Unable to set the Subscription scope for azurerm_maintenance_assignment_dynamic_scope

[naikajah]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.9.2

AzureRM Provider Version

3.112.0

Affected Resource(s)/Data Source(s)

azurerm_maintenance_assignment_dynamic_scope

Terraform Configuration Files

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_maintenance_configuration" "example" {
  name                     = "example"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  scope                    = "InGuestPatch"
  in_guest_user_patch_mode = "User"

  window {
    start_date_time = formatdate("YYYY-MM-DD hh:mm", timestamp())
    time_zone       = "Greenwich Standard Time"
    recur_every     = "1Day"
  }

  install_patches {
    reboot = "Always"

    windows {
      classifications_to_include = ["Critical"]
      kb_numbers_to_exclude      = []
      kb_numbers_to_include      = []
    }
  }
}

resource "azurerm_maintenance_assignment_dynamic_scope" "example" {
  name                         = "example"
  maintenance_configuration_id = azurerm_maintenance_configuration.example.id

  filter {
    locations       = ["West Europe"]
    os_types        = ["Windows"]
    resource_groups = [azurerm_resource_group.example.name]
    resource_types  = ["Microsoft.Compute/virtualMachines"]
    tag_filter      = "Any"
    tags {
      tag    = "foo"
      values = ["barbar"]
    }
  }
}

When creating a dynamic scope within the maintenance configuration the Azure portal lets you select the scope (Subscription) where the Filters will be applied during the Update management schedule. 

However, the azurerm_maintenance_assignment_dynamic_scope does not allow setting the subscription scope, so the default subscription is selected from where the terraform is applied. 

In my case, I am creating the schedules in the management subscription, where I need to manage updating all VMs under different target subscriptions as it is allowed via the portal. The Microsoft documentation uses the parentID attribute to set the subscription scope for the Configuration Assignments as per below link:
https://learn.microsoft.com/en-us/azure/templates/microsoft.maintenance/configurationassignments?pivots=deployment-language-terraform

if I use the AzAPI resource from the above link I can use the below 
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Maintenance/configurationAssignments@2023-04-01"
  name = "string"
  location = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      filter = {
        locations = [
          "string"
        ]
        osTypes = [
          "string"
        ]
        resourceGroups = [
          "string"
        ]
        resourceTypes = [
          "string"
        ]
        tagSettings = {
          filterOperator = "string"
          tags = {}
        }
      }
      maintenanceConfigurationId = "string"
      resourceId = "string"
    }
  })
}

and set the parentID to correctly set the dynamic scope.

Debug Output/Panic Output

Doesnt allow setting up the target subscription scope/

Expected Behaviour

Dynamic Scope should be allowed to set up the target Subscription Scope.

Actual Behaviour

Always sets the scope as the current subscription's context from where the terraform is run.

Steps to Reproduce

No response

Important Factoids

NA

References

https://learn.microsoft.com/en-us/azure/templates/microsoft.maintenance/configurationassignments?pivots=deployment-language-terraform

[teowa]

Hi @naikajah , thanks for submitting this! The subscription id of azurerm_maintenance_assignment_dynamic_scope is inherited from the provider block. Can you try with the provider alias feature, e.g.,

provider "azurerm" {
  alias = "sub2"
  subscription_id = "<sub2-id>"
}
resource "azurerm_maintenance_assignment_dynamic_scope" "example" {
  provider                     = azurerm.sub2
  name                         = "example"
  maintenance_configuration_id = azurerm_maintenance_configuration.example.id
 ...
}

[naikajah]

@teowa Yes, that approach could work. However, my requirements are slightly different. I have a YAML configuration file for the Azure Update Manager, which includes multiple dynamic scopes tailored for various projects utilizing the module. The YAML configuration specifies Subscription Aliases instead of Subscription IDs. Therefore, I need to extract the subscription alias from the YAML and convert it to the Subscription ID to set it as the parentID.

Using provider blocks might necessitate multiple provider blocks unless I completely redesign the solution.