Develop Reference

Cannot determine where this terraform apply error occurs

I'm getting the following error when I do a terraform apply, Error: validating Template Deployment "uksfe-dev-api-office365" (Resource Group "app-sfe-dev-eastus"): requesting validating: resources.DeploymentsClient#Validate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidRequestContent" Message="The request content was invalid and could not be deserialized: 'Error converting value \"sfe-dev-api-office365\" to type 'Azure.Deployments.Core.Definitions.DeploymentParameterDefinition'. Path 'properties.parameters.connections_office365_name', line 1, position 1590.'.".
Here is the resource the error references:
resource "azurerm_resource_group_template_deployment" "office365" {
name = format( "%s%s-%s-api-office365", var.sfe_names.market, var.sfe_names.product_group, var.sfe_names.environment)
resource_group_name = module.resource_group.name
template_content = file("./refScript/logicapp/Office365.json")
deployment_mode = "Incremental"
parameters_content = jsonencode({
"connections_office365_name" = format( "%s-%s-api-office365", var.sfe_names.product_group, var.sfe_names.environment),
"subscription_id" = data.azurerm_subscription.current.subscription_id
})
}
And here is the ARM template file referenced by the resource shown above, Office365.json:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"connections_office365_name": {
"defaultValue": "testoffice365",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[parameters('connections_office365_name')]",
"location": "eastus",
"kind": "V1",
"properties": {
"displayName": "rsgfileexchange#mycompanydomain.com",
"statuses": [
{
"status": "Connected"
}
],
"customParameterValues": {},
"nonSecretParameterValues": {},
"createdTime": "2021-03-25T07:41:30.7103666Z",
"changedTime": "2021-09-02T19:26:09.2638641Z",
"api": {
"name": "sfe-dev-api-office365",
"displayName": "Office 365 Outlook",
"description": "Microsoft Office 365 is a cloud-based service that is designed to help meet your organization's needs for robust security, reliability, and user productivity.",
"iconUri": "https://connectoricons-prod.azureedge.net/releases/v1.0.1507/1.0.1507.2528/office365/icon.png",
"brandColor": "#0078D4",
"id": "/subscriptions/dfdbeere-dfda-ghgh-eree-18a838e6ed7a/providers/Microsoft.Web/locations/eastus/managedApis/office365",
"type": "Microsoft.Web/locations/managedApis"
},
"testLinks": [
{
"requestUri": "[concat('https://management.azure.com:443/subscriptions/dfdbeere-dfda-ghgh-eree-18a838e6ed7a/resourceGroups/app-sfe-dev-eastus/providers/Microsoft.Web/connections/', parameters('connections_office365_name'), '/extensions/proxy/testconnection?api-version=2016-06-01')]",
"method": "get"
}
]
}
}
]
}
I believe the last part of the error message tells where the error occurred, i.e. Path 'properties.parameters.connections_office365_name', line 1, position 1590.'
Any help would be most appreciated.

The example here shows that parameters are passed to the template like this:
parameters_content = jsonencode({
"vnetName" = {
value = local.vnet_name
}
})
So, your code would need to be modified as follows:
parameters_content = jsonencode({
"connections_office365_name" = { value = format( "%s-%s-api-office365", var.sfe_names.product_group, var.sfe_names.environment) }
"subscription_id" = { value = data.azurerm_subscription.current.subscription_id }
})

List to string in Terraform for ARM template use

Trying to use a list(string) to string for subscriptions in my tfvars into an TF ARM deployment.
I want the following:
"scope": [
"/subscriptions/0-1",
"/subscriptions/0-2"
]
I've attempted the following with no success:
"scope": [
${join(", ", each.value.subscriptions)}
]
I'm getting the following error
Error: expanding template_content: invalid character '/' looking for beginning of value
dev.tfvars
schedules = {
01 = {
name = "01"
subscriptions = ["/subscriptions/0-1", "/subscriptions/0-2"]
}
02 = {
name = "02"
subscriptions = ["/subscriptions/0-1", "/subscriptions/0-2"]
}
}
variables.tf
variable "schedules" {
type = map(object({
name = string
subscriptions = list(string)
}))
}
updates.tf
resource "azurerm_resource_group_template_deployment" "updates" {
for_each = var.schedules
name = each.key
resource_group_name = var.rg_name
deployment_mode = "Incremental"
debug_level = "requestContent"
template_content = <<TEMPLATE
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2017-05-15-preview",
"type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations",
"name": "[concat(parameters('automationAccounts_automation_account_name'), '/test-schedule')]",
"properties": {
"updateConfiguration": {
"operatingSystem": "Windows",
"duration": "PT2H",
"windows": {
"excludedKbNumbers": [],
"includedUpdateClassifications": "Critical, Security",
"rebootSetting": "IfRequired"
},
"targets": {
"azureQueries": [
{
"scope": [
${join("\", \"", each.value.subscriptions)}
],
"tagSettings": {
"tags": {
"updates": [
"test"
]
},
"filterOperator": "All"
}
}
]
}
},
"scheduleInfo": {
"isEnabled": "true",
"frequency": "Month",
"interval": "1",
"startTime": "2022-01-18T01:01:00+11:00",
"timeZone": "Australia/Sydney",
"advancedSchedule": {
"monthlyOccurrences": [
{
"occurrence": "Saturday",
"day": "2"
}
]
}
}
}
} ]
}
TEMPLATE
}

