hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Adding built-in 'Guests' role to azurerm_api_management_product_group throws 'Resource already exists' error during apply #25648

Open kerbou opened 5 months ago

kerbou commented 5 months ago

Terraform Version

1.6.3

AzureRM Provider Version

2.92.0

Affected Resource(s)/Data Source(s)

azurerm_api_management_product_group

Terraform Configuration Files

resource "azurerm_api_management_product" "apim_product_datahub" {
  ...removed for brevity...
}

# Built-in 'Guests' group
data "azurerm_api_management_group" "guests" {
  name                = "Guests"
  ...removed for brevity...
}

# Add access for 'Guests'
resource "azurerm_api_management_product_group" "apim_product_datahub_group_guests" {
  product_id          = azurerm_api_management_product.apim_product_datahub.product_id
  group_name          = lower(data.azurerm_api_management_group.guests.name)
  ...removed for brevity...
}

Debug Output/Panic Output

Terraform apply fails, see error description in "Actual behaviour" 

Expected Behaviour

Built-in group 'Guests' has been added to the product

Actual Behaviour

Terraform apply fails with the following error:

Error: A resource with the ID "/subscriptions/{subscription}resourceGroups/{resourcegroup}/providers/Microsoft.ApiManagement/service/{apimservice}/products/{product}/groups/guests" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_api_management_product_group" for more information

Steps to Reproduce

No response

Important Factoids

Running on Github hosted runner, image version: https://github.com/actions/runner-images/blob/ubuntu22/20240407.1/images/ubuntu/Ubuntu2204-Readme.md

References

It appears that the built-in group 'Guests' has issues already, see https://github.com/hashicorp/terraform-provider-azurerm/issues/17619#issuecomment-1403127161

sinbai commented 5 months ago

Hi @kerbou, thanks for opening this issue. I would like to explain that the built-in group name is guests and the built-in group display name is Guests. We could get it by the Product Group - List By Product API, see below for details.

{
      "id": "/subscriptions/"redacted"/resourceGroups/testRG-25648-0419/providers/Microsoft.ApiManagement/service/acctestAM-25648-0419/products/test-product/groups/guests",
      "type": "Microsoft.ApiManagement/service/products/groups",
      "name": "guests",
      "properties": {
        "displayName": "Guests",
        "description": "Guests is a built-in group. Its membership is managed by the system. Unauthenticated users visiting the developer portal fall into this group.",
        "builtIn": true,
        "type": "system",
        "externalId": null
      }
    }

When using data.azurerm_api_management_group.guests, if name is specified, guests should be used, and if display_name is specified, Guests should be used.


data "azurerm_api_management_group" "guests" {
  display_name                = "Guests"
  ...removed for brevity...
}

data "azurerm_api_management_group" "guests" {
  name                = "guests"
  ...removed for brevity...
}

In addition, the function configured below is to create a new group. If the group specified in group_name already exists, the above error is expected; this is by design.


resource "azurerm_api_management_product_group" "apim_product_datahub_group_guests" {
  product_id          = azurerm_api_management_product.apim_product_datahub.product_id
  group_name          = lower(data.azurerm_api_management_group.guests.name)
  ...removed for brevity...
}
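
An added example, not part of the original thread or the provider's code: a pre-flight check over a Product Group - List By Product response that reports whether a value matches a linked group's name or only its display name, and whether the link already exists (the case where apply reports "already exists"). The `value` wrapper key, the sample IDs and the helper name `preflight` are assumptions.

```python
import json

# Constructed sample in the shape of the response quoted above. The "value"
# wrapper and the all-zero subscription id are assumptions/placeholders.
SAMPLE_RESPONSE = json.loads("""
{"value": [{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.ApiManagement/service/example-apim/products/test-product/groups/guests",
  "type": "Microsoft.ApiManagement/service/products/groups",
  "name": "guests",
  "properties": {"displayName": "Guests", "builtIn": true, "type": "system"}
}]}
""")


def preflight(response, wanted):
    """Classify `wanted` against the groups already linked to a product.

    Hypothetical helper: reports whether `wanted` equals a linked group's
    name or only its display name, and the ID an import would need.
    """
    groups = response.get("value", [])
    # Prefer an exact match on the resource name, then fall back to displayName.
    for field, getter in (("name", lambda g: g["name"]),
                          ("display_name", lambda g: g["properties"]["displayName"])):
        for group in groups:
            if getter(group) == wanted:
                return {
                    "matched_on": field,
                    "group_name": group["name"],  # value to use where a name is expected
                    "already_linked": True,       # creating the link again reports "already exists"
                    "built_in": group["properties"].get("builtIn", False),
                    "existing_id": group["id"],
                }
    return {"matched_on": None, "group_name": None, "already_linked": False,
            "built_in": False, "existing_id": None}


if __name__ == "__main__":
    for candidate in ("Guests", "guests", "developers"):
        print(candidate, "->", preflight(SAMPLE_RESPONSE, candidate))
```
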

kerbou commented 5 months ago

Hi @sinbai

Thank you for your elaborate reply.

As I read your comment, I think that I should have gotten an error when attempting to use the data pointer to retrieve a group that doesn't point to the built-in group correctly, instead of the provider attempting to create a group when a built-in group named 'Guests' already exists.

It would be very beneficial for me consuming the provider to have an error returned from the data pointer in the form of "Resource does not exist" or something similar when using an invalid name - the API should be able to deduce that my attempt to create a relationship will never work given the values I provide. Figuring out that there is a difference between using 'name' and 'display_name' when the value of both is 'Guests' is very hard to deduce.

Would it be possible to either update the provider documentation or refactor this inconvenient API behaviour in data.azurerm_api_management_group?