Dynamic Scopes created by Terraform azapi provider doesn't work

Kasper Kornak 20 Reputation points
2024-03-23T20:42:33.3166667+00:00

Hi,

I've been trying to deploy the Dynamic Scopes resource using the azapi provider, as azurerm doesn't support it yet. I have created the following resource:

resource "azapi_resource" "test_dynamic_scope" {
  type      = "Microsoft.Maintenance/configurationAssignments@2023-04-01"
  name      = "DynamicScopeAttachment"
  location  = var.location
  parent_id = "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX"

  body = jsonencode({
    properties = {
      filter = {
        locations      = []
        osTypes        = []
        resourceGroups = ["myRG"]
        resourceTypes  = ["Microsoft.Compute/virtualMachines"]
        tagSettings = {
          filterOperator = "All"
          tags           = {}
        }
      }
      maintenanceConfigurationId = azapi_resource.test_maintenance_configuration.id
      resourceId                 = "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX"
    }
  })
}

Now, when I try to apply this resource, I get through the Terraform validation, but while creating resource I get:

│ --------------------------------------------------------------------------------
│ RESPONSE 500: 500 Internal Server Error
│ ERROR CODE UNAVAILABLE
│ --------------------------------------------------------------------------------
│ {
│   "Message": "An error has occurred."
│ }
│ --------------------------------------------------------------------------------

I have read that the resourceId should be set to subscription ID, based on this thread. I have also tried multiple combinations of resource group, subscription, and maintenance configuration IDs in parent_id and resourceId fields, yet nothing seems to work. Does this resource support creating new ones or is it used to update only existing ones? Could someone help me with troubleshooting or provide an example of a working Terraform config to deploy Dynamic Scopes?

Azure Update Manager

1 answer

  1. Sina Salam 3,561 Reputation points
    2024-03-24T15:22:40.5366667+00:00

    Hello @Kasper Kornak

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Sequel to your questions, I understand that you are deploying a Dynamic Scope Attachment using the azapi_resource in Terraform to Azure API Management. You asked whether the resource supports creating new ones or is used only to update existing ones, and how to troubleshoot and provide an example of a working Terraform config to deploy Dynamic Scopes.

    Based on the provided configuration, it's crucial to troubleshoot and understand the possible issues causing the Internal Server Error (500).

    On the first question, the azapi_resource is typically used to interact with Azure API Management resources. Regarding Dynamic Scopes, it should be possible to create new Dynamic Scope Attachments using this resource, not just update existing ones.

    Second question part A: Troubleshooting the issue with a 500 Internal Server Error can involve several steps, and they are not limited to the following:

    • Check the Azure API Management logs for more detailed error information.
    • Ensure that the configuration provided to the API Management service is correct and properly formatted.
    • Verify that all necessary permissions are granted to the service principal used by Terraform to manage resources.
    • Check if there are any restrictions or limitations specific to the Azure API Management service that could be causing the error.

    Second question part B: The example Terraform configuration for deploying Dynamic Scopes; this is a simplified version.

    variable "location" {
      default = "eastus"
    }
    variable "subscription_id" {
      default = "YOUR_SUBSCRIPTION_ID"
    }
    resource "azapi_resource" "test_dynamic_scope" {
      type = "Microsoft.Maintenance/configurationAssignments@2023-04-01"
      name = "DynamicScopeAttachment"
      location = var.location
      parent_id = "/subscriptions/${var.subscription_id}"
      body = jsonencode({
        properties = {
          filter = {
            locations = []
            osTypes = []
            resourceGroups = ["myRG"]
            resourceTypes = ["Microsoft.Compute/virtualMachines"]
            tagSettings = {
              filterOperator = "All"
              tags = {}
            }
          }
          maintenanceConfigurationId = azapi_resource.test_maintenance_configuration.id
          resourceId = "/subscriptions/${var.subscription_id}"
        }
      })
    }
    

    Recommended solution on how to solve the issues:

    1. Ensure that the parent_id and resourceId are correctly set to the subscription ID.
    2. Double-check the formatting of the body payload, and confirm that it fits the Azure API Management's requirements for Dynamic Scope Attachments.
    3. Ensure you meet specific requirements or restrictions for Dynamic Scope Attachments in the Azure API Management especially credentials, because dynamic scope attachments enable you to dynamically attach scopes to access tokens issued by Azure AD. These scopes can be based on various criteria such as user roles, groups, or other conditions.

    If the issue persists after all of the above, consider reaching out to Microsoft Azure support via Azure portal for further assistance.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam
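Because the 500 response in the question carries no detail, the only check that can be done offline is on the shape of the request itself. The following Python script is an added example, not code from the question, the answer, or the azapi provider: it decodes the JSON that `jsonencode({...})` would send and checks it against the shape used in this thread (parent_id and resourceId both the bare subscription path, a maintenanceConfigurationId that points at a maintenanceConfigurations resource, and a filter with locations/osTypes/resourceGroups/resourceTypes plus tagSettings). The subscription id is a constructed placeholder; the allowed filterOperator values ("All", "Any") and the rule that each tag maps to a list of strings are assumptions about the 2023-04-01 schema and are marked as such in the code.

```python
"""Offline preflight for a Microsoft.Maintenance/configurationAssignments body.

Added example (not from the thread or the azapi provider). Checks the body
against the field shape used in the thread before `terraform apply` is run.
"""
import json
import re

# Constructed placeholder; not a real subscription.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
PARENT_ID = f"/subscriptions/{SUBSCRIPTION_ID}"

SUBSCRIPTION_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"
)
MAINT_CONFIG_MARKER = "/providers/Microsoft.Maintenance/maintenanceConfigurations/"
FILTER_LISTS = ("locations", "osTypes", "resourceGroups", "resourceTypes")
ALLOWED_OPERATORS = ("All", "Any")  # assumption about the filterOperator enum


def _is_string_list(value) -> bool:
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def check_assignment(parent_id: str, body: str) -> list:
    """Return a list of problems found; an empty list means the body passed."""
    problems = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc}"]

    # Dynamic scopes are created at subscription scope (thread's point 1).
    if not SUBSCRIPTION_RE.match(parent_id):
        problems.append("parent_id must be a bare subscription id path")

    props = doc.get("properties")
    if not isinstance(props, dict):
        return problems + ["properties object missing"]

    if props.get("resourceId") != parent_id:
        problems.append("properties.resourceId must equal parent_id")

    mc = props.get("maintenanceConfigurationId", "")
    if not isinstance(mc, str) or MAINT_CONFIG_MARKER not in mc:
        problems.append("maintenanceConfigurationId is not a maintenanceConfigurations resource id")

    flt = props.get("filter")
    if not isinstance(flt, dict):
        return problems + ["filter object missing; without it this is not a dynamic scope"]

    for key in FILTER_LISTS:
        if key in flt and not _is_string_list(flt[key]):
            problems.append(f"filter.{key} must be a list of strings")

    tags = {}
    tag_settings = flt.get("tagSettings")
    if tag_settings is not None:
        if not isinstance(tag_settings, dict):
            problems.append("filter.tagSettings must be an object")
        else:
            if tag_settings.get("filterOperator") not in ALLOWED_OPERATORS:
                problems.append(f"filter.tagSettings.filterOperator must be one of {ALLOWED_OPERATORS}")
            tags = tag_settings.get("tags", {})
            if not isinstance(tags, dict):
                problems.append("filter.tagSettings.tags must be an object")
                tags = {}
            for name, values in tags.items():  # assumption: tag -> list of strings
                if not _is_string_list(values):
                    problems.append(f"filter.tagSettings.tags[{name!r}] must be a list of strings")

    # Blast-radius guard: with no criterion at all the scope is not narrowed.
    if not (any(flt.get(k) for k in FILTER_LISTS) or tags):
        problems.append("no filter criterion set: the scope is not narrowed at all")
    return problems


# Constructed sample bodies mirroring the thread's configuration.
GOOD_BODY = json.dumps({"properties": {
    "filter": {"locations": [], "osTypes": [], "resourceGroups": ["myRG"],
               "resourceTypes": ["Microsoft.Compute/virtualMachines"],
               "tagSettings": {"filterOperator": "All", "tags": {}}},
    "maintenanceConfigurationId": f"{PARENT_ID}/resourceGroups/myRG{MAINT_CONFIG_MARKER}example-config",
    "resourceId": PARENT_ID,
}})
BAD_BODY = json.dumps({"properties": {
    "filter": {"resourceGroups": ["myRG"],
               "tagSettings": {"filterOperator": "All", "tags": {"env": "prod"}}},
    "maintenanceConfigurationId": f"{PARENT_ID}/resourceGroups/myRG{MAINT_CONFIG_MARKER}example-config",
    "resourceId": f"{PARENT_ID}/resourceGroups/myRG",  # resource group, not subscription
}})

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(label, check_assignment(PARENT_ID, body) or "ok")
```

Run it with the body produced by `terraform console` (for example `jsonencode(...)` evaluated there) pasted into `BAD_BODY`'s place; a non-empty result points at the field to fix before the request ever reaches the service. The subscription-path checks encode only what the thread itself states (both ids set to the subscription); the checker does not claim that a passing body is guaranteed to be accepted, since the service returned no detail with its 500.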