You inserted the double quotes between each element, but they should be encasing each element.
${join(", ", [ for sub in each.value.subscriptions: "\"${sub}\"" ])}

Usually you would use jsonencode instead of join in cases like yours:
resource "azurerm_resource_group_template_deployment" "updates" {
for_each = var.schedules
name = each.key
resource_group_name = var.rg_name
deployment_mode = "Incremental"
debug_level = "requestContent"
template_content = <<TEMPLATE
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2017-05-15-preview",
"type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations",
"name": "[concat(parameters('automationAccounts_automation_account_name'), '/test-schedule')]",
"properties": {
"updateConfiguration": {
"operatingSystem": "Windows",
"duration": "PT2H",
"windows": {
"excludedKbNumbers": [],
"includedUpdateClassifications": "Critical, Security",
"rebootSetting": "IfRequired"
},
"targets": {
"azureQueries": [
{
"scope": ${jsonencode(each.value.subscriptions)},
"tagSettings": {
"tags": {
"updates": [
"test"
]
},
"filterOperator": "All"
}
}
]
}
},
"scheduleInfo": {
"isEnabled": "true",
"frequency": "Month",
"interval": "1",
"startTime": "2022-01-18T01:01:00+11:00",
"timeZone": "Australia/Sydney",
"advancedSchedule": {
"monthlyOccurrences": [
{
"occurrence": "Saturday",
"day": "2"
}
]
}
}
}
} ]
}
TEMPLATE
}

How can I use azurerm_resource_group_template_deployment for azure budget resource but ignore changes in start and end date?

Maybe related: azurerm_resource_group_template_deployment ignoring parameter file
I would like to use the resource azurerm_resource_group_template_deployment from Terraform version 0.37. But there is the problem that Terraform wants to reapply the resource every month, so I thought I could tell to ignore changes to start date and end date, but this would (opposite to the deprecated resource azurerm_template_deployment) need a compute operation, namely jsondecode, which is not allowed. I.e. the following code would not work.
terraform {
required_version = "~> 0.13.0"
required_providers {
azurerm = "~> 2.37.0"
}
}
provider azurerm {
features {}
}
locals {
budget_start_date = formatdate("YYYY-MM-01", timestamp())
budget_end_date = formatdate("YYYY-MM-01", timeadd(timestamp(), "17568h"))
budget_params = jsonencode({
"budgetName" = "budgettest",
"amount" = "4000",
"timeGrain" = "Annually",
"startDate" = local.budget_start_date,
"endDate" = local.budget_end_date,
"firstThreshold" = "75",
"secondThreshold" = "100",
"thirdThreshold" = "50",
"contactGroups" = ""
})
}
resource "azurerm_resource_group" "rg" {
# A subscription cannot have more than 980 resource groups:
# https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
name = "example-rg"
location = "westeurope"
}
resource "azurerm_resource_group_template_deployment" "dsw_budget" {
name = "test-budget-template"
resource_group_name = azurerm_resource_group.rg[0].name
deployment_mode = "Incremental"
template_content = file("${path.module}/arm/budget_deploy.json")
parameters_content = local.budget_params
lifecycle {
ignore_changes = [
jsondecode(parameters_content)["startDate"],
jsondecode(parameters_content)["endDate"]
]
}
}
For the sake of completeness, content of budget_deploy.json:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"budgetName": {
"type": "string",
"defaultValue": "MyBudget"
},
"amount": {
"type": "string",
"defaultValue": "1000"
},
"timeGrain": {
"type": "string",
"defaultValue": "Monthly",
"allowedValues": [
"Monthly",
"Quarterly",
"Annually"
]
},
"startDate": {
"type": "string"
},
"endDate": {
"type": "string"
},
"firstThreshold": {
"type": "string",
"defaultValue": "90"
},
"secondThreshold": {
"type": "string",
"defaultValue": "110"
},
"thirdThreshold": {
"type": "string",
"defaultValue": "80"
},
"contactEmails": {
"type": "string",
"defaultValue": ""
},
"contactGroups": {
"type": "string",
"defaultValue": ""
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"groups": "[split(parameters('contactGroups'),',')]"
},
"resources": [
{
"name": "[parameters('budgetName')]",
"type": "Microsoft.Consumption/budgets",
"location": "[parameters('location')]",
"apiVersion": "2019-10-01",
"properties": {
"timePeriod": {
"startDate": "[parameters('startDate')]",
"endDate": "[parameters('endDate')]"
},
"timeGrain": "[parameters('timeGrain')]",
"amount": "[parameters('amount')]",
"category": "Cost",
"notifications": {
"NotificationForExceededBudget1": {
"enabled": true,
"operator": "GreaterThan",
"threshold": "[parameters('firstThreshold')]",
"contactGroups": "[variables('groups')]"
},
"NotificationForExceededBudget2": {
"enabled": true,
"operator": "GreaterThan",
"threshold": "[parameters('secondThreshold')]",
"contactGroups": "[variables('groups')]"
},
"NotificationForExceededBudget3": {
"enabled": true,
"operator": "GreaterThan",
"threshold": "[parameters('thirdThreshold')]",
"contactGroups": "[variables('groups')]"
}
}
}
}
]
}
Is there any way that I can still achieve my goal? - thank you!

