How to create service delagation to an existing subnet?

Below code will create a service while creating subnet. Is there anyway to create a delegation to existing subnet? The main purpose is, below code will be create error for policy Deny-Subnet-Without-Nsg. So, creating this subnet directly in the vnet block.

resource "azurerm_subnet" "example" {

  virtual_network_name = azurerm_virtual_network.aksvnet.name
  name                 = "aks-postgres-subnet"
  resource_group_name  = azurerm_resource_group.aks_rg.name
  address_prefixes     = ["10.230.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
  delegation {
    name = "fs"
    service_delegation {
      name = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
  depends_on = [azurerm_virtual_network.aksvnet, azurerm_network_security_group.example]
}

The below code don't have option to add service delegation.

resource "azurerm_virtual_network" "aksvnet" {

  name                = "aks-network"

  location            = azurerm_resource_group.aks_rg.location

  resource_group_name = azurerm_resource_group.aks_rg.name

  address_space       = ["10.0.0.0/8"]

  subnet {

    name           = "aks-default-subnet"

    address_prefix = "10.240.0.0/16"

    security_group = azurerm_network_security_group.example.id

  }

  subnet {

    name           = "aks-postgres-subnet"

    address_prefix = "10.230.2.0/24"

    security_group = azurerm_network_security_group.example.id

  }

}

So thought to create a subnet first like above and apply the service delegation after that. How to do it?

A bit late to the party, but I just had to solve this issue myself and stumble across this post.

I solved it by utilizing the AzAPI Provider to patch the subnet.

In short: use the subnet data source to get the id and patch it:

data "azurerm_subnet" "subnet" {
  name                 = "my-subnet"
  virtual_network_name = "my-vnet"
  resource_group_name  = "network-rg"
}

/*
NB: Delegation isn't removed on destroy. It does however resolve delta if the delegation is manually removed from the subnet. 
Beware of race condition with azurerm_subnet.delegation[] if it's managed by Terraform somewhere else -> in that case: lifecycle { ignore_changes = [ delegation ] }
*/
resource "azapi_update_resource" "patch" {
  type        = "Microsoft.Network/virtualNetworks/subnets@2022-05-01"
  resource_id = data.azurerm_subnet.subnet.id

  body = jsonencode({
    properties = {
      delegations = [
        {
          name = "aci-delegation"
          properties = {
            serviceName = "Microsoft.ContainerInstance/containerGroups"
            actions     = ["Microsoft.Network/virtualNetworks/subnets/action"]
          }
        }
      ]
    }
  })
}

I don't know why Terraform doesn't allow you to add a delegation in a subnet when using the nested option, the ARM spec for this does include delegations so you might want to raise a bug with Terraform to add this.

That said, you can't have Terraform update a resource it created earlier, so the only way you can do this is use a local_exec block to run some PowerShell or Azure CLI to add the delegation.

The other option would be to use the ARM module in Terraform to have it run an ARM template which creates the vNet, but then you loose a lot of the benefit of Terraform.