Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

azapi - not all resources support tags #209

Closed
hbuckle opened this issue Nov 25, 2024 · 15 comments · Fixed by #210
Closed

azapi - not all resources support tags #209

hbuckle opened this issue Nov 25, 2024 · 15 comments · Fixed by #210

Comments

@hbuckle
Copy link
Contributor

hbuckle commented Nov 25, 2024

Describe the bug

Support was added in 0.5.1 for tagging azapi resources, but not all resources in ARM support tags (particularly sub-resources), leading to errors at plan time.

To Reproduce

data "azurerm_client_config" "current" {}

data "azurerm_container_app" "example" {
  name                = "example"
  resource_group_name = "example"
}

resource "azapi_resource" "example" {
  type      = "Microsoft.App/containerApps/authConfigs@2024-03-01"
  name      = "current"
  parent_id = data.azurerm_container_app.example.id
  body = {
    properties = {
      globalValidation = {
        redirectToProvider          = "azureactivedirectory"
        unauthenticatedClientAction = "RedirectToLoginPage"
      }
      identityProviders = {
        azureActiveDirectory = {
          enabled           = true
          isAutoProvisioned = false
          registration = {
            clientId                = "example"
            clientSecretSettingName = "microsoft-provider-authentication-secret"
            openIdIssuer            = "https://sts.windows.net/${data.azurerm_client_config.current.tenant_id}/v2.0"
          }
          validation = {
            allowedAudiences = [
              "example",
            ]
            defaultAuthorizationPolicy = {
              allowedApplications = [
                "example",
              ]
            }
          }
        }
      }
      login = {}
      platform = {
        enabled        = true
        runtimeVersion = "~2"
      }
    }
  }
}
terratag -default-to-terraform -rename=false -tags="{\"test\":\"test\"}" -type=terraform -verbose
terraform plan

Planning failed. Terraform encountered an error while generating this plan.


│ Error: Invalid configuration

│ with azapi_resource.example,
│ on main.tf line 8, in resource "azapi_resource" "example":
│ 8: resource "azapi_resource" "example" {

│ embedded schema validation failed: the argument "body" is invalid:
tags is not expected here. Do you mean properties?

Expected behavior

I'm not sure what the best way to handle this is - we can use the -filter option as a workaround, but there are so many of these sub-resources in ARM I feel like that would become unworkable.
I'm also not sure there is any way to handle this from the terratag side, it seems like the azapi provider is doing some dynamic validation at plan time.

Desktop (please complete the following information):

  • OS: Any
  • Terraform version: 1.9.8
  • Providers/module versions if applicable: azapi 2.0.1
@hbuckle
Copy link
Contributor Author

hbuckle commented Nov 25, 2024

For now I've just excluded all azapi resources with the filter option

@TomerHeber
Copy link
Collaborator

@hbuckle this is indeed a challenge.

maybe a white list approach.

E.g asking ourselves what type of resources we would like to tag.

type = "Microsoft.App/containerApps/* is a no...
But do you have types that are a "yes" ?

@TomerHeber
Copy link
Collaborator

Please confirm that this is what we're looking for:
https://github.com/tfitzmac/resource-capabilities/blob/main/tag-support.csv

@hbuckle
Copy link
Contributor Author

hbuckle commented Nov 25, 2024

I haven't seen that list before, I note it hasn't been updated in some time though...

@hbuckle
Copy link
Contributor Author

hbuckle commented Nov 25, 2024

@hbuckle this is indeed a challenge.

maybe a white list approach.

E.g asking ourselves what type of resources we would like to tag.

type = "Microsoft.App/containerApps/* is a no... But do you have types that are a "yes" ?

I'm not sure if there is a good way to tell just from the resource type - it isn't really consistent, some sub-resources do support tags and some don't

@TomerHeber
Copy link
Collaborator

this is more up-to-date:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support

allow me some time to review and come up with a solution.
using the information above will hopefully suffice.

@hbuckle
Copy link
Contributor Author

hbuckle commented Nov 26, 2024

I may take a look at the azapi provider and see if it can be addressed there - as they are allowing the tags property to be set even if the underlying resource doesn't support it.

@TomerHeber
Copy link
Collaborator

from your example above, and https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support
the resource should support tags. I would suggest checking it as well... Microsoft may need to update their documentation... or fix bugs...

@hbuckle
Copy link
Contributor Author

hbuckle commented Nov 29, 2024

Which resource do you mean sorry?

@TomerHeber
Copy link
Collaborator

TomerHeber commented Nov 29, 2024

the one from your example:
type = "Microsoft.App/containerApps/authConfigs@2024-03-01"

but maybe the resource is actually 'authConfigs' ?

@hbuckle
Copy link
Contributor Author

hbuckle commented Nov 30, 2024

Yes, so Microsoft.App/containerApps does support tags, but Microsoft.App/containerApps/authConfigs doesn't

containerApps

containerApps/authConfigs

@TomerHeber
Copy link
Collaborator

Hi @hbuckle -

I created a PR that white lists resources based on Microsoft's documentation.
Feel free to test.

#210
https://github.com/env0/terratag/tree/fix-azapi-whitelist-%23209

@TomerHeber
Copy link
Collaborator

Hi @hbuckle - I'm releasing a new version.
Feel free to try it out, and let me know if it resolves your issues.

@hbuckle
Copy link
Contributor Author

hbuckle commented Dec 10, 2024

@TomerHeber - thanks for addressing this, it seems to work. Hopefully the documentation page format will not change too much

@TomerHeber
Copy link
Collaborator

@TomerHeber - thanks for addressing this, it seems to work. Hopefully the documentation page format will not change too much

Great! Thanks for following up.
We have an easy path to update it if needed.

Fortunately, it's a whitelist. As long as there are no documentation errors or Microsoft decides to remove tags, it should be fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants