hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

error destroying azurerm_api_management_api_version_set resource #17208

Open scott-doyland-burrows opened 2 years ago

scott-doyland-burrows commented 2 years ago

Terraform Version

1.2.1

AzureRM Provider Version

3.9.0

Affected Resource(s)/Data Source(s)

azurerm_api_management_api_version_set

Terraform Configuration Files

resource "azurerm_api_management" "hogarth_api_management" {
  depends_on = [azurerm_key_vault_access_policy.user_assigned_managed_identity_001]

  name                          = "${var.opp_grp}-${var.proj_code}-${var.locale}-${var.sn_env}-apim-001"
  location                      = var.location
  resource_group_name           = var.resource_group_name
  publisher_name                = "Hogarth"
  publisher_email               = "hogarth@hogarthww.com"
  public_network_access_enabled = true
  sku_name                      = var.sn_env == "p" ? "Premium_1" : "Developer_1"
  zones                         = var.sn_env == "p" ? [1, 2, 3] : null
  virtual_network_type          = "Internal"

  virtual_network_configuration {
    subnet_id = azurerm_subnet.pwapimgw_apimanagement_subnet.id
  }

  identity {
    type = "SystemAssigned"
  }

  certificate {
    encoded_certificate  = filebase64("../certificates/${var.automation_cert_name}.crt")
    certificate_password = ""
    store_name           = "Root"
  }

  tags = merge(local.tags, {
    hostname    = "${var.opp_grp}-${var.proj_code}-${var.locale}-${var.sn_env}-apim-001"
    serverrole  = "N/A"
    serveros    = "N/A"
    servicename = "api_management"
  })
}

resource "azurerm_api_management_logger" "apim_appinsights_logger" {
  name                = "apim-logger"
  api_management_name = azurerm_api_management.hogarth_api_management.name
  resource_group_name = azurerm_api_management.hogarth_api_management.resource_group_name

  application_insights {
    instrumentation_key = azurerm_application_insights.apim_app_insights.instrumentation_key
  }
}

resource "azurerm_api_management_api" "automation_engine_api" {
  name                  = "automation-engine-health-check"
  resource_group_name   = azurerm_api_management.hogarth_api_management.resource_group_name
  api_management_name   = azurerm_api_management.hogarth_api_management.name
  revision              = "1"
  display_name          = "Automation Engine Health Check"
  path                  = "AutomationEngineHealthCheck"
  protocols             = ["https"]
  subscription_required = false
}

resource "azurerm_api_management_api_operation" "automation_engine_api_get" {
  operation_id        = "get"
  api_name            = azurerm_api_management_api.automation_engine_api.name
  api_management_name = azurerm_api_management_api.automation_engine_api.api_management_name
  resource_group_name = azurerm_api_management_api.automation_engine_api.resource_group_name
  display_name        = "GET"
  method              = "GET"
  url_template        = "/"
  description         = "This is used to determine if API Management is working and that it can get a successful response from Automation Engine"
}

resource "azurerm_api_management_api_operation_policy" "automation_engine_api_get_policy" {
  api_name            = azurerm_api_management_api_operation.automation_engine_api_get.api_name
  api_management_name = azurerm_api_management_api_operation.automation_engine_api_get.api_management_name
  resource_group_name = azurerm_api_management_api_operation.automation_engine_api_get.resource_group_name
  operation_id        = azurerm_api_management_api_operation.automation_engine_api_get.operation_id
  xml_content         = local.automation_engine_api_get_policy
}

resource "azurerm_api_management_api_version_set" "pwapi_api_version_set" {
  name                = "pwapiversion"
  resource_group_name = azurerm_api_management.hogarth_api_management.resource_group_name
  api_management_name = azurerm_api_management.hogarth_api_management.name
  display_name        = "PW API"
  versioning_scheme   = "Segment"
}

resource "azurerm_api_management_api" "pwapi_api" {
  name                = "pwapi"
  resource_group_name = azurerm_api_management.hogarth_api_management.resource_group_name
  api_management_name = azurerm_api_management.hogarth_api_management.name
  revision            = "1"
  display_name        = "PWAPI"
  path                = "pwapi"
  protocols           = ["https"]
  version             = "v1"
  version_description = null

}

resource "azurerm_api_management_api_operation" "pwapi_api_folder_create" {
  operation_id        = "folder-create"
  api_name            = azurerm_api_management_api.pwapi_api.name
  api_management_name = azurerm_api_management_api.pwapi_api.api_management_name
  resource_group_name = azurerm_api_management_api.pwapi_api.resource_group_name
  display_name        = "Folder Create"
  method              = "POST"
  url_template        = "/folder-create"
  description         = ""
}

resource "azurerm_api_management_api_operation_policy" "pwapi_api_folder_create_policy" {
  api_name            = azurerm_api_management_api_operation.pwapi_api_folder_create.api_name
  api_management_name = azurerm_api_management_api_operation.pwapi_api_folder_create.api_management_name
  resource_group_name = azurerm_api_management_api_operation.pwapi_api_folder_create.resource_group_name
  operation_id        = azurerm_api_management_api_operation.pwapi_api_folder_create.operation_id
  xml_content         = local.pwapi_policy
}

resource "azurerm_api_management_subscription" "pwapi_subscription" {
  api_management_name = azurerm_api_management.hogarth_api_management.name
  resource_group_name = azurerm_api_management.hogarth_api_management.resource_group_name
  display_name        = "pwapi"
  api_id              = azurerm_api_management_api.pwapi_api.id
  primary_key         = data.azurerm_key_vault_secret.pwapi_primary.value
  secondary_key       = data.azurerm_key_vault_secret.pwapi_secondary.value
  allow_tracing       = true
  state               = "active"
}

Debug Output/Panic Output

Error: deleting Api Version Set "pwapiversion" (Resource Group "pwapimgw-t-app-rg" / Api Management Service "hgh-pwapimgw-weuro-t-apim-001"): apimanagement.APIVersionSetClient#Delete: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ValidationError" Message="VersionSet cannot be deleted since it has existing APIs."

Expected Behaviour

azurerm_api_management_api_version_set resource should be deleted.

Actual Behaviour

On the first run of a destroy I get the error as above.

I look in the APIs in the APIM resource via the Portal and there are none (they are destroyed).

Running a second destroy works as there are now no APIs so the azurerm_api_management_api_version_set resource can destroy cleanly.

I assume there is some sort of timing issue and the APIs are still "active" when the resource is being destroyed during the first destroy.

Steps to Reproduce

Set up code as above and apply.

Then destroy it.

Important Factoids

No response

References

No response

cchet commented 8 months ago

I experience the same issue. Also, if the version_set alone is to be deleted, then the APIs and the version_set have to be deleted as described here with two runs, and then we need to create the API without a version_set.

I would expect that to be handled by the provider properly, so it can be done in one run.