I don't think it's right the way you use the ignore_changes. Take a look at the ignore_changes in lifecycle for every resource. It should the property of the resource you want to create, not the value. In addition, if you want to change the resources via the Azure Template in Terraform, it's better to use the Incremental deployment_mode, and do not change the property that you want to ignore the changes.

I resorted to use tags for the end and start date for the budget. The ignore_changes would work for the deprecated azurerm_template_deployment as parameters is of type map in that case and not of json type, like so:
terraform {
required_version = "~> 0.13.0"
required_providers {
azurerm = "~> 2.37.0"
}
}
provider azurerm {
features {}
}
locals {
budget_start_date = formatdate("YYYY-MM-01", timestamp())
budget_end_date = formatdate("YYYY-MM-01", timeadd(timestamp(), "17568h"))
budget_params = {
"budgetName" = "budgettest",
"amount" = "4000",
"timeGrain" = "Annually",
"startDate" = local.budget_start_date,
"endDate" = local.budget_end_date,
"firstThreshold" = "75",
"secondThreshold" = "100",
"thirdThreshold" = "50",
"contactGroups" = ""
}
}
resource "azurerm_resource_group" "rg" {
# A subscription cannot have more than 980 resource groups:
# https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
name = "example-rg"
location = "westeurope"
}
resource "azurerm_template_deployment" "dsw_budget" {
name = "test-budget-template"
resource_group_name = azurerm_resource_group.rg[0].name
deployment_mode = "Incremental"
template_content = file("${path.module}/arm/budget_deploy.json")
parameters_content = local.budget_params
lifecycle {
ignore_changes = [
parameters["startDate"],
parameters["endDate"]
]
}
}
Now this is not possible anymore with azurerm_resource_group_template_deployment, as json content is has to passed and therefore in ignore_changes a json-decoding which is a computation operation would have to be made, which is not allowed.
Therefore to solve my problem of fixating start and end dates, I resorted to using tags for start and end date and a data source querying them:
terraform {
required_version = "~> 0.13.0"
required_providers {
azurerm = "~> 2.37.0"
}
}
provider azurerm {
features {
template_deployment {
delete_nested_items_during_deletion = false
}
}
}
data "azurerm_resources" "aml" {
resource_group_name = "${var.tk_name_id}-${local.stage}-rg"
type = "Microsoft.MachineLearningServices/workspaces"
}
locals {
budget_start_date_tag = try(element(data.azurerm_resources.aml.resources[*].tags.budget_start_date, 0), "NA")
budget_end_date_tag = try(element(data.azurerm_resources.aml.resources[*].tags.budget_end_date, 0), "NA")
should_test_budget = local.is_test_stage_boolean && var.test_budget
budget_start_date = local.budget_start_date_tag != "NA" ? local.budget_start_date_tag : (local.should_test_budget ? "START DATE FAIL!" : formatdate("YYYY-MM-01", timestamp()))
budget_end_date = local.budget_end_date_tag != "NA" ? local.budget_end_date_tag : (local.should_test_budget ? "END DATE FAIL!" : formatdate("YYYY-MM-01", timeadd(timestamp(), "17568h")))
budget_date_tags = {
"budget_start_date" : local.budget_start_date,
"budget_end_date" : local.budget_end_date
}
}
#--------------------------------------------------------------------------------------------------------------------
# DSW: Resource Group
# --------------------------------------------------------------------------------------------------------------------
resource "azurerm_resource_group" "rg" {
# A subscription cannot have more than 980 resource groups:
# https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits
count = local.no_addresses_available_boolean ? 0 : 1
name = "test-rg"
location = var.location
tags = local.budget_date_tags
}
resource "azurerm_machine_learning_workspace" "aml_workspace" {
name = local.aml_ws_name
resource_group_name = azurerm_resource_group.rg[0].name
location = azurerm_resource_group.rg[0].location
application_insights_id = azurerm_application_insights.aml_insights.id
key_vault_id = azurerm_key_vault.aml_kv.id
storage_account_id = azurerm_storage_account.aml_st.id
container_registry_id = azurerm_container_registry.aml_acr.id
sku_name = "Basic"
tags = merge(var.azure_tags, local.budget_date_tags)
identity {
type = "SystemAssigned"
}
}
#Charles Xu I did not quite test it yet and I am also not sure if this is the best solution?
EDIT: Now I actually run into cyclic dependency because the data source does obviously not exist before resource group is created: https://github.com/hashicorp/terraform/issues/16380.

