hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azure_api_management creates always stv1 #20939

Open feberl opened 1 year ago

feberl commented 1 year ago

Terraform Version

1.2.9

AzureRM Provider Version

3.33.0

Affected Resource(s)/Data Source(s)

azurerm_api_management

Terraform Configuration Files

resource "azurerm_api_management" "apim" {
  name                      = "myapim"
  location                  = "eastus"
  resource_group_name       = "resourcegroup"
  publisher_name            = var.publisher_name
  publisher_email           = var.publisher_email
  sku_name                  = "${var.sku}_${var.sku_capacity}"
  virtual_network_type      = "Internal"
  zones                     = []
  notification_sender_email = "somemeail@email.com"

  tags = merge(var.tags)

  virtual_network_configuration {
    subnet_id = var.network_subnet_id_apim
  }

}

Debug Output/Panic Output

-

Expected Behaviour

Creates an APIM with PlatformVersion stv2

Actual Behaviour

Creates an APIM with PlatformVersion stv1 image

Steps to Reproduce

  1. In Azure Portal you can see stv1

Important Factoids

Microsoft will retire stv1 in August 2024: https://learn.microsoft.com/en-us/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024

References

No response

dvob commented 1 year ago

@feberl With azurerm version 3.47.0 the created APIM instances are of platform version stv2.

feberl commented 1 year ago

> @feberl With azurerm version 3.47.0 the created APIM instances are of platform version stv2.

Cannot find this in the release notes. So with any version <3.47.0 it is stv1?

dvob commented 1 year ago

> So with any version <3.47.0 it is stv1?

I don't know in which version this changed. Or maybe it is not even the version but the configuration which makes the difference. I just reproduced another problem yesterday (#20958) and the instance that got created was of platform version stv2.

tombuildsstuff commented 1 year ago

@dvob @feberl taking a look into this it appears that there hasn't been an API version update for API Management for a while now - and even then there's nothing particularly standing out to me within the diff for this year that would have caused this change: https://github.com/hashicorp/terraform-provider-azurerm/commits/main/internal/services/apimanagement

As such I'd wager this is probably a change within the API - if you're still seeing stv1 and stv2 being provisioned based on the version of the provider being used, which regions are you deploying into?

Thanks!

feberl commented 1 year ago

I think I know what the problem is. There is an implicit case distinction in the API. Unfortunately this is not well documented in your docs as the public_ip_address_id is Optional without further explanation.

image https://techcommunity.microsoft.com/t5/azure-paas-blog/compute-platform-versions-for-azure-api-management-service/ba-p/2836971

I'd recommend to update the docs and maybe make this setting required when API Management gets deployed to a VNET.

zadigus commented 1 year ago

I am deploying the APIM to region eastus with azurerm provider version 3.57.0 and I systematically get the stv1 platform. However, if I install the APIM through the portal to region eastus, then I systematically get platform stv2.

BigFrog-coding commented 1 year ago

> @feberl With azurerm version 3.47.0 the created APIM instances are of platform version stv2.

This is not true

BigFrog-coding commented 1 year ago

The issue is you must supply a public IP for the external vnet to work. The provider, at least in the documentation, does not mention it at all.

arkiaconsulting commented 1 year ago

To me this is solved. As @feberl explained in the diagram, as soon as you create an APIM with a public IP (Static with domain name label) AND that you join it to a subnet that is linked to a network security group, the APIM will be created in stv2

zadigus commented 1 year ago

For me, it's solved too, by first the addition of a public IP:

resource "azurerm_public_ip" "apim" {
  name                 = "apim-ip"
  location             = var.location
  resource_group_name  = var.resource_group_name
  domain_name_label    = local.apim_name
  allocation_method    = "Static"
  sku                  = "Standard"
  ddos_protection_mode = "Enabled"
  tags                 = var.tags
}

and then linking that public ip with my APIM

resource "azurerm_api_management" "apim" {
  name                          = local.apim_name
  location                      = var.location
  resource_group_name           = var.resource_group_name
  virtual_network_type          = "External"

  [...]

  public_ip_address_id          = azurerm_public_ip.apim.id

  virtual_network_configuration {
    subnet_id = var.subnet_id
  }
}

MohnJadden commented 1 year ago

> > @feberl With azurerm version 3.47.0 the created APIM instances are of platform version stv2.
>
> This is not true

Confirmed - I deployed my first and so far only APIM instance with 3.77, internal only, no public IP, on a subnet and NSG also created and managed by TF on 3.77. It created an stv2 platform version type.

If an APIM instance is internal and there is no public IP, then TF should allow an option to specify the platform version similar to what was in #23443 .
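
A pre-apply check for the condition discussed in the comments above, as an added example that is not part of the thread or the provider's code: it reads the JSON form of a plan (`terraform show -json`) and lists VNet-joined `azurerm_api_management` resources that have no `public_ip_address_id`. The sample plan and the function name are constructed for illustration; whether a flagged instance actually lands on stv1 is reported differently by the commenters above, so treat a hit as something to review.

```python
import json

# Constructed sample, shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_api_management.internal_no_ip",
   "type": "azurerm_api_management",
   "change": {"actions": ["create"], "after_unknown": {},
              "after": {"virtual_network_type": "Internal",
                        "public_ip_address_id": null}}},
  {"address": "azurerm_api_management.external_with_ip",
   "type": "azurerm_api_management",
   "change": {"actions": ["create"],
              "after_unknown": {"public_ip_address_id": true},
              "after": {"virtual_network_type": "External"}}},
  {"address": "azurerm_api_management.no_vnet",
   "type": "azurerm_api_management",
   "change": {"actions": ["create"], "after_unknown": {},
              "after": {"virtual_network_type": "None",
                        "public_ip_address_id": null}}},
  {"address": "azurerm_api_management.destroyed",
   "type": "azurerm_api_management",
   "change": {"actions": ["delete"], "after_unknown": {}, "after": null}}
]}
""")


def apim_without_public_ip(plan):
    """List VNet-joined APIM resources planned without public_ip_address_id."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after")
        if rc.get("type") != "azurerm_api_management" or after is None:
            continue  # different resource type, or the resource is being deleted
        if (after.get("virtual_network_type") or "None") == "None":
            continue  # not joined to a VNet
        # A reference to a public IP created in the same plan is not in
        # "after" yet; it is marked true in "after_unknown" instead.
        # Assumption: an unknown value means the attribute is set.
        unknown = (change.get("after_unknown") or {}).get("public_ip_address_id")
        if not after.get("public_ip_address_id") and unknown is not True:
            flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    print(apim_without_public_ip(SAMPLE_PLAN))
```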