
  }
+
+  lifecycle { ignore_changes = [ tags ] }
 }

 module "network" {
--- a/workspaces/vanilla/terraform/network/network.tf
+++ b/workspaces/vanilla/terraform/network/network.tf
@ -3,6 +3,8 @@ resource "azurerm_virtual_network" "ws" {
  location            = var.location
  resource_group_name = var.resource_group_name
  address_space       = [var.address_space]
+
+  lifecycle { ignore_changes = [ tags ] }
 }


@ -70,6 +72,8 @@ resource "azurerm_network_security_group" "ws" {
  location            = var.location
  name                = "nsg-ws"
  resource_group_name = var.resource_group_name
+
+  lifecycle { ignore_changes = [ tags ] }
 }


@ -199,4 +203,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "azurewebsites" {
  private_dns_zone_name = "privatelink.azurewebsites.net"
  name                  = "link-azurewebsites-${local.workspace_resource_name_suffix}"
  registration_enabled  = false
-}
+
+  lifecycle { ignore_changes = [ tags ] }
+}