ARM Return App Service Environment ID to use in Terraform Script

Terraform does not allow for the deployment of App Service Environments so I am using the azurerm_template_deployment as a work around. However, I want to reference the App Service Environment ID in an App Service Plan resource that I am creating later. How would I get and save the ID of the App Service Environment using this method?
I am using the depends_on tag in the app service plan resource to ensure its creation after the app service environment, but I can not figure out how to get the id out of the creation and save to a variable. I think that it would involve the use of the variable and output tags of the ARM template.
resource "azurerm_template_deployment" "ase" {
name = "ILBASE_ARM_template"
resource_group_name = "${azurerm_resource_group.ase.name}"
template_body = <<DEPLOY
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ilbase_name": {
"type": "string"
},
"ilbase_domain_name": {
"type": "string"
},
"ilbase_subnet_name": {
"type": "string"
},
"ilbase_rglocation": {
"defaultValue": "East US",
"type": "string"
},
"vnet_id": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"apiVersion": "2016-09-01",
"type": "Microsoft.Web/hostingEnvironments",
"name": "[parameters('ilbase_name')]",
"kind": "ASEV2",
"location": "[parameters('ilbase_rglocation')]",
"properties": {
"name": "[parameters('ilbase_name')]",
"location": "[parameters('ilbase_rglocation')]",
"virtualNetwork": {
"Id": "[parameters('vnet_id')]",
"Subnet": "[parameters('ilbase_subnet_name')]"
},
"internalLoadBalancingMode": "Web, Publishing",
"multiSize": "Standard_D1_V2",
"multiRoleCount": 2,
"workerPools": null,
"ipsslAddressCount": 0,
"dnsSuffix": "[parameters('ilbase_domain_name')]",
"networkAccessControlList": [],
"frontEndScaleFactor": 15,
"apiManagementAccountId": null,
"suspended": false,
"dynamicCacheEnabled": null,
"clusterSettings": null
}
}
],
"outputs": {
}
}
DEPLOY
parameters {
"vnet_id" = "${azurerm_virtual_network.main_vnet.id}"
"ilbase_subnet_name" = "${azurerm_subnet.ase.name}"
"ilbase_name" = "${var.env}-ASE-001"
"ilbase_domain_name" = "${var.dnsName}"
"ilbase_rglocation" = "${var.location}"
}
deployment_mode = "Incremental"
}
resource "azurerm_app_service_plan" "test" {
name = "api-appserviceplan-pro"
location = "${var.location}"
resource_group_name = "${azurerm_resource_group.ase.name}"
app_service_environment_id = ????????????????????
sku {
tier = "Isolated"
size = "S1"
}
depends_on = ["azurerm_template_deployment.ase"]
}
Thanks in advance for any help!

