env0 / terratag

Terratag is a CLI tool that enables users of Terraform to automatically create and maintain tags across their entire set of AWS, Azure, and GCP resources
https://terratag.io
Mozilla Public License 2.0

azapi - not all resources support tags #209

Open hbuckle opened 4 days ago

hbuckle commented 4 days ago

Describe the bug

Support was added in 0.5.1 for tagging azapi resources, but not all resources in ARM support tags (particularly sub-resources), leading to errors at plan time.

To Reproduce


data "azurerm_client_config" "current" {}

data "azurerm_container_app" "example" {
  name                = "example"
  resource_group_name = "example"
}

resource "azapi_resource" "example" {
  type      = "Microsoft.App/containerApps/authConfigs@2024-03-01"
  name      = "current"
  parent_id = data.azurerm_container_app.example.id
  body = {
    properties = {
      globalValidation = {
        redirectToProvider          = "azureactivedirectory"
        unauthenticatedClientAction = "RedirectToLoginPage"
      }
      identityProviders = {
        azureActiveDirectory = {
          enabled           = true
          isAutoProvisioned = false
          registration = {
            clientId                = "example"
            clientSecretSettingName = "microsoft-provider-authentication-secret"
            openIdIssuer            = "https://sts.windows.net/${data.azurerm_client_config.current.tenant_id}/v2.0"
          }
          validation = {
            allowedAudiences = [
              "example",
            ]
            defaultAuthorizationPolicy = {
              allowedApplications = [
                "example",
              ]
            }
          }
        }
      }
      login = {}
      platform = {
        enabled        = true
        runtimeVersion = "~2"
      }
    }
  }
}

terratag -default-to-terraform -rename=false -tags="{\"test\":\"test\"}" -type=terraform -verbose
terraform plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Invalid configuration
│
│   with azapi_resource.example,
│   on main.tf line 8, in resource "azapi_resource" "example":
│    8: resource "azapi_resource" "example" {
│
│ embedded schema validation failed: the argument "body" is invalid:
│ tags is not expected here. Do you mean properties?

Expected behavior

I'm not sure what the best way to handle this is - we can use the -filter option as a workaround, but there are so many of these sub-resources in ARM I feel like that would become unworkable. I'm also not sure there is any way to handle this from the terratag side, it seems like the azapi provider is doing some dynamic validation at plan time.

Desktop (please complete the following information):

hbuckle commented 4 days ago

For now I've just excluded all azapi resources with the filter option

TomerHeber commented 4 days ago

@hbuckle this is indeed a challenge.

maybe a white list approach.

E.g asking ourselves what type of resources we would like to tag.

type = "Microsoft.App/containerApps/* is a no... But do you have types that are a "yes" ?

TomerHeber commented 4 days ago

Please confirm that this is what we're looking for: https://github.com/tfitzmac/resource-capabilities/blob/main/tag-support.csv

hbuckle commented 4 days ago

I haven't seen that list before, I note it hasn't been updated in some time though...

hbuckle commented 4 days ago

> @hbuckle this is indeed a challenge.
>
> maybe a white list approach.
>
> E.g asking ourselves what type of resources we would like to tag.
>
> type = "Microsoft.App/containerApps/* is a no... But do you have types that are a "yes" ?

I'm not sure if there is a good way to tell just from the resource type - it isn't really consistent, some sub-resources do support tags and some don't

TomerHeber commented 4 days ago

this is more up-to-date: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support

allow me some time to review and come up with a solution. using the information above will hopefully suffice.

hbuckle commented 3 days ago

I may take a look at the azapi provider and see if it can be addressed there - as they are allowing the tags property to be set even if the underlying resource doesn't support it.

TomerHeber commented 1 day ago

from your example above, and https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-support the resource should support tags. I would suggest checking it as well... Microsoft may need to update their documentation... or fix bugs...

hbuckle commented 22 hours ago

Which resource do you mean sorry?

TomerHeber commented 18 hours ago

the one from your example: type = "Microsoft.App/containerApps/authConfigs@2024-03-01"

but maybe the resource is actually 'authConfigs' ?
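
An added example, not part of the thread and not terratag's code: one way the allowlist idea discussed above could key on the full azapi type (child segment included, API version stripped), which is the distinction raised in the last comment. The allowlist entries are constructed placeholders rather than Azure's tag-support data, and `tagAllowlist`, `parseAzapiType` and `shouldTag` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// tagAllowlist: constructed sample keyed by lower-cased full resource type.
// Not Azure's real tag-support data; populate it from a maintained source.
var tagAllowlist = map[string]bool{
	"microsoft.app/containerapps":       true,
	"microsoft.storage/storageaccounts": true,
}

// parseAzapiType splits "Namespace/type[/child...]@api-version" into the
// lower-cased type path and the API version.
func parseAzapiType(t string) (string, string, error) {
	path, version, found := strings.Cut(strings.TrimSpace(t), "@")
	if !found || version == "" {
		return "", "", fmt.Errorf("azapi type %q has no @api-version", t)
	}
	segs := strings.Split(path, "/")
	for _, s := range segs {
		if s == "" || len(segs) < 2 {
			return "", "", fmt.Errorf("azapi type %q is not Namespace/type[/child]", t)
		}
	}
	return strings.ToLower(path), version, nil
}

// shouldTag matches the full type path exactly, so a child such as
// containerApps/authConfigs never inherits its parent's entry. Unknown or
// unparseable types are left untagged (default deny).
func shouldTag(azapiType string) bool {
	path, _, err := parseAzapiType(azapiType)
	if err != nil {
		return false
	}
	return tagAllowlist[path]
}

func main() {
	for _, t := range []string{
		"Microsoft.App/containerApps@2024-03-01",
		"Microsoft.App/containerApps/authConfigs@2024-03-01",
	} {
		fmt.Printf("%-52s tag=%v\n", t, shouldTag(t))
	}
}
```
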