Azure / azure-quickstart-templates

Azure Quickstart Templates
https://aka.ms/azqst
MIT License

Provisioning with Terraform a Redis Cache in VNet with Azure Diagnostics Issue #6383

Open alvintownsend opened 5 years ago

alvintownsend commented 5 years ago

Our goal is to automate the provisioning of a Redis Cache using IaC (e.g. Terraform and/or ARM templates) that is in compliance with our regulatory and governance structure.

For this particular case, the defect can be reproduced by creating a Redis Cache that:

  1. Is deployed within a VNET (to ensure no public endpoint)
  2. Has Azure Diagnostic logs configured against a Log Analytics workspace for the Redis Cache.

The above can be created from the Portal, but it fails when the same configuration is applied through Terraform/ARM scripts.

The scripts used are found below.

The error message received suggests that it is not possible to modify a Redis Cache when it is deployed in a VNET:

Error: Error waiting for deployment: Code='DeploymentFailed' Message='At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.' Details=[{'code':'BadRequest','message':'{"error": {"code": "BadRequest", "message": "The requested update to the resource is not permitted. The following properties(s) cannot be modified: 'properties.subnet'. RequestID=7003259d-add3-45d8-b254-afba60bf35ad", "target": null}}'}]

Please note, some variable and instance names have been changed so as not to reveal the client for which we are working; it's possible they don't line up perfectly since we did a few quick search-and-replaces.

The following snippet of Terraform script shows how to create a Redis Cache and configure the Diagnostic Logs:

# NOTE: the Name used for Redis needs to be globally unique
resource "azurerm_redis_cache" "compliant_redis_cache" {
  name                = "${var.environment}-redis-cache-${random_id.redis_name.hex}"
  location            = "${var.region}"
  resource_group_name = "${azurerm_resource_group.main.name}"
  capacity            = 1
  family              = "P"
  sku_name            = "Premium"
  enable_non_ssl_port = false
  minimum_tls_version = "1.2"
  subnet_id          = "${local.redis_subnet_id}"
  patch_schedule {
    day_of_week     = "${var.patch_schedule_day}"
    start_hour_utc  = "${var.patch_schedule_hour}"
  }

  tags = "${var.tags}"
}

# Activate diagnostic settings
# NOTE: besides the diagnosticsettings child, this nested ARM template also declares the
# Microsoft.Cache/Redis resource itself, without 'properties.subnet', so ARM processes it as an
# update of the cache that was just created above.
resource "azurerm_template_deployment" "azurerm_redis_cache_diagnostic_service" {
  name  = "${var.log_analytics_config_name}"
  resource_group_name = "${azurerm_resource_group.main.name}"

  template_body = <<DEPLOY
  {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "redis_cache_name": {
        "type": "String"
      },
      "log_analytics_config_name": {
        "type": "String"
      },
      "log_analytics_workspace_id": {
        "type": "String"
      },
      "region": {
        "type": "String"
      }
    },
    "resources": [
      {
        "name": "[parameters('redis_cache_name')]",
        "type": "Microsoft.Cache/Redis",
        "apiVersion": "2018-03-01",
        "location": "[parameters('region')]",
        "properties": {
          "mode": "Incremental",
          "enableNonSslPort": "false",
          "sku": {
            "capacity": "1",
            "family": "P",
            "name": "Premium"
          },
          "minimumTlsVersion": "1.2",
          "redisConfiguration": {
            "rdb-backup-enabled": "false"
          }
        },
        "resources": [
            {
              "type": "Microsoft.Cache/redis/providers/diagnosticsettings",
              "name": "[concat(parameters('redis_cache_name'), '/Microsoft.Insights/', parameters('redis_cache_name'))]",
              "location": "[parameters('region')]",
              "dependsOn": [
                "[concat('Microsoft.Cache/Redis/', parameters('redis_cache_name'))]"
              ],
              "apiVersion": "2017-05-01-preview",
              "properties": {
              "name": "[parameters('log_analytics_config_name')]",
              "workspaceId": "[parameters('log_analytics_workspace_id')]",
              "metrics": [
                  {
                    "category": "AllMetrics",
                    "enabled": true,
                    "retentionPolicy": {
                    "enabled": true,
                    "days": 30
                  }
                }
              ]
            }
          }
        ]
      }
    ]
  }
DEPLOY

  # these key-value pairs are passed into the ARM Template's `parameters` block
  parameters = {
    "redis_cache_name" = "${azurerm_redis_cache.compliant_redis_cache.name}"
    "log_analytics_config_name" = "${var.log_analytics_config_name}"
    "log_analytics_workspace_id" = "${local.log_analytics_workspace_id}"
    "region" = "${var.region}"
  }

  deployment_mode = "Incremental"
}

locals {
  log_analytics_workspace_id = "/subscriptions/${var.subscription_id}/resourcegroups/${var.analytics_resource_group}/providers/microsoft.operationalinsights/workspaces/${var.log_analytics_workspace_name}"
  redis_subnet_id            = "/subscriptions/${var.subscription_id}/resourceGroups/${var.network_resource_group}/providers/Microsoft.Network/virtualNetworks/${var.network_redis_vnet_name}/subnets/${var.network_redis_subnet_name}"
}

resource "random_id" "redis_name" {
  byte_length = 4
}
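The error above is the Resource Manager refusing to change `properties.subnet` on an existing cache: a VNet-injected cache cannot be moved in or out of its subnet after creation, and a PUT that omits the subnet is read as exactly that move (accepting it silently would be worse, since it would leave the cache with a public endpoint). The ARM template in the issue triggers this because it re-declares the `Microsoft.Cache/Redis` resource in order to nest the diagnostic setting under it. The following is an added example, not code from the issue or from the azure-quickstart-templates repository, that attaches the diagnostic setting with the provider's native resource instead, so the cache is created once and never re-sent. It reuses the cache resource and the `var.*`/`local.*` names from the issue; it assumes Terraform 0.12+ syntax and azurerm provider 3.x (the `enable_non_ssl_port` attribute and the shape of `azurerm_monitor_diagnostic_setting` differ in other major versions), and the resource label `redis` is chosen here.

```hcl
# Added example: Redis Cache in a VNet plus diagnostic settings, without re-declaring the cache.
# Assumes Terraform 0.12+ and azurerm 3.x; var.* and local.* come from the issue's configuration.

# NOTE: the Name used for Redis needs to be globally unique
resource "azurerm_redis_cache" "compliant_redis_cache" {
  name                = "${var.environment}-redis-cache-${random_id.redis_name.hex}"
  location            = var.region
  resource_group_name = azurerm_resource_group.main.name
  capacity            = 1
  family              = "P"
  sku_name            = "Premium" # VNet injection is only available on the Premium tier
  enable_non_ssl_port = false
  minimum_tls_version = "1.2"

  # Set once at creation. ARM rejects any later update that would change it,
  # so nothing else in this configuration may send a PUT for the cache itself.
  subnet_id = local.redis_subnet_id

  patch_schedule {
    day_of_week    = var.patch_schedule_day
    start_hour_utc = var.patch_schedule_hour
  }

  tags = var.tags
}

# Diagnostic settings are an extension resource keyed by the target's resource ID.
# Referencing the cache's id both targets it and makes Terraform wait for its creation;
# the cache's own properties (subnet included) are never part of this request.
resource "azurerm_monitor_diagnostic_setting" "redis" {
  name                       = var.log_analytics_config_name
  target_resource_id         = azurerm_redis_cache.compliant_redis_cache.id
  log_analytics_workspace_id = local.log_analytics_workspace_id

  # Retention for a Log Analytics destination is governed by the workspace,
  # not by the diagnostic setting.
  metric {
    category = "AllMetrics"
    enabled  = true
  }
}
```

If the ARM template route has to be kept (for example to match an existing quickstart), the same rule applies: the template body must contain only the `Microsoft.Cache/redis/providers/diagnosticSettings` resource as a top-level resource, named `[concat(parameters('redis_cache_name'), '/Microsoft.Insights/', parameters('log_analytics_config_name'))]`, and no `Microsoft.Cache/Redis` resource at all. A quick check before applying either variant is `terraform plan`: the cache should show as a single create (or no change on re-runs), and any plan that lists `subnet_id` as changing on an existing cache means a replacement, not an update, is about to be attempted.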

matheusgiuliano commented 5 years ago

The exact same problem is happening with me. By any chance, did you manage to fix it?


Error: Error issuing create request for Redis Cache XXXXXXXX (resource group XXXXX): redis.Client#Create: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The requested update to the resource is not permitted. The following properties(s) cannot be modified: 'properties.subnet'."