In the ARM template, use outputs to set an output to the app service environment ID.
(something like this, didn't have a chance to test, any feedback on changes would be greatly appreciated!)
"outputs": {
"app_service_evironment_id": {
"type": "string",
"value": "[resourceId('Microsoft.Web/hostingEnvironments', parameters('ilbase_name'))]"
}
}
The azurerm_template_deployment supports an outputs map. Using this map, you can then set
azurerm_app_service_plan.test.app_service_environment_id = azurerm_template_deployment.ase.outputs["app_service_evironment_id"]
The depends_on shouldn't be necessary and should be implicit (since the azurerm_app_service_plan uses an output of azurerm_template_deployment)

Terraform - Long running Azure deployment errors out

We are using Terraform executed via a shell script from a Bash window to deploy an App Service Environment. Deploying an App Service Environment takes anywhere from 1 to 2 hours to complete.
The Terraform deployment times out after 1 hour with an error that says:
azurerm_template_deployment.ase: Error creating deployment: azure#WaitForCompletion: context has been cancelled: StatusCode=200 -- Original Error: context deadline exceeded
The deployment does not actually stop and eventually succeeds. If after it completes (as observed in the Azure portal) we re-run the Terraform deployment, the deployment completes successfully.
Terraform log file:
https://gist.github.com/Phydeauxman/0f9aa3d1c1379c36e2f8f420d0ae345e
Terraform config file:
provider "azurerm" {
subscription_id = "${var.sub_id}"
}
data "terraform_remote_state" "rg" {
backend = "azurerm"
config {
storage_account_name = "${var.tfstate_storage_account}"
container_name = "${var.tfstate_container}"
key = "${var.tfstate_rgstate_file}"
access_key = "${var.tfstate_access_key}"
}
}
resource "azurerm_resource_group" "ase_rg" {
name = "${var.ilbase_rg_name}"
location = "${data.terraform_remote_state.rg.rglocation}"
}
resource "azurerm_template_deployment" "ase" {
name = "ILBASE_ARM_template"
resource_group_name = "${azurerm_resource_group.ase_rg.name}"
template_body = <<DEPLOY
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"ilbase_name": {
"type": "string"
},
"ilbase_domain_name": {
"type": "string"
},
"ilbase_subnet_name": {
"type": "string"
},
"ilbase_rglocation": {
"defaultValue": "East US",
"type": "string"
},
"vnet_id": {
"type": "string"
}
},
"variables": {
},
"resources": [
{
"apiVersion": "2016-09-01",
"type": "Microsoft.Web/hostingEnvironments",
"name": "[parameters('ilbase_name')]",
"kind": "ASEV2",
"location": "[parameters('ilbase_rglocation')]",
"properties": {
"name": "[parameters('ilbase_name')]",
"location": "[parameters('ilbase_rglocation')]",
"virtualNetwork": {
"Id": "[parameters('vnet_id')]",
"Subnet": "[parameters('ilbase_subnet_name')]"
},
"internalLoadBalancingMode": "Web, Publishing",
"multiSize": "Standard_D1_V2",
"multiRoleCount": 2,
"workerPools": null,
"ipsslAddressCount": 0,
"dnsSuffix": "[parameters('ilbase_domain_name')]",
"networkAccessControlList": [],
"frontEndScaleFactor": 15,
"apiManagementAccountId": null,
"suspended": false,
"dynamicCacheEnabled": null,
"clusterSettings": null
}
}
],
"outputs": {
}
}
DEPLOY
# these key-value pairs are passed into the ARM Template's `parameters` block
parameters {
"vnet_id" = "${data.terraform_remote_state.rg.vnetid}"
"ilbase_subnet_name" = "${data.terraform_remote_state.rg.sn2name}"
"ilbase_name" = "${var.ilbase_name}"
"ilbase_domain_name" = "${var.ilbase_domain_name}"
}
deployment_mode = "Incremental"
}
#output "storageAccountName" {
# value = "${azurerm_template_deployment.test.outputs["storageAccountName"]}"
#}

There doesn't seem to be a specific question, but as of the AzureRM 2.0 provider it is now possible to add custom timeouts. Secondly it is considered best practice to only use azurerm_template_deployment when a resource type doesn't exist in terraform. App service is a first class resource