hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

API Management User Creation using Signup or Invite confirmation type sends legacy Developer Portal URL which is no longer supported #9414

Open jkieffer0616 opened 3 years ago

jkieffer0616 commented 3 years ago

When confirmation is set to invite or signup in the following Azure APIM User creation:

resource "azurerm_api_management_user" "test" {
  user_id             = "5931a75ae4bbd512288c680b"
  confirmation        = "invite"
  state               = "active"
  api_management_name = azurerm_api_management.apim.name
  resource_group_name = azurerm_api_management.apim.resource_group_name
  first_name          = "Test"
  last_name           = "Test"
  email               = "test@emailcom"
}

a URL is sent to the user's email asking them to finish their registration. The URL takes users to the Legacy Dev Portal, which is deprecated, to complete registration. Finishing registration then results in a User Registration Is Disabled page that is displayed to the user.

When inviting a user through the Azure Portal, the proper URL (apimname.developer.azure-api.net/####) is sent and registration works fine.

philippeckelintive commented 1 year ago

For anyone interested: there is a workaround.

The issue is not on the Terraform provider azurerm_api_management_user resource, but - after replicating the same using an ARM template and azapi provider - the error is clearly on Azure API's side as the ARM template produces the same email leading to the legacy developer portal.

To be correct @jkieffer0616: the legacy portal can still be used until retirement in October 2023; but of course you're right API Management should invite users to the new developer portal.

And true, the Azure portal apparently uses a different template than the API.

After some debugging, to fix this one needs to update the InviteUserNotificationMessage email template by using the azapi_update_resource like this:

# api_management.tf file
resource "azurerm_api_management" "api_management" {
[...]
}

resource "azapi_update_resource" "invite" {
  type = "Microsoft.ApiManagement/service/templates@2021-08-01"
  name = "InviteUserNotificationMessage"
  parent_id = azurerm_api_management.api_management.id
  body = jsonencode({
    properties : {
      subject = "Customized confirmation email for your new $OrganizationName API account"
      body = templatefile("${path.module}/invite.html.tpl", {
        developer_portal_url = azurerm_api_management.api_management.developer_portal_url
      })
      title = "Invite user"
    }
  })
}

Then one needs to build the correct URL using an HTML template like this:

# invite.html.tpl
<!DOCTYPE html>
<html>
<head />
<body>
    <p style="font-size:12pt;font-family:'Segoe UI'">Dear $DevFirstName $DevLastName,</p>
    <p style="font-size:12pt;font-family:'Segoe UI'">
        Your account has been created. Please follow the link below to visit the $OrganizationName developer portal
        and claim it:
    </p>
    <p style="font-size:12pt;font-family:'Segoe UI'">
        <a
            href="${developer_portal_url}/confirm-v2/identities/basic/invite?$ConfirmQuery">${developer_portal_url}/confirm-v2/identities/basic/invite?$ConfirmQuery</a>
    </p>
    <p style="font-size:12pt;font-family:'Segoe UI'">Best,</p>
    <p style="font-size:12pt;font-family:'Segoe UI'">The $OrganizationName API Team</p>
</body>
</html>

Inviting a user then sends out the correct URL to the new developer portal.

@katbyte the api_management_email_template is a little useless as the email templates already exist and Terraform fails to create them, proposing to import them into state first.

So the azapi_update_resource is definitely the better option.

And if someone from Azure is reading here: I'd suggest fixing this on the API itself.

Hope it helps!
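A pre-apply check for the workaround above, as an added example that is not part of the thread or of the provider: it renders the `${developer_portal_url}` interpolation the way the posted template uses it and confirms that every link in the invite email targets the developer portal host over https, uses the `/confirm-v2/identities/basic/invite` path, keeps `$ConfirmQuery` intact, and shows the same URL it links to. The function and class names, the sample host and both sample templates are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

INVITE_PATH = "/confirm-v2/identities/basic/invite"  # path used in invite.html.tpl above

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_invite_template(template, developer_portal_url):
    """Return a list of problems; empty means every link is the expected invite URL."""
    # Terraform's templatefile() fills ${...}; APIM's own $Name variables stay as they are.
    html = template.replace("${developer_portal_url}", developer_portal_url)
    problems = ["unrendered ${...} left in template"] if "${" in html else []
    collector = LinkCollector()
    collector.feed(html)
    if not collector.links:
        problems.append("no <a> link found")
    base = urlsplit(developer_portal_url)
    for href, text in collector.links:
        url = urlsplit(href)
        if (url.scheme, url.netloc) != ("https", base.netloc):
            problems.append(f"not the developer portal over https: {href}")
        if url.path != base.path + INVITE_PATH:
            problems.append(f"unexpected path: {url.path}")
        if url.query != "$ConfirmQuery":
            problems.append("query is not exactly $ConfirmQuery")
        if text != href:
            problems.append("visible link text differs from href")
    return problems

# Constructed sample values, not taken from a real service.
PORTAL = "https://example-apim.developer.azure-api.net"
GOOD = ('<p><a\n href="${developer_portal_url}/confirm-v2/identities/basic/invite?$ConfirmQuery">'
        '${developer_portal_url}/confirm-v2/identities/basic/invite?$ConfirmQuery</a></p>')
BAD = ('<p><a href="https://other.example.invalid/signup?$ConfirmQuery">'
       '${developer_portal_url}/confirm-v2/identities/basic/invite?$ConfirmQuery</a></p>')
```

Run it against the real `invite.html.tpl` contents and the `developer_portal_url` value from `terraform output` before applying, and fail the pipeline if the returned list is not empty.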